Keep track of whether mbedtls_ssl_set_hostname() has been called
Use a special marker as ssl->hostname if mbedtls_ssl_set_hostname() has been
called with NULL. If mbedtls_ssl_set_hostname() has never been called, the
field is NULL, as before.
No behavior change apart from now emitting a different log message depending
on whether mbedtls_ssl_set_hostname() has been called with NULL or not at all.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 0d25ab4..576bc07 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4655,9 +4655,11 @@
run_test "Authentication: hostname match, client required" \
"$P_SRV" \
- "$P_CLI auth_mode=required server_name=localhost debug_level=1" \
+ "$P_CLI auth_mode=required server_name=localhost debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
@@ -4709,7 +4711,7 @@
run_test "Authentication: hostname mismatch, client optional" \
"$P_SRV" \
- "$P_CLI auth_mode=optional server_name=wrong-name debug_level=1" \
+ "$P_CLI auth_mode=optional server_name=wrong-name debug_level=2" \
0 \
-c "does not match with the expected CN" \
-c "x509_verify_cert() returned -" \
@@ -4717,75 +4719,93 @@
run_test "Authentication: hostname mismatch, client none" \
"$P_SRV" \
- "$P_CLI auth_mode=none server_name=wrong-name debug_level=1" \
+ "$P_CLI auth_mode=none server_name=wrong-name debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname null, client required" \
"$P_SRV" \
- "$P_CLI auth_mode=required set_hostname=NULL debug_level=1" \
+ "$P_CLI auth_mode=required set_hostname=NULL debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname null, client optional" \
"$P_SRV" \
- "$P_CLI auth_mode=optional set_hostname=NULL debug_level=1" \
+ "$P_CLI auth_mode=optional set_hostname=NULL debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname null, client none" \
"$P_SRV" \
- "$P_CLI auth_mode=none set_hostname=NULL debug_level=1" \
+ "$P_CLI auth_mode=none set_hostname=NULL debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client required" \
"$P_SRV" \
- "$P_CLI auth_mode=required set_hostname=no debug_level=1" \
+ "$P_CLI auth_mode=required set_hostname=no debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client optional" \
"$P_SRV" \
- "$P_CLI auth_mode=optional set_hostname=no debug_level=1" \
+ "$P_CLI auth_mode=optional set_hostname=no debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client none" \
"$P_SRV" \
- "$P_CLI auth_mode=none set_hostname=no debug_level=1" \
+ "$P_CLI auth_mode=none set_hostname=no debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client default, server picks cert" \
"$P_SRV force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
- "$P_CLI psk=73776f726466697368 psk_identity=foo set_hostname=no debug_level=1" \
+ "$P_CLI psk=73776f726466697368 psk_identity=foo set_hostname=no debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client default, server picks PSK" \
"$P_SRV force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
- "$P_CLI psk=73776f726466697368 psk_identity=foo set_hostname=no debug_level=1" \
+ "$P_CLI psk=73776f726466697368 psk_identity=foo set_hostname=no debug_level=2" \
0 \
-C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"