author: Emilia Kasper <emilia@openssl.org> 2015-02-05 16:38:54 +0100
committer: Emilia Kasper <emilia@openssl.org> 2015-02-10 15:36:03 +0100
commit: 95929797a01eb4ad42694f1f848bdbb9decbcefe (patch)
tree: 56cf46001e6839c97bf5a172321afa23ea24e930 /doc
parent: bcfaa4eeee5bbb2ddf9545e41b62cbfc10ad60b0 (diff)
Fix hostname validation in the command-line tool to honour negative return values.
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion and result in a negative return value, which the "x509 -checkhost" command-line option incorrectly interpreted as success.

Also update X509_check_host docs to reflect reality.

Thanks to Sean Burford (Google) for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 0923e7df9eafec6db9c75405d7085ec8581f01bd)
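The failure mode in the commit message is a caller treating "non-zero" as "matched". The following is an added example, not OpenSSL's own code: check_host_stub() is a stand-in for X509_check_host() that reproduces only the return convention documented below (1 match, 0 no match, -1 internal/decoding error, -2 malformed input) so the file builds without libcrypto. The cn_is_decodable flag models whether the subject name converts to UTF-8 (a NumericString CN does not); the hostnames are constructed test inputs.

```c
/* Added illustration of X509_check_host()-style return handling.
 * Not OpenSSL code: check_host_stub() mimics the documented return
 * convention of X509_check_host() so the example runs stand-alone. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for X509_check_host(). 'cn' plays the certificate subject
 * name; 'cn_is_decodable' models whether that ASN.1 string converts to
 * UTF-8 (assumption: a NumericString CN fails, yielding -1, as the
 * commit message describes). namelen == 0 means "use strlen(name)",
 * as with the real API. */
static int check_host_stub(const char *cn, int cn_is_decodable,
                           const char *name, size_t namelen)
{
    if (namelen == 0)
        namelen = strlen(name);
    if (memchr(name, '\0', namelen) != NULL)
        return -2;                     /* malformed input: embedded NUL */
    if (!cn_is_decodable)
        return -1;                     /* internal / ASN.1 decoding error */
    if (strlen(cn) != namelen)
        return 0;
    for (size_t i = 0; i < namelen; i++)
        if (tolower((unsigned char)cn[i]) != tolower((unsigned char)name[i]))
            return 0;                  /* honest mismatch */
    return 1;                          /* match */
}

/* The buggy pattern the commit fixes: any non-zero return is taken as
 * a match, so -1 and -2 are accepted. */
static int accepts_buggy(int rc) { return rc != 0; }

/* The correct pattern: only a return of exactly 1 is a match; 0, -1
 * and -2 are all failures (and -1/-2 are worth logging separately). */
static int accepts_fixed(int rc) { return rc == 1; }

int main(void)
{
    static const char with_nul[] = "example.com\0evil";  /* constructed */
    struct { const char *label; int rc; } cases[] = {
        { "case-insensitive ok", check_host_stub("example.com", 1, "EXAMPLE.com", 0) },
        { "mismatch",            check_host_stub("example.com", 1, "example.org", 0) },
        { "NumericString CN",    check_host_stub("1234", 0, "1234", 0) },
        { "embedded NUL",        check_host_stub("example.com", 1, with_nul,
                                                 sizeof(with_nul) - 1) },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-20s rc=%2d  buggy:%-6s fixed:%s\n", cases[i].label, cases[i].rc,
               accepts_buggy(cases[i].rc) ? "accept" : "reject",
               accepts_fixed(cases[i].rc) ? "accept" : "reject");
    return 0;
}
```

The two error cases are exactly the ones where the buggy test accepts and the fixed test rejects; a caller that only distinguishes "zero" from "non-zero" cannot tell a decoding failure from a successful match.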
Diffstat (limited to 'doc')
-rw-r--r--  doc/crypto/X509_check_host.pod  7
1 file changed, 5 insertions, 2 deletions
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index f8b530df9b..0def17aac1 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -109,9 +109,12 @@ but would not match a peer certificate with a DNS name of
=head1 RETURN VALUES
The functions return 1 for a successful match, 0 for a failed match
-and -1 for an internal error: typically a memory allocation failure.
+and -1 for an internal error: typically a memory allocation failure
+or an ASN.1 decoding error.
-X509_check_ip_asc() can also return -2 if the IP address string is malformed.
+All functions can also return -2 if the input is malformed. For example,
+X509_check_host() returns -2 if the provided B<name> contains embedded
+NULs.
=head1 NOTES
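Review bot: the RETURN VALUES section now lists three non-success codes (0, -1, -2) but still does not tell callers how to test the result, and the bug this commit fixes was precisely a caller treating a negative return as success; add a sentence after the -2 paragraph along the lines of "Callers should check for a return value of exactly 1 and treat any other value as a failed match; in particular a non-zero return must not be taken as success." It would also help to name the -1 case from the commit message, a subject name that cannot be converted to UTF-8 (such as a NumericString CN), so readers see that -1 can be triggered by a well-formed certificate and not only by allocation failure.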