From aa4d426b4d3527d7e166df1a05058c9a4a0f6683 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Fri, 30 Apr 2021 00:33:56 +0200 Subject: initial/final commit --- openssl-1.1.0h/doc/crypto/X509_check_host.pod | 157 ++++++++++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100644 openssl-1.1.0h/doc/crypto/X509_check_host.pod (limited to 'openssl-1.1.0h/doc/crypto/X509_check_host.pod') diff --git a/openssl-1.1.0h/doc/crypto/X509_check_host.pod b/openssl-1.1.0h/doc/crypto/X509_check_host.pod new file mode 100644 index 0000000..9384815 --- /dev/null +++ b/openssl-1.1.0h/doc/crypto/X509_check_host.pod @@ -0,0 +1,157 @@ +=pod + +=head1 NAME + +X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 certificate matching + +=head1 SYNOPSIS + + #include + + int X509_check_host(X509 *, const char *name, size_t namelen, + unsigned int flags, char **peername); + int X509_check_email(X509 *, const char *address, size_t addresslen, + unsigned int flags); + int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen, + unsigned int flags); + int X509_check_ip_asc(X509 *, const char *address, unsigned int flags); + +=head1 DESCRIPTION + +The certificate matching functions are used to check whether a +certificate matches a given host name, email address, or IP address. +The validity of the certificate and its trust level has to be checked by +other means. + +X509_check_host() checks if the certificate Subject Alternative +Name (SAN) or Subject CommonName (CN) matches the specified host +name, which must be encoded in the preferred name syntax described +in section 3.5 of RFC 1034. By default, wildcards are supported +and they match only in the left-most label; but they may match +part of that label with an explicit prefix or suffix. For example, +by default, the host B "www.example.com" would match a +certificate with a SAN or CN value of "*.example.com", "w*.example.com" +or "*w.example.com". + +Per section 6.4.2 of RFC 6125, B values representing international +domain names must be given in A-label form. The B argument +must be the number of characters in the name string or zero in which +case the length is calculated with strlen(B). When B starts +with a dot (e.g ".example.com"), it will be matched by a certificate +valid for any sub-domain of B, (see also +B below). + +When the certificate is matched, and B is not NULL, a +pointer to a copy of the matching SAN or CN from the peer certificate +is stored at the address passed in B. The application +is responsible for freeing the peername via OPENSSL_free() when it +is no longer needed. + +X509_check_email() checks if the certificate matches the specified +email B
. Only the mailbox syntax of RFC 822 is supported, +comments are not allowed, and no attempt is made to normalize quoted +characters. The B argument must be the number of +characters in the address string or zero in which case the length +is calculated with strlen(B
). + +X509_check_ip() checks if the certificate matches a specified IPv4 or +IPv6 address. The B
array is in binary format, in network +byte order. The length is either 4 (IPv4) or 16 (IPv6). Only +explicitly marked addresses in the certificates are considered; IP +addresses stored in DNS names and Common Names are ignored. + +X509_check_ip_asc() is similar, except that the NUL-terminated +string B
is first converted to the internal representation. + +The B argument is usually 0. It can be the bitwise OR of the +flags: + +=over 4 + +=item B, + +=item B, + +=item B, + +=item B, + +=item B. + +=item B. + +=back + +The B flag causes the function +to consider the subject DN even if the certificate contains at least +one subject alternative name of the right type (DNS name or email +address as appropriate); the default is to ignore the subject DN +when at least one corresponding subject alternative names is present. + +The B flag causes the function to never +consider the subject DN even if the certificate contains no subject alternative +names of the right type (DNS name or email address as appropriate); the default +is to use the subject DN when no corresponding subject alternative names are +present. + +If set, B disables wildcard +expansion; this only applies to B. + +If set, B suppresses support +for "*" as wildcard pattern in labels that have a prefix or suffix, +such as: "www*" or "*www"; this only applies to B. + +If set, B allows a "*" that +constitutes the complete label of a DNS name (e.g. "*.example.com") +to match more than one label in B; this flag only applies +to B. + +If set, B restricts B +values which start with ".", that would otherwise match any sub-domain +in the peer certificate, to only match direct child sub-domains. +Thus, for instance, with this flag set a B of ".example.com" +would match a peer certificate with a DNS name of "www.example.com", +but would not match a peer certificate with a DNS name of +"www.sub.example.com"; this flag only applies to B. + +=head1 RETURN VALUES + +The functions return 1 for a successful match, 0 for a failed match +and -1 for an internal error: typically a memory allocation failure +or an ASN.1 decoding error. + +All functions can also return -2 if the input is malformed. For example, +X509_check_host() returns -2 if the provided B contains embedded +NULs. + +=head1 NOTES + +Applications are encouraged to use X509_VERIFY_PARAM_set1_host() +rather than explicitly calling L. Host name +checks are out of scope with the DANE-EE(3) certificate usage, +and the internal checks will be suppressed as appropriate when +DANE support is added to OpenSSL. + +=head1 SEE ALSO + +L, +L, +L, +L, +L, +L + +=head1 HISTORY + +These functions were added in OpenSSL 1.0.2. + +=head1 COPYRIGHT + +Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut -- cgit v1.2.3