Releases: Ericsson/xcm

v1.10.1

26 Oct 11:58

Release v1.10.1 contains the following improvements:

  • Reduced worst-case stack usage. (Issue #100)
  • Fix bug causing the DNS name resolution process to time out too quickly on c-ares v1.1.7 or later, when a large XCM "dns.timeout" was configured.
  • Have the SCTP transport properly handle multi-chunk SCTP messages. (Issue #32)
  • Work around valgrind memcheck false positive in unit test.
  • Modernize gencert test tool to avoid Python deprecation warnings.

The ABI/API remains unchanged.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.10.1/

v1.10.0

24 Apr 15:05

Release v1.10.0 contains the following improvements:

  • Support for transport-agnostic address syntax checking is added to the <xcm_addr.h> API.
  • xcm_close() is now guaranteed (API-wise) to never fail. The function signature remains the same.
  • An XCM-level relay utility 'xcmrelay' is added. xcmrelay binds a server port, and for each inbound connection creates an outbound connection to a remote address. The program relays data (or messages) between the inbound and the corresponding outbound connection.
  • Python test cases are modernized (e.g., moved from Python's unittest module to pytest).
  • A non-blocking, libevent-based, example program is added (echod.c).
  • Fix bug where the 'xcm' command-line tool failed to call xcm_close() on closed connections, which in turn may generate an SSL-level error at the remote peer.
  • Improved 'xcm' command-line program usage information.

The ABI/API is bumped to 0.25.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.10.0/

v1.9.2

04 Dec 08:12

Release v1.9.2 contains the following improvements:

  • Work around bug causing all certificate verification to fail in case CRL checking was enabled, and there was a CRL issued by a non-root CA. The root cause of the failure is a bug in OpenSSL effectively preventing the use of partial chains and CRL checking simultaneously. To work around this issue, the XCM TLS transport disallows partial chains (i.e., chains of trust where the trust anchor is a non-root CA) if (and only if) CRL checking is enabled.
  • Log cause of certificate verification failures.
  • Fail test runs on Valgrind memory leaks. Prior to this fix, any memory-related errors would just cause printouts on stderr during test execution.

The ABI/API remains unchanged.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.9.2/

v1.9.1

02 Nov 23:06

Release v1.9.1 contains the following improvements:

  • Fix bug causing xcm_remote_addr() to return NULL in case SO_PASSCRED was not set by the peer. Issue #85.
  • Fix bug where errno wasn't properly set on xcm_remote_addr(), xcm_local_addr(), or xcm_attr_get(..., "xcm.remote_addr") failures. See issue #84.
  • The Python XCM wrapper module now allows the retrieval of double-type socket attributes.
  • Test improvements, including
    • Fix race condition causing occasional failures in the UTLS remote address test case.
    • Lengthened test CRL update interval, to avoid test certificates going invalid.
    • Extend test IP addresses to avoid collisions.
    • Fix cosmetic memory leak in utest.
  • Various documentation improvements, including:
    • Make example select calls valid.
    • Rephrase overview in API documentation.
    • Add missing BTCP references.

The ABI/API remains unchanged.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.9.1/

v1.9.0

31 Jul 14:43

Release v1.9.0 contains the following improvements:

BTCP Transport

XCM v1.9.0 introduces a new XCM transport BTCP, including the appropriate extensions to <xcm_addr.h>. API-wise, BTCP presents an XCM bytestream-type service. On the wire, XCM BTCP is just "raw" TCP, with no XCM-specific wire protocol elements.

There are two primary drivers behind BTCP. One is that it provides a clean and easy way to share TCP/BSD socket-related functionality between XCM BTLS and the XCM TCP transports, and helps assure that TCP-level options and behaviors are the same for both XCM TCP and XCM BTLS/TLS/UTLS.

Even before the introduction of BTCP, DNS and BSD sockets-related code was shared between BTLS and TCP (e.g., tcp_attr). The requirement to support RFC 6555-style "Happy Eyeballs" DNS and TCP connection establishment procedures increased the incentive to realize BTCP.

In v1.9.0, XCM BTLS uses the new BTCP transport as a mapping layer between OpenSSL and the BSD sockets API. In OpenSSL speak, such a module is referred to as a "BIO". The BTLS transport now has a custom BIO which relays data between OpenSSL and BTCP. An upside of this change is that XCM no longer needs to configure libc to ignore SIGPIPE (which is not something shared libraries should do, generally). Ignoring SIGPIPE was required since the standard OpenSSL BIO previously used by XCM issued the send() syscall without the MSG_NOSIGNAL flag set. Without SIGPIPE filtering, such SIGPIPE UNIX signals would be delivered to the process in case the connection was broken on send(), likely much to the surprise of most applications.

The second reason for the introduction of BTCP is symmetry (or completeness). XCM BTCP is to XCM TCP what XCM BTLS is to XCM TLS.
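
The SIGPIPE behavior described above can be reproduced without XCM or OpenSSL. The following is an added example, not code from the XCM project; it assumes Linux, and the function name sigpipe_on_broken_send and the use of an AF_UNIX socket pair in place of a TCP connection are choices made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static volatile sig_atomic_t sigpipe_count;

static void on_sigpipe(int signo) { (void)signo; sigpipe_count++; }

/* Added illustration, not XCM code. Sends one byte on a stream socket whose
 * peer has closed; returns how many SIGPIPEs the send() raised (-1 on setup
 * failure) and stores send()'s errno in *send_errno. */
int sigpipe_on_broken_send(int send_flags, int *send_errno)
{
    struct sigaction sa, old_sa;
    int fds[2];

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sigpipe;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGPIPE, &sa, &old_sa) < 0)
        return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0) {
        sigaction(SIGPIPE, &old_sa, NULL);
        return -1;
    }

    close(fds[1]); /* peer goes away: the connection is now broken */
    sigpipe_count = 0;
    ssize_t rc = send(fds[0], "x", 1, send_flags);
    *send_errno = rc < 0 ? errno : 0;

    close(fds[0]);
    sigaction(SIGPIPE, &old_sa, NULL); /* restore the caller's disposition */
    return (int)sigpipe_count;
}

int main(void)
{
    int err;
    int n = sigpipe_on_broken_send(0, &err);
    printf("flags=0:            SIGPIPE x%d, errno=%s\n", n, strerror(err));
    n = sigpipe_on_broken_send(MSG_NOSIGNAL, &err);
    printf("flags=MSG_NOSIGNAL: SIGPIPE x%d, errno=%s\n", n, strerror(err));
    return 0;
}
```

In both cases send() fails with EPIPE; only the call without MSG_NOSIGNAL also raises the signal, which terminates a process that has left SIGPIPE at its default disposition.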

Happy Eyeballs

New in v1.9.0 is support for configurable DNS-based TCP connection establishment algorithms.

The DNS resolver (glibc or c-ares) sorts the A and AAAA records and returns them to the higher layer in order of preference. XCM versions prior to v1.9.0 only ever attempted to connect to the first, most preferred, address in this list. If that connection attempt failed, an error was returned to the caller.

In v1.9.0, the application may control which algorithm (or mechanism) is used to translate the list of addresses into an established TCP connection using a new XCM socket attribute "dns.algorithm". The default algorithm is "single", which is identical to legacy XCM behavior.

If the "sequential" method is specified, all addresses provided by DNS will be probed, one-by-one, in resolver-controlled priority order.

If the "happy_eyeballs" algorithm is configured, the XCM socket maintains two concurrent tracks, where one attempts to connect to all IPv6 addresses, one-by-one, in priority order, and the other does the same, but for the IPv4 subset. All this is pretty much in accordance with RFC 6555.

The "dns.algorithm" attribute is available in all TCP-based transports: UTLS, TLS, BTLS, TCP, and BTCP.

To keep core BTCP transport complexity low, the responsibility for managing BSD socket creation and TCP connection establishment is moved out from xcm_tp_btcp.c to a new module tconnect.c.

v1.9.0 also sports a new "tcp.connect_timeout" socket attribute, which allows the user to specify a TCP connection establishment-specific timeout. The default is 3 s, which is roughly the same as older XCM versions.

Certificate Revocation Verification

Starting in this release, XCM may optionally be configured to check the remote peer's certificate (and other certificates in the chain of trust) against a set of certificate revocation lists (CRLs). The full chain is checked against the CRLs.

CRL checking is supported in all XCM transports using TLS, including for UTLS connection sockets of the TLS type.

CRL checking is disabled by default. It is enabled by setting the new "tls.check_crl" socket attribute to true.

The actual CRL bundle is supplied by setting one of the new "tls.crl_file" or "tls.crl" socket attributes.

The CRL bundle is cached and re-read/re-parsed on change in the same manner as the cert.pem, key.pem and tc.pem files. Already-established TLS connections will not be torn down.

CRL checking is available on sockets serving in both the TLS client and server roles.

Other Improvements

  • Avoid redundant epoll instance updates in the TLS transport, reducing message send and receive overhead by ~5%.
  • Fix DNS-related test failures occurring on non-c-ares builds.
  • Improve API documentation in regards to MT safety.
  • Various minor refactorings.
  • Use SOCK_NONBLOCK to avoid fcntl() calls and reduce overhead for socket creation.
  • Improve "dns.timeout" attribute documentation.
  • Introduce directory subtree under libxcm/, to make navigating the source code easier.
  • Enable the BTLS address parsing test cases.
  • Extend invalid address test cases.
  • Missing SPDX license headers are added to various Python source files.
  • Fix 'xcm' command-line tool floating point attribute bug.

The API/ABI version is bumped to 0.24.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.9.0/

v1.8.0

07 Feb 16:42

Release v1.8.0 contains the following improvements:

  • XCM switches over from using the glibc resolver to the c-ares DNS library. It is still possible to build a library which uses glibc and getaddrinfo_a(), with the --disable-cares configure option. c-ares has a number of advantages over glibc's resolver:
    • Does not leak memory.
    • Better performance.
    • Allows DNS timeout parameters to be tweaked programmatically.
    • Much cleaner API.
    • Does not use a background thread. The glibc threads caused a number of issues, in particular since they failed to block UNIX signals.
  • A new attribute "dns.timeout" is added, which allows an application to specify the maximum timeout for the DNS resolution process. The default is 10 seconds. This attribute is only available if libxcm is built with c-ares support.
  • Support for double-precision floating point socket attributes is added to the <xcm_attr.h> and <xcm_attr_map.h> APIs.

The API/ABI version is bumped to 0.23.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.8.0/

v1.7.0

03 Feb 21:43

Release v1.7.0 contains the following improvements:

Library:

  • Support for configuring TLS credentials by-value by means of three new socket attributes ("tls.cert", "tls.key", and "tls.tc") is added.
  • Convenience functions for accessing binary type attributes are introduced into the <xcm_attr.h> and <xcm_attr_map.h> APIs.
  • The 'xcm' command-line tool now allows configuring binary attributes on the sockets it creates.
  • The use of OpenSSL API calls marked obsolete in OpenSSL 3.0.0 is discontinued.

Documentation:

  • Certificate file documentation restructured.
  • Various spelling fixes.
  • Improvements to xcm_finish() documentation.
  • Fix error (suggesting the function would always return 0 on success) in xcm_fd() documentation.
  • Doxygen configuration cleaned up.

Test suite:

  • Race condition in TCP keepalive test case fixed.
  • Deprecated Python APIs are no longer used in the Python test suite.
  • Bytestream testcases added to the Python test suite.
  • TLS test case for multiple CAs with same subject added.
  • A memory leak in the TLS multi-record test case is fixed.
  • TLS spammer test case no longer times out.
  • Authority key ids are added to all XCM test certificates.

v1.6.2

13 Sep 18:03

Release v1.6.2 contains the following improvements:

  • Bugfix for TLS header parsing issue, where an XCM header split into multiple TLS protocol-level records triggered a library assertion.
  • The user manual is extended to include information on the XCM tracing facilities.
  • Library version is now logged.
  • The default compiler flags no longer terminate the build upon encountering compiler warnings.

API/ABI remains unchanged.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.6.2/

v1.6.1

19 May 10:23

Release v1.6.1 contains the following improvements:

  • Reduce the control interface poll frequency, which in turn gives a slight performance boost, especially for UX socket users (~5-10%), in ping-pong scenarios.
  • Fix bug #62 "Connection establishment with DNS name may create socket in the wrong namespace".
  • Fix bug which prevented the test suite from being run in Valgrind.
  • Fix IPv6 scope related SCTP build issue.

API/ABI remains unchanged.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.6.1/

v1.6.0

08 Mar 11:37

Release v1.6.0 contains the following improvements:

  • Support IPv6 link local addresses as a part of XCM TCP, BTLS, and TLS addresses. The scope id is specified by the application by means of a new socket attribute "ipv6.scope". Resolves issue #34.
  • Fix bug in the control interface, which in certain rare (and usually transient) conditions causes a lack of responsiveness (on that interface) and application stalls.

The API/ABI version is bumped to 0.21.

The API documentation and user manual for this release can be found at:
https://ericsson.github.io/xcm/doc/v1.6.0/