From ad179548e41b410b9040700a783ff4de350da7c9 Mon Sep 17 00:00:00 2001
From: copercini
Date: Wed, 23 Aug 2017 21:33:26 -0300
Subject: [PATCH] SNI support (#592)

Server Name Indication (SNI) support for WiFiClientSecure Fix https://github.com/espressif/arduino-esp32/issues/571 and https://github.com/espressif/arduino-esp32/issues/550
---
 .../WiFiClientSecure/src/WiFiClientSecure.cpp | 19 ++++------
 libraries/WiFiClientSecure/src/ssl_client.cpp | 35 ++++++++++---------
 libraries/WiFiClientSecure/src/ssl_client.h | 2 +-
 3 files changed, 25 insertions(+), 31 deletions(-)

diff --git a/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp b/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
index 02fa838b..f1716c69 100644
--- a/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
+++ b/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
@@ -97,7 +97,12 @@ int WiFiClientSecure::connect(const char *host, uint16_t port)
 
 int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
 {
-    int ret = start_ssl_client(sslclient, ip, port, _CA_cert, _cert, _private_key);
+    return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
+}
+
+int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
+{
+    int ret = start_ssl_client(sslclient, host, port, _CA_cert, _cert, _private_key);
     if (ret < 0) {
         log_e("lwip_connect_r: %d", errno);
         stop();
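Review bot: The new host overload treats only `ret < 0` as failure, but in this same patch start_ssl_client (ssl_client.cpp hunk @@ -53,10 +53,17) returns 0 when gethostbyname() fails, so an unresolvable name is reported to the caller as success (`return 1`, visible at the top of the next hunk) even though the code returned before lwip_connect and before any TLS setup ran. The removed host overload (hunk @@ -107,18 +112,6) used to return 0 to the caller directly, which is how this check got out of step. Prefer fixing it at the source by having start_ssl_client return a negative value for the resolution failure; hardening this side with `if (ret <= 0) {` would also work but makes 0 ambiguous with whatever start_ssl_client returns on success. The message `log_e("lwip_connect_r: %d", errno);` is also now misleading, since ret can come from name resolution or TLS setup rather than lwip_connect — `log_e("start_ssl_client: %d", ret);` would be more honest. The body of this function continues past the end of the hunk.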
@@ -107,18 +112,6 @@ int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert,
     return 1;
 }
 
-int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
-{
-    struct hostent *server;
-    server = gethostbyname(host);
-    if (server == NULL) {
-        return 0;
-    }
-    IPAddress srv((const uint8_t *)(server->h_addr));
-    return connect(srv, port, _CA_cert, _cert, _private_key);
-}
-
-
 size_t WiFiClientSecure::write(uint8_t data)
 {
     return write(&data, 1);
diff --git a/libraries/WiFiClientSecure/src/ssl_client.cpp b/libraries/WiFiClientSecure/src/ssl_client.cpp
index a94bfa56..124daaa2 100644
--- a/libraries/WiFiClientSecure/src/ssl_client.cpp
+++ b/libraries/WiFiClientSecure/src/ssl_client.cpp
@@ -37,7 +37,7 @@ void ssl_init(sslclient_context *ssl_client)
 }
 
 
-int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
 {
     char buf[512];
     int ret, flags, len, timeout;
@@ -53,10 +53,17 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
         return ssl_client->socket;
     }
 
+    struct hostent *server;
+    server = gethostbyname(host);
+    if (server == NULL) {
+        return 0;
+    }
+    IPAddress srv((const uint8_t *)(server->h_addr));
+
     struct sockaddr_in serv_addr;
     memset(&serv_addr, 0, sizeof(serv_addr));
     serv_addr.sin_family = AF_INET;
-    serv_addr.sin_addr.s_addr = ipAddress;
+    serv_addr.sin_addr.s_addr = srv;
     serv_addr.sin_port = htons(port);
 
     if (lwip_connect(ssl_client->socket, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == 0) {
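Review bot: The socket opened just above this hunk (the `return ssl_client->socket;` context line is the error path of that creation) is never closed when gethostbyname() returns NULL, so each failed resolution leaks one lwIP descriptor until the caller happens to call stop(); on a target with a small socket table, a flaky resolver will exhaust sockets for the whole device. Close the descriptor before returning, with the same call stop_ssl_socket uses for it, and return a negative value rather than `return 0;` so the caller in WiFiClientSecure.cpp can tell this apart from success. gethostbyname() also yields only the first address and, in lwIP, points into static storage, so a follow-up could move to gethostbyname_r() or getaddrinfo() — I have not checked which resolver options this lwIP build enables. A one-line comment such as `// Resolves host here so the same path serves both the name and IPAddress overloads` would help the next reader, since the resolution used to live in WiFiClientSecure.cpp. start_ssl_client continues outside the hunk.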
@@ -90,9 +97,9 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
         return handle_error(ret);
     }
 
-    /* MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
-       MBEDTLS_SSL_VERIFY_NONE if not.
-    */
+    // MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
+    // MBEDTLS_SSL_VERIFY_NONE if not.
+
     if (rootCABuff != NULL) {
         log_i("Loading CA cert");
         mbedtls_x509_crt_init(&ssl_client->ca_cert);
@@ -129,18 +136,12 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
         mbedtls_ssl_conf_own_cert(&ssl_client->ssl_conf, &ssl_client->client_cert, &ssl_client->client_key);
     }
 
-    /*
-    // TODO: implement match CN verification
+    log_i("Setting hostname for TLS session...");
 
-    log_i("Setting hostname for TLS session...");
-
-    // Hostname set here should match CN in server certificate
-    if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0)
-    {
-        return handle_error(ret);
-
-    }
-    */
+    // Hostname set here should match CN in server certificate
+    if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0){
+        return handle_error(ret);
+    }
 
     mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);
 
@@ -221,7 +222,7 @@ int data_to_read(sslclient_context *ssl_client)
     ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
     //log_e("RET: %i",ret); //for low level debug
     res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
-    //log_e("RES: %i",res);
+    //log_e("RES: %i",res); //for low level debug
     if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0) {
         return handle_error(ret);
     }
diff --git a/libraries/WiFiClientSecure/src/ssl_client.h b/libraries/WiFiClientSecure/src/ssl_client.h
index 18b13ce9..531db188 100644
--- a/libraries/WiFiClientSecure/src/ssl_client.h
+++ b/libraries/WiFiClientSecure/src/ssl_client.h
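Review bot: `mbedtls_ssl_set_hostname` is now given whatever string reached start_ssl_client, including the dotted-quad that the IPAddress overload in WiFiClientSecure.cpp (hunk @@ -97,7 +97,12) builds with `ip.toString()`; RFC 6066 does not permit literal IP addresses in the SNI host_name, and when rootCABuff is set mbedTLS compares that string against the certificate's name entries, so connecting by IP to a server with a normal certificate will most likely now fail verification — worth confirming against the mbedTLS version bundled here. Consider detecting an IP literal and skipping the name check in that case (accepting that this restores the pre-patch behaviour for IP connections), and documenting the expectation on start_ssl_client in ssl_client.h. The comment `// Hostname set here should match CN in server certificate` is also imprecise for mbedTLS 2.x, which matches subjectAltName dNSName entries first and falls back to the CN only when no SAN is present; `// Hostname must match a subjectAltName dNSName of the server certificate (or its CN when no SAN is present)` is more accurate. Enabling this previously commented-out check is the right call: with a CA configured but no hostname, any certificate chaining to that CA was accepted regardless of the name it was issued for. start_ssl_client continues outside the hunk.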
@@ -27,7 +27,7 @@ typedef struct sslclient_context {
 
 
 void ssl_init(sslclient_context *ssl_client);
-int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
 void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
 int data_to_read(sslclient_context *ssl_client);
 int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);