net: sockets: tls: Validate credentials when registering on a socket #97630
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zephyrbot
added
area: Tests
rlubos
force-pushed
the
net/prevalidate-tls-credentials-on-setsockopt
branch
from
7c61a20 to
9e90311
Compare
jukkar
reviewed
Oct 15, 2025
| tag_found = true; | ||
|
|
||
| switch (cred->type) { | ||
| case TLS_CREDENTIAL_CA_CERTIFICATE: |
There was a problem hiding this comment.
I think we should add here __fallthrough;
There was a problem hiding this comment.
__fallthrough is needed when cases have a body, for combined cases it's not needed.
Both cases are fine here:
switch (some_var) {
case 1:
/* some logic */
__fallthrough;
case 2:
/* ... */
}
switch (some_var) {
case 1:
case 2:
/* ... */
}
So far the TLS/DTLS credentials would only be validated upon first use, i. e. when TLS/DTLS handshake was initiated. This could lead to some confusion, especially when trying to understand the reason of the handshake failure, as it wasn't clear whether the handshake failed due to peer sending bad certificate or due to local configuration issues. This commit attempts to improve this, by pre-validating the credentials as soon as they are configured on a socket with TLS_SEC_TAG_LIST socket option. That way, in case bad credentials are configured on a socket, or more commonly, mbed TLS is misconfigured to handle certain credential type, it will be caught early during socket configuration, instead of during the handshake. Signed-off-by: Robert Lubos <[email protected]>
Add test cases verifying that invalid credentials are rejected by the socket when configured on TLS/DTLS socket with TLS_SEC_TAG_LIST socket option. Signed-off-by: Robert Lubos <[email protected]>
rlubos
force-pushed
the
net/prevalidate-tls-credentials-on-setsockopt
branch
from
9e90311 to
9fba17b
Compare
|
pdgendt
approved these changes
Oct 16, 2025
jukkar
approved these changes
Oct 20, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
So far the TLS/DTLS credentials would only be validated upon first use,
i. e. when TLS/DTLS handshake was initiated. This could lead to some
confusion, especially when trying to understand the reason of the
handshake failure, as it wasn't clear whether the handshake failed due
to peer sending bad certificate or due to local configuration issues.
This commit attempts to improve this, by pre-validating the credentials
as soon as they are configured on a socket with TLS_SEC_TAG_LIST socket
option. That way, in case bad credentials are configured on a socket, or
more commonly, mbed TLS is misconfigured to handle certain credential
type, it will be caught early during socket configuration, instead of
during the handshake.
Resolves #97541