Make function mbedtls_ssl_set_hostname(...) as optional
Now function mbedtls_ssl_set_hostname is compile-time configurable
in config.h with define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION.
This affects many X.509 APIs (several verify functions lose their `cn` parameter). See config.h for details.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 8903431..a90303d 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -51,7 +51,7 @@
#include "mbedtls/platform_util.h"
#endif
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
size_t *olen )
@@ -119,7 +119,7 @@
*olen = hostname_len + 9;
}
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
@@ -1057,7 +1057,7 @@
// First write extensions, then the total length
//
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif
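Review bot: Gating the `ssl_write_hostname_ext()` call here (and its definition in the first hunk) on `!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION` ties a transport feature to certificate-name checking: a client built with the option no longer sends server_name at all even though MBEDTLS_SSL_SERVER_NAME_INDICATION is still defined, so it cannot reach servers that select their certificate by SNI. If the intent is only to skip the name match, consider keeping `ssl->hostname`, `mbedtls_ssl_set_hostname()` and this extension, and dropping only the `cn` argument passed to the verifier; otherwise config.h should state plainly that the option also disables client-side SNI. The ClientHello-writing function this sits in starts and ends outside the hunk.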
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a6492f4..c8bd66b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6910,7 +6910,9 @@
chain,
ca_chain, ca_crl,
ssl->conf->cert_profile,
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
ssl->hostname,
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&ssl->session_negotiate->verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
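Review bot: With MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION the verifier call here still checks the peer chain against `ca_chain` but never binds it to the intended server, and `verify_result` can no longer carry MBEDTLS_X509_BADCERT_CN_MISMATCH, so any certificate issued by a trusted CA is accepted for any host and an active interceptor holding such a certificate goes unnoticed. That is only defensible where the application pins the peer certificate or checks identity in `f_vrfy`, and the call site should say so, e.g. `/* Hostname check compiled out: identity binding must be done by f_vrfy or pinning. */`. The added inner `#if` also re-tests MBEDTLS_X509_CRT_PARSE_C, which this code is presumably already under; if so the guard can be reduced to the new macro alone. The enclosing function begins and ends outside this hunk.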
@@ -8991,7 +8993,7 @@
#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */
#endif /* MBEDTLS_ECP_C */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
{
/* Initialize to suppress unnecessary compiler warning */
@@ -9035,7 +9037,7 @@
return( 0 );
}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
@@ -11789,7 +11791,7 @@
mbedtls_free( ssl->session );
}
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( ssl->hostname != NULL )
{
mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
diff --git a/library/version_features.c b/library/version_features.c
index 102b521..bb655c0 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -573,6 +573,9 @@
#if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
"MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID",
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
+#if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ "MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION",
+#endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
"MBEDTLS_X509_RSASSA_PSS_SUPPORT",
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
diff --git a/library/x509.c b/library/x509.c
index a6c6584..19cc64b 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1250,7 +1250,11 @@
if( verbose != 0 )
mbedtls_printf( "passed\n X.509 signature verify: ");
- ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
+ ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ NULL,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ &flags, NULL, NULL );
if( ret != 0 )
{
if( verbose != 0 )
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 0c158f8..1c4237b 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -102,8 +102,10 @@
mbedtls_x509_name *subject );
static int x509_crt_issuer_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_name *issuer );
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_sequence *subject_alt );
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_sequence *ext_key_usage );
@@ -333,6 +335,7 @@
memset( cache, 0, sizeof( *cache ) );
}
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt,
mbedtls_x509_sequence **subj_alt )
{
@@ -355,6 +358,7 @@
*subj_alt = seq;
return( ret );
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
int mbedtls_x509_crt_get_ext_key_usage( mbedtls_x509_crt const *crt,
mbedtls_x509_sequence **ext_key_usage )
@@ -613,6 +617,7 @@
return( -1 );
}
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/*
* Return 0 if name matches wildcard, -1 otherwise
*/
@@ -648,6 +653,7 @@
return( -1 );
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
/*
* Reset (init or clear) a verify_chain
@@ -934,6 +940,7 @@
(void *) &ext_key_usage ) );
}
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/*
* SubjectAltName ::= GeneralNames
*
@@ -972,6 +979,7 @@
asn1_build_sequence_cb,
(void *) &subject_alt_name ) );
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
/*
* X.509 v3 extensions
@@ -1077,10 +1085,10 @@
break;
case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/* Copy reference to raw subject alt name data. */
frame->subject_alt_raw.p = p;
frame->subject_alt_raw.len = end_ext_octet - p;
-
ret = mbedtls_asn1_traverse_sequence_of( &p, end_ext_octet,
MBEDTLS_ASN1_TAG_CLASS_MASK,
MBEDTLS_ASN1_CONTEXT_SPECIFIC,
@@ -1089,6 +1097,7 @@
NULL, NULL );
if( ret != 0 )
goto err;
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
break;
case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
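Review bot: Wrapping the whole `case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:` body in `#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)` (the `#if` opens in the preceding hunk) also removes the `mbedtls_asn1_traverse_sequence_of( ..., NULL, NULL )` pass whose only purpose is to reject a malformed SubjectAltName, so with the option set a certificate with a syntactically invalid SAN now parses successfully where it previously hit `goto err`. Name matching and syntax checking are separable: guard only the two `frame->subject_alt_raw` assignments and leave the traversal plus its `if( ret != 0 ) goto err;` unconditional, so the option drops hostname matching without loosening certificate parsing. If the `subject_alt_raw` field is itself removed from the frame struct under this option (the header is not in the diff), guarding those two lines is still all that is needed.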
@@ -1470,6 +1479,7 @@
issuer ) );
}
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_sequence *subject_alt )
{
@@ -1487,6 +1497,7 @@
ret += MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
return( ret );
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_sequence *ext_key_usage )
@@ -1663,9 +1674,11 @@
if( ret != 0 )
goto exit;
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
ret = x509_crt_subject_alt_from_frame( frame, &crt->subject_alt_names );
if( ret != 0 )
goto exit;
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
ret = x509_crt_ext_key_usage_from_frame( frame, &crt->ext_key_usage );
if( ret != 0 )
@@ -2104,6 +2117,7 @@
}
#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
static int x509_info_subject_alt_name( char **buf, size_t *size,
const mbedtls_x509_sequence *subject_alt_name )
{
@@ -2141,6 +2155,7 @@
return( 0 );
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#define PRINT_ITEM(i) \
{ \
@@ -2249,7 +2264,11 @@
mbedtls_pk_context pk;
mbedtls_x509_name *issuer = NULL, *subject = NULL;
- mbedtls_x509_sequence *ext_key_usage = NULL, *subject_alt_names = NULL;
+ mbedtls_x509_sequence *ext_key_usage = NULL;
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ mbedtls_x509_sequence *subject_alt_names = NULL;
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+
mbedtls_x509_crt_sig_info sig_info;
p = buf;
@@ -2287,12 +2306,14 @@
goto cleanup;
}
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
ret = mbedtls_x509_crt_get_subject_alt_names( crt, &subject_alt_names );
if( ret != 0 )
{
ret = MBEDTLS_ERR_X509_FATAL_ERROR;
goto cleanup;
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
ret = mbedtls_x509_crt_get_ext_key_usage( crt, &ext_key_usage );
if( ret != 0 )
@@ -2391,6 +2412,7 @@
}
}
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( frame.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
{
ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix );
@@ -2400,6 +2422,7 @@
subject_alt_names ) ) != 0 )
return( ret );
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
if( frame.ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE )
{
@@ -2441,7 +2464,9 @@
mbedtls_x509_name_free( issuer );
mbedtls_x509_name_free( subject );
mbedtls_x509_sequence_free( ext_key_usage );
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_sequence_free( subject_alt_names );
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
return( ret );
}
@@ -3399,6 +3424,7 @@
}
}
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/*
* Check for CN match
*/
@@ -3510,6 +3536,7 @@
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
return( ret );
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
/*
* Merge the flags for all certs in the chain, after calling callback
@@ -3546,12 +3573,19 @@
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
- const char *cn, uint32_t *flags,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ const char *cn,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
- &mbedtls_x509_crt_profile_default, cn, flags,
+ &mbedtls_x509_crt_profile_default,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ cn,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ flags,
f_vrfy, p_vrfy, NULL ) );
}
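Review bot: Making the `cn` parameter of `mbedtls_x509_crt_verify()` (and of the `_with_profile` and `_restartable` variants in the following hunks) appear or disappear with a config macro changes the public prototype per configuration, so every caller needs the `#if` around an argument already seen in the x509.c self-test, and a translation unit compiled against a differently configured header shifts `flags`, `f_vrfy` and `p_vrfy` into the wrong positions. The safer shape keeps `const char *cn` in all three prototypes and, when verification is compiled out, rejects a non-NULL request instead of silently skipping it, e.g. in the restartable body `#if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)` / `if( cn != NULL ) return( MBEDTLS_ERR_X509_FATAL_ERROR );` / `#endif` (or whichever bad-input code the file already uses). That keeps the API and ABI stable and turns an overlooked dependence on hostname checking into a loud failure rather than a quietly weaker verification.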
@@ -3562,12 +3596,19 @@
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile,
- const char *cn, uint32_t *flags,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ const char *cn,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
- profile, cn, flags, f_vrfy, p_vrfy, NULL ) );
+ profile,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ cn,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ flags, f_vrfy, p_vrfy, NULL ) );
}
/*
@@ -3584,7 +3625,10 @@
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile,
- const char *cn, uint32_t *flags,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ const char *cn,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy,
mbedtls_x509_crt_restart_ctx *rs_ctx )
@@ -3603,6 +3647,7 @@
goto exit;
}
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/* check name if requested */
if( cn != NULL )
{
@@ -3610,6 +3655,7 @@
if( ret != 0 )
return( ret );
}
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
{
mbedtls_pk_context *pk;
@@ -3703,7 +3749,10 @@
mbedtls_x509_name_free( cert_cur->issuer.next );
mbedtls_x509_name_free( cert_cur->subject.next );
mbedtls_x509_sequence_free( cert_cur->ext_key_usage.next );
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_sequence_free( cert_cur->subject_alt_names.next );
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+
#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
if( cert_cur->raw.p != NULL && cert_cur->own_buffer )