#1580 Also using optional SSL serverName for certificate verification.

Author: fpagliughi

src/MQTTAsyncUtils.c

@@ -2851,6 +2851,8 @@ static int MQTTAsync_connecting(MQTTAsyncs* m)
 	char* serverURI = m->serverURI;
 #if defined(OPENSSL)
 	int default_port = MQTT_DEFAULT_PORT;
+	const char* hostname = NULL;  // Host name for SNI & verification
+	size_t hostname_len = 0;
 #endif
 
 	FUNC_ENTRY;
@@ -2918,7 +2920,6 @@ static int MQTTAsync_connecting(MQTTAsyncs* m)
 		if (m->ssl)
 		{
 			int port;
-			size_t hostname_len;
 			int setSocketForSSLrc = 0;
 
 			if (m->c->net.https_proxy) {
@@ -2927,19 +2928,19 @@ static int MQTTAsync_connecting(MQTTAsyncs* m)
 					goto exit;
 			}
 
-			hostname_len = MQTTProtocol_addressPort(serverURI, &port, NULL, default_port);
+			hostname = SSLSocket_getHostName(serverURI, m->c->sslopts, &hostname_len);
 			setSocketForSSLrc = SSLSocket_setSocketForSSL(&m->c->net, m->c->sslopts,
-					serverURI, hostname_len);
+					hostname, hostname_len);
 
 			if (setSocketForSSLrc != MQTTASYNC_SUCCESS)
 			{
 				if (m->c->session != NULL)
 					if ((rc = SSL_set_session(m->c->net.ssl, m->c->session)) != 1)
 						Log(TRACE_MIN, -1, "Failed to set SSL session with stored data, non critical");
 				rc = m->c->sslopts->struct_version >= 3 ?
-					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, serverURI,
+					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, hostname, hostname_len,
 						m->c->sslopts->verify, m->c->sslopts->ssl_error_cb, m->c->sslopts->ssl_error_context) :
-					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, serverURI,
+					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, hostname, hostname_len,
 						m->c->sslopts->verify, NULL, NULL);
 				if (rc == TCPSOCKET_INTERRUPTED)
 				{
@@ -3009,10 +3010,12 @@ static int MQTTAsync_connecting(MQTTAsyncs* m)
 #if defined(OPENSSL)
 	else if (m->c->connect_state == SSL_IN_PROGRESS) /* SSL connect sent - wait for completion */
 	{
+		hostname = SSLSocket_getHostName(serverURI, m->c->sslopts, &hostname_len);
+
 		rc = m->c->sslopts->struct_version >= 3 ?
-			SSLSocket_connect(m->c->net.ssl, m->c->net.socket, serverURI,
+			SSLSocket_connect(m->c->net.ssl, m->c->net.socket, hostname, hostname_len,
 				m->c->sslopts->verify, m->c->sslopts->ssl_error_cb, m->c->sslopts->ssl_error_context) :
-			SSLSocket_connect(m->c->net.ssl, m->c->net.socket, serverURI,
+			SSLSocket_connect(m->c->net.ssl, m->c->net.socket, hostname, hostname_len,
 				m->c->sslopts->verify, NULL, NULL);
 		if (rc != 1)
 			goto exit;

src/MQTTClient.c

@@ -995,10 +995,14 @@ static thread_return_type WINAPI MQTTClient_run(void* n)
 #if defined(OPENSSL)
 			else if (m->c->connect_state == SSL_IN_PROGRESS)
 			{
+				const char* hostname;
+				size_t hostname_len;
+
+				hostname = SSLSocket_getHostName(m->serverURI, m->c->sslopts, &hostname_len);
 				rc = m->c->sslopts->struct_version >= 3 ?
-					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, m->serverURI,
+					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, hostname, hostname_len,
 						m->c->sslopts->verify, m->c->sslopts->ssl_error_cb, m->c->sslopts->ssl_error_context) :
-					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, m->serverURI,
+					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, hostname, hostname_len,
 						m->c->sslopts->verify, NULL, NULL);
 				if (rc == 1 || rc == SSL_FATAL)
 				{
@@ -1282,7 +1286,7 @@ static MQTTResponse MQTTClient_connectURIVersion(MQTTClient handle, MQTTClient_c
 #if defined(OPENSSL)
 		if (m->ssl)
 		{
-			int port1;
+			const char* hostname;
 			size_t hostname_len;
 			const char *topic;
 			int setSocketForSSLrc = 0;
@@ -1293,19 +1297,20 @@ static MQTTResponse MQTTClient_connectURIVersion(MQTTClient handle, MQTTClient_c
 					goto exit;
 			}
 
