
net: sockets: tls: Add new options for certificate verification #90068


Status: Open. Wants to merge 5 commits into main.

Conversation

@rlubos (Collaborator) commented May 16, 2025

Add new TLS socket options:

  • TLS_CERT_VERIFY_RESULT to retrieve certificate verification result,
  • TLS_CERT_VERIFY_CALLBACK to register a certificate verification callback.

Plus associated tests.

Resolves #52541
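An added example (not code from this PR or from Zephyr) of why TLS_CERT_VERIFY_RESULT matters once TLS_PEER_VERIFY_OPTIONAL is set: the handshake may complete against a certificate that failed verification, so the application has to read the result and decide before using the socket. The policy and decoding helpers are plain host-testable C; the Zephyr client path assumes the option name from this PR, assumes the result is a uint32_t bitmask in the mbedTLS MBEDTLS_X509_BADCERT_* layout (0 meaning verified), and uses the existing zsock_* socket API.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __ZEPHYR__
#include <zephyr/net/socket.h>
#endif
/* Assumption: TLS_CERT_VERIFY_RESULT yields a uint32_t bitmask of failed checks
 * in the mbedTLS MBEDTLS_X509_BADCERT_* layout, where 0 means "verified". */
enum { VRF_EXPIRED = 0x01, VRF_REVOKED = 0x02, VRF_CN_MISMATCH = 0x04, VRF_NOT_TRUSTED = 0x08 };
/* Under TLS_PEER_VERIFY_OPTIONAL the handshake may succeed on a bad certificate, so
 * "connected" is not "verified": trust the peer (return 1) only if the handshake
 * succeeded, the result could actually be read, and no check failed. */
int peer_verified(int connect_rc, int getsockopt_rc, uint32_t result)
{
	return connect_rc == 0 && getsockopt_rc == 0 && result == 0;
}
/* Render the failed checks for logging; unknown bits are reported as "other". */
int describe_verify_result(uint32_t result, char *buf, size_t len)
{
	static const struct { uint32_t bit; const char *name; } checks[] = {
		{ VRF_EXPIRED, "expired" }, { VRF_REVOKED, "revoked" },
		{ VRF_CN_MISMATCH, "cn-mismatch" }, { VRF_NOT_TRUSTED, "not-trusted" },
		{ ~(uint32_t)(VRF_EXPIRED | VRF_REVOKED | VRF_CN_MISMATCH | VRF_NOT_TRUSTED), "other" } };
	int n = 0;
	if (result == 0) return snprintf(buf, len, "ok");
	for (size_t i = 0; i < sizeof(checks) / sizeof(checks[0]); i++)
		if (result & checks[i].bit)
			n += snprintf(buf + n, (size_t)n < len ? len - (size_t)n : 0,
				      "%s%s", n ? "," : "", checks[i].name);
	return n;
}
#ifdef __ZEPHYR__
/* Zephyr-only (not built on a host): connect with optional verification, then
 * close the socket unless the verification result of that handshake is clean. */
int tls_connect_checked(int sock, const struct sockaddr *addr, socklen_t addrlen)
{
	int mode = TLS_PEER_VERIFY_OPTIONAL, rc, grc;
	uint32_t result = 0;
	socklen_t optlen = sizeof(result);
	char why[80];
	if (zsock_setsockopt(sock, SOL_TLS, TLS_PEER_VERIFY, &mode, sizeof(mode)) < 0) return -errno;
	rc = zsock_connect(sock, addr, addrlen);
	grc = zsock_getsockopt(sock, SOL_TLS, TLS_CERT_VERIFY_RESULT, &result, &optlen);
	if (peer_verified(rc, grc, result)) return 0;
	describe_verify_result(result, why, sizeof(why));
	printk("peer not verified (%s), closing\n", why);
	zsock_close(sock);
	return -EACCES;
}
#endif
```

Note that a failed getsockopt() is treated the same as a failed verification: if the result cannot be read, the peer is not trusted.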

rlubos added 3 commits May 16, 2025 14:42
Add new TLS socket option, TLS_CERT_VERIFY_RESULT, to obtain the
certificate verification result from the most recent handshake on the
socket. The option works if TLS_PEER_VERIFY_OPTIONAL was set on the
socket, in which case the handshake may succeed even if certificate
verification fails.

Signed-off-by: Robert Lubos <[email protected]>
Extract server configuration, client configuration and test shutdown
into separate functions so that they're reusable in other tests.

Signed-off-by: Robert Lubos <[email protected]>
Add test case to verify if TLS_CERT_VERIFY_RESULT socket option works as
expected.

Signed-off-by: Robert Lubos <[email protected]>
rlubos added 2 commits May 16, 2025 15:49
Add new TLS socket option, TLS_CERT_VERIFY_CALLBACK, which allows
registering an application callback to verify certificates obtained
during the TLS handshake.

Signed-off-by: Robert Lubos <[email protected]>
Add test case to verify if TLS_CERT_VERIFY_CALLBACK socket option works
as expected.

Signed-off-by: Robert Lubos <[email protected]>
@rlubos rlubos force-pushed the net/tls-cert-verify-opts branch from fa5c83c to fc6641d on May 16, 2025 13:49
}

cert_verify = (struct tls_cert_verify_cb *)optval;
if (cert_verify->cb == NULL && cert_verify->ctx != NULL) {

Why do we care what the ctx is here, or was the idea that user can unset the callback by setting both values null (this is not documented if that is the idea)?

Successfully merging this pull request may close these issues.

net: sockets: tls: Check whether peer was verified after handshake (with TLS_PEER_VERIFY_OPTIONAL)