authorDr. Stephen Henson <steve@openssl.org>2012-12-05 18:35:20 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-12-05 18:35:20 +0000
commit3bf15e2974f416cb970ef54fae0f600ec299000e (patch)
treee5eee2ff6fe2245b552813dce2741b1bec28647b /apps
parent8df400cf8de73f2377f6931735c386b1480300ad (diff)
Integrate host, email and IP address checks into X509_verify.
Add new verify options to set checks. Remove previous -check* commands from s_client and s_server.
Diffstat (limited to 'apps')
-rw-r--r--apps/apps.c32
-rw-r--r--apps/s_client.c23
-rw-r--r--apps/s_server.c23
3 files changed, 32 insertions, 46 deletions
diff --git a/apps/apps.c b/apps/apps.c
index 34dc70b354..adf78665b0 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2382,6 +2382,8 @@ int args_verify(char ***pargs, int *pargc,
char *arg = **pargs, *argn = (*pargs)[1];
const X509_VERIFY_PARAM *vpm = NULL;
time_t at_time = 0;
+ const unsigned char *hostname = NULL, *email = NULL;
+ char *ipasc = NULL;
if (!strcmp(arg, "-policy"))
{
if (!argn)
@@ -2470,6 +2472,27 @@ int args_verify(char ***pargs, int *pargc,
}
(*pargs)++;
}
+ else if (strcmp(arg,"-verify_hostname") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ hostname = (unsigned char *)argn;
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-verify_email") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ email = (unsigned char *)argn;
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-verify_ip") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ ipasc = argn;
+ (*pargs)++;
+ }
else if (!strcmp(arg, "-ignore_critical"))
flags |= X509_V_FLAG_IGNORE_CRITICAL;
else if (!strcmp(arg, "-issuer_checks"))
@@ -2538,6 +2561,15 @@ int args_verify(char ***pargs, int *pargc,
if (at_time)
X509_VERIFY_PARAM_set_time(*pm, at_time);
+ if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0))
+ *badarg = 1;
+
+ if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0))
+ *badarg = 1;
+
+ if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc))
+ *badarg = 1;
+
end:
(*pargs)++;
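Review bot: The three failure branches added before `end:` only set `*badarg = 1`, so a `-verify_ip` value that does not parse as an IP address, or a rejected `-verify_hostname`/`-verify_email` string, surfaces to the user as a generic bad-argument error with no indication of which option was refused; a line such as `BIO_printf(err, "Invalid -verify_ip argument: %s\n", ipasc);` on each branch (using the BIO args_verify receives for diagnostics, if it is still in scope here — the signature is cut off in the hunk header) would make that actionable. By this point `*pm` has already been allocated and populated, and these late failures leave it to the caller rather than releasing it the way an earlier bad argument presumably does; worth confirming against the part of args_verify above the hunk. The `0` passed as the length to set1_host and set1_email is not self-explanatory at the call site and deserves `/* length 0: argument is a NUL-terminated string */`. args_verify continues on both sides of this hunk.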
diff --git a/apps/s_client.c b/apps/s_client.c
index 7041fb49fe..27c1696bf3 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -293,10 +293,6 @@ static void sc_usage(void)
BIO_printf(bio_err," -host host - use -connect instead\n");
BIO_printf(bio_err," -port port - use -connect instead\n");
BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
- BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
- BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
- BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
-
BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
@@ -634,8 +630,6 @@ int MAIN(int argc, char **argv)
#endif
SSL_EXCERT *exc = NULL;
- unsigned char *checkhost = NULL, *checkemail = NULL;
- char *checkip = NULL;
SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
@@ -999,21 +993,6 @@ int MAIN(int argc, char **argv)
/* meth=TLSv1_client_method(); */
}
#endif
- else if (strcmp(*argv,"-checkhost") == 0)
- {
- if (--argc < 1) goto bad;
- checkhost=(unsigned char *)*(++argv);
- }
- else if (strcmp(*argv,"-checkemail") == 0)
- {
- if (--argc < 1) goto bad;
- checkemail=(unsigned char *)*(++argv);
- }
- else if (strcmp(*argv,"-checkip") == 0)
- {
- if (--argc < 1) goto bad;
- checkip=*(++argv);
- }
#ifndef OPENSSL_NO_JPAKE
else if (strcmp(*argv,"-jpake") == 0)
{
@@ -1648,8 +1627,6 @@ SSL_set_tlsext_status_ids(con, ids);
"CONNECTION ESTABLISHED\n");
print_ssl_summary(bio_err, con);
}
- print_ssl_cert_checks(bio_err, con, checkhost,
- checkemail, checkip);
print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--;
diff --git a/apps/s_server.c b/apps/s_server.c
index b9f6f30b0a..2de8565367 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -473,9 +473,6 @@ static void sv_usage(void)
BIO_printf(bio_err,"usage: s_server [args ...]\n");
BIO_printf(bio_err,"\n");
BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT);
- BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
- BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
- BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
BIO_printf(bio_err," -context arg - set session ID context\n");
BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n");
@@ -946,9 +943,6 @@ static char *jpake_secret = NULL;
static srpsrvparm srp_callback_parm;
#endif
static char *srtp_profiles = NULL;
-static unsigned char *checkhost = NULL, *checkemail = NULL;
-static char *checkip = NULL;
-
int MAIN(int argc, char *argv[])
{
@@ -1268,21 +1262,6 @@ int MAIN(int argc, char *argv[])
}
}
#endif
- else if (strcmp(*argv,"-checkhost") == 0)
- {
- if (--argc < 1) goto bad;
- checkhost=(unsigned char *)*(++argv);
- }
- else if (strcmp(*argv,"-checkemail") == 0)
- {
- if (--argc < 1) goto bad;
- checkemail=(unsigned char *)*(++argv);
- }
- else if (strcmp(*argv,"-checkip") == 0)
- {
- if (--argc < 1) goto bad;
- checkip=*(++argv);
- }
else if (strcmp(*argv,"-msg") == 0)
{ s_msg=1; }
else if (strcmp(*argv,"-msgfile") == 0)
@@ -2578,8 +2557,6 @@ static int init_ssl_connection(SSL *con)
if (s_brief)
print_ssl_summary(bio_err, con);
- print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip);
-
PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
peer=SSL_get_peer_certificate(con);