From ae1f1e9b846b87fe0d07500d1c10ff3f29038184 Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Sun, 10 Sep 2017 08:05:09 +0800
Subject: [PATCH] openssl wrapper: introduce X509_VERIFY_PARAM_set/clear_hostflags

This defines the OpenSSL X509_CHECK_FLAG_...s and the set/clear accessors. Since none of them are supported, the set / clear accessor currently always does nothing and returns error. This call is often part of the generic openssl user code to set up certificate verification. This patch allows it to compile for ESP32 and decide at runtime what to do about unsupported flags.

Merges https://github.com/espressif/esp-idf/pull/980
---
components/openssl/include/openssl/ssl.h | 32 ++++++++++++++++++++++++
components/openssl/library/ssl_x509.c | 22 ++++++++++++++++
2 files changed, 54 insertions(+)

diff --git a/components/openssl/include/openssl/ssl.h b/components/openssl/include/openssl/ssl.h
index ad25f908b..95fd6e9eb 100755
--- a/components/openssl/include/openssl/ssl.h
+++ b/components/openssl/include/openssl/ssl.h
@@ -26,6 +26,14 @@
 {
 */
+#define SSL_CB_ALERT 0x4000
+
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT (1 << 0)
+#define X509_CHECK_FLAG_NO_WILDCARDS (1 << 1)
+#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS (1 << 2)
+#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS (1 << 3)
+#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS (1 << 4)
+
 /**
  * @brief create a SSL context
  *
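Review bot: The five X509_CHECK_FLAG_* constants go into the public header with nothing saying the wrapper cannot honour them, so a caller that passes X509_CHECK_FLAG_NO_WILDCARDS or X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT and ignores the return code will believe hostname verification was tightened when nothing changed. A comment above the group such as `/* Defined for source compatibility with OpenSSL; no flag currently alters the hostname check and X509_VERIFY_PARAM_set_hostflags() rejects all of them. */` makes the limitation visible where the constants are picked up. The bit assignments match upstream OpenSSL's numbering, which matters because generic user code may combine them with literals. `SSL_CB_ALERT` is unrelated to the subject and not mentioned in the commit message; a one-line comment or a separate commit would keep it from reading as an accidental addition.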
@@ -1546,6 +1554,30 @@ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen);
+/**
+ * @brief set parameters for X509 host verify action
+ *
+ * @param param -verify parameters from SSL_get0_param()
+ *
+ * @param flags - bitfield of X509_CHECK_FLAG_... parameters to set
+ *
+ * @return 1 for success, 0 for failure
+ */
+int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned long flags);
+
+/**
+ * @brief clear parameters for X509 host verify action
+ *
+ * @param param -verify parameters from SSL_get0_param()
+ *
+ * @param flags - bitfield of X509_CHECK_FLAG_... parameters to clear
+ *
+ * @return 1 for success, 0 for failure
+ */
+int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
+ unsigned long flags);
+
 /**
  * @brief get SSL write only IO handle
  *
diff --git a/components/openssl/library/ssl_x509.c b/components/openssl/library/ssl_x509.c
index bd811e0a9..50cf2203e 100644
--- a/components/openssl/library/ssl_x509.c
+++ b/components/openssl/library/ssl_x509.c
@@ -126,6 +126,28 @@ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
 return &ssl->param;
 }
+/**
+ * @brief set X509 host verification flags
+ */
+
+int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned long flags)
+{
+ /* flags not supported yet */
+ return 0;
+}
+
+/**
+ * @brief clear X509 host verification flags
+ */
+
+int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
+ unsigned long flags)
+{
+ /* flags not supported yet */
+ return 0;
+}
+
 /**
  * @brief set SSL context client CA certification
  */
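Review bot: The contract `@return 1 for success, 0 for failure` on both new declarations is one the implementation never satisfies — per the commit message both functions return 0 unconditionally — and the header is where a caller will look before deciding what to do about that. Replace the two `@return` lines with wording like `@return 1 if every requested flag was applied, 0 otherwise; no X509_CHECK_FLAG_ value is supported yet, so this currently always returns 0 and the hostname check is unaffected`. Upstream OpenSSL declares `X509_VERIFY_PARAM_set_hostflags()` as returning `void` and taking `unsigned int`, so generic OpenSSL code has no portable way to observe the failure this wrapper reports; that divergence, and the fact that `X509_VERIFY_PARAM_clear_hostflags()` does not appear to have an upstream counterpart, belong in the comments as well. Minor: `@param param -verify` is missing the space after the dash in both blocks.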
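Review bot: Both stubs return 0 even when `flags` is 0, a request that asks for nothing and could trivially succeed, and they never look at `param`, so a caller cannot tell "unsupported flag" from "bad argument"; at minimum the `.c` doc comments should say the functions always fail for now, e.g. `@brief set X509 host verification flags (none supported yet; always returns 0)`. The unused `param` and `flags` parameters will warn under -Wunused-parameter where it is enabled; adding `(void)param; (void)flags;` to each body silences that without changing behaviour. Style: the blank line between each `/** ... */` block and its function separates the comment from the definition it documents, so keep them adjacent.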