From 9bbb1340c37a4a3b3a8477b058077a38d77230f7 Mon Sep 17 00:00:00 2001
From: Garrett D'Amore
Date: Sat, 23 Nov 2024 14:29:07 -0800
Subject: tls: add a mutual authentication test

Also, make it clearer that TLS keys and certificates can only be set once on a configuration. (mbedTLS makes this confusing!) This mutual test is only fully validated on mbed, because wolfSSL seems to not properly validate this in many configurations.
---
 src/supplemental/tls/tls_common.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'src/supplemental')

diff --git a/src/supplemental/tls/tls_common.c b/src/supplemental/tls/tls_common.c
index aa34b533..c3c4d3c3 100644
--- a/src/supplemental/tls/tls_common.c
+++ b/src/supplemental/tls/tls_common.c
@@ -47,6 +47,7 @@ struct nng_tls_config {
 nni_mtx lock;
 int ref;
 bool busy;
+bool key_is_set;
 size_t size;
 // ... engine config data follows
 
@@ -1140,10 +1141,16 @@ nng_tls_config_own_cert(
 {
 int rv;
 nni_mtx_lock(&cfg->lock);
-if (cfg->busy) {
+// NB: we cannot set the key if we already have done so.
+// This is because some lower layers create a "stack" of keys
+// and certificates, and this will almost certainly lead to confusion.
+if (cfg->busy || cfg->key_is_set) {
 rv = NNG_EBUSY;
 } else {
 rv = cfg->ops.own_cert((void *) (cfg + 1), cert, key, pass);
+if (rv == 0) {
+cfg->key_is_set = true;
+}
 }
 nni_mtx_unlock(&cfg->lock);
 return (rv);
-- 
cgit v1.2.3-70-g09d2
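Review bot: The new `cfg->key_is_set` guard in nng_tls_config_own_cert depends on the field being false on a freshly created config, but nothing in this commit initializes it; if the config allocator zero-fills the struct that holds, otherwise an indeterminate bool could make the very first call fail with NNG_EBUSY. The guard also reuses NNG_EBUSY for the "already configured" case, so a caller cannot distinguish a config that is in use from one whose key was set twice; `rv = cfg->busy ? NNG_EBUSY : NNG_ESTATE;` would keep the two conditions apart, or at minimum the once-only contract should be stated on the public declaration, e.g. `// May be called at most once per config; later calls fail with NNG_EBUSY.`. Since the flag is only set on `rv == 0`, a failed attempt leaves the config retryable, which is worth a short comment next to the assignment so the asymmetry is not "fixed" later. The function's signature and closing brace lie outside the hunk.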