3 changes: 3 additions & 0 deletions include/commissioner/commissioner.hpp
Expand Up @@ -130,6 +130,9 @@ struct Config

// Thread Security Materials Root path
std::string mThreadSMRoot;

// Optional for DTLS hostname verification.
std::string mDtlsHostname = "ThreadRegistrar"; ///< The expected hostname in the certificate of the border agent.
};

/**
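Review bot: The field comment calls the hostname "Optional" while the initializer `mDtlsHostname = "ThreadRegistrar"` turns the peer-name check on by default, so every existing caller that does not clear the field now requires exactly that name in the peer certificate; that behaviour change deserves to be stated here rather than discovered at handshake time. The comment should also say what an empty value means, since clearing the field is the only way to opt out: `// Expected server name checked against the peer certificate during the DTLS handshake (client side only). Defaults to "ThreadRegistrar"; set to an empty string to skip the name check and rely on chain validation alone.` Whether the value is also read from the configuration file is not visible in this diff; if it is not, the default is the only value non-programmatic users get, which is worth mentioning in the same comment.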
100 changes: 52 additions & 48 deletions src/library/coap_secure_test.cpp
Expand Up @@ -42,66 +42,68 @@ namespace commissioner {
namespace coap {

static const std::string kClientTrustAnchor = "-----BEGIN CERTIFICATE-----\r\n"
"MIIBejCCAR+gAwIBAgIIc5C+m8ijatIwCgYIKoZIzj0EAwIwGDEWMBQGA1UEAwwN\r\n"
"VGhyZWFkR3JvdXBDQTAeFw0xOTA2MTkyMTI0MjdaFw0yNDA2MTcyMTI0MjdaMBgx\r\n"
"FjAUBgNVBAMMDVRocmVhZEdyb3VwQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\r\n"
"AASXse2WkWSTCYW7uKyaKvlFXN/upLEd4uedBov6gDkmtABSUbNPHAgVpMvgP70b\r\n"
"vLY19kMaIt54ZTuHuZU37OFso1MwUTAPBgNVHRMECDAGAQH/AgEDMB0GA1UdDgQW\r\n"
"BBSS6nZAQEqPq08nC/O8N52GzXKA+DAfBgNVHSMEGDAWgBSS6nZAQEqPq08nC/O8\r\n"
"N52GzXKA+DAKBggqhkjOPQQDAgNJADBGAiEA5l70etVXL6pUSU+E/5+8C6yM5HaD\r\n"
"v8WNLEhNNeunmcMCIQCwyjOK804IuUTv7IOw/6y9ulOwTBHtfPJ8rfRyaVbHPQ==\r\n"
"MIIBhTCCASugAwIBAgIUEZrQnf8iH3PYpbtc7PMhd+5EMSswCgYIKoZIzj0EAwIw\r\n"
"GDEWMBQGA1UEAwwNVGhyZWFkR3JvdXBDQTAeFw0yNTA5MjQwNDUxMDlaFw0zNTA5\r\n"
"MjIwNDUxMDlaMBgxFjAUBgNVBAMMDVRocmVhZEdyb3VwQ0EwWTATBgcqhkjOPQIB\r\n"
"BggqhkjOPQMBBwNCAAR5d2C22dtBQfu0E69YVKUdBlSwdvd1maeyvW7sxpNswasX\r\n"
"GnKjUKHW9950m4Pw6YvV+5Emxw23YdvN0IY2+nQMo1MwUTAdBgNVHQ4EFgQUzmMx\r\n"
"td34Zih6C4aYNdaZECjgQV8wHwYDVR0jBBgwFoAUzmMxtd34Zih6C4aYNdaZECjg\r\n"
"QV8wDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiAK6EBelCHpjaPx\r\n"
"c7SssfmUGzb1u44YahVxlh5gZbuCmwIhAIYeycNpRVOVEAXuoJYeG1Ez7i+CVeNR\r\n"
"7N9vrIylB8A+\r\n"
"-----END CERTIFICATE-----\r\n";

static const std::string kClientCert = "-----BEGIN CERTIFICATE-----\r\n"
"MIICATCCAaegAwIBAgIIJU8KN/Bcw4cwCgYIKoZIzj0EAwIwGDEWMBQGA1UEAwwN\r\n"
"VGhyZWFkR3JvdXBDQTAeFw0xOTA2MTkyMTM2MTFaFw0yNDA2MTcyMTM2MTFaMBox\r\n"
"GDAWBgNVBAMMD1RocmVhZFJlZ2lzdHJhcjBZMBMGByqGSM49AgEGCCqGSM49AwEH\r\n"
"A0IABCAwhVvoRpELPssVyvhXLT61Zb3GVKFe+vbt66qLnhYIxckQyTogho/IUE03\r\n"
"Dxsm+pdZ9nmDu3iGPtqay+pRJPajgdgwgdUwDwYDVR0TBAgwBgEB/wIBAjALBgNV\r\n"
"HQ8EBAMCBeAwbAYDVR0RBGUwY6RhMF8xCzAJBgNVBAYTAlVTMRUwEwYDVQQKDAxU\r\n"
"aHJlYWQgR3JvdXAxFzAVBgNVBAMMDlRlc3QgUmVnaXN0cmFyMSAwHgYJKoZIhvcN\r\n"
"AQkBFhFtYXJ0aW5Ac3Rva29lLm5ldDBHBgNVHSMEQDA+gBSS6nZAQEqPq08nC/O8\r\n"
"N52GzXKA+KEcpBowGDEWMBQGA1UEAwwNVGhyZWFkR3JvdXBDQYIIc5C+m8ijatIw\r\n"
"CgYIKoZIzj0EAwIDSAAwRQIgbI7Vrg348jGCENRtT3GbV5FaEqeBaVTeHlkCA99z\r\n"
"RVACIQDGDdZSWXAR+AlfmrDecYnmp5Vgz8eTyjm9ZziIFXPUwA==\r\n"
"MIIBcjCCARmgAwIBAgIUTsd8PPWTr5Dl8P1jj8V3tlmDGDswCgYIKoZIzj0EAwIw\r\n"
"GDEWMBQGA1UEAwwNVGhyZWFkR3JvdXBDQTAeFw0yNTA5MjQwNDUxMDlaFw0zNTA5\r\n"
"MjIwNDUxMDlaMBcxFTATBgNVBAMMDFRocmVhZENsaWVudDBZMBMGByqGSM49AgEG\r\n"
"CCqGSM49AwEHA0IABJjtiRe7qsIvGC0fblGEM0vi36HFcJ4jX9JEBWUAR4kqMu8t\r\n"
"X619Kgf6wyZsmSuBQfESI5A3lFwrP+pmAPT+FiejQjBAMB0GA1UdDgQWBBSn1HEr\r\n"
"V2jDNiS7R/tHJDZyUvnN1DAfBgNVHSMEGDAWgBTOYzG13fhmKHoLhpg11pkQKOBB\r\n"
"XzAKBggqhkjOPQQDAgNHADBEAiBHDbT44MGbo+ZQNmFW8m8JWv8vDnxtkaTbEVRu\r\n"
"0XT7RwIgTEznRgFQ0aiJz8AYNjT+DgZVzZEq5ROQnUOZqPUh26Y=\r\n"
"-----END CERTIFICATE-----\r\n";

static const std::string kClientKey = "-----BEGIN PRIVATE KEY-----\r\n"
"MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYJ/MP0dWA9BkYd4W\r\n"
"s6oRY62hDddaEmrAVm5dtAXE/UGhRANCAAQgMIVb6EaRCz7LFcr4Vy0+tWW9xlSh\r\n"
"Xvr27euqi54WCMXJEMk6IIaPyFBNNw8bJvqXWfZ5g7t4hj7amsvqUST2\r\n"
"-----END PRIVATE KEY-----\r\n";
static const std::string kClientKey = "-----BEGIN EC PARAMETERS-----\r\n"
"BggqhkjOPQMBBw==\r\n"
"-----END EC PARAMETERS-----\r\n"
"-----BEGIN EC PRIVATE KEY-----\r\n"
"MHcCAQEEIFVHUtrU9IUeM44w0KtZeg7ulLE7vFx8hs6+xNIK/3fqoAoGCCqGSM49\r\n"
"AwEHoUQDQgAEmO2JF7uqwi8YLR9uUYQzS+LfocVwniNf0kQFZQBHiSoy7y1frX0q\r\n"
"B/rDJmyZK4FB8RIjkDeUXCs/6mYA9P4WJw==\r\n"
"-----END EC PRIVATE KEY-----\r\n";

static const std::string kServerTrustAnchor = "-----BEGIN CERTIFICATE-----\r\n"
"MIIBejCCAR+gAwIBAgIIc5C+m8ijatIwCgYIKoZIzj0EAwIwGDEWMBQGA1UEAwwN\r\n"
"VGhyZWFkR3JvdXBDQTAeFw0xOTA2MTkyMTI0MjdaFw0yNDA2MTcyMTI0MjdaMBgx\r\n"
"FjAUBgNVBAMMDVRocmVhZEdyb3VwQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\r\n"
"AASXse2WkWSTCYW7uKyaKvlFXN/upLEd4uedBov6gDkmtABSUbNPHAgVpMvgP70b\r\n"
"vLY19kMaIt54ZTuHuZU37OFso1MwUTAPBgNVHRMECDAGAQH/AgEDMB0GA1UdDgQW\r\n"
"BBSS6nZAQEqPq08nC/O8N52GzXKA+DAfBgNVHSMEGDAWgBSS6nZAQEqPq08nC/O8\r\n"
"N52GzXKA+DAKBggqhkjOPQQDAgNJADBGAiEA5l70etVXL6pUSU+E/5+8C6yM5HaD\r\n"
"v8WNLEhNNeunmcMCIQCwyjOK804IuUTv7IOw/6y9ulOwTBHtfPJ8rfRyaVbHPQ==\r\n"
"MIIBhTCCASugAwIBAgIUEZrQnf8iH3PYpbtc7PMhd+5EMSswCgYIKoZIzj0EAwIw\r\n"
"GDEWMBQGA1UEAwwNVGhyZWFkR3JvdXBDQTAeFw0yNTA5MjQwNDUxMDlaFw0zNTA5\r\n"
"MjIwNDUxMDlaMBgxFjAUBgNVBAMMDVRocmVhZEdyb3VwQ0EwWTATBgcqhkjOPQIB\r\n"
"BggqhkjOPQMBBwNCAAR5d2C22dtBQfu0E69YVKUdBlSwdvd1maeyvW7sxpNswasX\r\n"
"GnKjUKHW9950m4Pw6YvV+5Emxw23YdvN0IY2+nQMo1MwUTAdBgNVHQ4EFgQUzmMx\r\n"
"td34Zih6C4aYNdaZECjgQV8wHwYDVR0jBBgwFoAUzmMxtd34Zih6C4aYNdaZECjg\r\n"
"QV8wDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiAK6EBelCHpjaPx\r\n"
"c7SssfmUGzb1u44YahVxlh5gZbuCmwIhAIYeycNpRVOVEAXuoJYeG1Ez7i+CVeNR\r\n"
"7N9vrIylB8A+\r\n"
"-----END CERTIFICATE-----\r\n";

static const std::string kServerCert = "-----BEGIN CERTIFICATE-----\r\n"
"MIICATCCAaegAwIBAgIIJU8KN/Bcw4cwCgYIKoZIzj0EAwIwGDEWMBQGA1UEAwwN\r\n"
"VGhyZWFkR3JvdXBDQTAeFw0xOTA2MTkyMTM2MTFaFw0yNDA2MTcyMTM2MTFaMBox\r\n"
"GDAWBgNVBAMMD1RocmVhZFJlZ2lzdHJhcjBZMBMGByqGSM49AgEGCCqGSM49AwEH\r\n"
"A0IABCAwhVvoRpELPssVyvhXLT61Zb3GVKFe+vbt66qLnhYIxckQyTogho/IUE03\r\n"
"Dxsm+pdZ9nmDu3iGPtqay+pRJPajgdgwgdUwDwYDVR0TBAgwBgEB/wIBAjALBgNV\r\n"
"HQ8EBAMCBeAwbAYDVR0RBGUwY6RhMF8xCzAJBgNVBAYTAlVTMRUwEwYDVQQKDAxU\r\n"
"aHJlYWQgR3JvdXAxFzAVBgNVBAMMDlRlc3QgUmVnaXN0cmFyMSAwHgYJKoZIhvcN\r\n"
"AQkBFhFtYXJ0aW5Ac3Rva29lLm5ldDBHBgNVHSMEQDA+gBSS6nZAQEqPq08nC/O8\r\n"
"N52GzXKA+KEcpBowGDEWMBQGA1UEAwwNVGhyZWFkR3JvdXBDQYIIc5C+m8ijatIw\r\n"
"CgYIKoZIzj0EAwIDSAAwRQIgbI7Vrg348jGCENRtT3GbV5FaEqeBaVTeHlkCA99z\r\n"
"RVACIQDGDdZSWXAR+AlfmrDecYnmp5Vgz8eTyjm9ZziIFXPUwA==\r\n"
"MIIBdjCCARygAwIBAgIUTsd8PPWTr5Dl8P1jj8V3tlmDGDowCgYIKoZIzj0EAwIw\r\n"
"GDEWMBQGA1UEAwwNVGhyZWFkR3JvdXBDQTAeFw0yNTA5MjQwNDUxMDlaFw0zNTA5\r\n"
"MjIwNDUxMDlaMBoxGDAWBgNVBAMMD1RocmVhZFJlZ2lzdHJhcjBZMBMGByqGSM49\r\n"
"AgEGCCqGSM49AwEHA0IABGr5hdFY+5eaF1vhw6wG+0Mybw0tauCxG04X7OqXv7/P\r\n"
"V7Y+teABvZkorhF2b332Z7Pqk/6k+wuCX1N5VAZJtyijQjBAMB0GA1UdDgQWBBQf\r\n"
"ASGIrYEzMd1F/eYF1IzmZ5M5bTAfBgNVHSMEGDAWgBTOYzG13fhmKHoLhpg11pkQ\r\n"
"KOBBXzAKBggqhkjOPQQDAgNIADBFAiEA4zluVAVVDfsCCuv4OSwx9o1P7w+QvmEC\r\n"
"xhJPt7eGQRYCIEgzvrcQ4VPinEe8t3CkIrrHe/zQrkHw9ZhQnLv509XW\r\n"
"-----END CERTIFICATE-----\r\n";

static const std::string kServerKey = "-----BEGIN PRIVATE KEY-----\r\n"
"MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYJ/MP0dWA9BkYd4W\r\n"
"s6oRY62hDddaEmrAVm5dtAXE/UGhRANCAAQgMIVb6EaRCz7LFcr4Vy0+tWW9xlSh\r\n"
"Xvr27euqi54WCMXJEMk6IIaPyFBNNw8bJvqXWfZ5g7t4hj7amsvqUST2\r\n"
"-----END PRIVATE KEY-----\r\n";
static const std::string kServerKey = "-----BEGIN EC PARAMETERS-----\r\n"
"BggqhkjOPQMBBw==\r\n"
"-----END EC PARAMETERS-----\r\n"
"-----BEGIN EC PRIVATE KEY-----\r\n"
"MHcCAQEEIMdyKql6JZNPhCw+KSY/zbYKRor5qoebmt9kQQ73MzWcoAoGCCqGSM49\r\n"
"AwEHoUQDQgAEavmF0Vj7l5oXW+HDrAb7QzJvDS1q4LEbThfs6pe/v89Xtj614AG9\r\n"
"mSiuEXZvffZns+qT/qT7C4JfU3lUBkm3KA==\r\n"
"-----END EC PRIVATE KEY-----\r\n";

static const char *kServerAddr = "::";
static constexpr uint16_t kServerPort = 5683;
Expand Down Expand Up @@ -151,6 +153,8 @@ TEST(CoapsTest, CoapsClientServerHello)
config.mOwnCert.push_back(0);
config.mOwnKey.push_back(0);

config.mHostname = "ThreadRegistrar";

CoapSecure coapsClient{eventBase, false};
EXPECT_EQ(coapsClient.Init(config), ErrorCode::kNone);
auto onClientConnected = [&coapsClient, eventBase](const DtlsSession &aSession, Error aError) {
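Review bot: The second hunk only exercises the accepting path: `config.mHostname = "ThreadRegistrar";` matches the new server fixture (the base64 of kServerCert appears to carry that CN), and nothing checks that a session to a certificate with a different name is refused, or that an empty mHostname still connects — the two cases that define the new check. A second test that sets a mismatching name and expects the client's connect callback to report an error would pin the behaviour; without it, a regression that silently stops calling mbedtls_ssl_set_hostname would still pass. The replaced fixtures in the first hunk carry no note on their validity window; the encoded dates look like 2025-09 to 2035-09, and a one-line comment above each fixture recording that window and how the material was generated would save the next expiry hunt. The TEST body that the second hunk sits in starts and ends outside the hunk.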
18 changes: 14 additions & 4 deletions src/library/dtls.cpp
Expand Up @@ -106,10 +106,11 @@ DtlsConfig GetDtlsConfig(const Config &aConfig)

dtlsConfig.mEnableDebugLogging = aConfig.mEnableDtlsDebugLogging;

dtlsConfig.mPSK = aConfig.mPSKc;
dtlsConfig.mOwnKey = aConfig.mPrivateKey;
dtlsConfig.mOwnCert = aConfig.mCertificate;
dtlsConfig.mCaChain = aConfig.mTrustAnchor;
dtlsConfig.mPSK = aConfig.mPSKc;
dtlsConfig.mOwnKey = aConfig.mPrivateKey;
dtlsConfig.mOwnCert = aConfig.mCertificate;
dtlsConfig.mCaChain = aConfig.mTrustAnchor;
dtlsConfig.mHostname = aConfig.mDtlsHostname;

return dtlsConfig;
}
Expand Down Expand Up @@ -166,6 +167,15 @@ Error DtlsSession::Init(const DtlsConfig &aConfig)
ExitNow(error = ErrorFromMbedtlsError(fail));
}

// Set hostname for certificate verification (client-side only)
if (!mIsServer && !aConfig.mHostname.empty())
{
if (int fail = mbedtls_ssl_set_hostname(&mSsl, aConfig.mHostname.c_str()))
{
ExitNow(error = ERROR_SECURITY("set DTLS hostname failed; {}", ErrorFromMbedtlsError(fail).GetMessage()));
}
}

mbedtls_ssl_conf_authmode(&mConfig, kAuthMode);

// Debug
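Review bot: The guard in the second hunk, `if (!mIsServer && !aConfig.mHostname.empty())`, silently falls back to chain-only validation when the name is empty, and the comment above it does not say so; a reader of Init cannot tell whether an unset name is a configuration error or an intended opt-out. Expand the comment to `// Set hostname for certificate verification (client-side only). An empty hostname skips the peer-name check, leaving only the chain validation configured by kAuthMode below.` and consider a debug-level log line in the empty case so operators can tell from the logs which mode a session used. mbedtls requires the hostname to be set before the handshake, and the ordering relative to the session setup call is not visible in this hunk (the preceding `ExitNow` belongs to a block that starts outside it), so confirm the call sits after setup. DtlsSession::Init begins and ends outside the hunk.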
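--- a/src/library/dtls.hpp
+++ b/src/library/dtls.hpp
@@ -69,12 +69,13 @@ static constexpr uint32_t kDtlsHandshakeTimeoutMax = 60;
 
 struct DtlsConfig
 {
-bool mEnableDebugLogging = false;
-int mLogLevel = 3;
-ByteArray mPSK;
-ByteArray mOwnKey;
-ByteArray mOwnCert;
-ByteArray mCaChain;
+bool mEnableDebugLogging = false;
+int mLogLevel = 3;
+ByteArray mPSK;
+ByteArray mOwnKey;
+ByteArray mOwnCert;
+ByteArray mCaChain;
+std::string mHostname;
 };
 
 DtlsConfig GetDtlsConfig(const Config &aConfig);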
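Review bot: `std::string mHostname;` is the only DtlsConfig member added without a comment, and its semantics (client-side only, empty disables the peer-name check) are established in dtls.cpp rather than here where callers look. Add `std::string mHostname; ///< Server name to verify against the peer certificate (client side only); empty skips the name check.` so the contract is visible at the declaration. It is also worth confirming that this header already includes `<string>`; the neighbouring members use ByteArray, so the include may not be present yet.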