SNI support (#592)
Server Name Indication (SNI) support for WiFiClientSecure. Fixes https://github.com/espressif/arduino-esp32/issues/571 and https://github.com/espressif/arduino-esp32/issues/550
This commit is contained in:
parent
04044e2245
commit
ad179548e4
@ -97,7 +97,12 @@ int WiFiClientSecure::connect(const char *host, uint16_t port)
|
|||||||
|
|
||||||
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
||||||
{
|
{
|
||||||
int ret = start_ssl_client(sslclient, ip, port, _CA_cert, _cert, _private_key);
|
return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
|
||||||
|
}
|
||||||
|
|
||||||
|
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
||||||
|
{
|
||||||
|
int ret = start_ssl_client(sslclient, host, port, _CA_cert, _cert, _private_key);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
log_e("lwip_connect_r: %d", errno);
|
log_e("lwip_connect_r: %d", errno);
|
||||||
stop();
|
stop();
|
||||||
@ -107,18 +112,6 @@ int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert,
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
|
||||||
{
|
|
||||||
struct hostent *server;
|
|
||||||
server = gethostbyname(host);
|
|
||||||
if (server == NULL) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
IPAddress srv((const uint8_t *)(server->h_addr));
|
|
||||||
return connect(srv, port, _CA_cert, _cert, _private_key);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
size_t WiFiClientSecure::write(uint8_t data)
|
size_t WiFiClientSecure::write(uint8_t data)
|
||||||
{
|
{
|
||||||
return write(&data, 1);
|
return write(&data, 1);
|
||||||
|
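Review bot: The IPAddress overload now forwards `ip.toString().c_str()` as the host, so the dotted-quad string becomes the TLS host name that start_ssl_client hands to mbedtls_ssl_set_hostname, i.e. it is sent as SNI and used for the certificate name check. RFC 6066 does not permit IP literals in the SNI host_name, and as far as I recall mbed TLS matches the expected name against dNSName/CN entries rather than IP SANs, so a connection by IP address with a CA certificate configured will fail verification unless the certificate's CN happens to equal the literal; without a CA certificate the name is only sent, not checked. I would document that on the forwarding line: `// NOTE: the IP literal is passed as the TLS host name (SNI + name check); with a CA cert set the certificate must name it` and, if connect-by-IP with verification is a supported use, keep a path that connects to the address without setting the host name. The second hunk removes the old name-resolving overload entirely, so there is no remaining way to connect by address and verify against a DNS name.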
@ -37,7 +37,7 @@ void ssl_init(sslclient_context *ssl_client)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
|
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
|
||||||
{
|
{
|
||||||
char buf[512];
|
char buf[512];
|
||||||
int ret, flags, len, timeout;
|
int ret, flags, len, timeout;
|
||||||
@ -53,10 +53,17 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
|
|||||||
return ssl_client->socket;
|
return ssl_client->socket;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct hostent *server;
|
||||||
|
server = gethostbyname(host);
|
||||||
|
if (server == NULL) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
IPAddress srv((const uint8_t *)(server->h_addr));
|
||||||
|
|
||||||
struct sockaddr_in serv_addr;
|
struct sockaddr_in serv_addr;
|
||||||
memset(&serv_addr, 0, sizeof(serv_addr));
|
memset(&serv_addr, 0, sizeof(serv_addr));
|
||||||
serv_addr.sin_family = AF_INET;
|
serv_addr.sin_family = AF_INET;
|
||||||
serv_addr.sin_addr.s_addr = ipAddress;
|
serv_addr.sin_addr.s_addr = srv;
|
||||||
serv_addr.sin_port = htons(port);
|
serv_addr.sin_port = htons(port);
|
||||||
|
|
||||||
if (lwip_connect(ssl_client->socket, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == 0) {
|
if (lwip_connect(ssl_client->socket, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == 0) {
|
||||||
@ -90,9 +97,9 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
|
|||||||
return handle_error(ret);
|
return handle_error(ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
|
// MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
|
||||||
MBEDTLS_SSL_VERIFY_NONE if not.
|
// MBEDTLS_SSL_VERIFY_NONE if not.
|
||||||
*/
|
|
||||||
if (rootCABuff != NULL) {
|
if (rootCABuff != NULL) {
|
||||||
log_i("Loading CA cert");
|
log_i("Loading CA cert");
|
||||||
mbedtls_x509_crt_init(&ssl_client->ca_cert);
|
mbedtls_x509_crt_init(&ssl_client->ca_cert);
|
||||||
@ -129,18 +136,12 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
|
|||||||
mbedtls_ssl_conf_own_cert(&ssl_client->ssl_conf, &ssl_client->client_cert, &ssl_client->client_key);
|
mbedtls_ssl_conf_own_cert(&ssl_client->ssl_conf, &ssl_client->client_cert, &ssl_client->client_key);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
log_i("Setting hostname for TLS session...");
|
||||||
// TODO: implement match CN verification
|
|
||||||
|
|
||||||
log_i("Setting hostname for TLS session...");
|
// Hostname set here should match CN in server certificate
|
||||||
|
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0){
|
||||||
// Hostname set here should match CN in server certificate
|
return handle_error(ret);
|
||||||
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0)
|
}
|
||||||
{
|
|
||||||
return handle_error(ret);
|
|
||||||
|
|
||||||
}
|
|
||||||
*/
|
|
||||||
|
|
||||||
mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);
|
mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);
|
||||||
|
|
||||||
@ -221,7 +222,7 @@ int data_to_read(sslclient_context *ssl_client)
|
|||||||
ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
|
ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
|
||||||
//log_e("RET: %i",ret); //for low level debug
|
//log_e("RET: %i",ret); //for low level debug
|
||||||
res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
|
res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
|
||||||
//log_e("RES: %i",res);
|
//log_e("RES: %i",res); //for low level debug
|
||||||
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0) {
|
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0) {
|
||||||
return handle_error(ret);
|
return handle_error(ret);
|
||||||
}
|
}
|
||||||
|
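Review bot: In the gethostbyname() hunk of start_ssl_client, the new failure path does `return 0;`, but the caller in WiFiClientSecure::connect (first hunk) only treats `ret < 0` as an error, so an unresolvable host name is reported as a successful connect (the caller returns 1) and stop() is never called; judging by the `return ssl_client->socket;` error path just above, the socket has already been created at that point and is left open. Return a negative value there, e.g. `log_e("gethostbyname failed for %s", host); return -1;`, or better, resolve the name before creating the socket so nothing has to be released on that path. The old WiFiClientSecure::connect(const char*) returned 0 from the same check, which was correct at the Arduino Client API level but is not at this layer. Note also that the now-enabled mbedtls_ssl_set_hostname() only results in a name check when a CA certificate is set (per the VERIFY_REQUIRED/VERIFY_NONE comment in the earlier hunk); it may be worth stating in the `// Hostname set here should match CN in server certificate` comment that without rootCABuff the name is sent as SNI but not verified. start_ssl_client's body begins and continues outside these hunks.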
@ -27,7 +27,7 @@ typedef struct sslclient_context {
|
|||||||
|
|
||||||
|
|
||||||
void ssl_init(sslclient_context *ssl_client);
|
void ssl_init(sslclient_context *ssl_client);
|
||||||
int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
||||||
void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
||||||
int data_to_read(sslclient_context *ssl_client);
|
int data_to_read(sslclient_context *ssl_client);
|
||||||
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);
|
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);
|
||||||
|