static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
unsigned int flags,
- const unsigned char *b, size_t blen)
+ const unsigned char *b, size_t blen,
+ char **peername)
{
+ int rv = 0;
+
if (!a->data || !a->length)
return 0;
if (cmp_type > 0)
if (cmp_type != a->type)
return 0;
if (cmp_type == V_ASN1_IA5STRING)
- return equal(a->data, a->length, b, blen, flags);
- if (a->length == (int)blen && !memcmp(a->data, b, blen))
- return 1;
- else
- return 0;
+ rv = equal(a->data, a->length, b, blen, flags);
+ else if (a->length == (int)blen && !memcmp(a->data, b, blen))
+ rv = 1;
+ if (rv > 0 && peername)
+ *peername = BUF_strndup((char *)a->data, a->length);
}
else
{
- int astrlen, rv;
+ int astrlen;
unsigned char *astr;
astrlen = ASN1_STRING_to_UTF8(&astr, a);
if (astrlen < 0)
return -1;
rv = equal(astr, astrlen, b, blen, flags);
OPENSSL_free(astr);
- return rv;
+ if (rv > 0 && peername)
+ *peername = BUF_strndup((char *)astr, astrlen);
}
+ return rv;
}
static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags, int check_type)
+ unsigned int flags, int check_type,
+ char **peername)
{
GENERAL_NAMES *gens = NULL;
X509_NAME *name = NULL;
int cnid;
int alt_type;
int san_present = 0;
+ int rv = 0;
equal_fn equal;
/* See below, this flag is internal-only */
gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (gens)
{
- int rv = 0;
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
{
GENERAL_NAME *gen;
cstr = gen->d.dNSName;
else
cstr = gen->d.iPAddress;
- if (do_check_string(cstr, alt_type, equal, flags,
- chk, chklen))
- {
- rv = 1;
+ /* Positive on success, negative on error! */
+ if ((rv = do_check_string(cstr, alt_type, equal, flags,
+ chk, chklen, peername)) != 0)
break;
- }
}
GENERAL_NAMES_free(gens);
- if (rv)
- return 1;
+ if (rv != 0)
+ return rv;
if (!cnid
|| (san_present
&& !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
ASN1_STRING *str;
ne = X509_NAME_get_entry(name, i);
str = X509_NAME_ENTRY_get_data(ne);
- if (do_check_string(str, -1, equal, flags, chk, chklen))
- return 1;
+ /* Positive on success, negative on error! */
+ if ((rv = do_check_string(str, -1, equal, flags,
+ chk, chklen, peername)) != 0)
+ return rv;
}
return 0;
}
int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags)
+ unsigned int flags, char **peername)
{
if (chk == NULL)
return -2;
return -2;
if (chklen > 1 && chk[chklen-1] == '\0')
--chklen;
- return do_x509_check(x, chk, chklen, flags, GEN_DNS);
+ return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
}
int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
return -2;
if (chklen > 1 && chk[chklen-1] == '\0')
--chklen;
- return do_x509_check(x, chk, chklen, flags, GEN_EMAIL);
+ return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
}
int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
{
if (chk == NULL)
return -2;
- return do_x509_check(x, chk, chklen, flags, GEN_IPADD);
+ return do_x509_check(x, chk, chklen, flags, GEN_IPADD, NULL);
}
int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
iplen = a2i_ipadd(ipout, ipasc);
if (iplen == 0)
return -2;
- return do_x509_check(x, ipout, (size_t)iplen, flags, GEN_IPADD);
+ return do_x509_check(x, ipout, (size_t)iplen, flags, GEN_IPADD, NULL);
}
/* Convert IP addresses both IPv4 and IPv6 into an
#include <openssl/x509.h>
int X509_check_host(X509 *, const unsigned char *name,
- size_t namelen, unsigned int flags);
+ size_t namelen, unsigned int flags, char **peername);
int X509_check_email(X509 *, const unsigned char *address,
size_t addresslen, unsigned int flags);
int X509_check_ip(X509 *, const unsigned char *address,
calculated with strlen(name). When B<name> starts with a dot (e.g
".example.com"), it will be matched by a certificate valid for any
sub-domain of B<name>, (see also B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS>
-below). Applications are strongly advised to use
-X509_VERIFY_PARAM_set1_host() in preference to explicitly calling
-L<X509_check_host(3)>, hostname checks are out of scope with the
-DANE-EE(3) certificate usage, and the internal check will be
-suppressed as appropriate when DANE support is added to OpenSSL.
+below). When the certificate is matched and B<peername> is not
+NULL a pointer to a copy of the matching hostname or CommonName
+from the peer certificate is stored at the address passed in
+B<peername>. The application is responsible for freeing the peername
+via OPENSSL_free() when it is no longer needed. Applications are
+advised to use X509_VERIFY_PARAM_set1_host() in preference to
+explicitly calling L<X509_check_host(3)>, hostname checks are out
+of scope with the DANE-EE(3) certificate usage, and the internal
+check will be suppressed as appropriate when DANE support is added
+to OpenSSL.
X509_check_email() checks if the certificate matches the specified
email address. Only the mailbox syntax of RFC 822 is supported,