mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
esp-tls: Add support to add CN from config and validate PEM buffers
This commit is contained in:
parent
907471ce41
commit
d1c6bbf42e
@ -240,18 +240,26 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* Hostname set here should match CN in server certificate */
|
||||
char *use_host = strndup(hostname, hostlen);
|
||||
if (!use_host) {
|
||||
goto exit;
|
||||
}
|
||||
if (!cfg->skip_common_name) {
|
||||
char *use_host = NULL;
|
||||
if (cfg->common_name != NULL) {
|
||||
use_host = strndup(cfg->common_name, strlen(cfg->common_name));
|
||||
} else {
|
||||
use_host = strndup(hostname, hostlen);
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
|
||||
if (use_host == NULL) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* Hostname set here should match CN in server certificate */
|
||||
if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
|
||||
free(use_host);
|
||||
goto exit;
|
||||
}
|
||||
free(use_host);
|
||||
goto exit;
|
||||
}
|
||||
free(use_host);
|
||||
|
||||
if ((ret = mbedtls_ssl_config_defaults(&tls->conf,
|
||||
MBEDTLS_SSL_IS_CLIENT,
|
||||
|
@ -56,17 +56,20 @@ typedef struct esp_tls_cfg {
|
||||
- where the first '2' is the length of the protocol and
|
||||
- the subsequent 'h2' is the protocol name */
|
||||
|
||||
const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer */
|
||||
const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer.
|
||||
This buffer should be NULL terminated */
|
||||
|
||||
unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate
|
||||
pointed to by cacert_pem_buf */
|
||||
|
||||
const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer */
|
||||
const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer
|
||||
This buffer should be NULL terminated */
|
||||
|
||||
unsigned int clientcert_pem_bytes; /*!< Size of client certificate pointed to by
|
||||
clientcert_pem_buf */
|
||||
|
||||
const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer */
|
||||
const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer
|
||||
This buffer should be NULL terminated */
|
||||
|
||||
unsigned int clientkey_pem_bytes; /*!< Size of client key pointed to by
|
||||
clientkey_pem_buf */
|
||||
@ -84,6 +87,11 @@ typedef struct esp_tls_cfg {
|
||||
|
||||
bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which
|
||||
this bool is set. */
|
||||
|
||||
const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
|
||||
If NULL, server certificate CN must match hostname. */
|
||||
|
||||
bool skip_common_name; /*!< Skip any validation of server certificate CN field */
|
||||
} esp_tls_cfg_t;
|
||||
|
||||
/**
|
||||
|
Loading…
x
Reference in New Issue
Block a user