openssl wrapper: introduce X509_VERIFY_PARAM_set1_host
This lets the user code set the mbedtls hostname using the standard OpenSSL X509_VERIFY_PARAM_set1_host() API semantics. The API takes an X509_VERIFY_PARAM pointer. We use the fact that it is a member embedded in the SSL struct to derive the SSL pointer. The X509_VERIFY_PARAM_set1_host() is unusual in that it can accept a NUL terminated C string as usual, or a non-terminated pointer + length. This implementation converts the latter to the former if given, before using it. This is enough for user code to get the openssl wrapper to make mbedtls confirm the CN on the peer cert belongs to the hostname used to reach it, by doing, e.g. X509_VERIFY_PARAM_set1_host(SSL_get0_param(myssl), myhostname, 0); Merges https://github.com/espressif/esp-idf/pull/980
This commit is contained in:
parent
0f02a38262
commit
effc6c6d0d
2 changed files with 43 additions and 0 deletions
@ -1532,6 +1532,20 @@ int SSL_get_verify_mode(const SSL *ssl);
|
|||
*/
|
||||
X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
|
||||
|
||||
/**
|
||||
* @brief set expected hostname the peer cert CN should have
|
||||
*
|
||||
* @param param - verify parameters from SSL_get0_param()
|
||||
*
|
||||
* @param name - the expected hostname
|
||||
*
|
||||
* @param namelen - the length of the hostname, or 0 if NUL terminated
|
||||
*
|
||||
* @return verify parameters
|
||||
*/
|
||||
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
|
||||
const char *name, size_t namelen);
|
||||
|
||||
/**
|
||||
* @brief get SSL write only IO handle
|
||||
*
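Review bot: The `* @return verify parameters` line on the new X509_VERIFY_PARAM_set1_host() declaration does not describe what the function returns: it is declared `int`, and the implementation in the second file returns 1 on success and 0 when the temporary hostname copy cannot be allocated, so it should read `* @return 1 on success, 0 on failure`. The `@param namelen` line could also state the reason the length form exists, e.g. `* @param namelen - length of name when it is not NUL terminated, or 0 if it is`. Callers would further benefit from being told that the hostname is only checked if peer verification is enabled on the SSL object; that matches how mbedtls behaves as far as I know, but the wrapper's verify-mode handling is outside this hunk, so confirm it before documenting it here.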
|
||||
|
@ -669,3 +669,32 @@ long ssl_pm_get_verify_result(const SSL *ssl)
|
|||
|
||||
return verify_result;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief set expected hostname on peer cert CN
|
||||
*/
|
||||
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
|
||||
const char *name, size_t namelen)
|
||||
{
|
||||
SSL *ssl = (SSL *)((char *)param - offsetof(SSL, param));
|
||||
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
|
||||
char *name_cstr = NULL;
|
||||
|
||||
if (namelen) {
|
||||
name_cstr = malloc(namelen + 1);
|
||||
if (!name_cstr) {
|
||||
return 0;
|
||||
}
|
||||
memcpy(name_cstr, name, namelen);
|
||||
name_cstr[namelen] = '\0';
|
||||
name = name_cstr;
|
||||
}
|
||||
|
||||
mbedtls_ssl_set_hostname(&ssl_pm->ssl, name);
|
||||
|
||||
if (namelen) {
|
||||
free(name_cstr);
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
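Review bot: The result of `mbedtls_ssl_set_hostname(&ssl_pm->ssl, name);` is discarded and the function returns 1 unconditionally, so a caller checking the OpenSSL-style return will believe the hostname is pinned when it may not be; in mbedtls that call returns non-zero at least on allocation failure and on an over-long name, and with no hostname set the peer certificate's name is never compared, which is precisely the man-in-the-middle case this API is meant to close. Propagate it: `int ret = mbedtls_ssl_set_hostname(&ssl_pm->ssl, name);`, then `free(name_cstr);` unconditionally (free(NULL) is a no-op, so the second `if (namelen)` guard can go) and `return ret == 0;`. A NULL `name` with a non-zero `namelen` also reaches `memcpy` with a null source; rejecting that up front with `return 0` keeps it consistent with the allocation-failure path. A short comment saying the heap copy can be released immediately because mbedtls keeps its own copy of the hostname would make the `free` easier to trust — I believe that is the case, but it is worth confirming against the mbedtls version in use.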
|
||||
|