Added support to set server common name.

espressif · Jun 8, 2023 · 6195762 · 6195762
1 parent ffd7d4d
commit 6195762
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/include/mqtt_client.h b/include/mqtt_client.h
@@ -260,6 +260,10 @@ typedef struct esp_mqtt_client_config_t {
             bool skip_cert_common_name_check; /*!< Skip any validation of server certificate CN field, this reduces the
                                       security of TLS and makes the *MQTT* client susceptible to MITM attacks  */
             const char **alpn_protos;        /*!< NULL-terminated list of supported application protocols to be used for ALPN */
+			const char *common_name;         /*!< Pointer to the string containing server certificate common name.
+                                                               If non-NULL, server certificate CN must match this name,
+                                                               If NULL, server certificate CN must match hostname.
+                                                               This is ignored if skip_cert_common_name_check=true. */
         } verification; /*!< Security verification of the broker */
     } broker; /*!< Broker address and security verification */
     /**

diff --git a/include/mqtt_supported_features.h b/include/mqtt_supported_features.h
@@ -64,5 +64,11 @@
 #define MQTT_SUPPORTED_FEATURE_CERTIFICATE_BUNDLE
 #endif
 
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 1, 0)
+// Features supported in 5.1.0
+#define MQTT_SUPPORTED_FEATURE_CRT_CMN_NAME
+#endif
+
+
 #endif /* ESP_IDF_VERSION */
 #endif // _MQTT_SUPPORTED_FEATURES_H_
diff --git a/lib/include/mqtt_client_priv.h b/lib/include/mqtt_client_priv.h
@@ -88,6 +88,7 @@ typedef struct {
     size_t clientkey_bytes;
     const struct psk_key_hint *psk_hint_key;
     bool skip_cert_common_name_check;
+    const char *common_name;
     bool use_secure_element;
     void *ds_data;
     int message_retransmit_timeout;

diff --git a/mqtt_client.c b/mqtt_client.c
@@ -181,6 +181,15 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
 #endif
     }
 
+    if (cfg->common_name) {
+#if defined(MQTT_SUPPORTED_FEATURE_CRT_CMN_NAME) && MQTT_ENABLE_SSL
+        esp_transport_ssl_set_common_name(ssl, cfg->common_name);
+#else
+        ESP_LOGE(TAG, "Setting expected certificate common name is not available in IDF version %s", IDF_VER);
+        goto esp_mqtt_set_transport_failed;
+#endif
+    }
+
     if (cfg->use_secure_element) {
 #ifdef MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT
 #ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
@@ -509,6 +518,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
     client->config->clientkey_buf = config->credentials.authentication.key;
     client->config->clientkey_bytes = config->credentials.authentication.key_len;
     client->config->skip_cert_common_name_check = config->broker.verification.skip_cert_common_name_check;
+    client->config->common_name = config->broker.verification.common_name;
     client->config->use_secure_element = config->credentials.authentication.use_secure_element;
     client->config->ds_data = config->credentials.authentication.ds_data;