mirror of
https://github.com/ARMmbed/mbedtls.git
synced 2025-07-25 01:58:41 +08:00
Access ssl->hostname through abstractions in certificate verification
New abstractions to access ssl->hostname: mbedtls_ssl_has_set_hostname_been_called(), mbedtls_ssl_free_hostname(). Use these abstractions to access the hostname with the opportunity for extra checks in mbedtls_ssl_verify_certificate(). No behavior change except for a new log message. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
parent
e5054e495a
commit
4ac4008fa0
@ -2516,6 +2516,36 @@ void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/** Whether mbedtls_ssl_set_hostname() has been called.
|
||||
*
|
||||
* \param[in] ssl SSL context
|
||||
*
|
||||
* \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
|
||||
* (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
|
||||
* otherwise \c 0.
|
||||
*/
|
||||
static int mbedtls_ssl_has_set_hostname_been_called(
|
||||
const mbedtls_ssl_context *ssl)
|
||||
{
|
||||
/* We can't tell the difference between the case where
|
||||
* mbedtls_ssl_set_hostname() has not been called at all, and
|
||||
* the case where it was last called with NULL. For the time
|
||||
* being, we assume the latter, i.e. we behave as if there had
|
||||
* been an implicit call to mbedtls_ssl_set_hostname(ssl, NULL). */
|
||||
return ssl->hostname != NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
if (ssl->hostname != NULL) {
|
||||
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
|
||||
}
|
||||
ssl->hostname = NULL;
|
||||
}
|
||||
|
||||
int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
|
||||
{
|
||||
/* Initialize to suppress unnecessary compiler warning */
|
||||
@ -2533,10 +2563,7 @@ int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
|
||||
|
||||
/* Now it's clear that we will overwrite the old hostname,
|
||||
* so we can free it safely */
|
||||
|
||||
if (ssl->hostname != NULL) {
|
||||
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
|
||||
}
|
||||
mbedtls_ssl_free_hostname(ssl);
|
||||
|
||||
/* Passing NULL as hostname shall clear the old one */
|
||||
|
||||
@ -5295,9 +5322,7 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
if (ssl->hostname != NULL) {
|
||||
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
|
||||
}
|
||||
mbedtls_ssl_free_hostname(ssl);
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
|
||||
@ -8845,6 +8870,21 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
|
||||
const char **hostname)
|
||||
{
|
||||
if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
|
||||
}
|
||||
|
||||
*hostname = ssl->hostname;
|
||||
if (*hostname == NULL) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
|
||||
int authmode,
|
||||
mbedtls_x509_crt *chain,
|
||||
@ -8870,7 +8910,13 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
|
||||
p_vrfy = ssl->conf->p_vrfy;
|
||||
}
|
||||
|
||||
int ret = 0;
|
||||
const char *hostname = "";
|
||||
int ret = get_hostname_for_verification(ssl, &hostname);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int have_ca_chain_or_callback = 0;
|
||||
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||
if (ssl->conf->f_ca_cb != NULL) {
|
||||
@ -8883,7 +8929,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
|
||||
ssl->conf->f_ca_cb,
|
||||
ssl->conf->p_ca_cb,
|
||||
ssl->conf->cert_profile,
|
||||
ssl->hostname,
|
||||
hostname,
|
||||
&ssl->session_negotiate->verify_result,
|
||||
f_vrfy, p_vrfy);
|
||||
} else
|
||||
@ -8910,7 +8956,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
|
||||
chain,
|
||||
ca_chain, ca_crl,
|
||||
ssl->conf->cert_profile,
|
||||
ssl->hostname,
|
||||
hostname,
|
||||
&ssl->session_negotiate->verify_result,
|
||||
f_vrfy, p_vrfy, rs_ctx);
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user