net: sockets: tls: Add new options for certificate verification #90068

Status: Open. Wants to merge 5 commits into base: main.

Conversation

@rlubos (Collaborator) commented May 16, 2025

Add new TLS socket options:

  • TLS_CERT_VERIFY_RESULT to retrieve certificate verification result,
  • TLS_CERT_VERIFY_CALLBACK to register a certificate verification callback.

Plus associated tests.

Resolves #52541
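The security point behind both options is that with TLS_PEER_VERIFY_OPTIONAL the handshake completes even when the peer certificate fails verification, so an application that does not read TLS_CERT_VERIFY_RESULT (or install TLS_CERT_VERIFY_CALLBACK) afterwards will happily talk to an unverified peer. The following is an added, host-compilable C model of that behaviour, written for this page; it is not Zephyr code and not part of this PR. The option numbers, the callback signature, the result type (a bitmask here) and the rule that an installed callback's verdict replaces the TLS_PEER_VERIFY policy are assumptions; the struct field names cb and ctx are taken from the snippet reviewed later in the thread, and the flag values mirror mbedTLS's MBEDTLS_X509_BADCERT_* constants.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Peer verification modes; values mirror Zephyr's TLS_PEER_VERIFY_* (0, 1, 2). */
enum { PEER_VERIFY_NONE = 0, PEER_VERIFY_OPTIONAL = 1, PEER_VERIFY_REQUIRED = 2 };

/* Verification-result bits, same values as mbedTLS's MBEDTLS_X509_BADCERT_*. */
#define BADCERT_EXPIRED     0x01u
#define BADCERT_CN_MISMATCH 0x04u
#define BADCERT_NOT_TRUSTED 0x08u

/* Assumed callback shape (the PR text does not show it): the library's verify
 * flags plus the application context; return 0 to accept, negative to reject. */
typedef int (*cert_verify_cb_t)(uint32_t verify_flags, void *ctx);

/* Field names taken from the reviewed snippet in the thread. */
struct tls_cert_verify_cb {
	cert_verify_cb_t cb;
	void *ctx;
};

struct model_sock {
	int peer_verify;                     /* TLS_PEER_VERIFY value */
	struct tls_cert_verify_cb verify_cb; /* TLS_CERT_VERIFY_CALLBACK value */
	uint32_t verify_result;              /* what TLS_CERT_VERIFY_RESULT reports */
	int connected;
};

void model_sock_init(struct model_sock *s, int peer_verify)
{
	memset(s, 0, sizeof(*s));
	s->peer_verify = peer_verify;
}

/* setsockopt(TLS_CERT_VERIFY_CALLBACK) with the rule the review settled on:
 * a NULL callback is rejected outright, whatever ctx holds. */
int model_set_verify_callback(struct model_sock *s, const struct tls_cert_verify_cb *v)
{
	if (v == NULL || v->cb == NULL) {
		return -EINVAL;
	}
	s->verify_cb = *v;
	return 0;
}

/* Handshake model. 'flags' stands in for the TLS library's verification
 * outcome for the peer chain (0 means fully verified). The result is stored
 * before any policy decision so it stays readable after a failure; in
 * OPTIONAL and NONE mode the handshake completes regardless of the flags. */
int model_handshake(struct model_sock *s, uint32_t flags)
{
	s->verify_result = flags;
	s->connected = 0;

	if (s->verify_cb.cb != NULL) {
		/* Assumption: an installed callback's verdict replaces the policy. */
		int rc = s->verify_cb.cb(flags, s->verify_cb.ctx);
		if (rc != 0) {
			return rc;
		}
	} else if (flags != 0u && s->peer_verify == PEER_VERIFY_REQUIRED) {
		return -ECONNABORTED;
	}
	s->connected = 1;
	return 0;
}

/* Application pattern for TLS_CERT_VERIFY_RESULT: connect in OPTIONAL mode so
 * the failure reason is observable, then refuse to use the socket unless the
 * result is clean apart from bits the caller explicitly tolerates. */
int app_connect_checked(struct model_sock *s, uint32_t flags, uint32_t tolerated)
{
	int rc = model_handshake(s, flags);
	if (rc != 0) {
		return rc;
	}
	if ((s->verify_result & ~tolerated) != 0u) {
		s->connected = 0; /* a real client would close() the socket here */
		return -EACCES;
	}
	return 0;
}

/* Example callback for a device without a trusted clock: tolerate an expired
 * certificate, reject any other defect, and count rejections in ctx. */
int no_rtc_verify_cb(uint32_t flags, void *ctx)
{
	unsigned int *rejected = ctx;

	if ((flags & ~BADCERT_EXPIRED) != 0u) {
		if (rejected != NULL) {
			(*rejected)++;
		}
		return -EACCES;
	}
	return 0;
}

int main(void)
{
	struct model_sock s;
	unsigned int rejected = 0;
	struct tls_cert_verify_cb cb = { no_rtc_verify_cb, &rejected };
	int rc;

	model_sock_init(&s, PEER_VERIFY_OPTIONAL);
	rc = app_connect_checked(&s, BADCERT_NOT_TRUSTED, 0);
	printf("untrusted chain: rc=%d result=0x%02x connected=%d\n", rc, s.verify_result, s.connected);

	model_sock_init(&s, PEER_VERIFY_OPTIONAL);
	model_set_verify_callback(&s, &cb);
	rc = model_handshake(&s, BADCERT_CN_MISMATCH);
	printf("CN mismatch via callback: rc=%d rejected=%u\n", rc, rejected);
	return 0;
}
```

The pattern to copy is app_connect_checked: the handshake result is read and acted on before any application data is sent, and tolerated defects are an explicit allow-list rather than "anything non-fatal".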

rlubos added 3 commits May 16, 2025 14:42
Add new TLS socket option, TLS_CERT_VERIFY_RESULT, to obtain the
certificate verification result from the most recent handshake on the
socket. The option works if TLS_PEER_VERIFY_OPTIONAL was set on the
socket, in which case the handshake may succeed even if certificate
verification fails.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Extract server configuration, client configuration and test shutdown
into separate functions so that they're reusable in other tests.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add test case to verify if TLS_CERT_VERIFY_RESULT socket option works as
expected.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
}

cert_verify = (struct tls_cert_verify_cb *)optval;
if (cert_verify->cb == NULL && cert_verify->ctx != NULL) {
Member wrote:

Why do we care what the ctx is here, or was the idea that user can unset the callback by setting both values null (this is not documented if that is the idea)?

Collaborator Author (rlubos) wrote:


I just thought that setting context w/o the callback does not make sense. Perhaps we should just forbid the NULL cb pointer?

Member wrote:


Is user able to unregister the callback somehow, or does it make sense in the first place?

Collaborator Author (rlubos) wrote:


I'm not sure actually if mbed TLS allows that, perhaps better to check for NULL pointer after all. I'll send a fix.

rlubos added 2 commits May 19, 2025 10:07
Add new TLS socket option, TLS_CERT_VERIFY_CALLBACK, which allows
registering an application callback to verify certificates obtained during
the TLS handshake.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add test case to verify if TLS_CERT_VERIFY_CALLBACK socket option works
as expected.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
@rlubos force-pushed the net/tls-cert-verify-opts branch from fc6641d to 8b7775c on May 19, 2025 08:07

Successfully merging this pull request may close these issues.

net: sockets: tls: Check whether peer was verified after handshake (with TLS_PEER_VERIFY_OPTIONAL)
3 participants