openssl wrapper: introduce X509_VERIFY_PARAM_set/clear_hostflags

This defines the OpenSSL X509_CHECK_FLAG_...s and the set/clear accessors. Since none of them are supported, the set / clear accessor currently always does nothing and returns error. This call is often part of the generic openssl user code to set up certificate verification. This patch allows it to compile for ESP32 and decide at runtime what to do about unsupported flags. Merges https://github.com/espressif/esp-idf/pull/980
2017-09-10 08:05:09 +08:00 · 2017-09-10 08:05:09 +08:00 · ae1f1e9b84
parent effc6c6d0d
commit ae1f1e9b84
2 changed files with 54 additions and 0 deletions
--- a/components/openssl/include/openssl/ssl.h
+++ b/components/openssl/include/openssl/ssl.h
@ -26,6 +26,14 @@
 {
 */

+#define SSL_CB_ALERT 0x4000
+
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT		(1 << 0)
+#define X509_CHECK_FLAG_NO_WILDCARDS			(1 << 1)
+#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS		(1 << 2)
+#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS		(1 << 3)
+#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS		(1 << 4)
+
 /**
 * @brief create a SSL context
 *
@ -1546,6 +1554,30 @@ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
                                const char *name, size_t namelen);

+/**
+ * @brief set parameters for X509 host verify action
+ *
+ * @param param -verify parameters from SSL_get0_param()
+ *
+ * @param flags - bitfield of X509_CHECK_FLAG_... parameters to set
+ *
+ * @return 1 for success, 0 for failure
+ */
+int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+                    unsigned long flags);
+
+/**
+ * @brief clear parameters for X509 host verify action
+ *
+ * @param param -verify parameters from SSL_get0_param()
+ *
+ * @param flags - bitfield of X509_CHECK_FLAG_... parameters to clear
+ *
+ * @return 1 for success, 0 for failure
+ */
+int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
+                      unsigned long flags);
+
 /**
 * @brief get SSL write only IO handle
 *
--- a/components/openssl/library/ssl_x509.c
+++ b/components/openssl/library/ssl_x509.c
@ -126,6 +126,28 @@ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
    return &ssl->param;
 }

+/**
+ * @brief set X509 host verification flags
+ */
+
+int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+                    unsigned long flags)
+{
+    /* flags not supported yet */
+    return 0;
+}
+
+/**
+ * @brief clear X509 host verification flags
+ */
+
+int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
+                      unsigned long flags)
+{
+    /* flags not supported yet */
+    return 0;
+}
+
 /**
 * @brief set SSL context client CA certification
 */