Access ssl->hostname through abstractions

New abstractions to access ssl->hostname: mbedtls_ssl_has_set_hostname_been_called() (only implemented approximatively for now), mbedtls_ssl_get_hostname_pointer(), mbedtls_ssl_free_hostname(). Only access ssl->hostname directly in these functions and in mbedtls_ssl_set_hostname(). Use these abstractions to access the hostname with the opportunity for extra checks in mbedtls_ssl_verify_certificate(). No behavior change except for a new log message. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-29 11:41:15 +03:00 · 2025-02-12 23:28:48 +01:00
parent b3de9da6b0
commit e61852e4d2
3 changed files with 88 additions and 18 deletions
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@ -29,19 +29,20 @@ static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
                                  size_t *olen)
 {
    unsigned char *p = buf;
+    const char *hostname = mbedtls_ssl_get_hostname_pointer(ssl);
    size_t hostname_len;

    *olen = 0;

-    if (ssl->hostname == NULL) {
+    if (hostname == NULL) {
        return 0;
    }

    MBEDTLS_SSL_DEBUG_MSG(3,
                          ("client hello, adding server name extension: %s",
-                           ssl->hostname));
+                           hostname));

-    hostname_len = strlen(ssl->hostname);
+    hostname_len = strlen(hostname);

    MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);

@ -85,7 +86,7 @@ static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
    MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
    p += 2;

-    memcpy(p, ssl->hostname, hostname_len);
+    memcpy(p, hostname, hostname_len);

    *olen = hostname_len + 9;

@ -881,13 +882,14 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
    defined(MBEDTLS_SSL_SESSION_TICKETS) && \
    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    const char *context_hostname = mbedtls_ssl_get_hostname_pointer(ssl);
    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3  &&
        ssl->handshake->resume) {
-        int hostname_mismatch = ssl->hostname != NULL ||
+        int hostname_mismatch = context_hostname != NULL ||
                                session_negotiate->hostname != NULL;
-        if (ssl->hostname != NULL && session_negotiate->hostname != NULL) {
+        if (context_hostname != NULL && session_negotiate->hostname != NULL) {
            hostname_mismatch = strcmp(
-                ssl->hostname, session_negotiate->hostname) != 0;
+                context_hostname, session_negotiate->hostname) != 0;
        }

        if (hostname_mismatch) {
@ -898,7 +900,7 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
        }
    } else {
        return mbedtls_ssl_session_set_hostname(session_negotiate,
-                                                ssl->hostname);
+                                                context_hostname);
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
          MBEDTLS_SSL_SESSION_TICKETS &&