Merge branch 'feature/openssl_cn_hostname_verification' into 'master'

openssl: Add CN hostname verification See merge request !1554
2024-10-05 20:47:46 -04:00 · 2017-11-20 15:59:15 +08:00 · 2017-11-20 15:59:15 +08:00 · 024e4c4337
commit 024e4c4337
parent 18f4696371 ae1f1e9b84
3 changed files with 115 additions and 0 deletions
--- a/components/openssl/include/openssl/ssl.h
+++ b/components/openssl/include/openssl/ssl.h
@ -26,6 +26,14 @@
 {
 */

+#define SSL_CB_ALERT 0x4000
+
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT		(1 << 0)
+#define X509_CHECK_FLAG_NO_WILDCARDS			(1 << 1)
+#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS		(1 << 2)
+#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS		(1 << 3)
+#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS		(1 << 4)
+
 /**
 * @brief create a SSL context
 *
@ -1523,6 +1531,53 @@ long SSL_get_timeout(const SSL *ssl);
 */
 int SSL_get_verify_mode(const SSL *ssl);

+/**
+ * @brief get SSL verify parameters
+ *
+ * @param ssl - SSL point
+ *
+ * @return verify parameters
+ */
+X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
+
+/**
+ * @brief set expected hostname the peer cert CN should have
+ *
+ * @param param - verify parameters from SSL_get0_param()
+ *
+ * @param name - the expected hostname
+ *
+ * @param namelen - the length of the hostname, or 0 if NUL terminated
+ *
+ * @return verify parameters
+ */
+int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
+                                const char *name, size_t namelen);
+
+/**
+ * @brief set parameters for X509 host verify action
+ *
+ * @param param -verify parameters from SSL_get0_param()
+ *
+ * @param flags - bitfield of X509_CHECK_FLAG_... parameters to set
+ *
+ * @return 1 for success, 0 for failure
+ */
+int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+                    unsigned long flags);
+
+/**
+ * @brief clear parameters for X509 host verify action
+ *
+ * @param param -verify parameters from SSL_get0_param()
+ *
+ * @param flags - bitfield of X509_CHECK_FLAG_... parameters to clear
+ *
+ * @return 1 for success, 0 for failure
+ */
+int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
+                      unsigned long flags);
+
 /**
 * @brief get SSL write only IO handle
 *
--- a/components/openssl/library/ssl_x509.c
+++ b/components/openssl/library/ssl_x509.c
@ -117,6 +117,37 @@ failed1:
    return NULL;
 }

+/**
+ * @brief return SSL X509 verify parameters
+ */
+
+X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
+{
+    return &ssl->param;
+}
+
+/**
+ * @brief set X509 host verification flags
+ */
+
+int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+                    unsigned long flags)
+{
+    /* flags not supported yet */
+    return 0;
+}
+
+/**
+ * @brief clear X509 host verification flags
+ */
+
+int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
+                      unsigned long flags)
+{
+    /* flags not supported yet */
+    return 0;
+}
+
 /**
 * @brief set SSL context client CA certification
 */
--- a/components/openssl/platform/ssl_pm.c
+++ b/components/openssl/platform/ssl_pm.c
@ -669,3 +669,32 @@ long ssl_pm_get_verify_result(const SSL *ssl)

    return verify_result;
 }
+
+/**
+ * @brief set expected hostname on peer cert CN
+ */
+int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
+                                const char *name, size_t namelen)
+{
+    SSL *ssl = (SSL *)((char *)param - offsetof(SSL, param));
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+    char *name_cstr = NULL;
+
+    if (namelen) {
+        name_cstr = malloc(namelen + 1);
+        if (!name_cstr) {
+            return 0;
+        }
+        memcpy(name_cstr, name, namelen);
+        name_cstr[namelen] = '\0';
+        name = name_cstr;
+    }
+
+    mbedtls_ssl_set_hostname(&ssl_pm->ssl, name);
+
+    if (namelen) {
+        free(name_cstr);
+    }
+
+    return 1;
+}