SNI support (#592)

Server Name Indication (SNI) support for WiFiClientSecure Fix https://github.com/espressif/arduino-esp32/issues/571 and https://github.com/espressif/arduino-esp32/issues/550

SNI support (#592)
Server Name Indication (SNI) support for WiFiClientSecure Fix https://github.com/espressif/arduino-esp32/issues/571 and https://github.com/espressif/arduino-esp32/issues/550
ad179548 · copercini · GitHub · 04044e22 · ad179548 · ad179548
3 changed file
--- a/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
+++ b/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
@@ -97,7 +97,12 @@ int WiFiClientSecure::connect(const char *host, uint16_t port)

 int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
 {
-    int ret = start_ssl_client(sslclient, ip, port, _CA_cert, _cert, _private_key);
+    return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
+}
+
+int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
+{
+    int ret = start_ssl_client(sslclient, host, port, _CA_cert, _cert, _private_key);
    if (ret < 0) {
        log_e("lwip_connect_r: %d", errno);
        stop();
@@ -107,18 +112,6 @@ int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert,
    return 1;
 }

-int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
-{
-    struct hostent *server;
-    server = gethostbyname(host);
-    if (server == NULL) {
-        return 0;
-    }
-    IPAddress srv((const uint8_t *)(server->h_addr));
-    return connect(srv, port, _CA_cert, _cert, _private_key);
-}
-
-
 size_t WiFiClientSecure::write(uint8_t data)
 {
    return write(&data, 1);

--- a/libraries/WiFiClientSecure/src/ssl_client.cpp
+++ b/libraries/WiFiClientSecure/src/ssl_client.cpp
@@ -37,7 +37,7 @@ void ssl_init(sslclient_context *ssl_client)
 }


-int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
 {
    char buf[512];
    int ret, flags, len, timeout;
@@ -53,10 +53,17 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
        return ssl_client->socket;
    }

+	struct hostent *server;
+    server = gethostbyname(host);
+    if (server == NULL) {
+        return 0;
+    }
+    IPAddress srv((const uint8_t *)(server->h_addr));
+	
    struct sockaddr_in serv_addr;
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
-    serv_addr.sin_addr.s_addr = ipAddress;
+    serv_addr.sin_addr.s_addr = srv;
    serv_addr.sin_port = htons(port);

    if (lwip_connect(ssl_client->socket, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == 0) {
@@ -90,9 +97,9 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
        return handle_error(ret);
    }

-    /* MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
-        MBEDTLS_SSL_VERIFY_NONE if not.
-        */
+    // MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
+    // MBEDTLS_SSL_VERIFY_NONE if not.
+
    if (rootCABuff != NULL) {
        log_i("Loading CA cert");
        mbedtls_x509_crt_init(&ssl_client->ca_cert);
@@ -129,18 +136,12 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
        mbedtls_ssl_conf_own_cert(&ssl_client->ssl_conf, &ssl_client->client_cert, &ssl_client->client_key);
    }

-    /*
-        // TODO: implement match CN verification
+    log_i("Setting hostname for TLS session...");

-        log_i("Setting hostname for TLS session...");
-
-                // Hostname set here should match CN in server certificate
-        if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0)
-        {
-            return handle_error(ret);
-
-        }
-    */
+    // Hostname set here should match CN in server certificate
+    if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0){
+        return handle_error(ret);
+	}

    mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);

@@ -221,7 +222,7 @@ int data_to_read(sslclient_context *ssl_client)
    ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
    //log_e("RET: %i",ret);   //for low level debug
    res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
-    //log_e("RES: %i",res);
+    //log_e("RES: %i",res);    //for low level debug
    if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0) {
        return handle_error(ret);
    }

--- a/libraries/WiFiClientSecure/src/ssl_client.h
+++ b/libraries/WiFiClientSecure/src/ssl_client.h
@@ -27,7 +27,7 @@ typedef struct sslclient_context {


 void ssl_init(sslclient_context *ssl_client);
-int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
 void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
 int data_to_read(sslclient_context *ssl_client);
 int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);