
Commit ad17954

authored
SNI support (espressif#592)
Server Name Indication (SNI) support for WiFiClientSecure. Fixes espressif#571 and espressif#550
1 parent 04044e2 commit ad17954


3 files changed

+25
-31
lines changed


‎libraries/WiFiClientSecure/src/WiFiClientSecure.cpp‎

Lines changed: 6 additions & 13 deletions
@@ -97,7 +97,12 @@ int WiFiClientSecure::connect(const char *host, uint16_t port)
9797

9898
intWiFiClientSecure::connect(IPAddress ip, uint16_t port, constchar *_CA_cert, constchar *_cert, constchar *_private_key)
9999
{
100-
int ret = start_ssl_client(sslclient, ip, port, _CA_cert, _cert, _private_key);
100+
returnconnect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
101+
}
102+
103+
intWiFiClientSecure::connect(constchar *host, uint16_t port, constchar *_CA_cert, constchar *_cert, constchar *_private_key)
104+
{
105+
int ret = start_ssl_client(sslclient, host, port, _CA_cert, _cert, _private_key);
101106
if (ret < 0){
102107
log_e("lwip_connect_r: %d", errno);
103108
stop();
@@ -107,18 +112,6 @@ int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert,
107112
return1;
108113
}
109114

110-
intWiFiClientSecure::connect(constchar *host, uint16_t port, constchar *_CA_cert, constchar *_cert, constchar *_private_key)
111-
{
112-
structhostent *server;
113-
server = gethostbyname(host);
114-
if (server == NULL){
115-
return0;
116-
}
117-
IPAddress srv((constuint8_t *)(server->h_addr));
118-
returnconnect(srv, port, _CA_cert, _cert, _private_key);
119-
}
120-
121-
122115
size_tWiFiClientSecure::write(uint8_t data)
123116
{
124117
returnwrite(&data, 1);
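Review bot: The IPAddress overload of connect() now forwards `ip.toString().c_str()` as the host, so the dotted-quad string is what start_ssl_client later passes to mbedtls_ssl_set_hostname; when a CA certificate is supplied, verification will then require the server certificate to match that literal IP rather than a DNS name, which most certificates do not, so connect-by-IP with a CA is likely to fail the handshake where it previously succeeded. The temporary String is alive for the whole call expression, so the pointer itself is fine. I would at least document this on the overload, e.g. `// Note: routes through the hostname overload, so the IP string is also used as the TLS hostname (SNI/CN check); prefer connect(host, ...) when a CA cert is set.` The same concern applies to the ssl_client.cpp hunk that sets the hostname.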

‎libraries/WiFiClientSecure/src/ssl_client.cpp‎

Lines changed: 18 additions & 17 deletions
@@ -37,7 +37,7 @@ void ssl_init(sslclient_context *ssl_client)
3737
}
3838

3939

40-
intstart_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, constchar *rootCABuff, constchar *cli_cert, constchar *cli_key)
40+
intstart_ssl_client(sslclient_context *ssl_client, constchar *host, uint32_t port, constchar *rootCABuff, constchar *cli_cert, constchar *cli_key)
4141
{
4242
char buf[512];
4343
int ret, flags, len, timeout;
@@ -53,10 +53,17 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
5353
return ssl_client->socket;
5454
}
5555

56+
structhostent *server;
57+
server = gethostbyname(host);
58+
if (server == NULL){
59+
return0;
60+
}
61+
IPAddress srv((constuint8_t *)(server->h_addr));
62+
5663
structsockaddr_in serv_addr;
5764
memset(&serv_addr, 0, sizeof(serv_addr));
5865
serv_addr.sin_family = AF_INET;
59-
serv_addr.sin_addr.s_addr = ipAddress;
66+
serv_addr.sin_addr.s_addr = srv;
6067
serv_addr.sin_port = htons(port);
6168

6269
if (lwip_connect(ssl_client->socket, (structsockaddr *)&serv_addr, sizeof(serv_addr)) == 0){
@@ -90,9 +97,9 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
9097
returnhandle_error(ret);
9198
}
9299

93-
/* MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
94-
MBEDTLS_SSL_VERIFY_NONE if not.
95-
*/
100+
// MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
101+
// MBEDTLS_SSL_VERIFY_NONE if not.
102+
96103
if (rootCABuff != NULL){
97104
log_i("Loading CA cert");
98105
mbedtls_x509_crt_init(&ssl_client->ca_cert);
@@ -129,18 +136,12 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
129136
mbedtls_ssl_conf_own_cert(&ssl_client->ssl_conf, &ssl_client->client_cert, &ssl_client->client_key);
130137
}
131138

132-
/*
133-
// TODO: implement match CN verification
139+
log_i("Setting hostname for TLS session...");
134140

135-
log_i("Setting hostname for TLS session...");
136-
137-
// Hostname set here should match CN in server certificate
138-
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0)
139-
{
140-
return handle_error(ret);
141-
142-
}
143-
*/
141+
// Hostname set here should match CN in server certificate
142+
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0){
143+
returnhandle_error(ret);
144+
}
144145

145146
mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);
146147

@@ -221,7 +222,7 @@ int data_to_read(sslclient_context *ssl_client)
221222
ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
222223
//log_e("RET: %i",ret); //for low level debug
223224
res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
224-
//log_e("RES: %i",res);
225+
//log_e("RES: %i",res); //for low level debug
225226
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0){
226227
returnhandle_error(ret);
227228
}
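Review bot: In the first hunk of start_ssl_client, the moved gethostbyname() failure path still does `return 0;`, but the caller in WiFiClientSecure::connect only treats `ret < 0` as an error and otherwise returns 1, so a DNS failure is now reported as a successful connection (in the old connect(host) overload, returning 0 from connect itself meant failure). The path should return a negative value, e.g. `if (server == NULL){ log_e("gethostbyname failed for %s", host); return -1; }`, so the caller's existing `stop()` handling runs. The socket appears to have been created just above this point (the `return ssl_client->socket;` check), so the early return also leaves it open unless the caller's stop() closes it — worth confirming that `ret < 0` is the path that releases it. The function body continues outside these hunks.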

‎libraries/WiFiClientSecure/src/ssl_client.h‎

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ typedef struct sslclient_context{
2727

2828

2929
voidssl_init(sslclient_context*ssl_client);
30-
intstart_ssl_client(sslclient_context*ssl_client, uint32_tipAddress, uint32_tport, constchar*rootCABuff, constchar*cli_cert, constchar*cli_key);
30+
intstart_ssl_client(sslclient_context*ssl_client, constchar*host, uint32_tport, constchar*rootCABuff, constchar*cli_cert, constchar*cli_key);
3131
voidstop_ssl_socket(sslclient_context*ssl_client, constchar*rootCABuff, constchar*cli_cert, constchar*cli_key);
3232
intdata_to_read(sslclient_context*ssl_client);
3333
intsend_ssl_data(sslclient_context*ssl_client, constuint8_t*data, uint16_tlen);
