aboutsummaryrefslogtreecommitdiff
path: root/src/supplemental/tls
diff options
context:
space:
mode:
authorGarrett D'Amore <garrett@damore.org>2024-07-20 16:47:25 -0700
committerGarrett D'Amore <garrett@damore.org>2024-07-21 14:23:08 -0700
commit0aeed90d9a85eaf6f00e81c6f5f69a7ed9fec8c6 (patch)
tree9f1acaa0bc8569a9e8e88e203fddd877f0dbab99 /src/supplemental/tls
parentc0b93b441199619d27a1caf201a8c410f4246cf4 (diff)
downloadnng-0aeed90d9a85eaf6f00e81c6f5f69a7ed9fec8c6.tar.gz
nng-0aeed90d9a85eaf6f00e81c6f5f69a7ed9fec8c6.tar.bz2
nng-0aeed90d9a85eaf6f00e81c6f5f69a7ed9fec8c6.zip
fixes #1846 Add support for TLS PSK
This also adds an SP layer transport test for TLS, based on the TCP test but with some additions; this test does not cover all the edge cases for TLS, but it does at least show how to use it.
Diffstat (limited to 'src/supplemental/tls')
-rw-r--r--src/supplemental/tls/mbedtls/tls.c110
-rw-r--r--src/supplemental/tls/tls_common.c35
-rw-r--r--src/supplemental/tls/tls_test.c311
3 files changed, 446 insertions, 10 deletions
diff --git a/src/supplemental/tls/mbedtls/tls.c b/src/supplemental/tls/mbedtls/tls.c
index 8f09558a..3e424cc8 100644
--- a/src/supplemental/tls/mbedtls/tls.c
+++ b/src/supplemental/tls/mbedtls/tls.c
@@ -17,7 +17,9 @@
#include "mbedtls/version.h" // Must be first in order to pick up version
#include "mbedtls/error.h"
+
#include "nng/nng.h"
+#include "nng/supplemental/tls/tls.h"
// mbedTLS renamed this header for 2.4.0.
#if MBEDTLS_VERSION_MAJOR > 2 || MBEDTLS_VERSION_MINOR >= 4
@@ -38,6 +40,35 @@ typedef struct {
nni_list_node node;
} pair;
+// psk holds an identity and preshared key
+typedef struct {
+ // NB: Technically RFC 4279 requires this be UTF-8 string, although
+ // others suggest making it opaque bytes. We treat it as a C string,
+ // so we cannot support embedded zero bytes.
+ char *identity;
+ uint8_t *key;
+ size_t keylen;
+ nni_list_node node;
+} psk;
+
+static void
+psk_free(psk *p)
+{
+ if (p != NULL) {
+ NNI_ASSERT(!nni_list_node_active(&p->node));
+ if (p->identity != NULL) {
+ nni_strfree(p->identity);
+ p->identity = NULL;
+ }
+ if (p->key != NULL && p->keylen != 0) {
+ nni_free(p->key, p->keylen);
+ p->key = NULL;
+ p->keylen = 0;
+ }
+ NNI_FREE_STRUCT(p);
+ }
+}
+
#ifdef NNG_TLS_USE_CTR_DRBG
// Use a global RNG if we're going to override the builtin.
