1*4724848cSchristos=pod 2*4724848cSchristos 3*4724848cSchristos=head1 NAME 4*4724848cSchristos 5*4724848cSchristosX509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 certificate matching 6*4724848cSchristos 7*4724848cSchristos=head1 SYNOPSIS 8*4724848cSchristos 9*4724848cSchristos #include <openssl/x509v3.h> 10*4724848cSchristos 11*4724848cSchristos int X509_check_host(X509 *, const char *name, size_t namelen, 12*4724848cSchristos unsigned int flags, char **peername); 13*4724848cSchristos int X509_check_email(X509 *, const char *address, size_t addresslen, 14*4724848cSchristos unsigned int flags); 15*4724848cSchristos int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen, 16*4724848cSchristos unsigned int flags); 17*4724848cSchristos int X509_check_ip_asc(X509 *, const char *address, unsigned int flags); 18*4724848cSchristos 19*4724848cSchristos=head1 DESCRIPTION 20*4724848cSchristos 21*4724848cSchristosThe certificate matching functions are used to check whether a 22*4724848cSchristoscertificate matches a given hostname, email address, or IP address. 23*4724848cSchristosThe validity of the certificate and its trust level has to be checked by 24*4724848cSchristosother means. 25*4724848cSchristos 26*4724848cSchristosX509_check_host() checks if the certificate Subject Alternative 27*4724848cSchristosName (SAN) or Subject CommonName (CN) matches the specified hostname, 28*4724848cSchristoswhich must be encoded in the preferred name syntax described 29*4724848cSchristosin section 3.5 of RFC 1034. By default, wildcards are supported 30*4724848cSchristosand they match only in the left-most label; but they may match 31*4724848cSchristospart of that label with an explicit prefix or suffix. For example, 32*4724848cSchristosby default, the host B<name> "www.example.com" would match a 33*4724848cSchristoscertificate with a SAN or CN value of "*.example.com", "w*.example.com" 34*4724848cSchristosor "*w.example.com". 35*4724848cSchristos 36*4724848cSchristosPer section 6.4.2 of RFC 6125, B<name> values representing international 37*4724848cSchristosdomain names must be given in A-label form. The B<namelen> argument 38*4724848cSchristosmust be the number of characters in the name string or zero in which 39*4724848cSchristoscase the length is calculated with strlen(B<name>). When B<name> starts 40*4724848cSchristoswith a dot (e.g. ".example.com"), it will be matched by a certificate 41*4724848cSchristosvalid for any sub-domain of B<name>, (see also 42*4724848cSchristosB<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> below). 43*4724848cSchristos 44*4724848cSchristosWhen the certificate is matched, and B<peername> is not NULL, a 45*4724848cSchristospointer to a copy of the matching SAN or CN from the peer certificate 46*4724848cSchristosis stored at the address passed in B<peername>. The application 47*4724848cSchristosis responsible for freeing the peername via OPENSSL_free() when it 48*4724848cSchristosis no longer needed. 49*4724848cSchristos 50*4724848cSchristosX509_check_email() checks if the certificate matches the specified 51*4724848cSchristosemail B<address>. Only the mailbox syntax of RFC 822 is supported, 52*4724848cSchristoscomments are not allowed, and no attempt is made to normalize quoted 53*4724848cSchristoscharacters. The B<addresslen> argument must be the number of 54*4724848cSchristoscharacters in the address string or zero in which case the length 55*4724848cSchristosis calculated with strlen(B<address>). 56*4724848cSchristos 57*4724848cSchristosX509_check_ip() checks if the certificate matches a specified IPv4 or 58*4724848cSchristosIPv6 address. The B<address> array is in binary format, in network 59*4724848cSchristosbyte order. The length is either 4 (IPv4) or 16 (IPv6). Only 60*4724848cSchristosexplicitly marked addresses in the certificates are considered; IP 61*4724848cSchristosaddresses stored in DNS names and Common Names are ignored. 62*4724848cSchristos 63*4724848cSchristosX509_check_ip_asc() is similar, except that the NUL-terminated 64*4724848cSchristosstring B<address> is first converted to the internal representation. 65*4724848cSchristos 66*4724848cSchristosThe B<flags> argument is usually 0. It can be the bitwise OR of the 67*4724848cSchristosflags: 68*4724848cSchristos 69*4724848cSchristos=over 4 70*4724848cSchristos 71*4724848cSchristos=item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>, 72*4724848cSchristos 73*4724848cSchristos=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>, 74*4724848cSchristos 75*4724848cSchristos=item B<X509_CHECK_FLAG_NO_WILDCARDS>, 76*4724848cSchristos 77*4724848cSchristos=item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>, 78*4724848cSchristos 79*4724848cSchristos=item B<X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS>. 80*4724848cSchristos 81*4724848cSchristos=item B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS>. 