New peername element in X509_VERIFY_PARAM_ID
authorViktor Dukhovni <ietf-dane@dukhovni.org>
Sat, 5 Jul 2014 15:44:30 +0000 (01:44 +1000)
committerViktor Dukhovni <ietf-dane@dukhovni.org>
Mon, 7 Jul 2014 09:20:34 +0000 (19:20 +1000)
Declaration, memory management, accessor and documentation.

(cherry picked from commit 6e661d458f5aa8f52bf3d9098bd10025de5f08ea)

crypto/x509/vpm_int.h
crypto/x509/x509_vfy.h
crypto/x509/x509_vpm.c
doc/crypto/X509_VERIFY_PARAM_set_flags.pod

index 6b670af5b30c84acee726612ac859918f58025b5..4ec629f710b9704dd3c3d4243a38727e69821b20 100644 (file)
@@ -62,6 +62,7 @@ struct X509_VERIFY_PARAM_ID_st
        {
        STACK_OF(OPENSSL_STRING) *hosts;        /* Set of acceptable names */
        unsigned int hostflags; /* Flags to control matching features */
+       char *peername;         /* Matching hostname in peer certificate */
        unsigned char *email;   /* If not NULL email address to match */
        size_t emaillen;
        unsigned char *ip;      /* If not NULL IP address to match */
index 5f13ee296708575a869c20a0ff3e35cbcdb04e6a..524d830df02e1852054a280902f50eb08b7b9539 100644 (file)
@@ -564,6 +564,7 @@ int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
                                const unsigned char *name, size_t namelen);
 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
                                        unsigned int flags);
+char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *);
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
                                const unsigned char *email, size_t emaillen);
 int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
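Review bot: The new prototype on the `+` line omits the parameter name that every neighbouring `X509_VERIFY_PARAM_*` declaration in this hunk uses (`param`), and the POD synopsis added by this same commit spells it `X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)`; the header should match: `char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param);`. The accessor only reads `param->id->peername` and the documentation forbids callers from freeing the result, so a `const X509_VERIFY_PARAM *` argument (and arguably a `const char *` return), as `X509_VERIFY_PARAM_get0_name()` already has, would put the borrowed, read-only contract into the type rather than leaving it to the manual. If the non-const signature has already been published, restoring the parameter name is the minimum.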
index a39220ca880b4cfecb03c3580d5e4df5f92812bd..1d5434aa7582545b53ef75bbd524d134bc2d75c6 100644 (file)
@@ -149,6 +149,8 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
                string_stack_free(paramid->hosts);
                paramid->hosts = NULL;
                }
+       if (paramid->peername)
+               OPENSSL_free(paramid->peername);
        if (paramid->email)
                {
                OPENSSL_free(paramid->email);
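Review bot: The added `OPENSSL_free(paramid->peername)` leaves `paramid->peername` pointing at freed memory, whereas the `hosts` branch just above resets its pointer (`paramid->hosts = NULL`) and the `email` branch below follows the same pattern. If `x509_verify_param_zero()` is ever applied to a parameter object that remains in use (its name suggests a reset rather than a final teardown, though its callers are not in this hunk), a subsequent `X509_VERIFY_PARAM_get0_peername()` returns a dangling pointer and a second reset double-frees. Add `paramid->peername = NULL;` after the free, braced like the sibling blocks. The enclosing function starts and ends outside this hunk.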
@@ -482,6 +484,11 @@ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
        param->id->hostflags = flags;
        }
 
+char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
+       {
+       return param->id->peername;
+       }
+
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
                                const unsigned char *email, size_t emaillen)
        {
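Review bot: The new accessor has no comment stating the one non-obvious thing about it: the pointer it returns is owned by `param` and must neither be freed nor used after the parameter is freed or reset. The POD in this commit says so, but the source does not, and `param->id` is dereferenced without comment even though this file also uses a shared `vpm_empty_id` placeholder for the `id` member (visible below). Suggest a header comment such as `/* Returns a borrowed pointer owned by param->id; callers must not free it and it is invalidated when param is freed. NULL presumably means no name has matched yet - confirm against the verifier. */`.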
@@ -517,7 +524,7 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
        return param->name;
        }
 
-static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, 0, NULL, 0};
+static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, NULL, 0, NULL, 0};
 
 #define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
 
index 18c0f6eac93e8806c691bed9a41814dda22da2f2..f22dd80a9c7882195ef96102226ed8a5ea09d236 100644 (file)
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters
+X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters
 
 =head1 SYNOPSIS
 
@@ -32,6 +32,7 @@ X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_ge
                                  const unsigned char *name, size_t namelen);
  void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
                                      unsigned int flags);
+ char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param);
  int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
                                 const unsigned char *email, size_t emaillen);
  int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
@@ -95,6 +96,16 @@ are retained, no change is made if B<name> is NULL or empty.  When
 multiple names are configured, the peer is considered verified when
 any name matches.
 
+X509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject
+CommonName from the peer certificate that matched one of the reference
+identifiers.  When wildcard matching is not disabled, or when a
+reference identifier specifies a parent domain (starts with ".")
+rather than a hostname, the peer name may be a wildcard name or a
+sub-domain of the reference identifier respectively.  The return
+string is allocated by the library and is no longer valid once the
+associated B<param> argument is freed.  Applications must not free
+the return value.
+
 X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to
 B<email>.  If B<email> is NUL-terminated, B<emaillen> may be zero, otherwise
 B<emaillen> must be set to the length of B<email>.  When an email address