1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5e71b7053SJung-uk KimX509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 certificate matching 6e71b7053SJung-uk Kim 7e71b7053SJung-uk Kim=head1 SYNOPSIS 8e71b7053SJung-uk Kim 9e71b7053SJung-uk Kim #include <openssl/x509v3.h> 10e71b7053SJung-uk Kim 11e71b7053SJung-uk Kim int X509_check_host(X509 *, const char *name, size_t namelen, 12e71b7053SJung-uk Kim unsigned int flags, char **peername); 13e71b7053SJung-uk Kim int X509_check_email(X509 *, const char *address, size_t addresslen, 14e71b7053SJung-uk Kim unsigned int flags); 15e71b7053SJung-uk Kim int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen, 16e71b7053SJung-uk Kim unsigned int flags); 17e71b7053SJung-uk Kim int X509_check_ip_asc(X509 *, const char *address, unsigned int flags); 18e71b7053SJung-uk Kim 19e71b7053SJung-uk Kim=head1 DESCRIPTION 20e71b7053SJung-uk Kim 21e71b7053SJung-uk KimThe certificate matching functions are used to check whether a 22e71b7053SJung-uk Kimcertificate matches a given hostname, email address, or IP address. 23e71b7053SJung-uk KimThe validity of the certificate and its trust level has to be checked by 24e71b7053SJung-uk Kimother means. 25e71b7053SJung-uk Kim 26e71b7053SJung-uk KimX509_check_host() checks if the certificate Subject Alternative 27*58f35182SJung-uk KimName (SAN) or Subject CommonName (CN) matches the specified hostname, 28*58f35182SJung-uk Kimwhich must be encoded in the preferred name syntax described 29e71b7053SJung-uk Kimin section 3.5 of RFC 1034. By default, wildcards are supported 30e71b7053SJung-uk Kimand they match only in the left-most label; but they may match 31e71b7053SJung-uk Kimpart of that label with an explicit prefix or suffix. For example, 32e71b7053SJung-uk Kimby default, the host B<name> "www.example.com" would match a 33e71b7053SJung-uk Kimcertificate with a SAN or CN value of "*.example.com", "w*.example.com" 34e71b7053SJung-uk Kimor "*w.example.com". 35e71b7053SJung-uk Kim 36e71b7053SJung-uk KimPer section 6.4.2 of RFC 6125, B<name> values representing international 37e71b7053SJung-uk Kimdomain names must be given in A-label form. The B<namelen> argument 38e71b7053SJung-uk Kimmust be the number of characters in the name string or zero in which 39e71b7053SJung-uk Kimcase the length is calculated with strlen(B<name>). When B<name> starts 40*58f35182SJung-uk Kimwith a dot (e.g. ".example.com"), it will be matched by a certificate 41e71b7053SJung-uk Kimvalid for any sub-domain of B<name>, (see also 42e71b7053SJung-uk KimB<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> below). 43e71b7053SJung-uk Kim 44e71b7053SJung-uk KimWhen the certificate is matched, and B<peername> is not NULL, a 45e71b7053SJung-uk Kimpointer to a copy of the matching SAN or CN from the peer certificate 46e71b7053SJung-uk Kimis stored at the address passed in B<peername>. The application 47e71b7053SJung-uk Kimis responsible for freeing the peername via OPENSSL_free() when it 48e71b7053SJung-uk Kimis no longer needed. 49e71b7053SJung-uk Kim 50e71b7053SJung-uk KimX509_check_email() checks if the certificate matches the specified 51e71b7053SJung-uk Kimemail B<address>. Only the mailbox syntax of RFC 822 is supported, 52e71b7053SJung-uk Kimcomments are not allowed, and no attempt is made to normalize quoted 53e71b7053SJung-uk Kimcharacters. The B<addresslen> argument must be the number of 54e71b7053SJung-uk Kimcharacters in the address string or zero in which case the length 55e71b7053SJung-uk Kimis calculated with strlen(B<address>). 56e71b7053SJung-uk Kim 57e71b7053SJung-uk KimX509_check_ip() checks if the certificate matches a specified IPv4 or 58e71b7053SJung-uk KimIPv6 address. The B<address> array is in binary format, in network 59e71b7053SJung-uk Kimbyte order. The length is either 4 (IPv4) or 16 (IPv6). Only 60e71b7053SJung-uk Kimexplicitly marked addresses in the certificates are considered; IP 61e71b7053SJung-uk Kimaddresses stored in DNS names and Common Names are ignored. 62e71b7053SJung-uk Kim 63e71b7053SJung-uk KimX509_check_ip_asc() is similar, except that the NUL-terminated 64e71b7053SJung-uk Kimstring B<address> is first converted to the internal representation. 65e71b7053SJung-uk Kim 66e71b7053SJung-uk KimThe B<flags> argument is usually 0. It can be the bitwise OR of the 67e71b7053SJung-uk Kimflags: 68e71b7053SJung-uk Kim 69e71b7053SJung-uk Kim=over 4 70e71b7053SJung-uk Kim 71e71b7053SJung-uk Kim=item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>, 72e71b7053SJung-uk Kim 73e71b7053SJung-uk Kim=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>, 74e71b7053SJung-uk Kim 75e71b7053SJung-uk Kim=item B<X509_CHECK_FLAG_NO_WILDCARDS>, 76e71b7053SJung-uk Kim 77e71b7053SJung-uk Kim=item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>, 78e71b7053SJung-uk Kim 79e71b7053SJung-uk Kim=item B<X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS>. 80e71b7053SJung-uk Kim 81e71b7053SJung-uk Kim=item B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS>. 