lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-06-25 12:41:56 +03:00
Code Activity

Create error code for mbedtls_ssl_set_hostname not called

Browse Source 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine
2025-02-13 13:46:03 +01:00
parent 6b8859467c
commit 0178dc9946
2 changed files with 34 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/mbedtls/error.h
View File

@ -81,7 +81,7 @@
* MD 5 5 * MD 5 5
* HKDF 5 1 (Started from top) * HKDF 5 1 (Started from top)
* PKCS7 5 12 (Started from 0x5300) * PKCS7 5 12 (Started from 0x5300)
* SSL 5 2 (Started from 0x5F00) * SSL 5 3 (Started from 0x5F00)
* CIPHER 6 8 (Started from 0x6080) * CIPHER 6 8 (Started from 0x6080)
* SSL 6 22 (Started from top, plus 0x6000) * SSL 6 22 (Started from top, plus 0x6000)
* SSL 7 20 (Started from 0x7000, gaps at * SSL 7 20 (Started from 0x7000, gaps at

33
include/mbedtls/ssl.h
View File

@ -166,6 +166,39 @@
#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00 #define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00
/** Invalid value in SSL config */ /** Invalid value in SSL config */
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 #define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80
/* Error space gap */
/** Attempt to verify a certificate without an expected hostname.
* This is usually insecure.
*
* In TLS clients, when a client authenticates a server through its
* certificate, the client normally checks three things:
* - the certificate chain must be valid;
* - the chain must start from a trusted CA;
* - the certificate must cover the server name that is expected by the client.
*
* Omitting any of these checks is generally insecure, and can allow a
* malicious server to impersonate a legitimate server.
*
* The third check may be safely skipped in some unusual scenarios,
* such as networks where eavesdropping is a risk but not active attacks,
* or a private PKI where the client equally trusts all servers that are
* accredited by the root CA.
*
* You should call mbedtls_ssl_set_hostname() with the expected server name
* before starting a TLS handshake on a client (unless the client is
* set up to only use PSK-based authentication, which does not rely on the
* host name). If you have determined that server name verification is not
* required for security in your scenario, call mbedtls_ssl_set_hostname()
* with \p NULL as the server name.
*
* This error is raised if all of the following conditions are met:
*
* - A TLS client is configured with the authentication mode
* #MBEDTLS_SSL_VERIFY_REQUIRED (default).
* - Certificate authentication is enabled.
* - The client does not call mbedtls_ssl_set_hostname().
*/
#define MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME -0x5D80
/* /*
* Constants from RFC 8446 for TLS 1.3 PSK modes * Constants from RFC 8446 for TLS 1.3 PSK modes