[noup] Add wildcard identifier for suffix match #127
rado17 wants to merge 1 commit into zephyrproject-rtos:main from
Conversation
Prepend "*." to suffix_match before updating hostname check in mbedtls. This will help in identifying if a wildcard check is expected against the configured hostname.

Signed-off-by: Ravi Dondaputi <ravi.dondaputi@nordicsemi.no>
Pull request overview
Adjusts the MbedTLS-alt TLS handshake path to treat suffix_match as a wildcard hostname when calling mbedtls_ssl_set_hostname(), aiming to make wildcard expectations explicit during hostname checking.
Changes:
- Builds a temporary hostname string by prepending "*." to tls_conf->suffix_match.
- Uses the constructed string in mbedtls_ssl_set_hostname() and frees it afterward.
| } else if (conn->tls_conf->suffix_match != NULL) { | ||
| ret = mbedtls_ssl_set_hostname(&conn->ssl, conn->tls_conf->suffix_match); | ||
| /* Prepend wildcard to suffix match */ | ||
| size_t suffix_len = os_strlen(conn->tls_conf->suffix_match); | ||
| char *wildcard_hostname = os_malloc(suffix_len + 3); /* "*." + suffix + '\0' */ | ||
| if (wildcard_hostname == NULL) { | ||
| wpa_printf(MSG_ERROR, "Failed to allocate memory for wildcard hostname"); | ||
| return NULL; | ||
| } | ||
| os_memcpy(wildcard_hostname, "*.", 2); | ||
| os_memcpy(wildcard_hostname + 2, conn->tls_conf->suffix_match, suffix_len + 1); | ||
|
|
||
| ret = mbedtls_ssl_set_hostname(&conn->ssl, wildcard_hostname); | ||
| os_free(wildcard_hostname); |
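Review bot: the constructed `wildcard_hostname` is never length-checked before `ret = mbedtls_ssl_set_hostname(&conn->ssl, wildcard_hostname);`, and Mbed TLS rejects names longer than MBEDTLS_SSL_MAX_HOST_NAME_LEN (255 bytes), so a long or multi-entry `suffix_match` makes the call fail with a nonzero `ret` that nothing in this hunk inspects before `os_free(wildcard_hostname);`. Either check `ret` right after the call, or, as suggested above, stop deriving the Mbed TLS hostname from `suffix_match` altogether and let the verify callback enforce the suffix list. Freeing the buffer immediately is itself fine, since mbedtls_ssl_set_hostname() copies the string into the session; a one-line comment saying so would stop the next reader from assuming a use-after-free.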
mbedtls_ssl_set_hostname() is being called with a value constructed as "*." + suffix_match. This is not a valid SNI host name (wildcards are not permitted in the SNI "host_name"), and it is also unlikely to work for certificate name verification because the expected hostname should be a concrete DNS name (wildcard handling is typically applied to the certificate name, not the reference name). Additionally, suffix_match is defined as a semicolon-delimited list in tls.h, so prefixing the whole string with "*." will produce an invalid hostname when multiple suffixes are configured. Consider not using suffix_match to set the MbedTLS hostname (e.g., disable the built-in host check by not setting a hostname / setting it to NULL) and rely on tls_mbedtls_match_suffixes() for suffix validation, or introduce a separate config field for an actual SNI/hostname if needed.
This is a perfect catch. This API needs a complete string and doesn't take wildcards; we already have tls_mbedtls_verify_cb, a custom callback to do the verification based on suffixes, and need to ensure this is called.
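To make the distinction in the review concrete, here is an added example (written for this discussion, not hostap's tls_mbedtls_match_suffixes() or any code from the PR) of how a semicolon-delimited suffix_match list is meant to be checked: against each DNS name found in the server certificate, on a label boundary, case-insensitively. The assumed reference name "*.example.com" produced by this PR then matches no real host, which is the behaviour the first comment warns about.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Match one certificate DNS name against a single suffix entry.
 * A suffix matches when the name equals it, or ends with "." + suffix,
 * so "evilexample.com" does not match "example.com". */
static bool suffix_matches_one(const char *name, size_t name_len,
                               const char *suffix, size_t suffix_len)
{
    if (suffix_len == 0 || name_len < suffix_len)
        return false;
    const char *tail = name + (name_len - suffix_len);
    /* Require a label boundary unless the whole name is the suffix. */
    if (name_len > suffix_len && tail[-1] != '.')
        return false;
    for (size_t i = 0; i < suffix_len; i++) {
        if (tolower((unsigned char)tail[i]) !=
            tolower((unsigned char)suffix[i]))
            return false;
    }
    return true;
}

/* Walk a semicolon-delimited list such as "example.com;corp.net" and
 * report whether the certificate name satisfies any entry. This is the
 * check a verify callback should run; it is not an SNI hostname. */
bool cert_name_matches_suffix_list(const char *name, const char *suffix_match)
{
    size_t name_len = strlen(name);
    const char *pos = suffix_match;

    while (pos != NULL && *pos != '\0') {
        const char *end = strchr(pos, ';');
        size_t len = end ? (size_t)(end - pos) : strlen(pos);
        if (suffix_matches_one(name, name_len, pos, len))
            return true;
        pos = end ? end + 1 : NULL;
    }
    return false;
}
```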
| /* Prepend wildcard to suffix match */ | ||
| size_t suffix_len = os_strlen(conn->tls_conf->suffix_match); | ||
| char *wildcard_hostname = os_malloc(suffix_len + 3); /* "*." + suffix + '\0' */ | ||
| if (wildcard_hostname == NULL) { | ||
| wpa_printf(MSG_ERROR, "Failed to allocate memory for wildcard hostname"); | ||
| return NULL; | ||
| } | ||
| os_memcpy(wildcard_hostname, "*.", 2); | ||
| os_memcpy(wildcard_hostname + 2, conn->tls_conf->suffix_match, suffix_len + 1); | ||
|
|
||
| ret = mbedtls_ssl_set_hostname(&conn->ssl, wildcard_hostname); | ||
| os_free(wildcard_hostname); |
This new block uses tab indentation, while the surrounding code in this function uses spaces. Please align indentation with the existing style in this file to avoid inconsistent formatting/diffs going forward.