82e71b7053SJung-uk Kim 83e71b7053SJung-uk Kim=back 84e71b7053SJung-uk Kim 85e71b7053SJung-uk KimThe B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag causes the function 86e71b7053SJung-uk Kimto consider the subject DN even if the certificate contains at least 87e71b7053SJung-uk Kimone subject alternative name of the right type (DNS name or email 88e71b7053SJung-uk Kimaddress as appropriate); the default is to ignore the subject DN 89e71b7053SJung-uk Kimwhen at least one corresponding subject alternative names is present. 90e71b7053SJung-uk Kim 91e71b7053SJung-uk KimThe B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never 92e71b7053SJung-uk Kimconsider the subject DN even if the certificate contains no subject alternative 93e71b7053SJung-uk Kimnames of the right type (DNS name or email address as appropriate); the default 94e71b7053SJung-uk Kimis to use the subject DN when no corresponding subject alternative names are 95e71b7053SJung-uk Kimpresent. 96e71b7053SJung-uk KimIf both B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> and 97e71b7053SJung-uk KimB<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> are specified, the latter takes 98e71b7053SJung-uk Kimprecedence and the subject DN is not checked for matching names. 99e71b7053SJung-uk Kim 100e71b7053SJung-uk KimIf set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard 101e71b7053SJung-uk Kimexpansion; this only applies to B<X509_check_host>. 102e71b7053SJung-uk Kim 103e71b7053SJung-uk KimIf set, B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS> suppresses support 104e71b7053SJung-uk Kimfor "*" as wildcard pattern in labels that have a prefix or suffix, 105e71b7053SJung-uk Kimsuch as: "www*" or "*www"; this only applies to B<X509_check_host>. 106e71b7053SJung-uk Kim 107e71b7053SJung-uk KimIf set, B<X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS> allows a "*" that 108e71b7053SJung-uk Kimconstitutes the complete label of a DNS name (e.g. "*.example.com") 109e71b7053SJung-uk Kimto match more than one label in B<name>; this flag only applies 110e71b7053SJung-uk Kimto B<X509_check_host>. 111e71b7053SJung-uk Kim 112e71b7053SJung-uk KimIf set, B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> restricts B<name> 113e71b7053SJung-uk Kimvalues which start with ".", that would otherwise match any sub-domain 114e71b7053SJung-uk Kimin the peer certificate, to only match direct child sub-domains. 115e71b7053SJung-uk KimThus, for instance, with this flag set a B<name> of ".example.com" 116e71b7053SJung-uk Kimwould match a peer certificate with a DNS name of "www.example.com", 117e71b7053SJung-uk Kimbut would not match a peer certificate with a DNS name of 118e71b7053SJung-uk Kim"www.sub.example.com"; this flag only applies to B<X509_check_host>. 119e71b7053SJung-uk Kim 120e71b7053SJung-uk Kim=head1 RETURN VALUES 121e71b7053SJung-uk Kim 122e71b7053SJung-uk KimThe functions return 1 for a successful match, 0 for a failed match 123e71b7053SJung-uk Kimand -1 for an internal error: typically a memory allocation failure 124e71b7053SJung-uk Kimor an ASN.1 decoding error. 125e71b7053SJung-uk Kim 126e71b7053SJung-uk KimAll functions can also return -2 if the input is malformed. For example, 127e71b7053SJung-uk KimX509_check_host() returns -2 if the provided B<name> contains embedded 128e71b7053SJung-uk KimNULs. 129e71b7053SJung-uk Kim 130e71b7053SJung-uk Kim=head1 NOTES 131e71b7053SJung-uk Kim 132e71b7053SJung-uk KimApplications are encouraged to use X509_VERIFY_PARAM_set1_host() 133e71b7053SJung-uk Kimrather than explicitly calling L<X509_check_host(3)>. Host name 134e71b7053SJung-uk Kimchecks may be out of scope with the DANE-EE(3) certificate usage, 135e71b7053SJung-uk Kimand the internal checks will be suppressed as appropriate when 136e71b7053SJung-uk KimDANE support is enabled. 137e71b7053SJung-uk Kim 138e71b7053SJung-uk Kim=head1 SEE ALSO 139e71b7053SJung-uk Kim 140e71b7053SJung-uk KimL<SSL_get_verify_result(3)>, 141e71b7053SJung-uk KimL<X509_VERIFY_PARAM_set1_host(3)>, 142e71b7053SJung-uk KimL<X509_VERIFY_PARAM_add1_host(3)>, 143e71b7053SJung-uk KimL<X509_VERIFY_PARAM_set1_email(3)>, 144e71b7053SJung-uk KimL<X509_VERIFY_PARAM_set1_ip(3)>, 145e71b7053SJung-uk KimL<X509_VERIFY_PARAM_set1_ipasc(3)> 146e71b7053SJung-uk Kim 147e71b7053SJung-uk Kim=head1 HISTORY 148e71b7053SJung-uk Kim 149e71b7053SJung-uk KimThese functions were added in OpenSSL 1.0.2. 150e71b7053SJung-uk Kim 151e71b7053SJung-uk Kim=head1 COPYRIGHT 152e71b7053SJung-uk Kim 153*58f35182SJung-uk KimCopyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. 154e71b7053SJung-uk Kim 155e71b7053SJung-uk KimLicensed under the OpenSSL license (the "License"). You may not use 156e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 157e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 158e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 159e71b7053SJung-uk Kim 160e71b7053SJung-uk Kim=cut 161