Add definitions that help with hostname checking (#4492)

* Add definitions for SSL_get0_param and X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

* remove unnecessary parameter name

* Add version conditionals and more flags

* extend cryptography_has_102_verification_params

* X509_CHECK_FLAG_NEVER_CHECK_SUBJECT only available with openssl 1.1.0+

* add missing declaration

3 files changed, 56 insertions, 0 deletions

diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 2e32b8f3..f9481af1 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -185,6 +185,9 @@ X509 *SSL_get_certificate(const SSL *);
 X509 *SSL_get_peer_certificate(const SSL *);
 int SSL_get_ex_data_X509_STORE_CTX_idx(void);
 
+/* Added in 1.0.2 */
+X509_VERIFY_PARAM *SSL_get0_param(SSL *);
+
 int SSL_use_certificate(SSL *, X509 *);
 int SSL_use_certificate_ASN1(SSL *, const unsigned char *, int);
 int SSL_use_certificate_file(SSL *, const char *, int);
@@ -620,6 +623,12 @@ static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
 static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
 static const long Cryptography_HAS_NEXTPROTONEG = 1;
 
+/* SSL_get0_param was added in OpenSSL 1.0.2. */
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER
+X509_VERIFY_PARAM *(*SSL_get0_param)(SSL *) = NULL;
+#else
+#endif
+
 /* ALPN was added in OpenSSL 1.0.2. */
 #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_IS_LIBRESSL
 int (*SSL_CTX_set_alpn_protos)(SSL_CTX *,
diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py
index 618b5c21..42da3b1e 100644
--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
@@ -21,6 +21,7 @@ typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT;
 TYPES = """
 static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES;
 static const long Cryptography_HAS_102_VERIFICATION_PARAMS;
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
 static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST;
 static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN;
 static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;
@@ -128,6 +129,13 @@ static const long X509_V_FLAG_PARTIAL_CHAIN;
 
 static const long X509_LU_X509;
 static const long X509_LU_CRL;
+
+static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
+static const long X509_CHECK_FLAG_NO_WILDCARDS;
+static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
+static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
+static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
+static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
 """
 
 FUNCTIONS = """
@@ -239,6 +247,21 @@ static const long X509_V_ERR_EMAIL_MISMATCH = 0;
 #ifndef X509_V_ERR_IP_ADDRESS_MISMATCH
 static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
 #endif
+#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0;
+#endif
+#ifndef X509_CHECK_FLAG_NO_WILDCARDS
+static const long X509_CHECK_FLAG_NO_WILDCARDS = 0;
+#endif
+#ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0;
+#endif
+#ifndef X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = 0;
+#endif
+#ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = 0;
+#endif
 
 /* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
    below because it shows up in some earlier 3rd party OpenSSL packages. */
@@ -259,6 +282,15 @@ void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *,
 #endif
 #endif
 
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 0;
+#ifndef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0;
+#endif
+#else
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1;
+#endif
+
 /* OpenSSL 1.0.2+ or Solaris's backport */
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
 static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1;
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index 4170f3a1..19acdaef 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -98,6 +98,18 @@ def cryptography_has_102_verification_params():
         "X509_VERIFY_PARAM_set1_ip",
         "X509_VERIFY_PARAM_set1_ip_asc",
         "X509_VERIFY_PARAM_set_hostflags",
+        "SSL_get0_param",
+        "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT",
+        "X509_CHECK_FLAG_NO_WILDCARDS",
+        "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS",
+        "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS",
+        "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS"
+    ]
+
+
+def cryptography_has_110_verification_params():
+    return [
+        "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT"
     ]
 
 
@@ -301,6 +313,9 @@ CONDITIONAL_NAMES = {
     "Cryptography_HAS_102_VERIFICATION_PARAMS": (
         cryptography_has_102_verification_params
     ),
+    "Cryptography_HAS_110_VERIFICATION_PARAMS": (
+        cryptography_has_110_verification_params
+    ),
     "Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": (
         cryptography_has_x509_v_flag_trusted_first
     ),