applications: serial_lte_modem: allow to skip cert verify

Allow #XTCPCLI, #XUDPCLI and #XHTTPCCON to set PEER_VERIFY
socket option, and to disable the hostname verification via
TLS_HOSTNAME socket option.

By default PEER_VERIFY is TLS_PEER_VERIFY_REQUIRED and hostname
verification is done.

Signed-off-by: Markus Lassila <markus.lassila@nordicsemi.no>

Author: MarkusLassila

applications/serial_lte_modem/doc/HTTPC_AT_commands.rst

@@ -24,7 +24,7 @@ Syntax
 
 ::
 
-   AT#XHTTPCCON=<op>[,<host>,<port>[,<sec_tag>]]
+   AT#XHTTPCCON=<op>[,<host>,<port>[,<sec_tag>[,peer_verify[,hostname_verify]]]]
 
 * The ``<op>`` parameter can accept one of the following values:
 
@@ -38,6 +38,21 @@ Syntax
   It represents the HTTP server port.
 * The ``<sec_tag>`` parameter is an integer.
   It indicates to the modem the credential of the security tag used for establishing a secure connection.
+* The ``<peer_verify>`` parameter accepts the following values:
+
+  * ``0`` - None.
+    Do not authenticate the peer.
+  * ``1`` - Optional.
+    Optionally authenticate the peer.
+  * ``2`` - Required (default).
+    Authenticate the peer.
+
+* The ``<hostname_verify>`` parameter accepts the following values:
+
+  * ``0`` - Do not verify the hostname against the received certificate.
+  * ``1`` - Verify the hostname against the received certificate (default).
+
+See `nRF socket options`_ ``peer_verify`` and ``tls_hostname`` for more information on ``<peer_verify>`` and ``<hostname_verify>``.
 
 
 Response syntax
@@ -100,7 +115,7 @@ Example
 ::
 
    AT#XHTTPCCON=?
-   #XHTTPCCON: (0,1),<host>,<port>,<sec_tag>
+   #XHTTPCCON: (0,1),<host>,<port>,<sec_tag>,<peer_verify>,<hostname_verify>
    OK
 
 HTTP request #XHTTPCREQ

applications/serial_lte_modem/doc/TCPUDP_AT_commands.rst

@@ -174,7 +174,7 @@ Syntax
 
 ::
 
-   #XTCPCLI=<op>[,<url>,<port>[,[sec_tag]]
+   #XTCPCLI=<op>[,<url>,<port>[,sec_tag[,peer_verify[,hostname_verify]]]]
 
 * The ``<op>`` parameter can accept one of the following values:
 
@@ -191,6 +191,21 @@ Syntax
 * The ``<sec_tag>`` parameter is an integer.
   If it is given, a TLS client will be started.
   It indicates to the modem the credential of the security tag used for establishing a secure connection.
+* The ``<peer_verify>`` parameter accepts the following values:
+
+  * ``0`` - None.
+    Do not authenticate the peer.
+  * ``1`` - Optional.
+    Optionally authenticate the peer.
+  * ``2`` - Required (default).
+    Authenticate the peer.
+
+* The ``<hostname_verify>`` parameter accepts the following values:
+
+  * ``0`` - Do not verify the hostname against the received certificate.
+  * ``1`` - Verify the hostname against the received certificate (default).
+
+See `nRF socket options`_ ``peer_verify`` and ``tls_hostname`` for more information on ``<peer_verify>`` and ``<hostname_verify>``.
 
 Response syntax
 ~~~~~~~~~~~~~~~
@@ -260,15 +275,15 @@ Response syntax
 
 ::
 
-   #XTCPCLI: <list of ops>,<url>,<port>,<sec_tag>
+   #XTCPCLI: <list of ops>,<url>,<port>,<sec_tag>,<peer_verify>,<hostname_verify>
 
 Examples
 ~~~~~~~~
 
 ::
 
    AT#XTCPCLI=?
-   #XTCPCLI: (0,1,2),<url>,<port>,<sec_tag>
+   #XTCPCLI: (0,1,2),<url>,<port>,<sec_tag>,<peer_verify>,<hostname_verify>
    OK
 
 TCP send data #XTCPSEND
@@ -532,7 +547,7 @@ Syntax
 
 ::
 
-   #XUDPCLI=<op>[,<url>,<port>[,<sec_tag>[,<use_dtls_cid>]]]
+   #XUDPCLI=<op>[,<url>,<port>[,<sec_tag>[,<use_dtls_cid>[,peer_verify[,hostname_verify]]]]]
 
 * The ``<op>`` parameter can accept one of the following values:
 
