authorViktor Dukhovni <viktor@dukhovni.org>2014-05-21 10:57:44 +0100
committerDr. Stephen Henson <steve@openssl.org>2014-05-21 11:31:28 +0100
commit397a8e747dc3f964196caed5ca4e08d4b598362a (patch)
tree5830abbfbe6e1918e47adf8719b0da9657b4266f /crypto/x509
parent558c94efc00ce15a9fcc9370598d8841392ff0f3 (diff)
Fixes to host checking.
Fix wildcard support in host checking and add support for setting host-checking flags when verifying a certificate chain.
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/vpm_int.h1
-rw-r--r--crypto/x509/x509_vfy.c3
-rw-r--r--crypto/x509/x509_vfy.h2
-rw-r--r--crypto/x509/x509_vpm.c9
4 files changed, 13 insertions, 2 deletions
diff --git a/crypto/x509/vpm_int.h b/crypto/x509/vpm_int.h
index af998212a1..d18a4d48e9 100644
--- a/crypto/x509/vpm_int.h
+++ b/crypto/x509/vpm_int.h
@@ -62,6 +62,7 @@ struct X509_VERIFY_PARAM_ID_st
{
unsigned char *host; /* If not NULL hostname to match */
size_t hostlen;
+ unsigned int hostflags; /* Flags to control matching features */
unsigned char *email; /* If not NULL email address to match */
size_t emaillen;
unsigned char *ip; /* If not NULL IP address to match */
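Review bot: The comment on the new `hostflags` field (line 29) does not say which values it holds or who consumes them; the field is handed straight to X509_check_host() in check_id(), so the comment should name that contract: `unsigned int hostflags; /* X509_CHECK_FLAG_* bits passed through to X509_check_host() */`. Because X509_VERIFY_PARAM_ID is initialised positionally elsewhere (the `_empty_id` initialiser in x509_vpm.c, which this commit updates in step), a reminder next to the struct that inserting a field mid-struct must be mirrored in that initialiser would help the next maintainer avoid a silently shifted initialiser.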
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 32b07a0306..350c3475fe 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -744,7 +744,8 @@ static int check_id(X509_STORE_CTX *ctx)
X509_VERIFY_PARAM *vpm = ctx->param;
X509_VERIFY_PARAM_ID *id = vpm->id;
X509 *x = ctx->cert;
- if (id->host && !X509_check_host(x, id->host, id->hostlen, 0))
+ if (id->host && !X509_check_host(x, id->host, id->hostlen,
+ id->hostflags))
{
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
return 0;
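Review bot: The test on lines 42-43 still negates the result, `!X509_check_host(...)`, which treats every non-zero return as a successful match. If X509_check_host() can signal an error with a negative return (later OpenSSL documentation states 1 for match, 0 for mismatch and a negative value for an internal error or invalid input; confirm against the v3_utl.c in this tree), a malformed subject alternative name or an allocation failure would then bypass the hostname check entirely. The fail-closed form is `if (id->host && X509_check_host(x, id->host, id->hostlen, id->hostflags) <= 0)`, which only accepts an explicit positive match. check_id() begins before the hunk and continues after it.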
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 24115ccfa2..4b61d28d74 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -560,6 +560,8 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
const unsigned char *name, size_t namelen);
+void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags);
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
const unsigned char *email, size_t emaillen);
int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 14336a7ef7..9b22093277 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -239,6 +239,7 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
{
if (!X509_VERIFY_PARAM_set1_host(dest, id->host, id->hostlen))
return 0;
+ dest->id->hostflags = id->hostflags;
}
if (test_x509_verify_param_copy_id(email, NULL))
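Review bot: The assignment `dest->id->hostflags = id->hostflags;` on line 67 sits inside the branch that copies the host name, so a source parameter set that carries flags but no host (a template whose host is supplied later on dest) passes no flags on, and a dest that keeps its own host also keeps its own flags. That coupling is reasonable, since the flags only affect host matching, but it is not obvious from the code; a comment next to the assignment would make it explicit: `/* hostflags travel with the host name: inherited only when host is copied */`. The enclosing if and the body of X509_VERIFY_PARAM_inherit() start before the hunk.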
@@ -402,6 +403,12 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
name, namelen);
}
+void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags)
+ {
+ param->id->hostflags = flags;
+ }
+
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
const unsigned char *email, size_t emaillen)
{
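Review bot: X509_VERIFY_PARAM_set_hostflags() on lines 73-77 stores `flags` without any validation and without a comment, so a reader cannot tell that only X509_CHECK_FLAG_* bits are meaningful, that unknown bits are kept verbatim, or that the value is later passed unchanged to X509_check_host(); a two-line comment above the definition stating that contract would close the gap. `param->id` is dereferenced unconditionally, which is consistent with the neighbouring setters only if `id` is always allocated together with the param; worth confirming where the param is created. Unlike X509_VERIFY_PARAM_set1_host() just above, the new setter returns void, which is fine since it cannot fail, but there is no way to read the flags back; a matching `unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)` would let callers confirm which matching rules a chain was verified under.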
@@ -437,7 +444,7 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
return param->name;
}
-static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, NULL, 0, NULL, 0};
+static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, 0U, NULL, 0, NULL, 0};
#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id