SSL: add config option for skipping common name check

ESP-Marius · ESP-Marius · commit 5e8950e681e5 · 2020-06-09T14:23:40.000+08:00
Closes IDFGH-3408 Closes #158
diff --git a/include/mqtt_client.h b/include/mqtt_client.h
@@ -182,6 +182,7 @@ typedef struct {
     int clientkey_password_len;             /*!< String length of the password pointed to by clientkey_password */
     esp_mqtt_protocol_ver_t protocol_ver;   /*!< MQTT protocol version used for connection, defaults to value from menuconfig*/
     int out_buffer_size;                    /*!< size of MQTT output buffer. If not defined, both output and input buffers have the same size defined as ``buffer_size`` */
+    bool skip_cert_common_name_check;       /*!< Skip any validation of server certificate CN field, this reduces the security of TLS and makes the mqtt client susceptible to MITM attacks  */
 } esp_mqtt_client_config_t;
 
 /**
diff --git a/include/mqtt_supported_features.h b/include/mqtt_supported_features.h
@@ -31,6 +31,7 @@
 #if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(3, 3, 0)
 // Features supported from 3.3
 #define MQTT_SUPPORTED_FEATURE_EVENT_LOOP
+#define MQTT_SUPPORTED_FEATURE_SKIP_CRT_CMN_NAME_CHECK
 #endif
 
 #if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(4, 0, 0)
@@ -48,4 +49,4 @@
 #endif
 #endif
 
-#endif // _MQTT_SUPPORTED_FEATURES_H_
+#endif // _MQTT_SUPPORTED_FEATURES_H_
diff --git a/mqtt_client.c b/mqtt_client.c
@@ -80,6 +80,7 @@ typedef struct {
     const char *clientkey_buf;
     size_t clientkey_bytes;
     const struct psk_key_hint *psk_hint_key;
+    bool skip_cert_common_name_check;
 } mqtt_config_storage_t;
 
 typedef enum {
@@ -239,6 +240,16 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
 #endif
     }
 
+
+    if (cfg->skip_cert_common_name_check) {
+#if defined(MQTT_SUPPORTED_FEATURE_SKIP_CRT_CMN_NAME_CHECK) && MQTT_ENABLE_SSL
+        esp_transport_ssl_skip_common_name_check(ssl);
+#else
+        ESP_LOGE(TAG, "Skip certificate common name check is not available in IDF version %s", IDF_VER);
+        goto esp_mqtt_set_transport_failed;
+#endif
+    }
+
     return ESP_OK;
 
     esp_mqtt_set_transport_failed:
@@ -416,6 +427,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
     cfg->clientkey_buf = config->client_key_pem;
     cfg->clientkey_bytes = config->client_key_len;
     cfg->psk_hint_key = config->psk_hint_key;
+    cfg->skip_cert_common_name_check = config->skip_cert_common_name_check;
 
     if (config->clientkey_password && config->clientkey_password_len) {
         cfg->clientkey_password_len = config->clientkey_password_len;
