| author | Garrett D'Amore <garrett@damore.org> | 2024-11-23 14:29:07 -0800 |
|---|---|---|
| committer | Garrett D'Amore <garrett@damore.org> | 2024-11-23 14:45:46 -0800 |
| commit | 9bbb1340c37a4a3b3a8477b058077a38d77230f7 (patch) | |
| tree | 36fbe2e7475b701bd335530f2b20bb03bf241049 /src/sp | |
| parent | b4ef0f3b1f365beb76a7c1bc1b6ae455cb58dfbc (diff) | |
| download | nng-9bbb1340c37a4a3b3a8477b058077a38d77230f7.tar.gz nng-9bbb1340c37a4a3b3a8477b058077a38d77230f7.tar.bz2 nng-9bbb1340c37a4a3b3a8477b058077a38d77230f7.zip | |
tls: add a mutual authentication test
Also, make it clearer that TLS keys and certificates can only
be set once on a configuration. (mbedTLS makes this confusing!)
This mutual test is only fully validated on mbed, because wolfSSL
seems to not properly validate this in many configurations.
Diffstat (limited to 'src/sp')
| -rw-r--r-- | src/sp/transport/tls/tls_tran_test.c | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/src/sp/transport/tls/tls_tran_test.c b/src/sp/transport/tls/tls_tran_test.c
index c6889b23..6e1835a6 100644
--- a/src/sp/transport/tls/tls_tran_test.c
+++ b/src/sp/transport/tls/tls_tran_test.c
@@ -27,6 +27,16 @@ tls_server_config(void)
 }
 static nng_tls_config *
+tls_server_config_ecdsa(void)
+{
+ nng_tls_config *c;
+ NUTS_PASS(nng_tls_config_alloc(&c, NNG_TLS_MODE_SERVER));
+ NUTS_PASS(nng_tls_config_own_cert(
+ c, nuts_ecdsa_server_crt, nuts_ecdsa_server_key, NULL));
+ return (c);
+}
+
+static nng_tls_config *
 tls_config_psk(nng_tls_mode mode, const char *name, uint8_t *key, size_t len)
 {
 nng_tls_config *c;
@@ -46,6 +56,17 @@ tls_client_config(void)
 return (c);
 }
+static nng_tls_config *
+tls_client_config_ecdsa(void)
+{
+ nng_tls_config *c;
+ NUTS_PASS(nng_tls_config_alloc(&c, NNG_TLS_MODE_CLIENT));
+ NUTS_PASS(nng_tls_config_own_cert(
+ c, nuts_ecdsa_client_crt, nuts_ecdsa_client_key, NULL));
+ NUTS_PASS(nng_tls_config_ca_chain(c, nuts_ecdsa_server_crt, NULL));
+ return (c);
+}
+
 void
 test_tls_port_zero_bind(void)
 {
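Review bot: `tls_client_config_ecdsa` already installs `nuts_ecdsa_server_crt` as the CA chain on the client config, and the new `test_tls_cert_mutual` in the next hunk calls `nng_tls_config_ca_chain(c2, nuts_ecdsa_server_crt, NULL)` on that same config a second time. The commit message itself stresses that keys and certificates can only be set once on a configuration; whether a repeated CA-chain call is rejected, replaced or appended depends on the engine, so the `NUTS_PASS` around that second call tests engine behaviour rather than mutual authentication. Keep the trust anchor in exactly one place, and give the helper a one-line header comment saying what it pre-configures, e.g. `// Client config with its own ECDSA identity and trust in the ECDSA server cert; callers must not set ca_chain again.`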
@@ -110,13 +131,58 @@ test_tls_bad_cert_mutual(void)
 NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));
 NUTS_PASS(nng_dialer_create_url(&d, s2, url));
 NUTS_PASS(nng_dialer_set_tls(d, c2));
+#ifdef NNG_TLS_ENGINE_MBEDTLS
 NUTS_FAIL(nng_dialer_start(d, 0), NNG_ECRYPTO);
+#else
+ // WolfSSL doesn't validate this here.
+ nng_dialer_start(d, 0);
+#endif
+ nng_msleep(50);
+ NUTS_CLOSE(s2);
+ NUTS_CLOSE(s1);
+ nng_tls_config_free(c1);
+ nng_tls_config_free(c2);
+}
+
+void
+test_tls_cert_mutual(void)
+{
+ nng_socket s1;
+ nng_socket s2;
+ nng_tls_config *c1, *c2;
+ nng_sockaddr sa;
+ nng_listener l;
+ nng_dialer d;
+ const nng_url *url;
+
+ c1 = tls_server_config_ecdsa();
+ c2 = tls_client_config_ecdsa();
+
+ NUTS_ENABLE_LOG(NNG_LOG_DEBUG);
+ NUTS_OPEN(s1);
+ NUTS_OPEN(s2);
+ NUTS_PASS(nng_tls_config_auth_mode(c1, NNG_TLS_AUTH_MODE_REQUIRED));
+ NUTS_PASS(nng_tls_config_ca_chain(c1, nuts_ecdsa_server_crt, NULL));
+ NUTS_PASS(nng_tls_config_ca_chain(c2, nuts_ecdsa_server_crt, NULL));
+ NUTS_PASS(nng_listener_create(&l, s1, "tls+tcp://127.0.0.1:0"));
+ NUTS_PASS(nng_listener_set_tls(l, c1));
+ NUTS_PASS(nng_listener_start(l, 0));
+ NUTS_PASS(nng_listener_get_url(l, &url));
+ NUTS_MATCH(nng_url_scheme(url), "tls+tcp");
+ NUTS_PASS(nng_listener_get_addr(l, NNG_OPT_LOCADDR, &sa));
+ NUTS_TRUE(sa.s_in.sa_family == NNG_AF_INET);
+ NUTS_TRUE(sa.s_in.sa_port != 0);
+ NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));
+ NUTS_PASS(nng_dialer_create_url(&d, s2, url));
+ NUTS_PASS(nng_dialer_set_tls(d, c2));
+ NUTS_PASS(nng_dialer_start(d, 0));
 nng_msleep(50);
 NUTS_CLOSE(s2);
 NUTS_CLOSE(s1);
 nng_tls_config_free(c1);
 nng_tls_config_free(c2);
 }
+
 void
 test_tls_malformed_address(void)
 {
@@ -321,5 +387,6 @@ NUTS_TESTS = {
 { "tls recv max", test_tls_recv_max },
 { "tls pre-shared key", test_tls_psk },
 { "tsl bad cert mutual", test_tls_bad_cert_mutual },
+ { "tsl cert mutual", test_tls_cert_mutual },
 { NULL, NULL },
 };
|
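Review bot: `NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));` in the new `test_tls_cert_mutual` assigns instead of comparing, so the check can never fail (it is copied from the same line in `test_tls_bad_cert_mutual` just above, which has the same defect); it should read `NUTS_TRUE(sa.s_in.sa_addr == nuts_be32(0x7f000001));`. In the new `#else` branch of `test_tls_bad_cert_mutual` the return value of `nng_dialer_start(d, 0)` is discarded, so a wolfSSL build no longer asserts anything about the untrusted certificate being rejected; a `// TODO: wolfSSL accepts the untrusted client cert here, so rejection is not verified in this build` next to it would keep that gap visible in the source rather than only in the commit message. The mutual test then asserts only that `nng_dialer_start` returns success; a short send/receive round-trip before the `nng_msleep(50)` would confirm the handshake actually completed with both identities verified rather than merely that the dial was accepted. Finally, the table entry `"tsl cert mutual"` carries over the `tsl` typo from the line above it and is the name users will grep for.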
