Crash_Override/OVMS3-idf
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

esp-tls: Add support to add CN from config and validate PEM buffers

Browse source
This commit is contained in:
Jitin George 2019-05-03 19:32:54 +05:30
parent 907471ce41
commit d1c6bbf42e
2 changed files with 28 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
components/esp-tls/esp_tls.c
View file

@ -240,18 +240,26 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
goto exit; goto exit;
} }
/* Hostname set here should match CN in server certificate */ if (!cfg->skip_common_name) {
char *use_host = strndup(hostname, hostlen); char *use_host = NULL;
if (!use_host) { if (cfg->common_name != NULL) {
goto exit; use_host = strndup(cfg->common_name, strlen(cfg->common_name));
} } else {
use_host = strndup(hostname, hostlen);
}
if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) { if (use_host == NULL) {
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret); goto exit;
}
/* Hostname set here should match CN in server certificate */
if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
free(use_host);
goto exit;
}
free(use_host); free(use_host);
goto exit;
} }
free(use_host);
if ((ret = mbedtls_ssl_config_defaults(&tls->conf, if ((ret = mbedtls_ssl_config_defaults(&tls->conf,
MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_IS_CLIENT,

14
components/esp-tls/esp_tls.h
View file

@ -56,17 +56,20 @@ typedef struct esp_tls_cfg {
- where the first '2' is the length of the protocol and - where the first '2' is the length of the protocol and
- the subsequent 'h2' is the protocol name */ - the subsequent 'h2' is the protocol name */
const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer */ const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer.
This buffer should be NULL terminated */
unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate
pointed to by cacert_pem_buf */ pointed to by cacert_pem_buf */
const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer */ const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer
This buffer should be NULL terminated */
unsigned int clientcert_pem_bytes; /*!< Size of client certificate pointed to by unsigned int clientcert_pem_bytes; /*!< Size of client certificate pointed to by
clientcert_pem_buf */ clientcert_pem_buf */
const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer */ const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer
This buffer should be NULL terminated */
unsigned int clientkey_pem_bytes; /*!< Size of client key pointed to by unsigned int clientkey_pem_bytes; /*!< Size of client key pointed to by
clientkey_pem_buf */ clientkey_pem_buf */
@ -84,6 +87,11 @@ typedef struct esp_tls_cfg {
bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which
this bool is set. */ this bool is set. */
const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
If NULL, server certificate CN must match hostname. */
bool skip_common_name; /*!< Skip any validation of server certificate CN field */
} esp_tls_cfg_t; } esp_tls_cfg_t;
/** /**