1 |
.\" $MidnightBSD$ |
2 |
.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) |
3 |
.\" |
4 |
.\" Standard preamble: |
5 |
.\" ======================================================================== |
6 |
.de Sp \" Vertical space (when we can't use .PP) |
7 |
.if t .sp .5v |
8 |
.if n .sp |
9 |
.. |
10 |
.de Vb \" Begin verbatim text |
11 |
.ft CW |
12 |
.nf |
13 |
.ne \\$1 |
14 |
.. |
15 |
.de Ve \" End verbatim text |
16 |
.ft R |
17 |
.fi |
18 |
.. |
19 |
.\" Set up some character translations and predefined strings. \*(-- will |
20 |
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
21 |
.\" double quote, and \*(R" will give a right double quote. \*(C+ will |
22 |
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
23 |
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
24 |
.\" nothing in troff, for use with C<>. |
25 |
.tr \(*W- |
26 |
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
27 |
.ie n \{\ |
28 |
. ds -- \(*W- |
29 |
. ds PI pi |
30 |
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
31 |
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
32 |
. ds L" "" |
33 |
. ds R" "" |
34 |
. ds C` "" |
35 |
. ds C' "" |
36 |
'br\} |
37 |
.el\{\ |
38 |
. ds -- \|\(em\| |
39 |
. ds PI \(*p |
40 |
. ds L" `` |
41 |
. ds R" '' |
42 |
. ds C` |
43 |
. ds C' |
44 |
'br\} |
45 |
.\" |
46 |
.\" Escape single quotes in literal strings from groff's Unicode transform. |
47 |
.ie \n(.g .ds Aq \(aq |
48 |
.el .ds Aq ' |
49 |
.\" |
50 |
.\" If the F register is >0, we'll generate index entries on stderr for |
51 |
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
52 |
.\" entries marked with X<> in POD. Of course, you'll have to process the |
53 |
.\" output yourself in some meaningful fashion. |
54 |
.\" |
55 |
.\" Avoid warning from groff about undefined register 'F'. |
56 |
.de IX |
57 |
.. |
58 |
.if !\nF .nr F 0 |
59 |
.if \nF>0 \{\ |
60 |
. de IX |
61 |
. tm Index:\\$1\t\\n%\t"\\$2" |
62 |
.. |
63 |
. if !\nF==2 \{\ |
64 |
. nr % 0 |
65 |
. nr F 2 |
66 |
. \} |
67 |
.\} |
68 |
.\" |
69 |
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
70 |
.\" Fear. Run. Save yourself. No user-serviceable parts. |
71 |
. \" fudge factors for nroff and troff |
72 |
.if n \{\ |
73 |
. ds #H 0 |
74 |
. ds #V .8m |
75 |
. ds #F .3m |
76 |
. ds #[ \f1 |
77 |
. ds #] \fP |
78 |
.\} |
79 |
.if t \{\ |
80 |
. ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
81 |
. ds #V .6m |
82 |
. ds #F 0 |
83 |
. ds #[ \& |
84 |
. ds #] \& |
85 |
.\} |
86 |
. \" simple accents for nroff and troff |
87 |
.if n \{\ |
88 |
. ds ' \& |
89 |
. ds ` \& |
90 |
. ds ^ \& |
91 |
. ds , \& |
92 |
. ds ~ ~ |
93 |
. ds / |
94 |
.\} |
95 |
.if t \{\ |
96 |
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
97 |
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
98 |
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
99 |
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
100 |
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
101 |
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
102 |
.\} |
103 |
. \" troff and (daisy-wheel) nroff accents |
104 |
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
105 |
.ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
106 |
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
107 |
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
108 |
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
109 |
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
110 |
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
111 |
.ds ae a\h'-(\w'a'u*4/10)'e |
112 |
.ds Ae A\h'-(\w'A'u*4/10)'E |
113 |
. \" corrections for vroff |
114 |
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
115 |
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
116 |
. \" for low resolution devices (crt and lpr) |
117 |
.if \n(.H>23 .if \n(.V>19 \ |
118 |
\{\ |
119 |
. ds : e |
120 |
. ds 8 ss |
121 |
. ds o a |
122 |
. ds d- d\h'-1'\(ga |
123 |
. ds D- D\h'-1'\(hy |
124 |
. ds th \o'bp' |
125 |
. ds Th \o'LP' |
