eProsima · EduPonz · Sep 28, 2022 · Apr 4, 2022 · Sep 12, 2022 · Sep 13, 2022
diff --git a/include/fastrtps/xmlparser/XMLParserCommon.h b/include/fastrtps/xmlparser/XMLParserCommon.h
@@ -409,6 +409,7 @@ extern const char* TLS_DEFAULT_VERIFY_PATH;
 extern const char* TLS_VERIFY_DEPTH;
 extern const char* TLS_RSA_PRIVATE_KEY_FILE;
 extern const char* TLS_HANDSHAKE_ROLE;
+extern const char* TLS_SERVER_NAME;
 
 // TLS HandShake Role
 extern const char* TLS_HANDSHAKE_ROLE_DEFAULT;

diff --git a/resources/xsd/fastRTPS_profiles.xsd b/resources/xsd/fastRTPS_profiles.xsd
@@ -117,6 +117,7 @@
             <xs:element name="verify_depth" type="xs:int" minOccurs="0" maxOccurs="1"/>
             <xs:element name="rsa_private_key_file" type="stringType" minOccurs="0" maxOccurs="1"/>
             <xs:element name="handshake_role" type="tlsHandShakeRole" minOccurs="0" maxOccurs="1"/>
+            <xs:element name="server_name" type="stringType" minOccurs="0" maxOccurs="1"/>
         </xs:all>
     </xs:complexType>
 

diff --git a/src/cpp/rtps/transport/TCPChannelResourceSecure.cpp b/src/cpp/rtps/transport/TCPChannelResourceSecure.cpp
@@ -59,6 +59,7 @@ TCPChannelResourceSecure::TCPChannelResourceSecure(
     , secure_socket_(socket)
 {
     set_tls_verify_mode(parent->configuration());
+    set_tls_sni(parent->configuration());
 }
 
 TCPChannelResourceSecure::~TCPChannelResourceSecure()
@@ -87,6 +88,7 @@ void TCPChannelResourceSecure::connect(
             TCPTransportInterface* parent = parent_;
             secure_socket_ = std::make_shared<asio::ssl::stream<asio::ip::tcp::socket>>(service_, ssl_context_);
             set_tls_verify_mode(parent->configuration());
+            set_tls_sni(parent->configuration());
             std::weak_ptr<TCPChannelResource> channel_weak_ptr = myself;
             const auto secure_socket = secure_socket_;
 
@@ -296,6 +298,20 @@ void TCPChannelResourceSecure::set_tls_verify_mode(
             }
             secure_socket_->set_verify_mode(vm);
         }
+
+    }
+}
+
+void TCPChannelResourceSecure::set_tls_sni(
+        const TCPTransportDescriptor* options)
+{
+    if (options->apply_security)
+    {
+        if (!options->tls_config.server_name.empty())
+        {
+            // This is not done through asio because it seems it is not supported, so call directly to OpenSSL
+            SSL_set_tlsext_host_name(secure_socket_->native_handle(), options->tls_config.server_name.c_str());
+        }
     }
 }
 

diff --git a/src/cpp/rtps/transport/TCPChannelResourceSecure.h b/src/cpp/rtps/transport/TCPChannelResourceSecure.h
@@ -72,6 +72,9 @@ class TCPChannelResourceSecure : public TCPChannelResource
     void set_tls_verify_mode(
             const TCPTransportDescriptor* options);
 
+    void set_tls_sni(
+            const TCPTransportDescriptor* options);
+
     void cancel() override;
     void close() override;
     void shutdown(

diff --git a/src/cpp/rtps/xmlparser/XMLParser.cpp b/src/cpp/rtps/xmlparser/XMLParser.cpp
@@ -979,6 +979,13 @@ XMLP_ret XMLParser::parse_tls_config(
                 }
             }
         }
+        else if (config.compare(TLS_SERVER_NAME) == 0)
+        {
+            if (XMLP_ret::XML_OK != getXMLString(p_aux0, &pTCPDesc->tls_config.server_name, 0))
+            {
+                ret = XMLP_ret::XML_ERROR;
+            }
+        }
         else if (config.compare(TLS_VERIFY_MODE) == 0)
         {
             tinyxml2::XMLElement* p_verify = p_aux0->FirstChildElement();