static mbedtls_ctr_drbg_context rng_ctx;
@@ -56,7 +87,9 @@ struct nng_tls_engine_config {
mbedtls_x509_crl crl;
int min_ver;
int max_ver;
+ nng_tls_mode mode;
nni_list pairs;
+ nni_list psks;
};
static void
@@ -371,6 +404,7 @@ static void
config_fini(nng_tls_engine_config *cfg)
{
pair *p;
+ psk *psk;
mbedtls_ssl_config_free(&cfg->cfg_ctx);
#ifdef NNG_TLS_USE_CTR_DRBG
@@ -381,13 +415,17 @@ config_fini(nng_tls_engine_config *cfg)
if (cfg->server_name) {
nni_strfree(cfg->server_name);
}
- while ((p = nni_list_first(&cfg->pairs))) {
+ while ((p = nni_list_first(&cfg->pairs)) != NULL) {
nni_list_remove(&cfg->pairs, p);
mbedtls_x509_crt_free(&p->crt);
mbedtls_pk_free(&p->key);
NNI_FREE_STRUCT(p);
}
+ while ((psk = nni_list_first(&cfg->psks)) != NULL) {
+ nni_list_remove(&cfg->psks, psk);
+ psk_free(psk);
+ }
}
static int
@@ -405,7 +443,9 @@ config_init(nng_tls_engine_config *cfg, enum nng_tls_mode mode)
auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
}
+ cfg->mode = mode;
NNI_LIST_INIT(&cfg->pairs, pair, node);
+ NNI_LIST_INIT(&cfg->psks, psk, node);
mbedtls_ssl_config_init(&cfg->cfg_ctx);
mbedtls_x509_crt_init(&cfg->ca_certs);
mbedtls_x509_crl_init(&cfg->crl);
@@ -452,6 +492,73 @@ config_server_name(nng_tls_engine_config *cfg, const char *name)
return (0);
}
+// callback used on the server side to select the right key
+static int
+config_psk_cb(void *arg, mbedtls_ssl_context *ssl,
+ const unsigned char *identity, size_t id_len)
+{
+ nng_tls_engine_config *cfg = arg;
+ psk *psk;
+ NNI_LIST_FOREACH (&cfg->psks, psk) {
+ if (id_len == strlen(psk->identity) &&
+ (memcmp(identity, psk->identity, id_len) == 0)) {
+ nng_log_debug("NNG-TLS-PSK-IDENTITY",
+ "TLS client using PSK identity %s", psk->identity);
+ return (mbedtls_ssl_set_hs_psk(
+ ssl, psk->key, psk->keylen));
+ }
+ }
+ nng_log_warn(
+ "NNG-TLS-PSK-NO-IDENTITY", "TLS client PSK identity not found");
+ return (MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY);
+}
+
+static int
+config_psk(nng_tls_engine_config *cfg, const char *identity,
+ const uint8_t *key, size_t key_len)
+{
+ int rv;
+ psk *srch;
+ psk *newpsk;
+
+ if (((newpsk = NNI_ALLOC_STRUCT(newpsk)) == NULL) ||
+ ((newpsk->identity = nni_strdup(identity)) == NULL) ||
+ ((newpsk->key = nni_alloc(key_len)) == NULL)) {
+ psk_free(newpsk);
+ return (NNG_ENOMEM);
+ }
+ newpsk->keylen = key_len;
+ memcpy(newpsk->key, key, key_len);
+
+ if (cfg->mode == NNG_TLS_MODE_SERVER) {
+ if (nni_list_empty(&cfg->psks)) {
+ mbedtls_ssl_conf_psk_cb(
+ &cfg->cfg_ctx, config_psk_cb, cfg);
+ }
+ } else {
+ if ((rv = mbedtls_ssl_conf_psk(&cfg->cfg_ctx, key, key_len,
+ (const unsigned char *) identity,
+ strlen(identity))) != 0) {
+ psk_free(newpsk);
+ tls_log_err("NNG-TLS-PSK-FAIL",
+ "Failed to configure PSK identity", rv);
+ return (tls_mk_err(rv));
+ }
+ }
+
+ // If the identity was previously configured, replace it.
+ // The rule here is that last one wins, so we always append.