@@ -554,6 +569,21 @@ Syntax
   This parameter is only supported with modem firmware 1.3.5 and newer.
   See :ref:`SLM_AT_SSOCKETOPT` for more details regarding the allowed values.
   The command will fail (with ``<error>`` equal to ``-134`` (``-ENOTSUP``) if the requested connection identifier is not accepted by the server.
+* The ``<peer_verify>`` parameter accepts the following values:
+
+  * ``0`` - None.
+    Do not authenticate the peer.
+  * ``1`` - Optional.
+    Optionally authenticate the peer.
+  * ``2`` - Required (default).
+    Authenticate the peer.
+
+* The ``<hostname_verify>`` parameter accepts the following values:
+
+  * ``0`` - Do not verify the hostname against the received certificate.
+  * ``1`` - Verify the hostname against the received certificate (default).
+
+See `nRF socket options`_ ``peer_verify`` and ``tls_hostname`` for more information on ``<peer_verify>`` and ``<hostname_verify>``.
 
 Response syntax
 ~~~~~~~~~~~~~~~
@@ -616,15 +646,15 @@ Syntax
 
 ::
 
-   #XUDPCLI: <list of ops>,<url>,<port>,<sec_tag>,<use_dtls_cid>
+   #XUDPCLI: <list of ops>,<url>,<port>,<sec_tag>,<use_dtls_cid>,<peer_verify>,<hostname_verify>
 
 Examples
 ~~~~~~~~
 
 ::
 
    AT#XUDPCLI=?
-   #XUDPCLI: (0,1,2),<url>,<port>,<sec_tag>,<use_dtls_cid>
+   #XUDPCLI: (0,1,2),<url>,<port>,<sec_tag>,<use_dtls_cid>,<peer_verify>,<tls_hostname_verify>
    OK
 
 UDP send data #XUDPSEND

applications/serial_lte_modem/src/http_c/slm_at_httpc.c

@@ -48,6 +48,8 @@ static struct slm_httpc_ctx {
 	int fd;				/* HTTPC socket */
 	int family;			/* Socket address family */
 	uint32_t sec_tag;		/* security tag to be used */
+	int peer_verify;		/* Peer verification level for TLS connection. */
+	bool hostname_verify;		/* Verify hostname against the certificate. */
 	char host[SLM_MAX_URL];		/* HTTP server address */
 	uint16_t port;			/* HTTP server port */
 	char *method_str;		/* request method */
@@ -253,7 +255,6 @@ static int do_http_connect(void)
 	}
 	if (httpc.sec_tag != INVALID_SEC_TAG) {
 		sec_tag_t sec_tag_list[] = { httpc.sec_tag };
-		int peer_verify = TLS_PEER_VERIFY_REQUIRED;
 
 		ret = setsockopt(httpc.fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
 				 sizeof(sec_tag_t));
@@ -262,15 +263,19 @@ static int do_http_connect(void)
 			ret = -errno;
 			goto exit_cli;
 		}
-		ret = setsockopt(httpc.fd, SOL_TLS, TLS_PEER_VERIFY, &peer_verify,
-				 sizeof(peer_verify));
+		ret = setsockopt(httpc.fd, SOL_TLS, TLS_PEER_VERIFY, &httpc.peer_verify,
+				 sizeof(httpc.peer_verify));
 		if (ret) {
 			LOG_ERR("setsockopt(TLS_PEER_VERIFY) error: %d", -errno);
 			ret = -errno;
 			goto exit_cli;
 		}
-		ret = setsockopt(httpc.fd, SOL_TLS, TLS_HOSTNAME, httpc.host,
-				 strlen(httpc.host));
+		if (httpc.hostname_verify) {
+			ret = setsockopt(httpc.fd, SOL_TLS, TLS_HOSTNAME, httpc.host,
+					 strlen(httpc.host));
+		} else {
+			ret = setsockopt(httpc.fd, SOL_TLS, TLS_HOSTNAME, NULL, 0);
+		}
 		if (ret) {
 			LOG_ERR("setsockopt(TLS_HOSTNAME) error: %d", -errno);
 			ret = -errno;
@@ -327,21 +332,25 @@ static int do_http_connect(void)
 static int do_http_disconnect(void)
 {
 	/* Close socket if it is connected. */
-	if (httpc.fd != INVALID_SOCKET) {
+	if (httpc.fd == INVALID_SOCKET) {
+		return 0;
+	}
 #if defined(CONFIG_SLM_NATIVE_TLS)
-		if (httpc.sec_tag != INVALID_SEC_TAG) {
-			(void)slm_tls_unloadcrdl(httpc.sec_tag);
-			httpc.sec_tag = INVALID_SEC_TAG;
-		}
+	if (httpc.sec_tag != INVALID_SEC_TAG) {
+		(void)slm_tls_unloadcrdl(httpc.sec_tag);
+		httpc.sec_tag = INVALID_SEC_TAG;
+	}
 #endif
-		close(httpc.fd);
-		httpc.fd = INVALID_SOCKET;
-	} else {
-		return -ENOTCONN;
+	int ret = close(httpc.fd);
+
+	if (ret) {
+		LOG_WRN("close() failed: %d", -errno);
+		ret = -errno;
 	}
-	rsp_send("\r\n#XHTTPCCON: 0\r\n");
+	httpc.fd = INVALID_SOCKET;
+	rsp_send("\r\n#XHTTPCCON: %d\r\n", ret);
 
