From 45da1efcdb822d8ff992e13d5a1600fa62c96c6d Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 19 Dec 2012 15:01:59 +0000
Subject: Backport X509 hostname, IP address and email checking code from HEAD.

---
apps/apps.c | 29 +++++++++++++++++++++++++++++
apps/apps.h | 5 +++++
apps/x509.c | 19 +++++++++++++++++++
3 files changed, 53 insertions(+)
(limited to 'apps')
diff --git a/apps/apps.c b/apps/apps.c
index 4f12f3a196..fea5b25c1c 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2771,6 +2771,35 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
 }
 #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+void print_cert_checks(BIO *bio, X509 *x,
+ const unsigned char *checkhost,
+ const unsigned char *checkemail,
+ const char *checkip)
+ {
+ if (x == NULL)
+ return;
+ if (checkhost)
+ {
+ BIO_printf(bio, "Hostname %s does%s match certificate\n",
+ checkhost, X509_check_host(x, checkhost, 0, 0)
+ ? "" : " NOT");
+ }
+
+ if (checkemail)
+ {
+ BIO_printf(bio, "Email %s does%s match certificate\n",
+ checkemail, X509_check_email(x, checkemail, 0,
+ 0) ? "" : " NOT");
+ }
+
+ if (checkip)
+ {
+ BIO_printf(bio, "IP %s does%s match certificate\n",
+ checkip, X509_check_ip_asc(x, checkip,
+ 0) ? "" : " NOT");
+ }
+ }
+
 /*
 * Platform-specific sections
 */
diff --git a/apps/apps.h b/apps/apps.h
index c1ca99da12..4c9f95a1ce 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -335,6 +335,11 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+void print_cert_checks(BIO *bio, X509 *x,
+ const unsigned char *checkhost,
+ const unsigned char *checkemail,
+ const char *checkip);
+
 #define FORMAT_UNDEF 0
 #define FORMAT_ASN1 1
 #define FORMAT_TEXT 2
diff --git a/apps/x509.c b/apps/x509.c
index 3863ab968d..361eca624e 100644
--- a/apps/x509.c
+++ b/apps/x509.c
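Review bot: The three `? "" : " NOT"` tests in print_cert_checks treat any non-zero return from X509_check_host, X509_check_email and X509_check_ip_asc as a match, so if any of these checkers ever reports an error through a negative value (malformed input, internal failure) the certificate would be printed as matching. Comparing against the single documented success value is safer and costs nothing, e.g. `checkhost, X509_check_host(x, checkhost, 0, 0) == 1` and the same `== 1` on the email and IP calls. The flags argument is hard-coded to 0 in all three calls, so the library's default matching rules cannot be tightened from the apps; a short comment such as `/* flags 0: library default matching rules (incl. wildcards) */` would make that choice visible, or the flags could become a parameter later. The function also deserves a header comment saying it only prints the outcome to bio and reports nothing back to the caller, since its return type is void.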
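Review bot: The new prototype takes checkhost and checkemail as `const unsigned char *` but checkip as `const char *`, which forces the caller to cast two of its three argv strings (the `(unsigned char *)*(++argv)` casts in the apps/x509.c hunk) while the third passes through unchanged. This presumably mirrors the library's own X509_check_host/X509_check_email signatures, but from the apps side a uniform `const char *` for all three would remove the casts; if the asymmetry must stay, a one-line comment explaining it would stop the next reader from "fixing" it. The declaration has no description at all, so suggest `/* Print to bio whether x matches each non-NULL host/email/IP string; informational only. */` above it.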
@@ -207,6 +207,8 @@ int MAIN(int argc, char **argv)
 int need_rand = 0;
 int checkend=0,checkoffset=0;
 unsigned long nmflag = 0, certflag = 0;
+ unsigned char *checkhost = NULL, *checkemail = NULL;
+ char *checkip = NULL;
 #ifndef OPENSSL_NO_ENGINE
 char *engine=NULL;
 #endif
@@ -450,6 +452,21 @@ int MAIN(int argc, char **argv)
 checkoffset=atoi(*(++argv));
 checkend=1;
 }
+ else if (strcmp(*argv,"-checkhost") == 0)
+ {
+ if (--argc < 1) goto bad;
+ checkhost=(unsigned char *)*(++argv);
+ }
+ else if (strcmp(*argv,"-checkemail") == 0)
+ {
+ if (--argc < 1) goto bad;
+ checkemail=(unsigned char *)*(++argv);
+ }
+ else if (strcmp(*argv,"-checkip") == 0)
+ {
+ if (--argc < 1) goto bad;
+ checkip=*(++argv);
+ }
 else if (strcmp(*argv,"-noout") == 0)
 noout= ++num;
 else if (strcmp(*argv,"-trustout") == 0)
@@ -1044,6 +1061,8 @@ bad:
 goto end;
 }
 
+ print_cert_checks(STDout, x, checkhost, checkemail, checkip);
+
 if (noout)
 {
 ret=0;
--
cgit v1.2.3
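Review bot: The three new options are parsed in this hunk but nothing in the commit adds them to the x509 usage text: the diffstat lists 19 insertions for apps/x509.c and all 19 are accounted for by the three hunks shown (2 + 15 + 2), none of which touch the usage table, so `-checkhost`, `-checkemail` and `-checkip` will presumably be missing from the help output and from the dump printed at `bad:`. Suggest adding three entries next to the existing -check* lines, such as `" -checkhost host - check certificate matches \"host\""`, with matching lines for email and IP. The parsing itself follows the neighbouring -checkend pattern (`if (--argc < 1) goto bad;`), so no issue there; MAIN begins and ends outside this hunk.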
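Review bot: The outcome of the new checks is only printed; `ret` is not touched after the `print_cert_checks(STDout, x, checkhost, checkemail, checkip);` call and the following `if (noout)` block still sets `ret=0`, so a hostname, email or IP mismatch exits with success and a script has to scrape stdout to notice it. If these options are meant to be usable from automation, consider having print_cert_checks return whether every requested check matched (a cross-file change, since apps.h declares it void) and setting `ret = 1` on mismatch before the noout handling. Failing that, a comment above the call, `/* informational only: a mismatch does not affect the exit status */`, records the limitation for the next reader. MAIN begins and ends outside this hunk.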