126 |
. ds ae ae |
127 |
. ds Ae AE |
128 |
.\} |
129 |
.rm #[ #] #H #V #F C |
130 |
.\" ======================================================================== |
131 |
.\" |
132 |
.IX Title "X509_check_host 3" |
133 |
.TH X509_check_host 3 "2018-11-20" "1.0.2q" "OpenSSL" |
134 |
.\" For nroff, turn off justification. Always turn off hyphenation; it makes |
135 |
.\" way too many mistakes in technical documents. |
136 |
.if n .ad l |
137 |
.nh |
138 |
.SH "NAME" |
139 |
X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc \- X.509 certificate matching |
140 |
.SH "SYNOPSIS" |
141 |
.IX Header "SYNOPSIS" |
142 |
.Vb 1 |
143 |
\& #include <openssl/x509.h> |
144 |
\& |
145 |
\& int X509_check_host(X509 *, const char *name, size_t namelen, |
146 |
\& unsigned int flags, char **peername); |
147 |
\& int X509_check_email(X509 *, const char *address, size_t addresslen, |
148 |
\& unsigned int flags); |
149 |
\& int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen, |
150 |
\& unsigned int flags); |
151 |
\& int X509_check_ip_asc(X509 *, const char *address, unsigned int flags); |
152 |
.Ve |
153 |
.SH "DESCRIPTION" |
154 |
.IX Header "DESCRIPTION" |
155 |
The certificate matching functions are used to check whether a |
156 |
certificate matches a given host name, email address, or \s-1IP\s0 address. |
157 |
The validity of the certificate and its trust level has to be checked by |
158 |
other means. |
159 |
.PP |
160 |
\&\fIX509_check_host()\fR checks if the certificate Subject Alternative |
161 |
Name (\s-1SAN\s0) or Subject CommonName (\s-1CN\s0) matches the specified host |
162 |
name, which must be encoded in the preferred name syntax described |
163 |
in section 3.5 of \s-1RFC 1034.\s0 By default, wildcards are supported |
164 |
and they match only in the left-most label; but they may match |
165 |
part of that label with an explicit prefix or suffix. For example, |
166 |
by default, the host \fBname\fR \*(L"www.example.com\*(R" would match a |
167 |
certificate with a \s-1SAN\s0 or \s-1CN\s0 value of \*(L"*.example.com\*(R", \*(L"w*.example.com\*(R" |
168 |
or \*(L"*w.example.com\*(R". |
169 |
.PP |
170 |
Per section 6.4.2 of \s-1RFC 6125,\s0 \fBname\fR values representing international |
171 |
domain names must be given in A\-label form. The \fBnamelen\fR argument |
172 |
must be the number of characters in the name string or zero in which |
173 |
case the length is calculated with strlen(\fBname\fR). When \fBname\fR starts |
174 |
with a dot (e.g \*(L".example.com\*(R"), it will be matched by a certificate |
175 |
valid for any sub-domain of \fBname\fR, (see also |
176 |
\&\fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR below). |
177 |
.PP |
178 |
When the certificate is matched, and \fBpeername\fR is not \s-1NULL,\s0 a |
179 |
pointer to a copy of the matching \s-1SAN\s0 or \s-1CN\s0 from the peer certificate |
180 |
is stored at the address passed in \fBpeername\fR. The application |
181 |
is responsible for freeing the peername via \fIOPENSSL_free()\fR when it |
182 |
is no longer needed. |
183 |
.PP |
184 |
\&\fIX509_check_email()\fR checks if the certificate matches the specified |
185 |
email \fBaddress\fR. Only the mailbox syntax of \s-1RFC 822\s0 is supported, |
186 |
comments are not allowed, and no attempt is made to normalize quoted |
187 |
characters. The \fBaddresslen\fR argument must be the number of |
188 |
characters in the address string or zero in which case the length |
189 |
is calculated with strlen(\fBaddress\fR). |
190 |
.PP |
191 |
\&\fIX509_check_ip()\fR checks if the certificate matches a specified IPv4 or |
192 |
IPv6 address. The \fBaddress\fR array is in binary format, in network |
193 |
byte order. The length is either 4 (IPv4) or 16 (IPv6). Only |
194 |
explicitly marked addresses in the certificates are considered; \s-1IP\s0 |
195 |
addresses stored in \s-1DNS\s0 names and Common Names are ignored. |
196 |
.PP |
197 |
\&\fIX509_check_ip_asc()\fR is similar, except that the NUL-terminated |
