authorGarrett D'Amore <garrett@damore.org>2024-11-23 14:29:07 -0800
committerGarrett D'Amore <garrett@damore.org>2024-11-23 14:45:46 -0800
commit9bbb1340c37a4a3b3a8477b058077a38d77230f7 (patch)
tree36fbe2e7475b701bd335530f2b20bb03bf241049 /src/supplemental/tls
parentb4ef0f3b1f365beb76a7c1bc1b6ae455cb58dfbc (diff)
tls: add a mutual authentication test
Also, make it clearer that TLS keys and certificates can only be set once on a configuration. (mbedTLS makes this confusing!) This mutual test is only fully validated on mbed, because wolfSSL seems to not properly validate this in many configurations.
Diffstat (limited to 'src/supplemental/tls')
-rw-r--r--src/supplemental/tls/tls_common.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/supplemental/tls/tls_common.c b/src/supplemental/tls/tls_common.c
index aa34b533..c3c4d3c3 100644
--- a/src/supplemental/tls/tls_common.c
+++ b/src/supplemental/tls/tls_common.c
@@ -47,6 +47,7 @@ struct nng_tls_config {
nni_mtx lock;
int ref;
bool busy;
+ bool key_is_set;
size_t size;
// ... engine config data follows
@@ -1140,10 +1141,16 @@ nng_tls_config_own_cert(
{
int rv;
nni_mtx_lock(&cfg->lock);
- if (cfg->busy) {
+ // NB: we cannot set the key if we already have done so.
+ // This is because some lower layers create a "stack" of keys
+ // and certificates, and this will almost certainly lead to confusion.
+ if (cfg->busy || cfg->key_is_set) {
rv = NNG_EBUSY;
} else {
rv = cfg->ops.own_cert((void *) (cfg + 1), cert, key, pass);
+ if (rv == 0) {
+ cfg->key_is_set = true;
+ }
}
nni_mtx_unlock(&cfg->lock);
return (rv);
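Review bot: The new `key_is_set` guard is only correct if the flag starts out false for every freshly allocated config, and nothing in this hunk or the struct hunk at `@@ -47,6 +47,7` shows where the config is allocated or zeroed; if the allocator does not zero the struct, the very first `nng_tls_config_own_cert` call would fail with NNG_EBUSY, so please confirm the allocation path clears it (or set it explicitly there). The new field in the struct hunk also lacks a comment saying what it guards; I would write `bool key_is_set; // own_cert applied once; further calls return NNG_EBUSY` so the next reader does not mistake it for a "key present" indicator. Since the flag is only raised on `rv == 0`, a failed `cfg->ops.own_cert` call can be retried, which is reasonable, but whether the engine layer is left clean after a partial failure is not visible here and is worth a line in the NB comment. The function's signature and closing brace lie outside the hunk.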