check x509 cert hostname to make sure we are connected to the correct host (#146)

ryanwinter · web-flow · commit 5db5dd002b0d · 2020-09-29T17:33:40.000-07:00
* check x509 cert hostname to make sure we are connected to the correct host.
* reduce memory usage by reusing tls buffers for cert validation.
diff --git a/cmake/arm-gcc-cortex-toolchain.cmake b/cmake/arm-gcc-cortex-toolchain.cmake
@@ -72,7 +72,7 @@ set(CMAKE_COMMON_FLAGS "-ffunction-sections -fdata-sections -Wunused -Wuninitial
 set(CMAKE_C_FLAGS 	"${MCPU_FLAGS} ${VFP_FLAGS} ${SPECS_FLAGS} ${CMAKE_COMMON_FLAGS}")
 set(CMAKE_CXX_FLAGS "${MCPU_FLAGS} ${VFP_FLAGS} ${SPECS_FLAGS} ${CMAKE_COMMON_FLAGS}")
 set(CMAKE_ASM_FLAGS "${MCPU_FLAGS} ${VFP_FLAGS} ${SPECS_FLAGS}")
-set(CMAKE_EXE_LINKER_FLAGS "${LD_FLAGS} -Wl,--gc-sections,-print-memory-usage")
+set(CMAKE_EXE_LINKER_FLAGS "${LD_FLAGS} -fno-common -Wl,--gc-sections,-print-memory-usage")
 
 set(CMAKE_C_FLAGS_DEBUG "-O0 -g")
 set(CMAKE_CXX_ASM_FLAGS_DEBUG "-O0 -g")
diff --git a/core/src/azure_iot_mqtt/azure_iot_dps_mqtt.c b/core/src/azure_iot_mqtt/azure_iot_dps_mqtt.c
@@ -24,7 +24,9 @@
 
 #define EVENT_FLAGS_SUCCESS 1
 
-static VOID processRetry(AZURE_IOT_MQTT* azure_iot_mqtt, CHAR* topic, CHAR* message)
+extern CHAR* azure_iot_x509_hostname;
+
+static VOID process_retry(AZURE_IOT_MQTT* azure_iot_mqtt, CHAR* topic, CHAR* message)
 {
     UINT status;
 
@@ -72,7 +74,7 @@ static VOID processRetry(AZURE_IOT_MQTT* azure_iot_mqtt, CHAR* topic, CHAR* mess
     }
 }
 
-static VOID processSuccess(AZURE_IOT_MQTT* azure_iot_mqtt, CHAR* topic, CHAR* message)
+static VOID process_success(AZURE_IOT_MQTT* azure_iot_mqtt, CHAR* topic, CHAR* message)
 {
     jsmn_parser parser;
     jsmntok_t tokens[64];
@@ -146,13 +148,13 @@ static VOID mqtt_notify_cb(NXD_MQTT_CLIENT* client_ptr, UINT number_of_messages)
         switch (msg_status)
         {
             case 202:
-                processRetry(azure_iot_mqtt,
+                process_retry(azure_iot_mqtt,
                     azure_iot_mqtt->mqtt_receive_topic_buffer,
                     azure_iot_mqtt->mqtt_receive_message_buffer);
                 break;
 
             case 200:
-                processSuccess(azure_iot_mqtt,
+                process_success(azure_iot_mqtt,
                     azure_iot_mqtt->mqtt_receive_topic_buffer,
                     azure_iot_mqtt->mqtt_receive_message_buffer);
                 tx_event_flags_set(&azure_iot_mqtt->mqtt_event_flags, EVENT_FLAGS_SUCCESS, TX_OR);
@@ -282,6 +284,9 @@ UINT azure_iot_dps_register(AZURE_IOT_MQTT* azure_iot_mqtt, UINT wait)
         return status;
     }
 
+    // Stash the hostname so we can verify the cert at connect
+    azure_iot_x509_hostname = azure_iot_mqtt->mqtt_dps_endpoint;
+
     status = nxd_mqtt_client_secure_connect(&azure_iot_mqtt->nxd_mqtt_client,
         &server_ip,
         NXD_MQTT_TLS_PORT,
diff --git a/core/src/azure_iot_mqtt/azure_iot_mqtt.c b/core/src/azure_iot_mqtt/azure_iot_mqtt.c
@@ -36,6 +36,23 @@
 #define MQTT_TIMEOUT         (10 * TX_TIMER_TICKS_PER_SECOND)
 #define MQTT_KEEP_ALIVE      240
 