-	return 0;
+	return ret;
 }
 
 static int http_method_str_enum(uint8_t *method_str)
@@ -430,26 +439,48 @@ int handle_at_httpc_connect(enum at_cmd_type cmd_type)
 			if (err) {
 				return err;
 			}
-			err = at_params_unsigned_short_get(&slm_at_param_list, 3, &httpc.port);
-			if (err) {
-				return err;
+			if (at_params_unsigned_short_get(&slm_at_param_list, 3, &httpc.port)) {
+				return -EINVAL;
 			}
+			const int param_count = at_params_valid_count_get(&slm_at_param_list);
+
 			httpc.sec_tag = INVALID_SEC_TAG;
-			if (at_params_valid_count_get(&slm_at_param_list) > 4) {
-				err = at_params_unsigned_int_get(&slm_at_param_list, 4,
-							&httpc.sec_tag);
-				if (err) {
-					return err;
+			if (param_count > 4) {
+				if (at_params_unsigned_int_get(&slm_at_param_list, 4,
+							       &httpc.sec_tag)) {
+					return -EINVAL;
+				}
+			}
+			httpc.peer_verify = TLS_PEER_VERIFY_REQUIRED;
+			if (param_count > 5) {
+				if (at_params_unsigned_int_get(&slm_at_param_list, 5,
+							       &httpc.peer_verify) ||
+				    (httpc.peer_verify != TLS_PEER_VERIFY_NONE &&
+				     httpc.peer_verify != TLS_PEER_VERIFY_OPTIONAL &&
+				     httpc.peer_verify != TLS_PEER_VERIFY_REQUIRED)) {
+					return -EINVAL;
 				}
 			}
+			httpc.hostname_verify = true;
+			if (param_count > 6) {
+				uint16_t hostname_verify;
+
+				if (at_params_unsigned_short_get(&slm_at_param_list, 6,
+								 &hostname_verify) ||
+				    (hostname_verify != 0 && hostname_verify != 1)) {
+					return -EINVAL;
+				}
+				httpc.hostname_verify = (bool)hostname_verify;
+			}
 			httpc.family = (op == HTTPC_CONNECT) ? AF_INET : AF_INET6;
 			err = do_http_connect();
 			break;
 		} else if (op == HTTPC_DISCONNECT) {
 			err = do_http_disconnect();
 		} else {
 			err = -EINVAL;
-		} break;
+		}
+		break;
 
 	case AT_CMD_TYPE_READ_COMMAND:
 		if (httpc.sec_tag != INVALID_SEC_TAG) {
@@ -465,8 +496,9 @@ int handle_at_httpc_connect(enum at_cmd_type cmd_type)
 		break;
 
 	case AT_CMD_TYPE_TEST_COMMAND:
-		rsp_send("\r\n#XHTTPCCON: (%d,%d,%d),<host>,<port>,<sec_tag>\r\n",
-			HTTPC_DISCONNECT, HTTPC_CONNECT, HTTPC_CONNECT6);
+		rsp_send("\r\n#XHTTPCCON: (%d,%d,%d),<host>,<port>,"
+			 "<sec_tag>,<peer_verify>,<hostname_verify>\r\n",
+			 HTTPC_DISCONNECT, HTTPC_CONNECT, HTTPC_CONNECT6);
 		err = 0;
 		break;
 

applications/serial_lte_modem/src/slm_at_tcp_proxy.c

@@ -47,6 +47,8 @@ static struct tcp_proxy {
 	sec_tag_t sec_tag;	/* Security tag of the credential */
 	int sock_peer;		/* Socket descriptor for peer. */
 	enum slm_tcp_role role;	/* Client or Server proxy */
+	int peer_verify;	/* Peer verification level for TLS connection. */
+	bool hostname_verify;	/* Verify hostname against the certificate. */
 } proxy;
 