+ NNI_LIST_FOREACH (&cfg->psks, srch) {
+ if (strcmp(srch->identity, identity) == 0) {
+ nni_list_remove(&cfg->psks, srch);
+ psk_free(srch);
+ break;
+ }
+ }
+ nni_list_append(&cfg->psks, newpsk);
+ return (0);
+}
+
static int
config_auth_mode(nng_tls_engine_config *cfg, nng_tls_auth_mode mode)
{
@@ -630,6 +737,7 @@ static nng_tls_engine_config_ops config_ops = {
.ca_chain = config_ca_chain,
.own_cert = config_own_cert,
.server = config_server_name,
+ .psk = config_psk,
.version = config_version,
};
diff --git a/src/supplemental/tls/tls_common.c b/src/supplemental/tls/tls_common.c
index 65805b03..62296de0 100644
--- a/src/supplemental/tls/tls_common.c
+++ b/src/supplemental/tls/tls_common.c
@@ -1,5 +1,5 @@
//
-// Copyright 2021 Staysail Systems, Inc. <info@staysail.tech>
+// Copyright 2024 Staysail Systems, Inc. <info@staysail.tech>
// Copyright 2018 Capitar IT Group BV <info@capitar.com>
// Copyright 2019 Devolutions <info@devolutions.net>
//
@@ -46,7 +46,7 @@ struct nng_tls_config {
const nng_tls_engine *engine; // store this so we can verify
nni_mtx lock;
int ref;
- int busy;
+ bool busy;
size_t size;
// ... engine config data follows
@@ -843,6 +843,10 @@ tls_alloc(tls_conn **conn_p, nng_tls_config *cfg, nng_aio *user_aio)
eng = cfg->engine;
+ nni_mtx_lock(&cfg->lock);
+ cfg->busy = true;
+ nni_mtx_unlock(&cfg->lock);
+
size = NNI_ALIGN_UP(sizeof(*conn)) + eng->conn_ops->size;
if ((conn = nni_zalloc(size)) == NULL) {
@@ -1325,7 +1329,7 @@ nng_tls_config_version(
int rv;
nni_mtx_lock(&cfg->lock);
- if (cfg->busy != 0) {
+ if (cfg->busy) {
rv = NNG_EBUSY;
} else {
rv = cfg->ops.version((void *) (cfg + 1), min_ver, max_ver);
@@ -1340,7 +1344,7 @@ nng_tls_config_server_name(nng_tls_config *cfg, const char *name)
int rv;
nni_mtx_lock(&cfg->lock);
- if (cfg->busy != 0) {
+ if (cfg->busy) {
rv = NNG_EBUSY;
} else {
rv = cfg->ops.server((void *) (cfg + 1), name);
@@ -1356,7 +1360,7 @@ nng_tls_config_ca_chain(
int rv;
nni_mtx_lock(&cfg->lock);
- if (cfg->busy != 0) {
+ if (cfg->busy) {
rv = NNG_EBUSY;
} else {
rv = cfg->ops.ca_chain((void *) (cfg + 1), certs, crl);
@@ -1371,7 +1375,7 @@ nng_tls_config_own_cert(
{
int rv;
nni_mtx_lock(&cfg->lock);
- if (cfg->busy != 0) {
+ if (cfg->busy) {
rv = NNG_EBUSY;
} else {
rv = cfg->ops.own_cert((void *) (cfg + 1), cert, key, pass);
@@ -1381,12 +1385,27 @@ nng_tls_config_own_cert(
}
int
+nng_tls_config_psk(nng_tls_config *cfg, const char *identity,