198 |
string \fBaddress\fR is first converted to the internal representation. |
199 |
.PP |
200 |
The \fBflags\fR argument is usually 0. It can be the bitwise \s-1OR\s0 of the |
201 |
flags: |
202 |
.IP "\fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR," 4 |
203 |
.IX Item "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT," |
204 |
.PD 0 |
205 |
.IP "\fBX509_CHECK_FLAG_NO_WILDCARDS\fR," 4 |
206 |
.IX Item "X509_CHECK_FLAG_NO_WILDCARDS," |
207 |
.IP "\fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR," 4 |
208 |
.IX Item "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS," |
209 |
.IP "\fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR." 4 |
210 |
.IX Item "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS." |
211 |
.IP "\fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR." 4 |
212 |
.IX Item "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS." |
213 |
.PD |
214 |
.PP |
215 |
The \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR flag causes the function |
216 |
to consider the subject \s-1DN\s0 even if the certificate contains at least |
217 |
one subject alternative name of the right type (\s-1DNS\s0 name or email |
218 |
address as appropriate); the default is to ignore the subject \s-1DN\s0 |
219 |
when at least one corresponding subject alternative names is present. |
220 |
.PP |
221 |
If set, \fBX509_CHECK_FLAG_NO_WILDCARDS\fR disables wildcard |
222 |
expansion; this only applies to \fBX509_check_host\fR. |
223 |
.PP |
224 |
If set, \fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR suppresses support |
225 |
for \*(L"*\*(R" as wildcard pattern in labels that have a prefix or suffix, |
226 |
such as: \*(L"www*\*(R" or \*(L"*www\*(R"; this only aplies to \fBX509_check_host\fR. |
227 |
.PP |
228 |
If set, \fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR allows a \*(L"*\*(R" that |
229 |
constitutes the complete label of a \s-1DNS\s0 name (e.g. \*(L"*.example.com\*(R") |
230 |
to match more than one label in \fBname\fR; this flag only applies |
231 |
to \fBX509_check_host\fR. |
232 |
.PP |
233 |
If set, \fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR restricts \fBname\fR |
234 |
values which start with \*(L".\*(R", that would otherwise match any sub-domain |
235 |
in the peer certificate, to only match direct child sub-domains. |
236 |
Thus, for instance, with this flag set a \fBname\fR of \*(L".example.com\*(R" |
237 |
would match a peer certificate with a \s-1DNS\s0 name of \*(L"www.example.com\*(R", |
238 |
but would not match a peer certificate with a \s-1DNS\s0 name of |
239 |
\&\*(L"www.sub.example.com\*(R"; this flag only applies to \fBX509_check_host\fR. |
240 |
.SH "RETURN VALUES" |
241 |
.IX Header "RETURN VALUES" |
242 |
The functions return 1 for a successful match, 0 for a failed match |
243 |
and \-1 for an internal error: typically a memory allocation failure |
244 |
or an \s-1ASN.1\s0 decoding error. |
245 |
.PP |
246 |
All functions can also return \-2 if the input is malformed. For example, |
247 |
\&\fIX509_check_host()\fR returns \-2 if the provided \fBname\fR contains embedded |
248 |
NULs. |
249 |
.SH "NOTES" |
250 |
.IX Header "NOTES" |
251 |
Applications are encouraged to use \fIX509_VERIFY_PARAM_set1_host()\fR |
252 |
rather than explicitly calling \fIX509_check_host\fR\|(3). Host name |
253 |
checks are out of scope with the \s-1\fIDANE\-EE\s0\fR\|(3) certificate usage, |
254 |
and the internal checks will be suppressed as appropriate when |
255 |
\&\s-1DANE\s0 support is added to OpenSSL. |
256 |
.SH "SEE ALSO" |
257 |
.IX Header "SEE ALSO" |
258 |
\&\fISSL_get_verify_result\fR\|(3), |
259 |
\&\fIX509_VERIFY_PARAM_set1_host\fR\|(3), |
260 |
\&\fIX509_VERIFY_PARAM_add1_host\fR\|(3), |
261 |
\&\fIX509_VERIFY_PARAM_set1_email\fR\|(3), |
262 |
\&\fIX509_VERIFY_PARAM_set1_ip\fR\|(3), |
263 |
\&\fIX509_VERIFY_PARAM_set1_ipasc\fR\|(3) |
264 |
.SH "HISTORY" |
265 |
.IX Header "HISTORY" |
266 |
These functions were added in OpenSSL 1.0.2. |