From: Viktor Dukhovni Date: Sat, 5 Jul 2014 15:44:30 +0000 (+1000) Subject: New peername element in X509_VERIFY_PARAM_ID X-Git-Tag: OpenSSL_1_0_2-beta2~36 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1eb57ae2b78c119bfba7ab647951130e968d1664;p=openssl New peername element in X509_VERIFY_PARAM_ID Declaration, memory management, accessor and documentation. (cherry picked from commit 6e661d458f5aa8f52bf3d9098bd10025de5f08ea) --- diff --git a/crypto/x509/vpm_int.h b/crypto/x509/vpm_int.h index 6b670af5b3..4ec629f710 100644 --- a/crypto/x509/vpm_int.h +++ b/crypto/x509/vpm_int.h @@ -62,6 +62,7 @@ struct X509_VERIFY_PARAM_ID_st { STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ unsigned int hostflags; /* Flags to control matching features */ + char *peername; /* Matching hostname in peer certificate */ unsigned char *email; /* If not NULL email address to match */ size_t emaillen; unsigned char *ip; /* If not NULL IP address to match */ diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 5f13ee2967..524d830df0 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -564,6 +564,7 @@ int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const unsigned char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); +char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const unsigned char *email, size_t emaillen); int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index a39220ca88..1d5434aa75 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -149,6 +149,8 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) string_stack_free(paramid->hosts); paramid->hosts = NULL; } + if (paramid->peername) + OPENSSL_free(paramid->peername); if (paramid->email) { OPENSSL_free(paramid->email); @@ -482,6 +484,11 @@ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, param->id->hostflags = flags; } +char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param) + { + return param->id->peername; + } + int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const unsigned char *email, size_t emaillen) { @@ -517,7 +524,7 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) return param->name; } -static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, 0, NULL, 0}; +static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, NULL, 0, NULL, 0}; #define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 18c0f6eac9..f22dd80a9c 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -2,7 +2,7 @@ =head1 NAME -X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters +X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters =head1 SYNOPSIS @@ -32,6 +32,7 @@ X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_ge const unsigned char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); + char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const unsigned char *email, size_t emaillen); int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, @@ -95,6 +96,16 @@ are retained, no change is made if B is NULL or empty. When multiple names are configured, the peer is considered verified when any name matches. +X509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject +CommonName from the peer certificate that matched one of the reference +identifiers. When wildcard matching is not disabled, or when a +reference identifier specifies a parent domain (starts with ".") +rather than a hostname, the peer name may be a wildcard name or a +sub-domain of the reference identifier respectively. The return +string is allocated by the library and is no longer valid once the +associated B argument is freed. Applications must not free +the return value. + X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to B. If B is NUL-terminated, B may be zero, otherwise B must be set to the length of B. When an email address