altcp_tls_mbedtls: Support Server Name Indication

jetm · jetm · commit 10954dca72d2 · 2025-04-08T15:57:15.000-06:00
SNI, or Server Name Indication, is an addition to the TLS encryption
protocol that enables a client device to specify the domain name it is
trying to reach in the first step of the TLS handshake, preventing
common name mismatch errors and not reaching to HTTPS server that
enforce this condition.

Signed-off-by: Javier Tia &lt;javier.tia@linaro.org&gt;
diff --git a/src/apps/altcp_tls/altcp_tls_mbedtls.c b/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -109,6 +109,7 @@ struct altcp_tls_config {
   u8_t pkey_count;
   u8_t pkey_max;
   mbedtls_x509_crt *ca;
+  char host[256];
 #if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
   /** Inter-connection cache for fast connection startup */
   struct mbedtls_ssl_cache_context cache;
@@ -644,6 +645,7 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_
   /* tell mbedtls about our I/O functions */
   mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);
 
+  mbedtls_ssl_set_hostname(&state->ssl_context, config->host);
   altcp_mbedtls_setup_callbacks(conn, inner_conn);
   conn->inner_conn = inner_conn;
   conn->fns = &altcp_mbedtls_functions;
@@ -953,7 +955,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_
 }
 
 static struct altcp_tls_config *
-altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth)
+altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth, char *host)
 {
   int ret;
   struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL);
@@ -975,13 +977,15 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way
 
     mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL);
   }
+  strlcpy(conf->host, host, sizeof(conf->host));
+
   return conf;
 }
 
 struct altcp_tls_config *
-altcp_tls_create_config_client(const u8_t *ca, size_t ca_len)
+altcp_tls_create_config_client(const u8_t *ca, size_t ca_len, char *host)
 {
-  return altcp_tls_create_config_client_common(ca, ca_len, 0);
+  return altcp_tls_create_config_client_common(ca, ca_len, 0, host);
 }
 
 struct altcp_tls_config *
@@ -997,7 +1001,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_
     return NULL;
   }
 
-  conf = altcp_tls_create_config_client_common(ca, ca_len, 1);
+  conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL);
   if (conf == NULL) {
     return NULL;
   }
diff --git a/src/include/lwip/altcp_tls.h b/src/include/lwip/altcp_tls.h
@@ -92,7 +92,7 @@ struct altcp_tls_config *altcp_tls_create_config_server_privkey_cert(const u8_t
 /** @ingroup altcp_tls
  * Create an ALTCP_TLS client configuration handle
  */
-struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len);
+struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len, char *host);
 
 /** @ingroup altcp_tls
  * Create an ALTCP_TLS client configuration handle with two-way server/client authentication

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,7 @@ struct altcp_tls_config {`
`109`	`109`	`u8_t pkey_count;`
`110`	`110`	`u8_t pkey_max;`
`111`	`111`	`mbedtls_x509_crt *ca;`
	`112`	`+ char host[256];`
`112`	`113`	`#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE`
`113`	`114`	`/** Inter-connection cache for fast connection startup */`
`114`	`115`	`struct mbedtls_ssl_cache_context cache;`
`@@ -644,6 +645,7 @@ altcp_mbedtls_setup(void conf, struct altcp_pcb conn, struct altcp_pcb *inner_`
`644`	`645`	`/* tell mbedtls about our I/O functions */`
`645`	`646`	`mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);`
`646`	`647`
	`648`	`+ mbedtls_ssl_set_hostname(&state->ssl_context, config->host);`
`647`	`649`	`altcp_mbedtls_setup_callbacks(conn, inner_conn);`
`648`	`650`	`conn->inner_conn = inner_conn;`
`649`	`651`	`conn->fns = &altcp_mbedtls_functions;`
`@@ -953,7 +955,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_`
`953`	`955`	`}`
`954`	`956`
`955`	`957`	`static struct altcp_tls_config *`
`956`		`-altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth)`
	`958`	`+altcp_tls_create_config_client_common(const u8_t ca, size_t ca_len, int is_2wayauth, char host)`
`957`	`959`	`{`
`958`	`960`	`int ret;`
`959`	`961`	`struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL);`
`@@ -975,13 +977,15 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way`
`975`	`977`
`976`	`978`	`mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL);`
`977`	`979`	`}`
	`980`	`+ strlcpy(conf->host, host, sizeof(conf->host));`
	`981`	`+`
`978`	`982`	`return conf;`
`979`	`983`	`}`
`980`	`984`
`981`	`985`	`struct altcp_tls_config *`
`982`		`-altcp_tls_create_config_client(const u8_t *ca, size_t ca_len)`
	`986`	`+altcp_tls_create_config_client(const u8_t ca, size_t ca_len, char host)`
`983`	`987`	`{`
`984`		`- return altcp_tls_create_config_client_common(ca, ca_len, 0);`
	`988`	`+ return altcp_tls_create_config_client_common(ca, ca_len, 0, host);`
`985`	`989`	`}`
`986`	`990`
`987`	`991`	`struct altcp_tls_config *`
`@@ -997,7 +1001,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_`
`997`	`1001`	`return NULL;`
`998`	`1002`	`}`
`999`	`1003`
`1000`		`- conf = altcp_tls_create_config_client_common(ca, ca_len, 1);`
	`1004`	`+ conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL);`
`1001`	`1005`	`if (conf == NULL) {`
`1002`	`1006`	`return NULL;`
`1003`	`1007`	`}`