Skip to content

Commit ad17954

Browse files
copercinicopercini
authored
SNI support (espressif#592)
Server Name Indication (SNI) support for WiFiClientSecure Fix espressif#571 and espressif#550
1 parent 04044e2 commit ad17954

File tree

3 files changed

+25
-31
lines changed

3 files changed

+25
-31
lines changed

libraries/WiFiClientSecure/src/WiFiClientSecure.cpp

Lines changed: 6 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -97,7 +97,12 @@ int WiFiClientSecure::connect(const char *host, uint16_t port)
9797

9898
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
9999
{
100-
int ret = start_ssl_client(sslclient, ip, port, _CA_cert, _cert, _private_key);
100+
return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
101+
}
102+
103+
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
104+
{
105+
int ret = start_ssl_client(sslclient, host, port, _CA_cert, _cert, _private_key);
101106
if (ret < 0) {
102107
log_e("lwip_connect_r: %d", errno);
103108
stop();
@@ -107,18 +112,6 @@ int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert,
107112
return 1;
108113
}
109114

110-
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
111-
{
112-
struct hostent *server;
113-
server = gethostbyname(host);
114-
if (server == NULL) {
115-
return 0;
116-
}
117-
IPAddress srv((const uint8_t *)(server->h_addr));
118-
return connect(srv, port, _CA_cert, _cert, _private_key);
119-
}
120-
121-
122115
size_t WiFiClientSecure::write(uint8_t data)
123116
{
124117
return write(&data, 1);

libraries/WiFiClientSecure/src/ssl_client.cpp

Lines changed: 18 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ void ssl_init(sslclient_context *ssl_client)
3737
}
3838

3939

40-
int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
40+
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
4141
{
4242
char buf[512];
4343
int ret, flags, len, timeout;
@@ -53,10 +53,17 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
5353
return ssl_client->socket;
5454
}
5555

56+
struct hostent *server;
57+
server = gethostbyname(host);
58+
if (server == NULL) {
59+
return 0;
60+
}
61+
IPAddress srv((const uint8_t *)(server->h_addr));
62+
5663
struct sockaddr_in serv_addr;
5764
memset(&serv_addr, 0, sizeof(serv_addr));
5865
serv_addr.sin_family = AF_INET;
59-
serv_addr.sin_addr.s_addr = ipAddress;
66+
serv_addr.sin_addr.s_addr = srv;
6067
serv_addr.sin_port = htons(port);
6168

6269
if (lwip_connect(ssl_client->socket, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == 0) {
@@ -90,9 +97,9 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
9097
return handle_error(ret);
9198
}
9299

93-
/* MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
94-
MBEDTLS_SSL_VERIFY_NONE if not.
95-
*/
100+
// MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
101+
// MBEDTLS_SSL_VERIFY_NONE if not.
102+
96103
if (rootCABuff != NULL) {
97104
log_i("Loading CA cert");
98105
mbedtls_x509_crt_init(&ssl_client->ca_cert);
@@ -129,18 +136,12 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
129136
mbedtls_ssl_conf_own_cert(&ssl_client->ssl_conf, &ssl_client->client_cert, &ssl_client->client_key);
130137
}
131138

132-
/*
133-
// TODO: implement match CN verification
139+
log_i("Setting hostname for TLS session...");
134140

135-
log_i("Setting hostname for TLS session...");
136-
137-
// Hostname set here should match CN in server certificate
138-
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0)
139-
{
140-
return handle_error(ret);
141-
142-
}
143-
*/
141+
// Hostname set here should match CN in server certificate
142+
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0){
143+
return handle_error(ret);
144+
}
144145

145146
mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);
146147

@@ -221,7 +222,7 @@ int data_to_read(sslclient_context *ssl_client)
221222
ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
222223
//log_e("RET: %i",ret); //for low level debug
223224
res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
224-
//log_e("RES: %i",res);
225+
//log_e("RES: %i",res); //for low level debug
225226
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0) {
226227
return handle_error(ret);
227228
}

libraries/WiFiClientSecure/src/ssl_client.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ typedef struct sslclient_context {
2727

2828

2929
void ssl_init(sslclient_context *ssl_client);
30-
int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
30+
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
3131
void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
3232
int data_to_read(sslclient_context *ssl_client);
3333
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);

0 commit comments

Comments
 (0)