Tweaks to ssl hostname verification

Return SSL_FATAL, not SOCKET_ERROR so that connecting fails with a host we can't verify. Also return an error for OpenSSL internal errors. Free peername to avoid a memory leak. Signed-off-by: Jasper Wallace <jasper@arcolaenergy.com>

Tweaks to ssl hostname verification
Return SSL_FATAL, not SOCKET_ERROR so that connecting fails with a host we can't verify. Also return an error for OpenSSL internal errors. Free peername to avoid a memory leak. Signed-off-by: Jasper Wallace <jasper@arcolaenergy.com>
b1a0199c · Jasper Wallace · c897ebac · b1a0199c
Unverified Commit b1a0199c authored May 25, 2018 by Jasper Wallace
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

SSLSocket.c src/SSLSocket.c +7 -2

No files found.
--- a/src/SSLSocket.c
+++ b/src/SSLSocket.c
@@ -691,11 +691,16 @@ int SSLSocket_connect(SSL* ssl, int sock, const char* hostname, int verify)
 		hostname_len = MQTTProtocol_addressPort(hostname, &port, NULL);

 		rc = X509_check_host(cert, hostname, hostname_len, 0, &peername);
-		if (rc == 0)
-			rc = SOCKET_ERROR;
 		Log(TRACE_MIN, -1, "rc from X509_check_host is %d", rc);
 		Log(TRACE_MIN, -1, "peername from X509_check_host is %s", peername);
 		
+		if (peername != NULL)
+			OPENSSL_free(peername);
+
+		// 0 == fail, -1 == SSL internal error
+		if (rc == 0 || rc == -1)
+			rc = SSL_FATAL;
+
 		if (cert)
 			X509_free(cert);
 	}