Loading CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,10 @@ Changes between 1.0.x and 1.1.0 [xx XXX xxxx] *) Integrate hostname, email address and IP address checking with certificate verification. New verify options supporting checking in opensl utility. [Steve Henson] *) New function X509_CRL_diff to generate a delta CRL from the difference of two full CRLs. Add support to "crl" utility. [Steve Henson] Loading apps/apps.c +32 −0 Original line number Diff line number Diff line Loading @@ -2382,6 +2382,8 @@ int args_verify(char ***pargs, int *pargc, char *arg = **pargs, *argn = (*pargs)[1]; const X509_VERIFY_PARAM *vpm = NULL; time_t at_time = 0; const unsigned char *hostname = NULL, *email = NULL; char *ipasc = NULL; if (!strcmp(arg, "-policy")) { if (!argn) Loading Loading @@ -2470,6 +2472,27 @@ int args_verify(char ***pargs, int *pargc, } (*pargs)++; } else if (strcmp(arg,"-verify_hostname") == 0) { if (!argn) *badarg = 1; hostname = (unsigned char *)argn; (*pargs)++; } else if (strcmp(arg,"-verify_email") == 0) { if (!argn) *badarg = 1; email = (unsigned char *)argn; (*pargs)++; } else if (strcmp(arg,"-verify_ip") == 0) { if (!argn) *badarg = 1; ipasc = argn; (*pargs)++; } else if (!strcmp(arg, "-ignore_critical")) flags |= X509_V_FLAG_IGNORE_CRITICAL; else if (!strcmp(arg, "-issuer_checks")) Loading Loading @@ -2538,6 +2561,15 @@ int args_verify(char ***pargs, int *pargc, if (at_time) X509_VERIFY_PARAM_set_time(*pm, at_time); if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0)) *badarg = 1; if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0)) *badarg = 1; if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc)) *badarg = 1; end: (*pargs)++; Loading apps/s_client.c +0 −23 Original line number Diff line number Diff line Loading 
@@ -293,10 +293,6 @@ static void sc_usage(void) BIO_printf(bio_err," -host host - use -connect instead\n"); BIO_printf(bio_err," -port port - use -connect instead\n"); BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n"); BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n"); BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); Loading Loading @@ -634,8 +630,6 @@ int MAIN(int argc, char **argv) #endif SSL_EXCERT *exc = NULL; unsigned char *checkhost = NULL, *checkemail = NULL; char *checkip = NULL; SSL_CONF_CTX *cctx = NULL; STACK_OF(OPENSSL_STRING) *ssl_args = NULL; Loading Loading @@ -999,21 +993,6 @@ int MAIN(int argc, char **argv) /* meth=TLSv1_client_method(); */ } #endif else if (strcmp(*argv,"-checkhost") == 0) { if (--argc < 1) goto bad; checkhost=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-checkemail") == 0) { if (--argc < 1) goto bad; checkemail=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-checkip") == 0) { if (--argc < 1) goto bad; checkip=*(++argv); } #ifndef OPENSSL_NO_JPAKE else if (strcmp(*argv,"-jpake") == 0) { Loading Loading @@ -1648,8 +1627,6 @@ SSL_set_tlsext_status_ids(con, ids); "CONNECTION ESTABLISHED\n"); print_ssl_summary(bio_err, con); } print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip); print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; Loading apps/s_server.c +0 −23 Original line number Diff line number Diff line Loading 
@@ -473,9 +473,6 @@ static void sv_usage(void) BIO_printf(bio_err,"usage: s_server [args ...]\n"); BIO_printf(bio_err,"\n"); BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT); BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n"); BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n"); BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n"); BIO_printf(bio_err," -context arg - set session ID context\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); Loading Loading @@ -946,9 +943,6 @@ static char *jpake_secret = NULL; static srpsrvparm srp_callback_parm; #endif static char *srtp_profiles = NULL; static unsigned char *checkhost = NULL, *checkemail = NULL; static char *checkip = NULL; int MAIN(int argc, char *argv[]) { Loading Loading @@ -1268,21 +1262,6 @@ int MAIN(int argc, char *argv[]) } } #endif else if (strcmp(*argv,"-checkhost") == 0) { if (--argc < 1) goto bad; checkhost=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-checkemail") == 0) { if (--argc < 1) goto bad; checkemail=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-checkip") == 0) { if (--argc < 1) goto bad; checkip=*(++argv); } else if (strcmp(*argv,"-msg") == 0) { s_msg=1; } else if (strcmp(*argv,"-msgfile") == 0) Loading Loading @@ -2578,8 +2557,6 @@ static int init_ssl_connection(SSL *con) if (s_brief) print_ssl_summary(bio_err, con); print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip); PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); peer=SSL_get_peer_certificate(con); Loading crypto/x509/x509_txt.c +6 −0 Original line number Diff line number Diff line Loading 
@@ -197,6 +197,12 @@ const char *X509_verify_cert_error_string(long n) return("Suite B: curve not allowed for this LOS"); case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: return("Suite B: cannot sign P-384 with P-256"); case X509_V_ERR_HOSTNAME_MISMATCH: return("Hostname mismatch"); case X509_V_ERR_EMAIL_MISMATCH: return("Email address mismatch"); case X509_V_ERR_IP_ADDRESS_MISMATCH: return("IP address mismatch"); default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); Loading Loading
CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,10 @@ Changes between 1.0.x and 1.1.0 [xx XXX xxxx] *) Integrate hostname, email address and IP address checking with certificate verification. New verify options supporting checking in opensl utility. [Steve Henson] *) New function X509_CRL_diff to generate a delta CRL from the difference of two full CRLs. Add support to "crl" utility. [Steve Henson] Loading
apps/apps.c +32 −0 Original line number Diff line number Diff line Loading @@ -2382,6 +2382,8 @@ int args_verify(char ***pargs, int *pargc, char *arg = **pargs, *argn = (*pargs)[1]; const X509_VERIFY_PARAM *vpm = NULL; time_t at_time = 0; const unsigned char *hostname = NULL, *email = NULL; char *ipasc = NULL; if (!strcmp(arg, "-policy")) { if (!argn) Loading Loading @@ -2470,6 +2472,27 @@ int args_verify(char ***pargs, int *pargc, } (*pargs)++; } else if (strcmp(arg,"-verify_hostname") == 0) { if (!argn) *badarg = 1; hostname = (unsigned char *)argn; (*pargs)++; } else if (strcmp(arg,"-verify_email") == 0) { if (!argn) *badarg = 1; email = (unsigned char *)argn; (*pargs)++; } else if (strcmp(arg,"-verify_ip") == 0) { if (!argn) *badarg = 1; ipasc = argn; (*pargs)++; } else if (!strcmp(arg, "-ignore_critical")) flags |= X509_V_FLAG_IGNORE_CRITICAL; else if (!strcmp(arg, "-issuer_checks")) Loading Loading @@ -2538,6 +2561,15 @@ int args_verify(char ***pargs, int *pargc, if (at_time) X509_VERIFY_PARAM_set_time(*pm, at_time); if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0)) *badarg = 1; if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0)) *badarg = 1; if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc)) *badarg = 1; end: (*pargs)++; Loading
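Review bot: In the third hunk (@@ -2538), a failed `X509_VERIFY_PARAM_set1_host`, `X509_VERIFY_PARAM_set1_email` or `X509_VERIFY_PARAM_set1_ip_asc` only sets `*badarg = 1`, so a malformed `-verify_ip` address (or an allocation failure inside set1_host/set1_email) is reported exactly like a missing option argument, with nothing naming the option; print a diagnostic before flagging it, e.g. `BIO_printf(bio_err, "Invalid -verify_ip argument\n");` ahead of `*badarg = 1;`, and likewise for the other two. In the second hunk (@@ -2470) the new branches are written `strcmp(arg,"-verify_hostname") == 0` while the adjacent branches use the `!strcmp(arg, "-ignore_critical")` form; matching the surrounding style would keep the option table uniform. Also in the second hunk, a NULL `argn` sets `*badarg` but `(*pargs)++` still advances, mirroring the existing `-policy` branch, so this presumably relies on the caller stopping once `badarg` is set — worth confirming rather than assuming. `args_verify` begins and ends outside the hunks shown.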
apps/s_client.c +0 −23 Original line number Diff line number Diff line Loading @@ -293,10 +293,6 @@ static void sc_usage(void) BIO_printf(bio_err," -host host - use -connect instead\n"); BIO_printf(bio_err," -port port - use -connect instead\n"); BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n"); BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n"); BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); Loading Loading @@ -634,8 +630,6 @@ int MAIN(int argc, char **argv) #endif SSL_EXCERT *exc = NULL; unsigned char *checkhost = NULL, *checkemail = NULL; char *checkip = NULL; SSL_CONF_CTX *cctx = NULL; STACK_OF(OPENSSL_STRING) *ssl_args = NULL; Loading Loading @@ -999,21 +993,6 @@ int MAIN(int argc, char **argv) /* meth=TLSv1_client_method(); */ } #endif else if (strcmp(*argv,"-checkhost") == 0) { if (--argc < 1) goto bad; checkhost=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-checkemail") == 0) { if (--argc < 1) goto bad; checkemail=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-checkip") == 0) { if (--argc < 1) goto bad; checkip=*(++argv); } #ifndef OPENSSL_NO_JPAKE else if (strcmp(*argv,"-jpake") == 0) { Loading Loading @@ -1648,8 +1627,6 @@ SSL_set_tlsext_status_ids(con, ids); "CONNECTION ESTABLISHED\n"); print_ssl_summary(bio_err, con); } print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip); print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; Loading
apps/s_server.c +0 −23 Original line number Diff line number Diff line Loading @@ -473,9 +473,6 @@ static void sv_usage(void) BIO_printf(bio_err,"usage: s_server [args ...]\n"); BIO_printf(bio_err,"\n"); BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT); BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n"); BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n"); BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n"); BIO_printf(bio_err," -context arg - set session ID context\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); Loading Loading @@ -946,9 +943,6 @@ static char *jpake_secret = NULL; static srpsrvparm srp_callback_parm; #endif static char *srtp_profiles = NULL; static unsigned char *checkhost = NULL, *checkemail = NULL; static char *checkip = NULL; int MAIN(int argc, char *argv[]) { Loading Loading @@ -1268,21 +1262,6 @@ int MAIN(int argc, char *argv[]) } } #endif else if (strcmp(*argv,"-checkhost") == 0) { if (--argc < 1) goto bad; checkhost=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-checkemail") == 0) { if (--argc < 1) goto bad; checkemail=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-checkip") == 0) { if (--argc < 1) goto bad; checkip=*(++argv); } else if (strcmp(*argv,"-msg") == 0) { s_msg=1; } else if (strcmp(*argv,"-msgfile") == 0) Loading Loading @@ -2578,8 +2557,6 @@ static int init_ssl_connection(SSL *con) if (s_brief) print_ssl_summary(bio_err, con); print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip); PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); peer=SSL_get_peer_certificate(con); Loading
crypto/x509/x509_txt.c +6 −0 Original line number Diff line number Diff line Loading @@ -197,6 +197,12 @@ const char *X509_verify_cert_error_string(long n) return("Suite B: curve not allowed for this LOS"); case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: return("Suite B: cannot sign P-384 with P-256"); case X509_V_ERR_HOSTNAME_MISMATCH: return("Hostname mismatch"); case X509_V_ERR_EMAIL_MISMATCH: return("Email address mismatch"); case X509_V_ERR_IP_ADDRESS_MISMATCH: return("IP address mismatch"); default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); Loading