-			hostname_len = MQTTProtocol_addressPort(serverURI, &port1, &topic, MQTT_DEFAULT_PORT);
+			hostname = SSLSocket_getHostName(serverURI, m->c->sslopts, &hostname_len);
+
 			setSocketForSSLrc = SSLSocket_setSocketForSSL(&m->c->net, m->c->sslopts,
-				serverURI, hostname_len);
+				hostname, hostname_len);
 
 			if (setSocketForSSLrc != MQTTCLIENT_SUCCESS)
 			{
 				if (m->c->session != NULL)
 					if ((rc = SSL_set_session(m->c->net.ssl, m->c->session)) != 1)
 						Log(TRACE_MIN, -1, "Failed to set SSL session with stored data, non critical");
 				rc = m->c->sslopts->struct_version >= 3 ?
-					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, serverURI,
+					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, hostname, hostname_len,
 						m->c->sslopts->verify, m->c->sslopts->ssl_error_cb, m->c->sslopts->ssl_error_context) :
-					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, serverURI,
+					SSLSocket_connect(m->c->net.ssl, m->c->net.socket, hostname, hostname_len,
 						m->c->sslopts->verify, NULL, NULL);
 				if (rc == TCPSOCKET_INTERRUPTED)
 					m->c->connect_state = SSL_IN_PROGRESS;  /* the connect is still in progress */
@@ -2759,11 +2764,15 @@ static MQTTPacket* MQTTClient_waitfor(MQTTClient handle, int packet_type, int* r
 #if defined(OPENSSL)
 				else if (m->c->connect_state == SSL_IN_PROGRESS)
 				{
+					const char* hostname;
+					size_t hostname_len;
+
+					hostname = SSLSocket_getHostName(m->currentServerURI, m->c->sslopts, &hostname_len);
 
 					*rc = m->c->sslopts->struct_version >= 3 ?
-						SSLSocket_connect(m->c->net.ssl, sock, m->currentServerURI,
+						SSLSocket_connect(m->c->net.ssl, sock, hostname, hostname_len,
 							m->c->sslopts->verify, m->c->sslopts->ssl_error_cb, m->c->sslopts->ssl_error_context) :
-						SSLSocket_connect(m->c->net.ssl, sock, m->currentServerURI,
+						SSLSocket_connect(m->c->net.ssl, sock, hostname, hostname_len,
 							m->c->sslopts->verify, NULL, NULL);
 					if (*rc == SSL_FATAL)
 						break;

src/MQTTProtocolOut.c

@@ -290,16 +290,21 @@ int MQTTProtocol_connect(const char* address, Clients* aClient, int unixsock, in
 #if defined(OPENSSL)
 		if (ssl)
 		{
+			const char* hostname;
+			size_t hostname_len;
+
 			if (aClient->net.https_proxy) {
 				aClient->connect_state = PROXY_CONNECT_IN_PROGRESS;
 				rc = Proxy_connect( &aClient->net, 1, address);
 			}
-			if (rc == 0 && SSLSocket_setSocketForSSL(&aClient->net, aClient->sslopts, address, addr_len) == 1)
+
+			hostname = SSLSocket_getHostName(address, aClient->sslopts, &hostname_len);
+			if (rc == 0 && SSLSocket_setSocketForSSL(&aClient->net, aClient->sslopts, hostname, hostname_len) == 1)
 			{
 				rc = aClient->sslopts->struct_version >= 3 ?
-					SSLSocket_connect(aClient->net.ssl, aClient->net.socket, address,
+					SSLSocket_connect(aClient->net.ssl, aClient->net.socket, hostname, hostname_len,
 						aClient->sslopts->verify, aClient->sslopts->ssl_error_cb, aClient->sslopts->ssl_error_context) :
-					SSLSocket_connect(aClient->net.ssl, aClient->net.socket, address,
+					SSLSocket_connect(aClient->net.ssl, aClient->net.socket, hostname, hostname_len,
 						aClient->sslopts->verify, NULL, NULL);
 				if (rc == TCPSOCKET_INTERRUPTED)
 					aClient->connect_state = SSL_IN_PROGRESS; /* SSL connect called - wait for completion */

src/SSLSocket.c

@@ -85,6 +85,32 @@ static int tls_ex_index_ssl_opts;
 #define snprintf _snprintf
 #endif
 
