author Emilia Kasper <emilia@openssl.org> 2015-02-05 16:38:54 +0100
committer Emilia Kasper <emilia@openssl.org> 2015-02-10 15:35:20 +0100
commit 0923e7df9eafec6db9c75405d7085ec8581f01bd (patch)
tree 11b45d8564c5886867afd633ea04d3e6b56737aa /apps
parent efb4597345a0ae31ac81f9dfb783f3eef420122b (diff)
Fix hostname validation in the command-line tool to honour negative return values.

Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion and result in a negative return value, which the "x509 -checkhost" command-line option incorrectly interpreted as success.

Also update X509_check_host docs to reflect reality.

Thanks to Sean Burford (Google) for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r-- apps/apps.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/apps.c b/apps/apps.c
index 97f0c0e182..bf044d40f8 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2780,7 +2780,7 @@ void print_cert_checks(BIO *bio, X509 *x,
return;
if (checkhost) {
BIO_printf(bio, "Hostname %s does%s match certificate\n",
- checkhost, X509_check_host(x, checkhost, 0, 0, NULL)
+ checkhost, X509_check_host(x, checkhost, 0, 0, NULL) == 1
? "" : " NOT");
}
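Review bot: in the BIO_printf argument, comparing X509_check_host(...) == 1 folds the negative error return into the same "does NOT match" output as an ordinary mismatch, so someone running -checkhost cannot tell a certificate name that failed conversion from a hostname that simply differs. Consider storing the return value in a local before the BIO_printf call and printing a distinct message when it is negative, keeping "does NOT match" for a return of 0. If the other checks in print_cert_checks that fall outside this hunk still test their return value for truthiness, they need the same == 1 comparison.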