diff --git a/src/cpp/rtps/xmlparser/XMLParserCommon.cpp b/src/cpp/rtps/xmlparser/XMLParserCommon.cpp
@@ -395,6 +395,7 @@ const char* TLS_DEFAULT_VERIFY_PATH = "default_verify_path";
 const char* TLS_VERIFY_DEPTH = "verify_depth";
 const char* TLS_RSA_PRIVATE_KEY_FILE = "rsa_private_key_file";
 const char* TLS_HANDSHAKE_ROLE = "handshake_role";
+const char* TLS_SERVER_NAME = "server_name";
 
 // TLS HandShake Role
 const char* TLS_HANDSHAKE_ROLE_DEFAULT = "DEFAULT";

diff --git a/test/mock/rtps/TCPTransportDescriptor/fastrtps/transport/TCPTransportDescriptor.h b/test/mock/rtps/TCPTransportDescriptor/fastrtps/transport/TCPTransportDescriptor.h
@@ -71,6 +71,7 @@ typedef struct TCPTransportDescriptor : public SocketTransportDescriptor
         int32_t verify_depth = -1; // don't override
         std::string rsa_private_key_file;
         TLSHandShakeRole handshake_role;
+        std::string server_name;
 
         void add_verify_mode(
                 const TLSVerifyMode verify)
@@ -117,6 +118,7 @@ typedef struct TCPTransportDescriptor : public SocketTransportDescriptor
             , verify_depth(t.verify_depth)
             , rsa_private_key_file(t.rsa_private_key_file)
             , handshake_role(t.handshake_role)
+            , server_name(t.server_name)
         {
         }
 
@@ -134,6 +136,7 @@ typedef struct TCPTransportDescriptor : public SocketTransportDescriptor
             , verify_depth(std::move(t.verify_depth))
             , rsa_private_key_file(std::move(t.rsa_private_key_file))
             , handshake_role(std::move(t.handshake_role))
+            , server_name(std::move(t.server_name))
         {
         }
 
@@ -152,6 +155,7 @@ typedef struct TCPTransportDescriptor : public SocketTransportDescriptor
             verify_depth = t.verify_depth;
             rsa_private_key_file = t.rsa_private_key_file;
             handshake_role = t.handshake_role;
+            server_name = t.server_name;
 