+ const uint8_t *key, size_t key_len)
+{
+ int rv;
+ nni_mtx_lock(&cfg->lock);
+ if (cfg->busy) {
+ rv = NNG_EBUSY;
+ } else {
+ rv = cfg->ops.psk((void *) (cfg + 1), identity, key, key_len);
+ }
+ nni_mtx_unlock(&cfg->lock);
+ return (rv);
+}
+
+int
nng_tls_config_auth_mode(nng_tls_config *cfg, nng_tls_auth_mode mode)
{
int rv;
nni_mtx_lock(&cfg->lock);
- if (cfg->busy != 0) {
+ if (cfg->busy) {
rv = NNG_EBUSY;
} else {
rv = cfg->ops.auth((void *) (cfg + 1), mode);
@@ -1423,7 +1442,7 @@ nng_tls_config_alloc(nng_tls_config **cfg_p, nng_tls_mode mode)
cfg->size = size;
cfg->engine = eng;
cfg->ref = 1;
- cfg->busy = 0;
+ cfg->busy = false;
nni_mtx_init(&cfg->lock);
if ((rv = cfg->ops.init((void *) (cfg + 1), mode)) != 0) {
diff --git a/src/supplemental/tls/tls_test.c b/src/supplemental/tls/tls_test.c
index 4a3f6e2d..d4ad2cc4 100644
--- a/src/supplemental/tls/tls_test.c
+++ b/src/supplemental/tls/tls_test.c
@@ -86,7 +86,7 @@ test_tls_large_message(void)
void *t2;
int port;
- NUTS_ENABLE_LOG(NNG_LOG_INFO);
+ NUTS_ENABLE_LOG(NNG_LOG_DEBUG);
// allocate messages
NUTS_ASSERT((buf1 = nng_alloc(size)) != NULL);
NUTS_ASSERT((buf2 = nng_alloc(size)) != NULL);
@@ -170,10 +170,319 @@ test_tls_garbled_cert(void)
nng_tls_config_free(c1);
}
+void
+test_tls_psk(void)
+{
+ nng_stream_listener *l;
+ nng_stream_dialer *d;
+ nng_aio *aio1, *aio2;
+ nng_stream *s1;
+ nng_stream *s2;
+ nng_tls_config *c1;
+ nng_tls_config *c2;
+ char addr[32];
+ uint8_t key[32];
+ uint8_t *buf1;
+ uint8_t *buf2;
+ size_t size = 10000;
+ void *t1;
+ void *t2;
+ int port;
+
+ NUTS_ENABLE_LOG(NNG_LOG_DEBUG);
+ // allocate messages
+ NUTS_ASSERT((buf1 = nng_alloc(size)) != NULL);
+ NUTS_ASSERT((buf2 = nng_alloc(size)) != NULL);
+
+ for (size_t i = 0; i < sizeof(key); i++) {
+ key[i] = rand() & 0xff;
+ }
+ for (size_t i = 0; i < size; i++) {
+ buf1[i] = rand() & 0xff;
+ }
+
+ NUTS_PASS(nng_aio_alloc(&aio1, NULL, NULL));
+ NUTS_PASS(nng_aio_alloc(&aio2, NULL, NULL));
+ nng_aio_set_timeout(aio1, 5000);
+ nng_aio_set_timeout(aio2, 5000);
+
+ // Allocate the listener first. We use a wild-card port.
+ NUTS_PASS(nng_stream_listener_alloc(&l, "tls+tcp://127.0.0.1:0"));
+ NUTS_PASS(nng_tls_config_alloc(&c1, NNG_TLS_MODE_SERVER));
+ NUTS_PASS(nng_tls_config_psk(c1, "identity", key, sizeof(key)));
+ NUTS_PASS(nng_stream_listener_set_ptr(l, NNG_OPT_TLS_CONFIG, c1));
+ NUTS_PASS(nng_stream_listener_listen(l));
