From d1c6bbf42e52de8fc3862a7ea3c41ce756c78a43 Mon Sep 17 00:00:00 2001
From: Jitin George
Date: Fri, 3 May 2019 19:32:54 +0530
Subject: [PATCH] esp-tls: Add support to add CN from config and validate PEM buffers
---
 components/esp-tls/esp_tls.c | 26 +++++++++++++++++---------
 components/esp-tls/esp_tls.h | 14 +++++++++++---
 2 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c
index 49505b0c9..094292dd0 100644
--- a/components/esp-tls/esp_tls.c
+++ b/components/esp-tls/esp_tls.c
@@ -240,18 +240,26 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
 goto exit;
 }
 
- /* Hostname set here should match CN in server certificate */
- char *use_host = strndup(hostname, hostlen);
- if (!use_host) {
- goto exit;
- }
+ if (!cfg->skip_common_name) {
+ char *use_host = NULL;
+ if (cfg->common_name != NULL) {
+ use_host = strndup(cfg->common_name, strlen(cfg->common_name));
+ } else {
+ use_host = strndup(hostname, hostlen);
+ }
 
- if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
- ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
+ if (use_host == NULL) {
+ goto exit;
+ }
+
+ /* Hostname set here should match CN in server certificate */
+ if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
+ ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
+ free(use_host);
+ goto exit;
+ }
 free(use_host);
- goto exit;
 }
- free(use_host);
 
 if ((ret = mbedtls_ssl_config_defaults(&tls->conf,
 MBEDTLS_SSL_IS_CLIENT,
diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h
index df6bb365c..41faa5b0c 100644
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
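Review bot: When `cfg->skip_common_name` is set the new block never calls `mbedtls_ssl_set_hostname`, so as far as I can tell from mbedTLS's behaviour the server certificate is still checked against the CA store but no longer against the hostname, and any certificate issued by a trusted CA for a different name is accepted; nothing in the hunk makes that state visible at runtime. Consider making it observable where the branch is skipped, e.g. `} else { ESP_LOGW(TAG, "skip_common_name set: server certificate CN/SAN not verified against hostname"); }` after the `if (!cfg->skip_common_name)` block, so deployments running with the check disabled show up in logs. Two smaller points: `strndup(cfg->common_name, strlen(cfg->common_name))` is just `strdup(cfg->common_name)`, and the new `use_host == NULL` path jumps to exit silently while the neighbouring failure path logs, which makes an allocation failure indistinguishable from other early exits. The enclosing create_ssl_handle starts and ends outside the hunk, so I cannot see whether `cfg` is guaranteed non-NULL at this point.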
@@ -56,17 +56,20 @@ typedef struct esp_tls_cfg {
 - where the first '2' is the length of the protocol and
 - the subsequent 'h2' is the protocol name */
 
- const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer */
+ const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer.
+ This buffer should be NULL terminated */
 
 unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate pointed to by cacert_pem_buf */
 
- const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer */
+ const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer
+ This buffer should be NULL terminated */
 
 unsigned int clientcert_pem_bytes; /*!< Size of client certificate pointed to by clientcert_pem_buf */
 
- const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer */
+ const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer
+ This buffer should be NULL terminated */
 
 unsigned int clientkey_pem_bytes; /*!< Size of client key pointed to by clientkey_pem_buf */
@@ -84,6 +87,11 @@ typedef struct esp_tls_cfg {
 bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which this bool is set. */
 
+
+ const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
+ If NULL, server certificate CN must match hostname. */
+
+ bool skip_common_name; /*!< Skip any validation of server certificate CN field */
 } esp_tls_cfg_t;
 
 /**
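Review bot: The Doxygen text for `skip_common_name` in the second hunk says what the flag does but not what it costs: with the name check off, any certificate that chains to a trusted CA is accepted no matter which host it was issued for, so a caller reading only this comment cannot tell that the option removes the authentication of the peer's identity. Suggest `/*!< Skip any validation of server certificate CN field. This disables hostname verification, so any certificate signed by a trusted CA is accepted; intended for testing only. */`. In the first hunk the new "This buffer should be NULL terminated" lines leave the matching `*_pem_bytes` comments silent on whether the size counts the terminator, which as far as I know mbedTLS's PEM parser expects to be included; stating that explicitly next to the new wording would close the gap the commit title ("validate PEM buffers") points at.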