Make function mbedtls_ssl_set_hostname(...) as optional
Now function mbedtls_ssl_set_hostname is compile-time configurable
in config.h with define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION.
This affects to many x509 API's. See config.h for details.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 5da4f11..0b43802 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1979,6 +1979,44 @@
//#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
/**
+ * \def MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+ *
+ * Remove hostname verification from APIs related to X.509 certificate validation.
+ *
+ * \warning Uncommenting this affects parsing and verification of
+ * X.509 certificate by leaving Common Name and Subject Alternative Name fields out
+ * of parsing and verification.
+ *
+ * Affected API's:
+ * - mbedtls_ssl_set_hostname() not available.
+ * - mbedtls_x509_crt_get_subject_alt_names() not available.
+ * - mbedtls_x509_crt_parse_der(): Subject Alternative Name field
+ * is not parsed.
+ * - mbedtls_x509_crt_parse_der_nocopy(): Subject Alternative Name field
+ * is not parsed.
+ * - mbedtls_x509_crt_parse(): Subject Alternative Name field
+ * is not parsed.
+ * - mbedtls_x509_crt_parse_file(): Subject Alternative Name field
+ * is not parsed.
+ * - mbedtls_x509_crt_parse_path(): Subject Alternative Name field
+ * is not parsed.
+ * - mbedtls_x509_crt_info(): Subject Alternative Name field
+ * is not parsed.
+ * - mbedtls_x509_crt_verify(): param \c cn is omitted from the API.
+ * - mbedtls_x509_crt_verify_with_profile(): param \c cn is omitted from the API.
+ * - mbedtls_x509_crt_verify_restartable(): param \c cn is omitted from the API.
+ * -
+ *
+ * Affected structs
+ * - ::mbedtls_x509_crt_frame: subject_alt_raw is defined out.
+ * - ::mbedtls_x509_crt: subject_alt_names is defined out.
+ *
+ * Uncomment this to save some code and RAM on constrained systems which
+ * don't need hostname verification.
+ */
+//#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+
+/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b6a3b60..7efb411 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1386,10 +1386,10 @@
/*
* User settings
*/
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
char *hostname; /*!< expected peer CN for verification
(and SNI if available) */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_SSL_ALPN)
const char *alpn_chosen; /*!< negotiated protocol */
@@ -2921,7 +2921,7 @@
const int *hashes );
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/**
* \brief Set or reset the hostname to check against the received
* server certificate. It sets the ServerName TLS extension,
@@ -2941,7 +2941,7 @@
* On too long input failure, old hostname is unchanged.
*/
int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/**
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index c8f488c..f3ef572 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -96,9 +96,10 @@
mbedtls_x509_buf_raw v3_ext; /**< The raw data for the extension list in the certificate.
* Might be useful for manual inspection of extensions that
* Mbed TLS doesn't yet support. */
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_buf_raw subject_alt_raw; /**< The raw data for the SubjectAlternativeNames extension. */
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
mbedtls_x509_buf_raw ext_key_usage_raw; /**< The raw data for the ExtendedKeyUsage extension. */
-
} mbedtls_x509_crt_frame;
/**
@@ -140,7 +141,9 @@
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
int ext_types; /**< Bit string containing detected and parsed extensions */
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
@@ -499,7 +502,10 @@
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
- const char *cn, uint32_t *flags,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
+ const char *cn,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
+ uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
@@ -534,7 +540,10 @@
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile,
- const char *cn, uint32_t *flags,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
+ const char *cn,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
+ uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
@@ -564,7 +573,10 @@
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile,
- const char *cn, uint32_t *flags,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
+ const char *cn,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
+ uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy,
mbedtls_x509_crt_restart_ctx *rs_ctx );
@@ -747,6 +759,7 @@
int mbedtls_x509_crt_get_issuer( mbedtls_x509_crt const *crt,
mbedtls_x509_name **issuer );
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/**
* \brief Request the subject alternative name of a CRT, presented
* as a dynamically allocated linked list.
@@ -771,6 +784,7 @@
*/
int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt,
mbedtls_x509_sequence **subj_alt );
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
/**
* \brief Request the ExtendedKeyUsage extension of a CRT,