author | Viktor Dukhovni <viktor@dukhovni.org> | 2014-05-21 10:57:44 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-05-21 11:32:19 +0100 |
commit | a2219f6be36d12f02b6420dd95f819cf364baf1d (patch) | |
tree | 258ec0db01286f41e36f3b10ffcee2c43fa8252b /crypto/x509 | |
parent | 03b5b78c09fb10839a565f341cdc527c675e89ce (diff) |
Fixes to host checking.
Fix host-checking wildcard support and add support for
setting host-checking flags when verifying a certificate
chain.
(cherry picked from commit 397a8e747dc3f964196caed5ca4e08d4b598362a)
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/vpm_int.h | 1 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 3 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 2 | ||||
-rw-r--r-- | crypto/x509/x509_vpm.c | 9 |
4 files changed, 13 insertions, 2 deletions
diff --git a/crypto/x509/vpm_int.h b/crypto/x509/vpm_int.h
index af998212a1..d18a4d48e9 100644
--- a/crypto/x509/vpm_int.h
+++ b/crypto/x509/vpm_int.h
@@ -62,6 +62,7 @@ struct X509_VERIFY_PARAM_ID_st
 {
 unsigned char *host; /* If not NULL hostname to match */
 size_t hostlen;
+ unsigned int hostflags; /* Flags to control matching features */
 unsigned char *email; /* If not NULL email address to match */
 size_t emaillen;
 unsigned char *ip; /* If not NULL IP address to match */
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 0693c609ce..2917819cc9 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -724,7 +724,8 @@ static int check_id(X509_STORE_CTX *ctx)
 X509_VERIFY_PARAM *vpm = ctx->param;
 X509_VERIFY_PARAM_ID *id = vpm->id;
 X509 *x = ctx->cert;
- if (id->host && !X509_check_host(x, id->host, id->hostlen, 0))
+ if (id->host && !X509_check_host(x, id->host, id->hostlen,
+ id->hostflags))
 {
 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
 return 0;
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 4482210d4e..a4ed24d150 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -560,6 +560,8 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
 const unsigned char *name, size_t namelen);
+void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags);
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
 const unsigned char *email, size_t emaillen);
 int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 97789119ef..e5e258a9d3 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -239,6 +239,7 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 {
 if (!X509_VERIFY_PARAM_set1_host(dest, id->host, id->hostlen))
 return 0;
+ dest->id->hostflags = id->hostflags;
 }
 if (test_x509_verify_param_copy_id(email, NULL)) 
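Review bot: The new condition in check_id() still negates the match result, `!X509_check_host(x, id->host, id->hostlen, id->hostflags)`, so only a return of exactly 0 is treated as a hostname mismatch; if X509_check_host() ever reports an error with a negative value (later OpenSSL releases document -1 for internal errors such as a failed ASN.1 string conversion and -2 for invalid input), that value passes the `!` test and the chain verifies against a name that was never actually compared. This is the one point in the verify path that enforces the configured host, so it should fail closed: `if (id->host && X509_check_host(x, id->host, id->hostlen, id->hostflags) <= 0)`. Whether a negative return is reachable at this revision is decided in v3_utl.c, which is not part of the diff, but the `<= 0` form is correct either way and costs nothing. check_id() continues past the end of the hunk, where the email and ip checks presumably deserve the same treatment.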
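Review bot: The new public declaration `void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags);` in x509_vfy.h carries no comment saying what `flags` is or when it takes effect. The other hunks show the value is handed straight through as the `flags` argument of X509_check_host() and is copied by X509_VERIFY_PARAM_inherit() only together with the host, so a comment above the prototype such as `/* Flags passed to X509_check_host() when the host set with X509_VERIFY_PARAM_set1_host() is matched; inherited together with that host. */` would spare readers a trip through x509_vpm.c. The setter returns void while its set1_* neighbours return int; that is fine for a plain field store, but worth stating so callers do not look for an error to check.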
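Review bot: In X509_VERIFY_PARAM_inherit() the added `dest->id->hostflags = id->hostflags;` sits inside the block that calls X509_VERIFY_PARAM_set1_host() on dest (the guarding `if` is just above the hunk; by analogy with the `test_x509_verify_param_copy_id(email, NULL)` line that follows, it is presumably the host-copy test), so flags propagate only when the host itself does: flags set on a source param that carries no host are silently dropped, and a destination's own flags are overwritten whenever it inherits a host. That coupling looks intentional, but nothing in the code says so; a one-line comment on the new line, `/* Host flags only make sense with a host: copy them with it, never on their own. */`, would record the intent. The enclosing function starts before the hunk.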
@@ -402,6 +403,12 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
 name, namelen);
 }
+void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags)
+ {
+ param->id->hostflags = flags;
+ }
+
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
 const unsigned char *email, size_t emaillen)
 {
@@ -437,7 +444,7 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
 return param->name;
 }
-static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, NULL, 0, NULL, 0};
+static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, 0U, NULL, 0, NULL, 0};
 #define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id |
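Review bot: X509_VERIFY_PARAM_set_hostflags() writes `param->id->hostflags = flags;` with no comment on the field's meaning and no thought for whose object `param->id` is: the second hunk on this line shows `vpm_empty_id` is a cast pointer to the single static `_empty_id`, so a param whose id is that shared placeholder would have its flags stored where every other param using the placeholder reads them. Whether a caller can legitimately reach this setter with such a param (a default-table entry, say) is decided by code outside the hunk, so either document the precondition or make the setter skip the store when `param->id == vpm_empty_id`. At minimum a header comment, `/* Set the X509_check_host() flags check_id() uses for this param's host; only meaningful once X509_VERIFY_PARAM_set1_host() has been called. */`, would pin the contract.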
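Review bot: The updated initializer `static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, 0U, NULL, 0, NULL, 0};` spells out every field positionally, which is exactly why this commit had to touch it and why the next field added to X509_VERIFY_PARAM_ID_st will need the same edit. A static-storage object is zero-initialized without any initializer, and all the listed values are zero, so `static X509_VERIFY_PARAM_ID _empty_id;` (or `= {0}`, which is still C89) yields an identical object and stays correct as the struct grows. If the explicit list is kept for readability, a comment such as `/* order must match struct X509_VERIFY_PARAM_ID_st in vpm_int.h */` would at least point the next editor to the right place.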