From bc80f0bd1dd62f2311dfce258bd8903b2751fb47 Mon Sep 17 00:00:00 2001
From: Marcelo Alcocer
Date: Wed, 20 Nov 2024 22:25:53 +0100
Subject: [PATCH] Add Server Name Identification to ALTCP TLS

This is a known missing feature;
* [lwip-tcpip/lwip#47][gh-lwip-pr]
* [lwip-tcpip/lwip@c53c9d020][gh-lwip-commit]
Added here again for compatibility with [pico-sdk][gh-pico] v1.5.x. See discussion in [marceloalcocer/picohttps#1][gh-issue] for more details.

[gh-lwip-pr]: https://github.com/lwip-tcpip/lwip/pull/47
[gh-lwip-commit] https://github.com/lwip-tcpip/lwip/commit/c53c9d02036be24a461d2998053a52991e65b78e
[gh-pico]: https://github.com/raspberrypi/pico-sdk
[gh-issue]: https://github.com/marceloalcocer/picohttps/issues/1#issuecomment-2486827870
---
 src/apps/altcp_tls/altcp_tls_mbedtls.c | 11 +++++++----
 src/include/lwip/altcp_tls.h           |  2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/apps/altcp_tls/altcp_tls_mbedtls.c b/src/apps/altcp_tls/altcp_tls_mbedtls.c
index e787ae286..861b23e0f 100644
--- a/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -107,6 +107,7 @@ struct altcp_tls_config {
   u8_t pkey_count;
   u8_t pkey_max;
   mbedtls_x509_crt *ca;
+  char host[256];
 #if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
   /** Inter-connection cache for fast connection startup */
   struct mbedtls_ssl_cache_context cache;
@@ -633,6 +634,7 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_
   /* tell mbedtls about our I/O functions */
   mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);
+  mbedtls_ssl_set_hostname(&state->ssl_context, config->host);
   altcp_mbedtls_setup_callbacks(conn, inner_conn);
   conn->inner_conn = inner_conn;
   conn->fns = &altcp_mbedtls_functions;
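Review bot: The new `host` field in `struct altcp_tls_config` is undocumented, and nothing in this hunk says whether a config that is not a client config (or one created through a path that never fills it) holds a terminated string; the allocation of the struct is outside the hunk, so I cannot tell whether it is zeroed. A comment stating the contract would help the next reader: `/** Expected server name for client configs, NUL-terminated; used for SNI and for the certificate name check. Empty when unset. */`. The magic `256` would also read better as a named constant, since the same limit must be enforced wherever the field is filled.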
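Review bot: The return value of `mbedtls_ssl_set_hostname` is discarded on the added line, so when it fails (it can reject bad input or fail to allocate) the handshake proceeds with no hostname set, i.e. with the server-certificate name check silently skipped, which is exactly what this patch exists to add. Check it and fail the setup: `if (mbedtls_ssl_set_hostname(&state->ssl_context, config->host) != 0) { return ERR_MEM; }`, releasing whatever the earlier lines of the function allocated on the way out. `altcp_mbedtls_setup` starts and ends outside this hunk, so the correct error path and whether server-side configs also flow through this line (in which case an empty `host` should map to `NULL` rather than `""`) need to be confirmed there.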
@@ -942,7 +944,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_
 }
 
 static struct altcp_tls_config *
-altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth)
+altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth, char* host)
 {
   int ret;
   struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL);
@@ -964,13 +966,14 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way
     mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL);
   }
 
+  memcpy(conf->host, host, sizeof(conf->host));
   return conf;
 }
 
 struct altcp_tls_config *
-altcp_tls_create_config_client(const u8_t *ca, size_t ca_len)
+altcp_tls_create_config_client(const u8_t *ca, size_t ca_len, char* host)
 {
-  return altcp_tls_create_config_client_common(ca, ca_len, 0);
+  return altcp_tls_create_config_client_common(ca, ca_len, 0, host);
 }
 
 struct altcp_tls_config *
@@ -986,7 +989,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_
     return NULL;
   }
 
-  conf = altcp_tls_create_config_client_common(ca, ca_len, 1);
+  conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL);
   if (conf == NULL) {
     return NULL;
   }
diff --git a/src/include/lwip/altcp_tls.h b/src/include/lwip/altcp_tls.h
index fcb784d89..4aa994016 100644
--- a/src/include/lwip/altcp_tls.h
+++ b/src/include/lwip/altcp_tls.h
@@ -92,7 +92,7 @@ struct altcp_tls_config *altcp_tls_create_config_server_privkey_cert(const u8_t
 /** @ingroup altcp_tls
  * Create an ALTCP_TLS client configuration handle
  */
-struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len);
+struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len, char* host);
 
 /** @ingroup altcp_tls
  * Create an ALTCP_TLS client configuration handle with two-way server/client authentication
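Review bot: The new parameter is declared `char* host` although the function only reads from it, so callers holding a `const char *` (a string literal, a config value) must cast to call it; declare it `const char *host`, which also matches the file's own `const u8_t *ca` style and the pointer-declarator placement used elsewhere in the signature. The same applies to `altcp_tls_create_config_client` in the second hunk and to its prototype in the `altcp_tls.h` hunk, which should change together since the header is the public contract.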
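Review bot: The added `memcpy(conf->host, host, sizeof(conf->host))` copies 256 bytes from `host` regardless of the string's actual length, so for an ordinary short hostname it reads far past the end of the caller's buffer, and with the `NULL` that the two-way-auth hunk passes it dereferences a null pointer; both are undefined behaviour, and an over-long or unterminated input would also leave `conf->host` unterminated for the later `mbedtls_ssl_set_hostname` call. Copy by measured length, reject names that do not fit with their terminator rather than truncating them (a truncated name would be verified against the wrong identity), and handle `NULL` explicitly. The release on the error path below mirrors the CA-parse failure handling earlier in this function, which lies outside the hunk and should be confirmed.
```c
  /* … unchanged: CA chain parsing and mbedtls_ssl_conf_ca_chain … */
  /* Store the expected server name; refuse names that would not fit with their NUL. */
  conf->host[0] = '\0';
  if (host != NULL) {
    size_t host_len = strlen(host);
    if (host_len >= sizeof(conf->host)) {
      altcp_tls_free_config(conf);
      return NULL;
    }
    memcpy(conf->host, host, host_len + 1);
  }
  return conf;
```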
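Review bot: Passing `NULL` as `host` here means the two-way-authentication client is the one client path that gets no server name, so even once the copy in the previous hunk tolerates `NULL`, its connections are set up with an empty `conf->host`, and an empty (rather than absent) hostname handed to `mbedtls_ssl_set_hostname` is likely to make the certificate name check fail rather than be skipped; mutual-auth clients still need to verify which server they are talking to. Give `altcp_tls_create_config_client_2wayauth` the same `host` parameter and pass it through: `conf = altcp_tls_create_config_client_common(ca, ca_len, 1, host);`. The function's signature is outside this hunk and would need the matching header change.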
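Review bot: The new `host` parameter on the public `altcp_tls_create_config_client` prototype is undocumented, and since it changes what the client verifies, callers need to know the contract. Extend the Doxygen block above it with something like `@param host Expected server name (NUL-terminated, at most 255 bytes); sent as SNI and used to verify the server certificate's CN/SAN. Must not be NULL.`, and note that this is a source-incompatible change for existing callers of the two-argument form.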