Add Server Name Identification to ALTCP TLS

marceloalcocer · marceloalcocer · commit bc80f0bd1dd6 · 2024-11-20T22:38:43.000+01:00
This is a known missing feature; * [lwip-tcpip#47][gh-lwip-pr] * [lwip-tcpip/lwip@c53c9d020][gh-lwip-commit] Added here again for compatibility with [pico-sdk][gh-pico] v1.5.x. See discussion in [marceloalcocer/picohttps#1][gh-issue] for more details. [gh-lwip-pr]: lwip-tcpip#47 [gh-lwip-commit] lwip-tcpip@c53c9d0 [gh-pico]: https://github.com/raspberrypi/pico-sdk [gh-issue]: marceloalcocer/picohttps#1 (comment)
diff --git a/src/apps/altcp_tls/altcp_tls_mbedtls.c b/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -107,6 +107,7 @@ struct altcp_tls_config {
   u8_t pkey_count;
   u8_t pkey_max;
   mbedtls_x509_crt *ca;
+  char host[256];
 #if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
   /** Inter-connection cache for fast connection startup */
   struct mbedtls_ssl_cache_context cache;
@@ -633,6 +634,7 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_
   /* tell mbedtls about our I/O functions */
   mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);
 
+  mbedtls_ssl_set_hostname(&state->ssl_context, config->host);
   altcp_mbedtls_setup_callbacks(conn, inner_conn);
   conn->inner_conn = inner_conn;
   conn->fns = &altcp_mbedtls_functions;
@@ -942,7 +944,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_
 }
 
 static struct altcp_tls_config *
-altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth)
+altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth, char* host)
 {
   int ret;
   struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL);
@@ -964,13 +966,14 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way
 
     mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL);
   }
+  memcpy(conf->host, host, sizeof(conf->host));
   return conf;
 }
 
 struct altcp_tls_config *
-altcp_tls_create_config_client(const u8_t *ca, size_t ca_len)
+altcp_tls_create_config_client(const u8_t *ca, size_t ca_len, char* host)
 {
-  return altcp_tls_create_config_client_common(ca, ca_len, 0);
+  return altcp_tls_create_config_client_common(ca, ca_len, 0, host);
 }
 
 struct altcp_tls_config *
@@ -986,7 +989,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_
     return NULL;
   }
 
-  conf = altcp_tls_create_config_client_common(ca, ca_len, 1);
+  conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL);
   if (conf == NULL) {
     return NULL;
   }
diff --git a/src/include/lwip/altcp_tls.h b/src/include/lwip/altcp_tls.h
@@ -92,7 +92,7 @@ struct altcp_tls_config *altcp_tls_create_config_server_privkey_cert(const u8_t
 /** @ingroup altcp_tls
  * Create an ALTCP_TLS client configuration handle
  */
-struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len);
+struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len, char* host);
 
 /** @ingroup altcp_tls
  * Create an ALTCP_TLS client configuration handle with two-way server/client authentication

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ struct altcp_tls_config {`
`107`	`107`	`u8_t pkey_count;`
`108`	`108`	`u8_t pkey_max;`
`109`	`109`	`mbedtls_x509_crt *ca;`
	`110`	`+ char host[256];`
`110`	`111`	`#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE`
`111`	`112`	`/** Inter-connection cache for fast connection startup */`
`112`	`113`	`struct mbedtls_ssl_cache_context cache;`
`@@ -633,6 +634,7 @@ altcp_mbedtls_setup(void conf, struct altcp_pcb conn, struct altcp_pcb *inner_`
`633`	`634`	`/* tell mbedtls about our I/O functions */`
`634`	`635`	`mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);`
`635`	`636`
	`637`	`+ mbedtls_ssl_set_hostname(&state->ssl_context, config->host);`
`636`	`638`	`altcp_mbedtls_setup_callbacks(conn, inner_conn);`
`637`	`639`	`conn->inner_conn = inner_conn;`
`638`	`640`	`conn->fns = &altcp_mbedtls_functions;`
`@@ -942,7 +944,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_`
`942`	`944`	`}`
`943`	`945`
`944`	`946`	`static struct altcp_tls_config *`
`945`		`-altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth)`
	`947`	`+altcp_tls_create_config_client_common(const u8_t ca, size_t ca_len, int is_2wayauth, char host)`
`946`	`948`	`{`
`947`	`949`	`int ret;`
`948`	`950`	`struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL);`
`@@ -964,13 +966,14 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way`
`964`	`966`
`965`	`967`	`mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL);`
`966`	`968`	`}`
	`969`	`+ memcpy(conf->host, host, sizeof(conf->host));`
`967`	`970`	`return conf;`
`968`	`971`	`}`
`969`	`972`
`970`	`973`	`struct altcp_tls_config *`
`971`		`-altcp_tls_create_config_client(const u8_t *ca, size_t ca_len)`
	`974`	`+altcp_tls_create_config_client(const u8_t ca, size_t ca_len, char host)`
`972`	`975`	`{`
`973`		`- return altcp_tls_create_config_client_common(ca, ca_len, 0);`
	`976`	`+ return altcp_tls_create_config_client_common(ca, ca_len, 0, host);`
`974`	`977`	`}`
`975`	`978`
`976`	`979`	`struct altcp_tls_config *`
`@@ -986,7 +989,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_`
`986`	`989`	`return NULL;`
`987`	`990`	`}`
`988`	`991`
`989`		`- conf = altcp_tls_create_config_client_common(ca, ca_len, 1);`
	`992`	`+ conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL);`
`990`	`993`	`if (conf == NULL) {`
`991`	`994`	`return NULL;`
`992`	`995`	`}`