openssl wrapper: introduce X509_VERIFY_PARAM_set/clear_hostflags

This defines the OpenSSL X509_CHECK_FLAG_...s and the set/clear
accessors.  Since none of them are supported, the set / clear
accessor currently always does nothing and returns error.

This call is often part of the generic openssl user code to
set up certificate verification.  This patch allows it to
compile for ESP32 and decide at runtime what to do about
unsupported flags.

Merges https://github.com/espressif/esp-idf/pull/980

diff --git a/components/openssl/include/openssl/ssl.h b/components/openssl/include/openssl/ssl.h
index ad25f908b7109caacf9a827b7696b2568cf19d4b..95fd6e9eb94538d9ab4dbdf04acb01dfd7156789 100755 (executable)
--- a/components/openssl/include/openssl/ssl.h
+++ b/components/openssl/include/openssl/ssl.h
@@ -26,6 +26,14 @@
 {\r
 */\r
 \r
+#define SSL_CB_ALERT 0x4000\r
+\r
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT           (1 << 0)\r
+#define X509_CHECK_FLAG_NO_WILDCARDS                   (1 << 1)\r
+#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS           (1 << 2)\r
+#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS          (1 << 3)\r
+#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS                (1 << 4)\r
+\r
 /**\r
  * @brief create a SSL context\r
  *\r
@@ -1546,6 +1554,30 @@ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,\r
                                 const char *name, size_t namelen);\r
 \r
+/**\r
+ * @brief set parameters for X509 host verify action\r
+ *\r
+ * @param param -verify parameters from SSL_get0_param()\r
+ *\r
+ * @param flags - bitfield of X509_CHECK_FLAG_... parameters to set\r
+ *\r
+ * @return 1 for success, 0 for failure\r
+ */\r
+int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,\r
+                    unsigned long flags);\r
+\r
+/**\r
+ * @brief clear parameters for X509 host verify action\r
+ *\r
+ * @param param -verify parameters from SSL_get0_param()\r
+ *\r
+ * @param flags - bitfield of X509_CHECK_FLAG_... parameters to clear\r
+ *\r
+ * @return 1 for success, 0 for failure\r
+ */\r
+int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,\r
+                      unsigned long flags);\r
+\r
 /**\r
  * @brief get SSL write only IO handle\r
  *\r

diff --git a/components/openssl/library/ssl_x509.c b/components/openssl/library/ssl_x509.c
index bd811e0a92d58eebfcb42818742b517adb42aaa8..50cf2203e5dca509208c5f9f712976bb192626cd 100644 (file)
--- a/components/openssl/library/ssl_x509.c
+++ b/components/openssl/library/ssl_x509.c
@@ -126,6 +126,28 @@ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
     return &ssl->param;
 }
 
+/**
+ * @brief set X509 host verification flags
+ */
+
+int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+                    unsigned long flags)
+{
+    /* flags not supported yet */
+    return 0;
+}
+
+/**
+ * @brief clear X509 host verification flags
+ */
+
+int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
+                      unsigned long flags)
+{
+    /* flags not supported yet */
+    return 0;
+}
+
 /**
  * @brief set SSL context client CA certification
  */