* [PATCH 2/3] tls: Add support for l_tls_set_server_name and SNI extension
@ 2023-01-03 22:02 Marcel Holtmann
0 siblings, 0 replies; only message in thread
From: Marcel Holtmann @ 2023-01-03 22:02 UTC (permalink / raw)
To: ell; +Cc: andrew.zaborowski
Add suport for Server Name Indication (SNI) extension and provide API
function to set the server name as part of the TLS connection.
---
ell/ell.sym | 1 +
ell/tls-extensions.c | 28 ++++++++++++++++++++++++++++
ell/tls-private.h | 1 +
ell/tls.c | 12 ++++++++++++
ell/tls.h | 2 ++
5 files changed, 44 insertions(+)
diff --git a/ell/ell.sym b/ell/ell.sym
index 4d8596e0b7ae..f8148f257eb1 100644
--- a/ell/ell.sym
+++ b/ell/ell.sym
@@ -514,6 +514,7 @@ global:
l_tls_start;
l_tls_close;
l_tls_reset;
+ l_tls_set_server_name;
l_tls_set_cacert;
l_tls_set_auth_data;
l_tls_set_version_range;
diff --git a/ell/tls-extensions.c b/ell/tls-extensions.c
index bc8fc3d487b9..75f47f6ba548 100644
--- a/ell/tls-extensions.c
+++ b/ell/tls-extensions.c
@@ -31,6 +31,27 @@
#include "cert.h"
#include "tls-private.h"
+static ssize_t tls_server_name_client_write(struct l_tls *tls,
+ uint8_t *buf, size_t len)
+{
+ size_t hlen;
+
+ if (!tls->server_name)
+ return -ENOMSG;
+
+ hlen = strlen(tls->server_name);
+
+ if (len < hlen + 5)
+ return -ENOMEM;
+
+ l_put_be16(hlen + 3, buf);
+ l_put_u8(0, buf + 2);
+ l_put_be16(hlen, buf + 3);
+ memcpy(buf + 5, tls->server_name, hlen);
+
+ return hlen + 5;
+}
+
/* Most extensions are not used when resuming a cached session */
#define SKIP_ON_RESUMPTION() \
do { \
@@ -975,6 +996,13 @@ static bool tls_renegotiation_info_absent(struct l_tls *tls)
}
const struct tls_hello_extension tls_extensions[] = {
+ {
+ "Server Name", "server_name", 0,
+ tls_server_name_client_write,
+ NULL,
+ NULL,
+ NULL, NULL, NULL,
+ },
{
"Supported Groups", "elliptic_curves", 10,
tls_elliptic_curves_client_write,
diff --git a/ell/tls-private.h b/ell/tls-private.h
index bfd20b10cf88..ac477885c5f7 100644
--- a/ell/tls-private.h
+++ b/ell/tls-private.h
@@ -217,6 +217,7 @@ struct l_tls {
char **subject_mask;
struct tls_cipher_suite **cipher_suite_pref_list;
+ char *server_name;
struct l_settings *session_settings;
char *session_prefix;
diff --git a/ell/tls.c b/ell/tls.c
index 330ad4841e25..9556efd932bc 100644
--- a/ell/tls.c
+++ b/ell/tls.c
@@ -3420,6 +3420,7 @@ LIB_EXPORT void l_tls_free(struct l_tls *tls)
if (tls->cipher_suite_pref_list != tls_cipher_suite_pref)
l_free(tls->cipher_suite_pref_list);
+ l_free(tls->server_name);
l_free(tls);
}
@@ -3656,6 +3657,17 @@ LIB_EXPORT void l_tls_reset(struct l_tls *tls)
tls->message_buf_len = 0;
}
+LIB_EXPORT bool l_tls_set_server_name(struct l_tls *tls, const char *name)
+{
+ if (!tls)
+ return false;
+
+ l_free(tls->server_name);
+ tls->server_name = l_strdup(name);
+
+ return true;
+}
+
LIB_EXPORT bool l_tls_set_cacert(struct l_tls *tls, struct l_queue *ca_certs)
{
if (tls->ca_certs) {
diff --git a/ell/tls.h b/ell/tls.h
index cca8792a3262..c931b5db0a54 100644
--- a/ell/tls.h
+++ b/ell/tls.h
@@ -103,6 +103,8 @@ void l_tls_write(struct l_tls *tls, const uint8_t *data, size_t len);
/* Submit TLS payload from underlying transport to be decrypted */
void l_tls_handle_rx(struct l_tls *tls, const uint8_t *data, size_t len);
+bool l_tls_set_server_name(struct l_tls *tls, const char *name);
+
/*
* If peer is to be authenticated, supply the CA certificates. On success
* the l_tls object takes ownership of the queue and the individual l_cert
--
2.39.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2023-01-03 22:02 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-03 22:02 [PATCH 2/3] tls: Add support for l_tls_set_server_name and SNI extension Marcel Holtmann
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.