Member

This file is the official lwip source code. Is it appropriate to modify it this way?

Contributor Author

Good point. This is a vendored lwIP source file, so I kept the change as small as possible and put it at the layer that owns the mbedTLS auth mode.

struct altcp_tls_config is opaque in altcp_tls.h, and mbedtls_ssl_conf_authmode() is only reachable inside this mbedTLS port implementation. Callers can pass a CA via altcp_tls_create_config_client() / _2wayauth(), but they cannot safely adjust the internal mbedtls_ssl_config afterwards.

With MBEDTLS_SSL_VERIFY_OPTIONAL, mbedTLS still lets the handshake continue after certificate verification fails unless the user later calls mbedtls_ssl_get_verify_result(). The lwIP altcp TLS API here does not expose that verification step to callers, so a configured CA would not reliably enforce the trust anchor.

This patch only switches client configs that actually provide a CA to MBEDTLS_SSL_VERIFY_REQUIRED; server configs and clients without CA keep the existing optional mode for compatibility. If RT-Thread prefers to avoid behavior patches in vendored lwIP files, I can rework this as an upstream-style backport, but that would need a separate RT-Thread config policy to preserve the same security behavior for client connections with CA.

Expand Up @@ -732,7 +732,11 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
altcp_mbedtls_free_config(conf);
return NULL;
}
mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
if (!is_server && have_ca) {
mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
} else {
mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
}

mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &conf->ctr_drbg);
#if ALTCP_MBEDTLS_DEBUG != LWIP_DBG_OFF
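Review bot: The new `if (!is_server && have_ca)` branch changes observable behaviour for every client that supplies a CA (a failed certificate verification now aborts the handshake instead of being tolerated), but nothing in the hunk records why; add a comment above the branch stating that altcp never exposes mbedtls_ssl_get_verify_result() to callers, so MBEDTLS_SSL_VERIFY_OPTIONAL cannot be upgraded to enforcement outside this file, and note the deviation from upstream in the vendored file's local change notes so the next lwIP sync does not silently revert it. It would also help to document next to altcp_tls_create_config_client() / _2wayauth() in altcp_tls.h that passing a CA now makes server certificate verification mandatory.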
Expand Down Expand Up @@ -886,7 +890,7 @@ altcp_tls_free_config(struct altcp_tls_config *conf)
}
if (conf->ca) {
mbedtls_x509_crt_free(conf->ca);
}
}
altcp_mbedtls_free_config(conf);
}

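Review bot: The only change in this hunk is the closing brace of the `if (conf->ca) { ... }` block, where the removed and added lines both read `}` and the header counts (-886,7 +890,7) show a line-for-line swap, i.e. a whitespace-only edit unrelated to the auth-mode fix; since the reply above argues for keeping the change to this vendored file as small as possible, drop this hunk or move it to a separate formatting commit so the security change stays a single reviewable hunk.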