+ NUTS_PASS(
+ nng_stream_listener_get_int(l, NNG_OPT_TCP_BOUND_PORT, &port));
+ NUTS_TRUE(port > 0);
+ NUTS_TRUE(port < 65536);
+
+ snprintf(addr, sizeof(addr), "tls+tcp://127.0.0.1:%d", port);
+ NUTS_PASS(nng_stream_dialer_alloc(&d, addr));
+ NUTS_PASS(nng_tls_config_alloc(&c2, NNG_TLS_MODE_CLIENT));
+ NUTS_PASS(nng_tls_config_psk(c2, "identity", key, sizeof(key)));
+ NUTS_PASS(nng_tls_config_server_name(c2, "localhost"));
+
+ NUTS_PASS(nng_stream_dialer_set_ptr(d, NNG_OPT_TLS_CONFIG, c2));
+
+ nng_stream_listener_accept(l, aio1);
+ nng_stream_dialer_dial(d, aio2);
+
+ nng_aio_wait(aio1);
+ nng_aio_wait(aio2);
+
+ NUTS_PASS(nng_aio_result(aio1));
+ NUTS_PASS(nng_aio_result(aio2));
+
+ NUTS_TRUE((s1 = nng_aio_get_output(aio1, 0)) != NULL);
+ NUTS_TRUE((s2 = nng_aio_get_output(aio2, 0)) != NULL);
+
+ t1 = nuts_stream_send_start(s1, buf1, size);
+ t2 = nuts_stream_recv_start(s2, buf2, size);
+
+ NUTS_PASS(nuts_stream_wait(t1));
+ NUTS_PASS(nuts_stream_wait(t2));
+ NUTS_TRUE(memcmp(buf1, buf2, size) == 0);
+
+ nng_free(buf1, size);
+ nng_free(buf2, size);
+ nng_stream_free(s1);
+ nng_stream_free(s2);
+ nng_stream_dialer_free(d);
+ nng_stream_listener_free(l);
+ nng_tls_config_free(c1);
+ nng_tls_config_free(c2);
+ nng_aio_free(aio1);
+ nng_aio_free(aio2);
+}
+
+void
+test_tls_psk_server_identities(void)
+{
+ nng_stream_listener *l;
+ nng_stream_dialer *d;
+ nng_aio *aio1, *aio2;
+ nng_stream *s1;
+ nng_stream *s2;
+ nng_tls_config *c1;
+ nng_tls_config *c2;
+ char addr[32];
+ uint8_t *buf1;
+ uint8_t *buf2;
+ size_t size = 10000;
+ void *t1;
+ void *t2;
+ int port;
+ char *identity = "test_identity";
+ uint8_t key[32];
+
+ NUTS_ENABLE_LOG(NNG_LOG_INFO);
+ // allocate messages
+ NUTS_ASSERT((buf1 = nng_alloc(size)) != NULL);
+ NUTS_ASSERT((buf2 = nng_alloc(size)) != NULL);
+
+ for (size_t i = 0; i < sizeof(key); i++) {
+ key[i] = rand() & 0xff;
+ }
+ for (size_t i = 0; i < size; i++) {
+ buf1[i] = rand() & 0xff;
+ }
+
+ NUTS_PASS(nng_aio_alloc(&aio1, NULL, NULL));
+ NUTS_PASS(nng_aio_alloc(&aio2, NULL, NULL));
+ nng_aio_set_timeout(aio1, 5000);
+ nng_aio_set_timeout(aio2, 5000);
+
+ // Allocate the listener first. We use a wild-card port.
+ NUTS_PASS(nng_stream_listener_alloc(&l, "tls+tcp://127.0.0.1:0"));
+ NUTS_PASS(nng_tls_config_alloc(&c1, NNG_TLS_MODE_SERVER));
+ // Replace the identity .. first write one value, then we change it
+ NUTS_PASS(
+ nng_tls_config_psk(c1, "identity2", key + 4, sizeof(key) - 4));