82*4724848cSchristos 83*4724848cSchristos=back 84*4724848cSchristos 85*4724848cSchristosThe B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag causes the function 86*4724848cSchristosto consider the subject DN even if the certificate contains at least 87*4724848cSchristosone subject alternative name of the right type (DNS name or email 88*4724848cSchristosaddress as appropriate); the default is to ignore the subject DN 89*4724848cSchristoswhen at least one corresponding subject alternative names is present. 90*4724848cSchristos 91*4724848cSchristosThe B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never 92*4724848cSchristosconsider the subject DN even if the certificate contains no subject alternative 93*4724848cSchristosnames of the right type (DNS name or email address as appropriate); the default 94*4724848cSchristosis to use the subject DN when no corresponding subject alternative names are 95*4724848cSchristospresent. 96*4724848cSchristosIf both B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> and 97*4724848cSchristosB<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> are specified, the latter takes 98*4724848cSchristosprecedence and the subject DN is not checked for matching names. 99*4724848cSchristos 100*4724848cSchristosIf set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard 101*4724848cSchristosexpansion; this only applies to B<X509_check_host>. 102*4724848cSchristos 103*4724848cSchristosIf set, B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS> suppresses support 104*4724848cSchristosfor "*" as wildcard pattern in labels that have a prefix or suffix, 105*4724848cSchristossuch as: "www*" or "*www"; this only applies to B<X509_check_host>. 106*4724848cSchristos 107*4724848cSchristosIf set, B<X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS> allows a "*" that 108*4724848cSchristosconstitutes the complete label of a DNS name (e.g. "*.example.com") 109*4724848cSchristosto match more than one label in B<name>; this flag only applies 110*4724848cSchristosto B<X509_check_host>. 111*4724848cSchristos 112*4724848cSchristosIf set, B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> restricts B<name> 113*4724848cSchristosvalues which start with ".", that would otherwise match any sub-domain 114*4724848cSchristosin the peer certificate, to only match direct child sub-domains. 115*4724848cSchristosThus, for instance, with this flag set a B<name> of ".example.com" 116*4724848cSchristoswould match a peer certificate with a DNS name of "www.example.com", 117*4724848cSchristosbut would not match a peer certificate with a DNS name of 118*4724848cSchristos"www.sub.example.com"; this flag only applies to B<X509_check_host>. 119*4724848cSchristos 120*4724848cSchristos=head1 RETURN VALUES 121*4724848cSchristos 122*4724848cSchristosThe functions return 1 for a successful match, 0 for a failed match 123*4724848cSchristosand -1 for an internal error: typically a memory allocation failure 124*4724848cSchristosor an ASN.1 decoding error. 125*4724848cSchristos 126*4724848cSchristosAll functions can also return -2 if the input is malformed. For example, 127*4724848cSchristosX509_check_host() returns -2 if the provided B<name> contains embedded 128*4724848cSchristosNULs. 129*4724848cSchristos 130*4724848cSchristos=head1 NOTES 131*4724848cSchristos 132*4724848cSchristosApplications are encouraged to use X509_VERIFY_PARAM_set1_host() 133*4724848cSchristosrather than explicitly calling L<X509_check_host(3)>. Host name 134*4724848cSchristoschecks may be out of scope with the DANE-EE(3) certificate usage, 135*4724848cSchristosand the internal checks will be suppressed as appropriate when 136*4724848cSchristosDANE support is enabled. 137*4724848cSchristos 138*4724848cSchristos=head1 SEE ALSO 139*4724848cSchristos 140*4724848cSchristosL<SSL_get_verify_result(3)>, 141*4724848cSchristosL<X509_VERIFY_PARAM_set1_host(3)>, 142*4724848cSchristosL<X509_VERIFY_PARAM_add1_host(3)>, 143*4724848cSchristosL<X509_VERIFY_PARAM_set1_email(3)>, 144*4724848cSchristosL<X509_VERIFY_PARAM_set1_ip(3)>, 145*4724848cSchristosL<X509_VERIFY_PARAM_set1_ipasc(3)> 146*4724848cSchristos 147*4724848cSchristos=head1 HISTORY 148*4724848cSchristos 149*4724848cSchristosThese functions were added in OpenSSL 1.0.2. 150*4724848cSchristos 151*4724848cSchristos=head1 COPYRIGHT 152*4724848cSchristos 153*4724848cSchristosCopyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. 154*4724848cSchristos 155*4724848cSchristosLicensed under the OpenSSL license (the "License"). You may not use 156*4724848cSchristosthis file except in compliance with the License. You can obtain a copy 157*4724848cSchristosin the file LICENSE in the source distribution or at 158*4724848cSchristosL<https://www.openssl.org/source/license.html>. 159*4724848cSchristos 160*4724848cSchristos=cut 161