
Expose mbedtls_ssl_get_hostname_pointer()

In 2.28, the `hostname` field of `mbedtls_ssl_context` is part of the public
API. We've slightly changed its meaning in order to fix a security issue.
Document the new function mbedtls_ssl_get_hostname_pointer() which
returns what used to be the value of this field.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine
2025-02-20 17:44:48 +01:00
parent 7d193acf01
commit 6310e98fa5
4 changed files with 7 additions and 8 deletions


@ -8,6 +8,9 @@ Default behavior changes
call mbedtls_ssl_set_hostname() with NULL as the hostname, or call mbedtls_ssl_set_hostname() with NULL as the hostname, or
enable the new compile-time option enable the new compile-time option
MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
The content of ssl->hostname after mbedtls_ssl_set_hostname(ssl, NULL)
has changed, see the documentation of the hostname field in the
mbedtls_ssl_context struct type for details.
Security Security
* Note that TLS clients should generally call mbedtls_ssl_set_hostname() * Note that TLS clients should generally call mbedtls_ssl_set_hostname()


@ -1449,7 +1449,10 @@ struct mbedtls_ssl_context {
* \p hostname argument. * \p hostname argument.
* - A special value to indicate that mbedtls_ssl_set_hostname() * - A special value to indicate that mbedtls_ssl_set_hostname()
* was called with \p NULL (as opposed to never having been called). * was called with \p NULL (as opposed to never having been called).
* See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`. *
* If you need to obtain the value passed to
* mbedtls_ssl_set_hostname() even if it may have been called with
* \p NULL, call mbedtls_ssl_get_hostname_pointer().
* *
* If this field contains the value \p NULL and the configuration option * If this field contains the value \p NULL and the configuration option
* #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME * #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
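Review bot: The added sentences direct readers of this public struct documentation to call mbedtls_ssl_get_hostname_pointer(), but the prototype this commit un-guards (next file section) sits beside mbedtls_ssl_hs_hdr_len() and mbedtls_ssl_send_flight_completed(), which looks like the library's internal header rather than this public one, so an application following the advice has nothing to include. Either move the prototype into this header or make the comment honest about its status, e.g. `* \p NULL, call mbedtls_ssl_get_hostname_pointer() (note: this function is not declared in a public header).` If, as the ssl_tls.c hunk suggests, the function hands back ssl->hostname itself, the comment should also say that the returned pointer is owned by the context, must not be freed, and is invalidated by the next mbedtls_ssl_set_hostname() or mbedtls_ssl_free() — to be confirmed against the function body, which is outside this view.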


@ -1214,7 +1214,6 @@ static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
return 4; return 4;
} }
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/** Get the host name from the SSL context. /** Get the host name from the SSL context.
* *
* \param[in] ssl SSL context * \param[in] ssl SSL context
@ -1224,7 +1223,6 @@ static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
* \p ssl or if it was last called with \p NULL. * \p ssl or if it was last called with \p NULL.
*/ */
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl); const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl);
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl); void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
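Review bot: Dropping the MBEDTLS_SSL_SERVER_NAME_INDICATION guard leaves the prototype of mbedtls_ssl_get_hostname_pointer() unconditional, while the `hostname` field it reads and the definition in ssl_tls.c (whose surrounding guard is outside this hunk) may be conditional on MBEDTLS_X509_CRT_PARSE_C; if they are, the declaration should carry the same guard so declaration and definition stay in step, i.e. wrap it in `#if defined(MBEDTLS_X509_CRT_PARSE_C)` … `#endif /* MBEDTLS_X509_CRT_PARSE_C */`. The same consideration applies to the ssl_tls.c hunk, where removing `static` gives the definition external linkage in every configuration, so the symbol becomes part of the library's exported surface without a public-header declaration. The doc comment beginning `Get the host name from the SSL context.` is cut by the hunk boundary; its \return text should state that the pointer aliases context-owned storage and is not to be freed by the caller.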


@ -62,11 +62,6 @@ static int mbedtls_ssl_has_set_hostname_been_called(
} }
#endif #endif
/* Micro-optimization: don't export this function if it isn't needed outside
* of this source file. */
#if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
static
#endif
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl) const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
{ {
if (ssl->hostname == ssl_hostname_skip_cn_verification) { if (ssl->hostname == ssl_hostname_skip_cn_verification) {