+ NUTS_PASS(nng_tls_config_psk(c1, identity, key + 4, sizeof(key) - 4));
+ NUTS_PASS(nng_tls_config_psk(c1, identity, key, sizeof(key)));
+ NUTS_PASS(nng_stream_listener_set_ptr(l, NNG_OPT_TLS_CONFIG, c1));
+ NUTS_PASS(nng_stream_listener_listen(l));
+ NUTS_PASS(
+ nng_stream_listener_get_int(l, NNG_OPT_TCP_BOUND_PORT, &port));
+ NUTS_TRUE(port > 0);
+ NUTS_TRUE(port < 65536);
+
+ snprintf(addr, sizeof(addr), "tls+tcp://127.0.0.1:%d", port);
+ NUTS_PASS(nng_stream_dialer_alloc(&d, addr));
+ NUTS_PASS(nng_tls_config_alloc(&c2, NNG_TLS_MODE_CLIENT));
+ NUTS_PASS(nng_tls_config_psk(c2, identity, key, sizeof(key)));
+ NUTS_PASS(nng_tls_config_server_name(c2, "localhost"));
+
+ NUTS_PASS(nng_stream_dialer_set_ptr(d, NNG_OPT_TLS_CONFIG, c2));
+
+ nng_stream_listener_accept(l, aio1);
+ nng_stream_dialer_dial(d, aio2);
+
+ nng_aio_wait(aio1);
+ nng_aio_wait(aio2);
+
+ NUTS_PASS(nng_aio_result(aio1));
+ NUTS_PASS(nng_aio_result(aio2));
+
+ NUTS_TRUE((s1 = nng_aio_get_output(aio1, 0)) != NULL);
+ NUTS_TRUE((s2 = nng_aio_get_output(aio2, 0)) != NULL);
+
+ t1 = nuts_stream_send_start(s1, buf1, size);
+ t2 = nuts_stream_recv_start(s2, buf2, size);
+
+ NUTS_PASS(nuts_stream_wait(t1));
+ NUTS_PASS(nuts_stream_wait(t2));
+ NUTS_TRUE(memcmp(buf1, buf2, size) == 0);
+
+ nng_free(buf1, size);
+ nng_free(buf2, size);
+ nng_stream_free(s1);
+ nng_stream_free(s2);
+ nng_stream_dialer_free(d);
+ nng_stream_listener_free(l);
+ nng_tls_config_free(c1);
+ nng_tls_config_free(c2);
+ nng_aio_free(aio1);
+ nng_aio_free(aio2);
+}
+
+void
+test_tls_psk_bad_identity(void)
+{
+ nng_stream_listener *l;
+ nng_stream_dialer *d;
+ nng_aio *aio1, *aio2;
+ nng_stream *s1;
+ nng_stream *s2;
+ nng_tls_config *c1;
+ nng_tls_config *c2;
+ char addr[32];
+ uint8_t *buf1;
+ uint8_t *buf2;
+ size_t size = 10000;
+ void *t1;
+ void *t2;
+ int port;
+ uint8_t key[32];
+
+ NUTS_ENABLE_LOG(NNG_LOG_INFO);
+ // allocate messages
+ NUTS_ASSERT((buf1 = nng_alloc(size)) != NULL);
+ NUTS_ASSERT((buf2 = nng_alloc(size)) != NULL);
+
+ for (size_t i = 0; i < sizeof(key); i++) {
+ key[i] = rand() & 0xff;
+ }
+ for (size_t i = 0; i < size; i++) {
+ buf1[i] = rand() & 0xff;
+ }
+
+ NUTS_PASS(nng_aio_alloc(&aio1, NULL, NULL));
+ NUTS_PASS(nng_aio_alloc(&aio2, NULL, NULL));
+ nng_aio_set_timeout(aio1, 5000);
+ nng_aio_set_timeout(aio2, 5000);
+
+ // Allocate the listener first. We use a wild-card port.