             return *this;
         }

diff --git a/test/unittest/transport/TCPv4Tests.cpp b/test/unittest/transport/TCPv4Tests.cpp
@@ -1152,6 +1152,114 @@ TEST_F(TCPv4Tests, send_and_receive_between_secure_ports_untrusted_server)
         sem.wait();
     }
 }
+
+/**
+ * @brief This test replicates the test \c send_and_receive_between_both_secure_ports but adds SNI server name
+ * to client to check that this does not affect communication
+ */
+TEST_F(TCPv4Tests, send_and_receive_between_both_secure_ports_with_sni)
+{
+    eprosima::fastdds::dds::Log::SetVerbosity(eprosima::fastdds::dds::Log::Kind::Info);
+
+    using TLSOptions = TCPTransportDescriptor::TLSConfig::TLSOptions;
+    using TLSVerifyMode = TCPTransportDescriptor::TLSConfig::TLSVerifyMode;
+
+    TCPv4TransportDescriptor recvDescriptor;
+    recvDescriptor.add_listener_port(g_default_port);
+    recvDescriptor.apply_security = true;
+    recvDescriptor.tls_config.password = "testkey";
+    recvDescriptor.tls_config.cert_chain_file = "mainpubcert.pem";
+    recvDescriptor.tls_config.private_key_file = "mainpubkey.pem";
+    recvDescriptor.tls_config.verify_file = "maincacert.pem";
+    // Server doesn't accept clients without certs
+    recvDescriptor.tls_config.verify_mode = TLSVerifyMode::VERIFY_PEER | TLSVerifyMode::VERIFY_FAIL_IF_NO_PEER_CERT;
+    recvDescriptor.tls_config.add_option(TLSOptions::DEFAULT_WORKAROUNDS);
+    recvDescriptor.tls_config.add_option(TLSOptions::SINGLE_DH_USE);
+    recvDescriptor.tls_config.add_option(TLSOptions::NO_COMPRESSION);
+    recvDescriptor.tls_config.add_option(TLSOptions::NO_SSLV2);
+    recvDescriptor.tls_config.add_option(TLSOptions::NO_SSLV3);
+    TCPv4Transport receiveTransportUnderTest(recvDescriptor);
+    receiveTransportUnderTest.init();
+
+    TCPv4TransportDescriptor sendDescriptor;
+    sendDescriptor.apply_security = true;
+    sendDescriptor.tls_config.password = "testkey";
+    sendDescriptor.tls_config.cert_chain_file = "mainsubcert.pem";
+    sendDescriptor.tls_config.private_key_file = "mainsubkey.pem";
+    sendDescriptor.tls_config.verify_file = "maincacert.pem";
+    sendDescriptor.tls_config.verify_mode = TLSVerifyMode::VERIFY_PEER;
+    sendDescriptor.tls_config.add_option(TLSOptions::DEFAULT_WORKAROUNDS);
+    sendDescriptor.tls_config.add_option(TLSOptions::SINGLE_DH_USE);
+    sendDescriptor.tls_config.add_option(TLSOptions::NO_COMPRESSION);
+    sendDescriptor.tls_config.add_option(TLSOptions::NO_SSLV2);
+    sendDescriptor.tls_config.add_option(TLSOptions::NO_SSLV3);
+    sendDescriptor.tls_config.server_name = "specific_server.com";
+    TCPv4Transport sendTransportUnderTest(sendDescriptor);
+    sendTransportUnderTest.init();
+
+    Locator_t inputLocator;
+    inputLocator.kind = LOCATOR_KIND_TCPv4;
+    inputLocator.port = g_default_port;
+    IPLocator::setIPv4(inputLocator, 127, 0, 0, 1);
+    IPLocator::setLogicalPort(inputLocator, 7410);
+
+    LocatorList_t locator_list;
+    locator_list.push_back(inputLocator);
+
+    Locator_t outputLocator;
+    outputLocator.kind = LOCATOR_KIND_TCPv4;
+    IPLocator::setIPv4(outputLocator, 127, 0, 0, 1);
+    outputLocator.port = g_default_port;
+    IPLocator::setLogicalPort(outputLocator, 7410);
+
+    {
+        MockReceiverResource receiver(receiveTransportUnderTest, inputLocator);
+        MockMessageReceiver* msg_recv = dynamic_cast<MockMessageReceiver*>(receiver.CreateMessageReceiver());
+        ASSERT_TRUE(receiveTransportUnderTest.IsInputChannelOpen(inputLocator));
+
+        SendResourceList send_resource_list;
+        ASSERT_TRUE(sendTransportUnderTest.OpenOutputChannel(send_resource_list, outputLocator));
+        ASSERT_FALSE(send_resource_list.empty());
+        octet message[5] = { 'H', 'e', 'l', 'l', 'o' };
+
+        Semaphore sem;
+        std::function<void()> recCallback = [&]()
+                {
+                    EXPECT_EQ(memcmp(message, msg_recv->data, 5), 0);
+                    sem.post();
+                };
+
+        msg_recv->setCallback(recCallback);
+
+        auto sendThreadFunction = [&]()
+                {
+                    Locators input_begin(locator_list.begin());
+                    Locators input_end(locator_list.end());
+
+                    bool sent =
+                            send_resource_list.at(0)->send(message, 5, &input_begin, &input_end,
+                                    (std::chrono::steady_clock::now() + std::chrono::microseconds(100)));
+                    while (!sent)
+                    {
+                        Locators l_input_begin(locator_list.begin());
+                        Locators l_input_end(locator_list.end());
+
+                        sent =
+                                send_resource_list.at(0)->send(message, 5, &l_input_begin, &l_input_end,
+                                        (std::chrono::steady_clock::now() + std::chrono::microseconds(100)));
+                        std::this_thread::sleep_for(std::chrono::milliseconds(100));
+                    }
+                    EXPECT_TRUE(sent);
+                    //EXPECT_TRUE(transportUnderTest.send(message, 5, outputLocator, inputLocator));
+                };
+
+        senderThread.reset(new std::thread(sendThreadFunction));
+        std::this_thread::sleep_for(std::chrono::milliseconds(1));
+        senderThread->join();
+        sem.wait();
+    }
+}
+
 #endif //TLS_FOUND
 