+/**
+ * Gets the hostname to use for SNI and host verification.
+ * This will use the `serverName` in the SSL options if one is provided,
+ * otherise will extract the host name from the URI and use that.
+ * @param serverURI The server URI
+ * @param opts The SSL options
+ * @param hostname_len Gets the string length of the returned host name.
+ * @return The host name to use for SNI and verification.
+ */
+const char* SSLSocket_getHostName(const char* serverURI, MQTTClient_SSLOptions* opts, size_t* hostname_len)
+{
+	const char *hostname = NULL;
+	int port;
+
+	/* If servername is set in the SSL options, use that for the hostname */
+	if (opts->struct_version >= 6 && opts->serverName != NULL) {
+		hostname = opts->serverName;
+		*hostname_len = strnlen(hostname, MAXHOSTNAMELEN);
+	}
+	else {
+		hostname = serverURI;
+		*hostname_len = MQTTProtocol_addressPort(serverURI, &port, NULL, 0);
+	}
+	return hostname;
+}
+
 /**
  * Gets the specific error corresponding to SOCKET_ERROR
  * @param aString the function that was being used when the error occurred
@@ -740,11 +766,6 @@ int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts,
 			else
 				SSLSocket_error("SSL_set_fd", net->ssl, net->socket, rc, NULL, NULL);
 		}
-		/* If servername is set in the options, use that for the hostname */
-		if (opts->struct_version >= 6 && opts->serverName != NULL) {
-			hostname = opts->serverName;
-			hostname_len = strnlen(hostname, MAXHOSTNAMELEN);
-		}
 		hostname_plus_null = malloc(hostname_len + 1u );
 		if (hostname_plus_null)
 		{
@@ -769,7 +790,8 @@ int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts,
 /*
  * Return value: 1 - success, TCPSOCKET_INTERRUPTED - try again, anything else is failure
  */
-int SSLSocket_connect(SSL* ssl, SOCKET sock, const char* hostname, int verify, int (*cb)(const char *str, size_t len, void *u), void* u)
+int SSLSocket_connect(SSL* ssl, SOCKET sock, const char* hostname, size_t hostname_len,
+					  int verify, int (*cb)(const char *str, size_t len, void *u), void* u)
 {
 	int rc = 0;
 
@@ -790,12 +812,10 @@ int SSLSocket_connect(SSL* ssl, SOCKET sock, const char* hostname, int verify, i
 	else if (verify)
 	{
 		char* peername = NULL;
-		int port;
-		size_t hostname_len;
 
 		X509* cert = SSL_get_peer_certificate(ssl);
-		hostname_len = MQTTProtocol_addressPort(hostname, &port, NULL, MQTT_DEFAULT_PORT);
 
+		Log(TRACE_PROTOCOL, -1, "X509_check_host for hostname %s", hostname);
 		rc = X509_check_host(cert, hostname, hostname_len, 0, &peername);
 		if (rc == 1)
 			Log(TRACE_PROTOCOL, -1, "peername from X509_check_host is %s", peername);

src/SSLSocket.h

@@ -36,16 +36,22 @@
 /** if we should handle openssl initialization (bool_value == 1) or depend on it to be initalized externally (bool_value == 0) */
 void SSLSocket_handleOpensslInit(int bool_value);
 
+/** Get the host name to use for verification either from the URI or options */
+const char* SSLSocket_getHostName(const char* serverURI, MQTTClient_SSLOptions* opts,
+								  size_t* hostname_len);
+
 int SSLSocket_initialize(void);
 void SSLSocket_terminate(void);
-int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts, const char* hostname, size_t hostname_len);
+int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts,
+							  const char* hostname, size_t hostname_len);
 
 int SSLSocket_getch(SSL* ssl, SOCKET socket, char* c);
 char *SSLSocket_getdata(SSL* ssl, SOCKET socket, size_t bytes, size_t* actual_len, int* rc);
 
 int SSLSocket_close(networkHandles* net);
 int SSLSocket_putdatas(SSL* ssl, SOCKET socket, char* buf0, size_t buf0len, PacketBuffers bufs);
-int SSLSocket_connect(SSL* ssl, SOCKET sock, const char* hostname, int verify, int (*cb)(const char *str, size_t len, void *u), void* u);
+int SSLSocket_connect(SSL* ssl, SOCKET sock, const char* hostname, size_t hostname_len,
+					  int verify, int (*cb)(const char *str, size_t len, void *u), void* u);
 
 SOCKET SSLSocket_getPendingRead(void);
 int SSLSocket_continueWrite(pending_writes* pw);