Commit a70da5b3 authored by Dr. Stephen Henson

New functions to check a hostname, email or IP address against a

certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
parent c5f6da54
+5 −0
@@ -4,6 +4,11 @@

 Changes between 1.0.x and 1.1.0  [xx XXX xxxx]

  *) New functions to check a hostname email or IP address against a
     certificate. Add options to s_client, s_server and x509 utilities
     to print results of checks against a certificate.
     [Steve Henson]

  *) Add -rev test option to s_server to just reverse order of characters
     received by client and send back to server. Also prints an abbreviated
     summary of the connection parameters.
+29 −0
@@ -2791,6 +2791,35 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
	}
#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */

void print_cert_checks(BIO *bio, X509 *x,
				const unsigned char *checkhost,
				const unsigned char *checkemail,
				const char *checkip)
	{
	if (x == NULL)
		return;
	if (checkhost)
		{
		BIO_printf(bio, "Hostname %s does%s match certificate\n",
				checkhost, X509_check_host(x, checkhost, 0, 0)
						? "" : " NOT");
		}

	if (checkemail)
		{
		BIO_printf(bio, "Email %s does%s match certificate\n",
				checkemail, X509_check_email(x, checkemail, 0,
						0) ? "" : " NOT");
		}

	if (checkip)
		{
		BIO_printf(bio, "IP %s does%s match certificate\n",
				checkip, X509_check_ip_asc(x, checkip,
						0) ? "" : " NOT");
		}
	}

/*
 * Platform-specific sections
 */
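Review bot: The three ternaries in print_cert_checks treat any non-zero return from X509_check_host, X509_check_email and X509_check_ip_asc as a match, so if these checkers report an internal error with a negative value (as later revisions of this API do), a failed check would be printed as "does match". Comparing against the success value explicitly avoids that ambiguity: `X509_check_host(x, checkhost, 0, 0) == 1 ? "" : " NOT"`, and likewise for the email and IP calls. The function also has no header comment; a line such as `/* Print whether X matches the optional host, email and IP strings; informational only, does not affect the verification result. */` would tell readers that a "does match" line is not a substitute for chain verification. The `0` passed as chklen presumably means the host and email strings are NUL-terminated; worth stating in that comment since the parameter type is unsigned char * rather than char *.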
+5 −0
@@ -335,6 +335,11 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */

void print_cert_checks(BIO *bio, X509 *x,
				const unsigned char *checkhost,
				const unsigned char *checkemail,
				const char *checkip);

#define FORMAT_UNDEF    0
#define FORMAT_ASN1     1
#define FORMAT_TEXT     2
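Review bot: The new print_cert_checks prototype is undocumented, and the same applies to print_ssl_cert_checks in the s_apps.h hunk. A short comment above each, e.g. `/* Print match/no-match lines for the optional checkhost, checkemail and checkip strings (NULL entries are skipped); output only, no effect on verification. */`, would make the contract visible to the s_client, s_server and x509 callers mentioned in the commit message. The skipping of NULL arguments is visible in the apps.c hunk; whether the strings must be NUL-terminated is not, so confirm before documenting it.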
+4 −0
@@ -191,3 +191,7 @@ int args_excert(char ***pargs, int *pargc,
			int *badarg, BIO *err, SSL_EXCERT **pexc);
int load_excert(SSL_EXCERT **pexc, BIO *err);
void print_ssl_summary(BIO *bio, SSL *s);
void print_ssl_cert_checks(BIO *bio, SSL *s,
				const unsigned char *checkhost,
				const unsigned char *checkemail,
				const char *checkip);
+13 −0
@@ -1533,3 +1533,16 @@ void print_ssl_summary(BIO *bio, SSL *s)
		ssl_print_tmp_key(bio, s);
	}

void print_ssl_cert_checks(BIO *bio, SSL *s,
				const unsigned char *checkhost,
				const unsigned char *checkemail,
				const char *checkip)
	{
	X509 *peer;
	peer = SSL_get_peer_certificate(s);
	if (peer)
		{
		print_cert_checks(bio, peer, checkhost, checkemail, checkip);
		X509_free(peer);
		}
	}
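Review bot: When SSL_get_peer_certificate returns NULL, print_ssl_cert_checks prints nothing at all, so a user who asked for -checkhost on an anonymous or client-cert-less connection gets silence rather than a result. An explicit line in that case, `else BIO_puts(bio, "No peer certificate to check\n");`, keeps the output unambiguous. On the server side this presumably also covers the case where client authentication was never requested; a brief comment on the `if (peer)` guard saying so would help. The X509_free on the returned reference is correct and should stay.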