goto exit;
}
- /* Hostname set here should match CN in server certificate */
- char *use_host = strndup(hostname, hostlen);
- if (!use_host) {
- goto exit;
- }
+ if (!cfg->skip_common_name) {
+ char *use_host = NULL;
+ if (cfg->common_name != NULL) {
+ use_host = strndup(cfg->common_name, strlen(cfg->common_name));
+ } else {
+ use_host = strndup(hostname, hostlen);
+ }
- if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
- ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
+ if (use_host == NULL) {
+ goto exit;
+ }
+
+ /* Hostname set here should match CN in server certificate */
+ if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
+ ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
+ free(use_host);
+ goto exit;
+ }
free(use_host);
- goto exit;
}
- free(use_host);
if ((ret = mbedtls_ssl_config_defaults(&tls->conf,
MBEDTLS_SSL_IS_CLIENT,
- where the first '2' is the length of the protocol and
- the subsequent 'h2' is the protocol name */
- const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer */
+ const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer.
+ This buffer should be NULL terminated */
unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate
pointed to by cacert_pem_buf */
- const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer */
+ const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer
+ This buffer should be NULL terminated */
unsigned int clientcert_pem_bytes; /*!< Size of client certificate pointed to by
clientcert_pem_buf */
- const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer */
+ const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer
+ This buffer should be NULL terminated */
unsigned int clientkey_pem_bytes; /*!< Size of client key pointed to by
clientkey_pem_buf */
bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which
this bool is set. */
+
+ const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
+ If NULL, server certificate CN must match hostname. */
+
+ bool skip_common_name; /*!< Skip any validation of server certificate CN field */
} esp_tls_cfg_t;
/**
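Review bot: The `skip_common_name` doc comment at the new field should state the security cost of the flag: when it is set, the .c side in this commit never calls `mbedtls_ssl_set_hostname` at all, so the peer's certificate is never bound to any name and (as far as the TLS stack's verification goes) any certificate chaining to a trusted CA would pass, which lets an active MITM holding a valid but unrelated certificate go undetected. Suggested wording: `/*!< Skip any validation of server certificate CN field. WARNING: disables hostname binding entirely - any cert signed by a trusted CA is accepted; intended for testing only. */`. The `common_name` comment should also say the string must be NUL-terminated, since it is measured with `strlen()` before being passed to the TLS layer, and should hedge "CN" as "CN (or SAN, depending on the TLS backend's matching rules)" rather than promising CN-only matching. For the three PEM-buffer comments, it is worth stating whether the matching `*_pem_bytes` count is expected to include the terminating NUL, because "should be NULL terminated" alone leaves that ambiguous and an off-by-one there is the usual failure mode.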