1
0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-07-25 01:58:41 +08:00

Access ssl->hostname through abstractions in certificate verification

New abstractions to access ssl->hostname:
mbedtls_ssl_has_set_hostname_been_called(), mbedtls_ssl_free_hostname().

Use these abstractions to access the hostname with the opportunity for
extra checks in mbedtls_ssl_verify_certificate().

No behavior change except for a new log message.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2025-02-20 18:13:58 +01:00
parent e5054e495a
commit 4ac4008fa0

View File

@ -2516,6 +2516,36 @@ void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
/** Whether mbedtls_ssl_set_hostname() has been called.
*
* \param[in] ssl SSL context
*
* \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
* (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
* otherwise \c 0.
*/
static int mbedtls_ssl_has_set_hostname_been_called(
const mbedtls_ssl_context *ssl)
{
/* We can't tell the difference between the case where
* mbedtls_ssl_set_hostname() has not been called at all, and
* the case where it was last called with NULL. For the time
* being, we assume the latter, i.e. we behave as if there had
* been an implicit call to mbedtls_ssl_set_hostname(ssl, NULL). */
return ssl->hostname != NULL;
}
#endif
static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
{
if (ssl->hostname != NULL) {
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
}
ssl->hostname = NULL;
}
int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
{
/* Initialize to suppress unnecessary compiler warning */
@ -2533,10 +2563,7 @@ int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
/* Now it's clear that we will overwrite the old hostname,
* so we can free it safely */
if (ssl->hostname != NULL) {
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
}
mbedtls_ssl_free_hostname(ssl);
/* Passing NULL as hostname shall clear the old one */
@ -5295,9 +5322,7 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if (ssl->hostname != NULL) {
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
}
mbedtls_ssl_free_hostname(ssl);
#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
@ -8845,6 +8870,21 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
return ret;
}
static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
const char **hostname)
{
if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
}
*hostname = ssl->hostname;
if (*hostname == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
}
return 0;
}
int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
int authmode,
mbedtls_x509_crt *chain,
@ -8870,7 +8910,13 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
p_vrfy = ssl->conf->p_vrfy;
}
int ret = 0;
const char *hostname = "";
int ret = get_hostname_for_verification(ssl, &hostname);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
return ret;
}
int have_ca_chain_or_callback = 0;
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if (ssl->conf->f_ca_cb != NULL) {
@ -8883,7 +8929,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
ssl->conf->f_ca_cb,
ssl->conf->p_ca_cb,
ssl->conf->cert_profile,
ssl->hostname,
hostname,
&ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy);
} else
@ -8910,7 +8956,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
chain,
ca_chain, ca_crl,
ssl->conf->cert_profile,
ssl->hostname,
hostname,
&ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy, rs_ctx);
}