author | Adam Langley <agl@chromium.org> | 2014-06-20 23:00:00 +0400 |
---|---|---|
committer | Adam Langley <agl@chromium.org> | 2014-06-21 00:17:40 +0400 |
commit | dc160f84f5d9a552d047241a0b51d87e507f16bc (patch) | |
tree | 2c3c926d121b5783c7b10400b80a01bf62bd3997 /crypto/x509 | |
parent | 3e449b1b0560b2214cf5a6cd553fd6171cada7aa (diff) |
Fixes to host checking.
Fixes host checking wildcard support and adds support for setting
host checking flags when verifying a certificate chain.
(Imported from upstream's a2219f6be36d12f02b6420dd95f819cf364baf1d)
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/vpm_int.h | 1 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 3 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 2 | ||||
-rw-r--r-- | crypto/x509/x509_vpm.c | 9 |
4 files changed, 13 insertions, 2 deletions
diff --git a/crypto/x509/vpm_int.h b/crypto/x509/vpm_int.h
index af998212..d18a4d48 100644
--- a/crypto/x509/vpm_int.h
+++ b/crypto/x509/vpm_int.h
@@ -62,6 +62,7 @@ struct X509_VERIFY_PARAM_ID_st
 {
 unsigned char *host; /* If not NULL hostname to match */
 size_t hostlen;
+ unsigned int hostflags; /* Flags to control matching features */
 unsigned char *email; /* If not NULL email address to match */
 size_t emaillen;
 unsigned char *ip; /* If not NULL IP address to match */
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f4fb3d50..c1910c41 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -713,7 +713,8 @@ static int check_id(X509_STORE_CTX *ctx)
 X509_VERIFY_PARAM *vpm = ctx->param;
 X509_VERIFY_PARAM_ID *id = vpm->id;
 X509 *x = ctx->cert;
- if (id->host && !X509_check_host(x, id->host, id->hostlen, 0))
+ if (id->host && !X509_check_host(x, id->host, id->hostlen,
+ id->hostflags))
 {
 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
 return 0;
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 6054250f..7675ed67 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -555,6 +555,8 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
 const unsigned char *name, size_t namelen);
+void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags);
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
 const unsigned char *email, size_t emaillen);
 int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index cf9bed01..1841335b 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -233,6 +233,7 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 {
 if (!X509_VERIFY_PARAM_set1_host(dest, id->host, id->hostlen))
 return 0;
+ dest->id->hostflags = id->hostflags;
 }
 if (test_x509_verify_param_copy_id(email, NULL))
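Review bot: The comment on the new `hostflags` member, `/* Flags to control matching features */`, does not say where the flags end up, and the reader of this private header has to find the x509_vfy.c hunk to learn that they are handed unchanged to X509_check_host(). Naming the consumer keeps the field tied to its only use: `unsigned int hostflags; /* Flags passed through to X509_check_host() when host is matched */`. The struct definition continues outside the hunk.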
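Review bot: The mismatch test `!X509_check_host(...)` treats every non-zero return as a successful match, so if X509_check_host() can signal an internal error with a negative return (its contract is not visible in this hunk), a certificate that cannot be decoded or an allocation failure would pass the host check instead of raising X509_V_ERR_HOSTNAME_MISMATCH. Comparing with `<= 0` fails closed for both the no-match and the error case: `if (id->host && X509_check_host(x, id->host, id->hostlen, id->hostflags) <= 0)`. Worth confirming against the documented return values of X509_check_host() before changing it. check_id() starts and ends outside the hunk.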
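Review bot: The new public declaration `X509_VERIFY_PARAM_set_hostflags` carries no comment, although its argument is an opaque bit set and the definition in x509_vpm.c stores it without validating it. A short header comment above the prototype would settle what callers need to know: that the flags are the ones passed to X509_check_host() for the name set with X509_VERIFY_PARAM_set1_host(), that they replace rather than add to any previously set flags, and that the setter cannot fail, which is why it returns void while the neighbouring set1_* functions return int.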
@@ -396,6 +397,12 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
 name, namelen);
 }
+void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags)
+ {
+ param->id->hostflags = flags;
+ }
+
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
 const unsigned char *email, size_t emaillen)
 {
@@ -431,7 +438,7 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
 return param->name;
 }
-static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, NULL, 0, NULL, 0};
+static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, 0U, NULL, 0, NULL, 0};
 #define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
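Review bot: `X509_VERIFY_PARAM_set_hostflags` dereferences `param->id` unconditionally; the inherit hunk does the same with `dest->id`, so presumably every X509_VERIFY_PARAM gets its `id` allocated at construction, but nothing in this diff shows that. If that invariant holds, a one-line comment on the function saying so would stop the next reader from adding a redundant NULL check; if it does not, the function needs to report failure the way the other setters do rather than crash. The assignment also replaces the stored flags outright instead of OR-ing them in, so a caller that sets flags from two places silently loses the first set; that is a reasonable contract, but it belongs in the header comment.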
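Review bot: The positional initializer of `_empty_id` had to be rewritten solely because a member was inserted in the middle of X509_VERIFY_PARAM_ID, and every future insertion will need the same edit or the initializer starts assigning values to the wrong members. Since every member is zero, `static X509_VERIFY_PARAM_ID _empty_id = {0};` states the intent and survives layout changes. Separately, a file-scope identifier beginning with an underscore sits in the namespace reserved for the implementation (C11 7.1.3); the name predates this commit, but renaming it to something like `empty_id` would be a cheap tidy-up while the line is being touched.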