+ NUTS_PASS(nng_stream_listener_alloc(&l, "tls+tcp://127.0.0.1:0"));
+ NUTS_PASS(nng_tls_config_alloc(&c1, NNG_TLS_MODE_SERVER));
+ // Replace the identity .. first write one value, then we change it
+ NUTS_PASS(nng_tls_config_psk(c1, "identity1", key, sizeof(key)));
+ NUTS_PASS(nng_stream_listener_set_ptr(l, NNG_OPT_TLS_CONFIG, c1));
+ NUTS_PASS(nng_stream_listener_listen(l));
+ NUTS_PASS(
+ nng_stream_listener_get_int(l, NNG_OPT_TCP_BOUND_PORT, &port));
+ NUTS_TRUE(port > 0);
+ NUTS_TRUE(port < 65536);
+
+ snprintf(addr, sizeof(addr), "tls+tcp://127.0.0.1:%d", port);
+ NUTS_PASS(nng_stream_dialer_alloc(&d, addr));
+ NUTS_PASS(nng_tls_config_alloc(&c2, NNG_TLS_MODE_CLIENT));
+ NUTS_PASS(nng_tls_config_psk(c2, "identity2", key, sizeof(key)));
+ NUTS_PASS(nng_tls_config_server_name(c2, "localhost"));
+
+ NUTS_PASS(nng_stream_dialer_set_ptr(d, NNG_OPT_TLS_CONFIG, c2));
+
+ nng_stream_listener_accept(l, aio1);
+ nng_stream_dialer_dial(d, aio2);
+
+ nng_aio_wait(aio1);
+ nng_aio_wait(aio2);
+
+ NUTS_PASS(nng_aio_result(aio1));
+ NUTS_PASS(nng_aio_result(aio2));
+
+ NUTS_TRUE((s1 = nng_aio_get_output(aio1, 0)) != NULL);
+ NUTS_TRUE((s2 = nng_aio_get_output(aio2, 0)) != NULL);
+
+ t1 = nuts_stream_send_start(s1, buf1, size);
+ t2 = nuts_stream_recv_start(s2, buf2, size);
+
+ NUTS_FAIL(nuts_stream_wait(t1), NNG_ECRYPTO);
+ NUTS_FAIL(nuts_stream_wait(t2), NNG_ECRYPTO);
+
+ nng_free(buf1, size);
+ nng_free(buf2, size);
+ nng_stream_free(s1);
+ nng_stream_free(s2);
+ nng_stream_dialer_free(d);
+ nng_stream_listener_free(l);
+ nng_tls_config_free(c1);
+ nng_tls_config_free(c2);
+ nng_aio_free(aio1);
+ nng_aio_free(aio2);
+}
+
+void
+test_tls_psk_key_too_big(void)
+{
+ nng_tls_config *c1;
+ uint8_t key[5000];
+
+ NUTS_ENABLE_LOG(NNG_LOG_INFO);
+
+ // Allocate the listener first. We use a wild-card port.
+ NUTS_PASS(nng_tls_config_alloc(&c1, NNG_TLS_MODE_CLIENT));
+ NUTS_FAIL(
+ nng_tls_config_psk(c1, "identity", key, sizeof(key)), NNG_ECRYPTO);
+ nng_tls_config_free(c1);
+}
+
+void
+test_tls_psk_config_busy(void)
+{
+ nng_tls_config *c1;
+ uint8_t key[32];
+ nng_stream_listener *l;
+ nng_aio *aio;
+
+ nng_aio_alloc(&aio, NULL, NULL);
+
+ NUTS_ENABLE_LOG(NNG_LOG_INFO);
+
+ NUTS_PASS(nng_stream_listener_alloc(&l, "tls+tcp://127.0.0.1:0"));
+ NUTS_PASS(nng_tls_config_alloc(&c1, NNG_TLS_MODE_SERVER));
+ NUTS_PASS(nng_tls_config_psk(c1, "identity", key, sizeof(key)));
+ NUTS_PASS(nng_stream_listener_set_ptr(l, NNG_OPT_TLS_CONFIG, c1));
+ nng_stream_listener_accept(l, aio);
+ nng_msleep(100);
+ NUTS_FAIL(
+ nng_tls_config_psk(c1, "identity2", key, sizeof(key)), NNG_EBUSY);
+
+ nng_stream_listener_free(l);
+ nng_aio_free(aio);
+ nng_tls_config_free(c1);
+}
+
TEST_LIST = {
{ "tls config version", test_tls_config_version },
{ "tls conn refused", test_tls_conn_refused },
{ "tls large message", test_tls_large_message },
{ "tls garbled cert", test_tls_garbled_cert },
+ { "tls psk", test_tls_psk },
+ { "tls psk server identities", test_tls_psk_server_identities },
+ { "tls psk bad identity", test_tls_psk_bad_identity },
+ { "tls psk key too big", test_tls_psk_key_too_big },
+ { "tls psk key config busy", test_tls_psk_config_busy },
{ NULL, NULL },
};
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2026-01-18 09:25:52 +0000