
Expose mbedtls_ssl_get_hostname_pointer()

In 2.28, the `hostname` field of `mbedtls_ssl_context` is part of the public
API. We've slightly changed its meaning in order to fix a security issue.
Document the new function mbedtls_ssl_get_hostname_pointer() which
returns what used to be the value of this field.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Gilles Peskine
2025-02-20 17:44:48 +01:00
parent 7d193acf01
commit 6310e98fa5
4 changed files with 7 additions and 8 deletions


@ -8,6 +8,9 @@ Default behavior changes
call mbedtls_ssl_set_hostname() with NULL as the hostname, or
enable the new compile-time option
MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
The content of ssl->hostname after mbedtls_ssl_set_hostname(ssl, NULL)
has changed, see the documentation of the hostname field in the
mbedtls_ssl_context struct type for details.
Security
* Note that TLS clients should generally call mbedtls_ssl_set_hostname()


@ -1449,7 +1449,10 @@ struct mbedtls_ssl_context {
* \p hostname argument.
* - A special value to indicate that mbedtls_ssl_set_hostname()
* was called with \p NULL (as opposed to never having been called).
* See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`.
*
* If you need to obtain the value passed to
* mbedtls_ssl_set_hostname() even if it may have been called with
* \p NULL, call mbedtls_ssl_get_hostname_pointer().
*
* If this field contains the value \p NULL and the configuration option
* #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
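Review bot: The new paragraph ending in `call mbedtls_ssl_get_hostname_pointer().` directs application code to a function whose only declaration in this commit appears to live in a library-internal header (the third file's hunk context is `mbedtls_ssl_hs_hdr_len`, which suggests ssl_misc.h), so a program that includes only `mbedtls/ssl.h` would have no prototype for it. Either add the prototype to the public header next to this comment, or state explicitly where the declaration lives; the earlier line `See mbedtls_ssl_get_hostname_pointer() in ssl_tls.c` points readers at the implementation file rather than at a header they can include. If the prototype is meant to stay internal, I would change the new sentence to `* \p NULL, call mbedtls_ssl_get_hostname_pointer() (declared in the library-internal header, not in this file).` The struct definition and its comment continue outside the hunk.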


@ -1214,7 +1214,6 @@ static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
return 4;
}
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/** Get the host name from the SSL context.
*
* \param[in] ssl SSL context
@ -1224,7 +1223,6 @@ static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
* \p ssl or if it was last called with \p NULL.
*/
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl);
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
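Review bot: The doc comment on `mbedtls_ssl_get_hostname_pointer()` (the return text ending at `or if it was last called with \p NULL`) does not say who owns the returned pointer or how long it stays valid; the function's name and the comparison against `ssl->hostname` in the fourth file suggest it returns a pointer into the context, in which case callers need to know it presumably becomes invalid on the next mbedtls_ssl_set_hostname() or mbedtls_ssl_free() and must not be freed by them. I would add a line such as `* The returned pointer is owned by \p ssl and is only valid until the next call to mbedtls_ssl_set_hostname() or mbedtls_ssl_free() on \p ssl; the caller must not free it.` Separately, with the `#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)` / `#endif` lines apparently dropped (each hunk records one deletion and no addition), it is worth confirming that the declaration and definition still compile in configurations where the `hostname` field itself is not present. The first hunk's doc comment is cut by the second hunk header, so part of it is not visible here.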


@ -62,11 +62,6 @@ static int mbedtls_ssl_has_set_hostname_been_called(
}
#endif
/* Micro-optimization: don't export this function if it isn't needed outside
* of this source file. */
#if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
static
#endif
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
{
if (ssl->hostname == ssl_hostname_skip_cn_verification) {