Commit 45da1efc authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Backport X509 hostname, IP address and email checking code from HEAD.

parent 54a0076e
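--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -4,6 +4,15 @@
 
 Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
 
+ *) Fixes and wildcard matching support to hostname and email checking
+    functions. Add manual page.
+    [Florian Weimer (Red Hat Product Security Team)]
+
+ *) New functions to check a hostname email or IP address against a
+    certificate. Add options x509 utility to print results of checks against
+    a certificate.
+    [Steve Henson]
+
  *) Fix OCSP checking.
     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
 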
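--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -2771,6 +2771,35 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
 	}
 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+void print_cert_checks(BIO *bio, X509 *x,
+				const unsigned char *checkhost,
+				const unsigned char *checkemail,
+				const char *checkip)
+	{
+	if (x == NULL)
+		return;
+	if (checkhost)
+		{
+		BIO_printf(bio, "Hostname %s does%s match certificate\n",
+				checkhost, X509_check_host(x, checkhost, 0, 0)
+						? "" : " NOT");
+		}
+
+	if (checkemail)
+		{
+		BIO_printf(bio, "Email %s does%s match certificate\n",
+				checkemail, X509_check_email(x, checkemail, 0,
+						0) ? "" : " NOT");
+		}
+
+	if (checkip)
+		{
+		BIO_printf(bio, "IP %s does%s match certificate\n",
+				checkip, X509_check_ip_asc(x, checkip,
+						0) ? "" : " NOT");
+		}
+	}
+
 /*
  * Platform-specific sections
  */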
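Review bot: The verdict printed by each of the three BIO_printf calls in print_cert_checks treats any non-zero return as a match, so if X509_check_host, X509_check_email or X509_check_ip_asc can ever report an error or unparsable input with a negative value (I cannot confirm from this hunk whether they do), the output would wrongly say "does match certificate". Comparing against the success value explicitly, `X509_check_host(x, checkhost, 0, 0) == 1 ? "" : " NOT"`, and likewise for the email and IP calls, keeps the printed verdict correct whatever the error convention is. The function also has no header comment; I'd add one stating that a NULL x prints nothing, a NULL checkhost/checkemail/checkip skips that check, the last argument to each X509_check_* call is fixed at 0, and the results are only printed, never returned to the caller.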
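--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -335,6 +335,11 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+void print_cert_checks(BIO *bio, X509 *x,
+				const unsigned char *checkhost,
+				const unsigned char *checkemail,
+				const char *checkip);
+
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2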
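Review bot: The new print_cert_checks prototype carries no comment describing its contract, which any other caller in the apps would need before using it: a NULL x prints nothing, a NULL checkhost, checkemail or checkip skips that check, and the verdicts are written to bio rather than returned, so a caller cannot act on a mismatch. I'd put that above the declaration, e.g. `/* Print to bio whether x matches each non-NULL check value (host, email, IP as text); a NULL x prints nothing and no result is returned. */`. It is also worth stating here that the definition passes 0 as the last argument of every X509_check_* call, so no matching options can be requested through this interface.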
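--- a/PATH_NOT_ON_PAGE_4
+++ b/PATH_NOT_ON_PAGE_4
@@ -207,6 +207,8 @@ int MAIN(int argc, char **argv)
 	int need_rand = 0;
 	int checkend=0,checkoffset=0;
 	unsigned long nmflag = 0, certflag = 0;
+	unsigned char *checkhost = NULL, *checkemail = NULL;
+	char *checkip = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
@@ -450,6 +452,21 @@ int MAIN(int argc, char **argv)
 			checkoffset=atoi(*(++argv));
 			checkend=1;
 			}
+		else if (strcmp(*argv,"-checkhost") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkhost=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-checkemail") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkemail=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-checkip") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkip=*(++argv);
+			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
 		else if (strcmp(*argv,"-trustout") == 0)
@@ -1044,6 +1061,8 @@ bad:
 		goto end;
 		}
 
+	print_cert_checks(STDout, x, checkhost, checkemail, checkip);
+
 	if (noout)
 		{
 		ret=0;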
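Review bot: The verdicts produced by the `print_cert_checks(STDout, x, checkhost, checkemail, checkip);` call in the third hunk never feed into `ret`, so `x509 -checkhost`, `-checkemail` and `-checkip` exit with the same status whether or not the name matched, and a script can only learn the outcome by parsing the printed text. Since a verification result is the whole purpose of the new options, I'd have the helper (or an int-returning sibling) report whether every requested check matched and set `ret` to a non-zero value on mismatch before the `if (noout)` branch, accepting that this changes the interface added in the companion hunk. In the second hunk the `(unsigned char *)` casts on the `-checkhost` and `-checkemail` values exist only to satisfy the helper's parameter types; a one-line comment saying so, e.g. `/* cast only to match print_cert_checks(); the option text is used as-is */`, saves a reader from looking for an encoding reason. MAIN's body begins and ends outside these hunks.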
+1 −1
@@ -13,7 +13,7 @@ AR= ar r
CFLAGS= $(INCLUDES) $(CFLAG)

GENERAL=Makefile README
TEST=
TEST=v3nametest.c
APPS=

LIB=$(TOP)/libcrypto.a