 TEST_F(TCPv4Tests, send_and_receive_between_allowed_localhost_interfaces_ports)

diff --git a/test/unittest/xmlparser/XMLParserTests.cpp b/test/unittest/xmlparser/XMLParserTests.cpp
@@ -1527,7 +1527,8 @@ TEST_F(XMLParserTests, parseTLSConfigPositiveClauses)
 /*
  * This test checks the negative cases of the TLS configuration via XML.
  * 1. Check that elements <password>, <private_key_file>, <rsa_private_key_file>, <cert_chain_file>, <tmp_dh_file>,
- * <verify_file>, <verify_depth>, <default_verify_path>, and <bad_element> return an xml error if their value is empty.
+ * <verify_file>, <verify_depth>, <default_verify_path>, <bad_element>, <server_name>
+ * return an xml error if their value is empty.
  * 2. Check all possible wrong configurations of <verify_paths>.
  * 3. Check all possible wrong configurations of <verify_mode>.
  * 4. Check all possible wrong configurations of <handshake_role>.
@@ -1543,7 +1544,8 @@ TEST_F(XMLParserTests, parseTLSConfigNegativeClauses)
     char xml[600];
 
     // Check that elements <password>, <private_key_file>, <rsa_private_key_file>, <cert_chain_file>, <tmp_dh_file>,
-    // <verify_file>, <verify_depth>, <default_verify_path>, and <bad_element> return an xml error if their value is empty.
+    // <verify_file>, <verify_depth>, <default_verify_path>, <bad_element>, <server_name>
+    // return an xml error if their value is empty.
     {
         // Parametrized XML
         const char* xml_p =
@@ -1557,6 +1559,7 @@ TEST_F(XMLParserTests, parseTLSConfigNegativeClauses)
             "password",
             "private_key_file",
             "rsa_private_key_file",
+            "server_name",
             "cert_chain_file",
             "tmp_dh_file",
             "verify_file",

diff --git a/test/unittest/xmlparser/XMLProfileParserTests.cpp b/test/unittest/xmlparser/XMLProfileParserTests.cpp
@@ -931,6 +931,7 @@ TEST_F(XMLProfileParserTests, tls_config)
     EXPECT_EQ("Chain.pem", descriptor->tls_config.cert_chain_file);
     EXPECT_EQ("DH.pem", descriptor->tls_config.tmp_dh_file);
     EXPECT_EQ("verify.pem", descriptor->tls_config.verify_file);
+    EXPECT_EQ("my_server.com", descriptor->tls_config.server_name);
     EXPECT_EQ(TCPTransportDescriptor::TLSConfig::TLSVerifyMode::VERIFY_PEER, descriptor->tls_config.verify_mode);
     EXPECT_TRUE(descriptor->tls_config.get_option(TCPTransportDescriptor::TLSConfig::TLSOptions::NO_TLSV1));
     EXPECT_TRUE(descriptor->tls_config.get_option(TCPTransportDescriptor::TLSConfig::TLSOptions::NO_TLSV1_1));

diff --git a/test/unittest/xmlparser/tls_config.xml b/test/unittest/xmlparser/tls_config.xml
@@ -12,6 +12,7 @@
                     <cert_chain_file>Chain.pem</cert_chain_file>
                     <tmp_dh_file>DH.pem</tmp_dh_file>
                     <verify_file>verify.pem</verify_file>
+                    <server_name>my_server.com</server_name>
                     <verify_mode>
                         <verify>VERIFY_PEER</verify>
                     </verify_mode>

diff --git a/versions.md b/versions.md
@@ -5,6 +5,7 @@ Forthcoming
 * Support `propagate` attribute for Properties in PropertyQoSPolicies so they could be
   set by user and sent in PDP
 * Added possibility to configure Ownership and Ownership Strength QoS Policies from XML profiles file
+* Added Server Name Indication (SNI) support for TLS-TCP communication
 
 Version 2.7.1
 -------------