+CHAR* azure_iot_x509_hostname;
+
+static ULONG azure_iot_certificate_verify(NX_SECURE_TLS_SESSION* session, NX_SECURE_X509_CERT* certificate)
+{
+    UINT status;
+
+    // Check certicate matches the correct address
+    status = nx_secure_x509_common_name_dns_check(
+        certificate, (UCHAR*)azure_iot_x509_hostname, strlen(azure_iot_x509_hostname));
+    if (status)
+    {
+        printf("Error in certificate verification: DNS name did not match CN\r\n");
+    }
+
+    return status;
+}
+
 UINT azure_iot_mqtt_register_direct_method_callback(
     AZURE_IOT_MQTT* azure_iot_mqtt, func_ptr_direct_method mqtt_direct_method_callback)
 {
@@ -107,26 +124,6 @@ UINT tls_setup(NXD_MQTT_CLIENT* client,
         return status;
     }
 
-    status = nx_secure_tls_remote_certificate_allocate(tls_session,
-        &azure_iot_mqtt->mqtt_remote_certificate,
-        azure_iot_mqtt->mqtt_remote_cert_buffer,
-        sizeof(azure_iot_mqtt->mqtt_remote_cert_buffer));
-    if (status != NX_SUCCESS)
-    {
-        printf("Failed to create remote certificate buffer (0x%04x)\r\n", status);
-        return status;
-    }
-
-    status = nx_secure_tls_remote_certificate_allocate(tls_session,
-        &azure_iot_mqtt->mqtt_remote_issuer,
-        azure_iot_mqtt->mqtt_remote_issuer_buffer,
-        sizeof(azure_iot_mqtt->mqtt_remote_issuer_buffer));
-    if (status != NX_SUCCESS)
-    {
-        printf("Failed to create remote issuer buffer (0x%04x)\r\n", status);
-        return status;
-    }
-
     // Add a CA Certificate to our trusted store for verifying incoming server certificates
     status = nx_secure_x509_certificate_initialize(trusted_cert,
         (UCHAR*)azure_iot_root_ca,
@@ -157,6 +154,15 @@ UINT tls_setup(NXD_MQTT_CLIENT* client,
         return status;
     }
 
+    // Setup the callback invoked when TLS has a certificate it wants to verify so we can
+    // do additional checks not done automatically by TLS.
+    status = nx_secure_tls_session_certificate_callback_set(tls_session, azure_iot_certificate_verify);
+    if (status)
+    {
+        printf("Failed to set the session certificate callback: status: %d", status);
+        return status;
+    }
+
     // Add a timestamp function for time checking and timestamps in the TLS handshake
     nx_secure_tls_session_time_function_set(tls_session, azure_iot_mqtt->unix_time_get);
 
@@ -717,6 +723,9 @@ UINT azure_iot_mqtt_connect(AZURE_IOT_MQTT* azure_iot_mqtt)
         return status;
     }
 
+    // Stash the hostname in a global variable so we can verify the cert at connect
+    azure_iot_x509_hostname = azure_iot_mqtt->mqtt_hub_hostname;
+
     status = nxd_mqtt_client_secure_connect(&azure_iot_mqtt->nxd_mqtt_client,
         &server_ip,
         NXD_MQTT_TLS_PORT,
diff --git a/core/src/azure_iot_mqtt/azure_iot_mqtt.h b/core/src/azure_iot_mqtt/azure_iot_mqtt.h
@@ -23,9 +23,8 @@
 #define AZURE_IOT_MQTT_DIRECT_COMMAND_RID_SIZE 6
 
 #define AZURE_IOT_MQTT_CLIENT_STACK_SIZE 4096
-#define AZURE_IOT_MQTT_CERT_BUFFER_SIZE 4096
 
-#define TLS_PACKET_BUFFER 4096
+#define TLS_PACKET_BUFFER (7 * 1024)
 
 #define MQTT_QOS_0 0 // QoS 0 - Deliver at most once
 #define MQTT_QOS_1 1 // QoS 1 - Deliver at least once
@@ -78,11 +77,6 @@ struct AZURE_IOT_MQTT_STRUCT
     ULONG tls_metadata_buffer[NX_AZURE_IOT_TLS_METADATA_BUFFER_SIZE / sizeof(ULONG)];
     UCHAR tls_packet_buffer[TLS_PACKET_BUFFER];
 
-    NX_SECURE_X509_CERT mqtt_remote_certificate;
-    NX_SECURE_X509_CERT mqtt_remote_issuer;
-    UCHAR mqtt_remote_cert_buffer[AZURE_IOT_MQTT_CERT_BUFFER_SIZE];
-    UCHAR mqtt_remote_issuer_buffer[AZURE_IOT_MQTT_CERT_BUFFER_SIZE];
-
     func_ptr_direct_method cb_ptr_mqtt_invoke_direct_method;
     func_ptr_c2d_message cb_ptr_mqtt_c2d_message;
     func_ptr_device_twin_desired_prop cb_ptr_mqtt_device_twin_desired_prop_callback;