 /** forward declaration of thread function **/
@@ -271,8 +273,6 @@ static int do_tcp_client_connect(const char *url, uint16_t port)
 
 	if (proxy.sec_tag != INVALID_SEC_TAG) {
 		sec_tag_t sec_tag_list[1] = { proxy.sec_tag };
-		int peer_verify = TLS_PEER_VERIFY_REQUIRED;
-
 #if defined(CONFIG_SLM_NATIVE_TLS)
 		ret = slm_tls_loadcrdl(proxy.sec_tag);
 		if (ret < 0) {
@@ -287,13 +287,23 @@ static int do_tcp_client_connect(const char *url, uint16_t port)
 			ret = -errno;
 			goto exit_cli;
 		}
-		ret = setsockopt(proxy.sock, SOL_TLS, TLS_PEER_VERIFY, &peer_verify,
-				 sizeof(peer_verify));
+		ret = setsockopt(proxy.sock, SOL_TLS, TLS_PEER_VERIFY, &proxy.peer_verify,
+				 sizeof(proxy.peer_verify));
 		if (ret) {
 			LOG_ERR("setsockopt(TLS_PEER_VERIFY) error: %d", errno);
 			ret = -errno;
 			goto exit_cli;
 		}
+		if (proxy.hostname_verify) {
+			ret = setsockopt(proxy.sock, SOL_TLS, TLS_HOSTNAME, url, strlen(url));
+		} else {
+			ret = setsockopt(proxy.sock, SOL_TLS, TLS_HOSTNAME, NULL, 0);
+		}
+		if (ret) {
+			LOG_ERR("setsockopt(TLS_HOSTNAME) error: %d", errno);
+			ret = -errno;
+			goto exit_cli;
+		}
 	}
 
 	/* Connect to remote host */
@@ -749,17 +759,36 @@ int handle_at_tcp_client(enum at_cmd_type cmd_type)
 			if (err) {
 				return err;
 			}
-			err = at_params_unsigned_short_get(&slm_at_param_list, 3, &port);
-			if (err) {
-				return err;
+			if (at_params_unsigned_short_get(&slm_at_param_list, 3, &port)) {
+				return -EINVAL;
 			}
 			proxy.sec_tag = INVALID_SEC_TAG;
 			if (param_count > 4) {
-				err = at_params_int_get(&slm_at_param_list, 4, &proxy.sec_tag);
-				if (err) {
-					return err;
+				if (at_params_int_get(&slm_at_param_list, 4, &proxy.sec_tag)) {
+					return -EINVAL;
 				}
 			}
+			proxy.peer_verify = TLS_PEER_VERIFY_REQUIRED;
+			if (param_count > 5) {
+				if (at_params_int_get(&slm_at_param_list, 5, &proxy.peer_verify) ||
+				    (proxy.peer_verify != TLS_PEER_VERIFY_NONE &&
+				     proxy.peer_verify != TLS_PEER_VERIFY_OPTIONAL &&
+				     proxy.peer_verify != TLS_PEER_VERIFY_REQUIRED)) {
+					return -EINVAL;
+				}
+			}
+			proxy.hostname_verify = true;
+			if (param_count > 6) {
+				uint16_t hostname_verify;
+
+				if (at_params_unsigned_short_get(&slm_at_param_list, 6,
+								 &hostname_verify) ||
+				    (hostname_verify != 0 && hostname_verify != 1)) {
+					return -EINVAL;
+				}
+				proxy.hostname_verify = (bool)hostname_verify;
+			}
+
 			proxy.family = (op == CLIENT_CONNECT) ? AF_INET : AF_INET6;
 			err = do_tcp_client_connect(url, port);
 		} else if (op == CLIENT_DISCONNECT) {
@@ -772,8 +801,9 @@ int handle_at_tcp_client(enum at_cmd_type cmd_type)
 		break;
 
 	case AT_CMD_TYPE_TEST_COMMAND:
-		rsp_send("\r\n#XTCPCLI: (%d,%d,%d),<url>,<port>,<sec_tag>\r\n",
-			CLIENT_DISCONNECT, CLIENT_CONNECT, CLIENT_CONNECT6);
+		rsp_send("\r\n#XTCPCLI: (%d,%d,%d),<url>,<port>,"
+			 "<sec_tag>,<peer_verify>,<hostname_verify>\r\n",
+			 CLIENT_DISCONNECT, CLIENT_CONNECT, CLIENT_CONNECT6);
 		err = 0;
 		break;