New functions to check a hostname email or IP address against a
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
diff --git a/apps/apps.c b/apps/apps.c
index 490ae3b..0ce0af5 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2791,6 +2791,35 @@
 	}
 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+void print_cert_checks(BIO *bio, X509 *x,
+				const unsigned char *checkhost,
+				const unsigned char *checkemail,
+				const char *checkip)
+	{
+	if (x == NULL)
+		return;
+	if (checkhost)
+		{
+		BIO_printf(bio, "Hostname %s does%s match certificate\n",
+				checkhost, X509_check_host(x, checkhost, 0, 0)
+						? "" : " NOT");
+		}
+
+	if (checkemail)
+		{
+		BIO_printf(bio, "Email %s does%s match certificate\n",
+				checkemail, X509_check_email(x, checkemail, 0,
+						0) ? "" : " NOT");
+		}
+
+	if (checkip)
+		{
+		BIO_printf(bio, "IP %s does%s match certificate\n",
+				checkip, X509_check_ip_asc(x, checkip,
+						0) ? "" : " NOT");
+		}
+	}
+
 /*
  * Platform-specific sections
  */
diff --git a/apps/apps.h b/apps/apps.h
index c1ca99d..4c9f95a 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -335,6 +335,11 @@
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+void print_cert_checks(BIO *bio, X509 *x,
+				const unsigned char *checkhost,
+				const unsigned char *checkemail,
+				const char *checkip);
+
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
diff --git a/apps/s_apps.h b/apps/s_apps.h
index b1ae531..31b8923 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -191,3 +191,7 @@
 			int *badarg, BIO *err, SSL_EXCERT **pexc);
 int load_excert(SSL_EXCERT **pexc, BIO *err);
 void print_ssl_summary(BIO *bio, SSL *s);
+void print_ssl_cert_checks(BIO *bio, SSL *s,
+				const unsigned char *checkhost,
+				const unsigned char *checkemail,
+				const char *checkip);
diff --git a/apps/s_cb.c b/apps/s_cb.c
index e339a6c..5a2222e 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1533,3 +1533,16 @@
 		ssl_print_tmp_key(bio, s);
 	}
 
+void print_ssl_cert_checks(BIO *bio, SSL *s,
+				const unsigned char *checkhost,
+				const unsigned char *checkemail,
+				const char *checkip)
+	{
+	X509 *peer;
+	peer = SSL_get_peer_certificate(s);
+	if (peer)
+		{
+		print_cert_checks(bio, peer, checkhost, checkemail, checkip);
+		X509_free(peer);
+		}
+	}
diff --git a/apps/s_client.c b/apps/s_client.c
index a7b150b..5ecc957 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -634,6 +634,9 @@
 #endif
 	SSL_EXCERT *exc = NULL;
 
+	unsigned char *checkhost = NULL, *checkemail = NULL;
+	char *checkip = NULL;
+
 	meth=SSLv23_client_method();
 
 	apps_startup();
@@ -993,6 +996,21 @@
 			client_sigalgs= *(++argv);
 			}
 #endif
+		else if (strcmp(*argv,"-checkhost") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkhost=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-checkemail") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkemail=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-checkip") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkip=*(++argv);
+			}
 #ifndef OPENSSL_NO_JPAKE
 		else if (strcmp(*argv,"-jpake") == 0)
 			{
@@ -1628,6 +1646,8 @@
 						"CONNECTION ESTABLISHED\n");
 					print_ssl_summary(bio_err, con);
 					}
+				print_ssl_cert_checks(bio_err, con, checkhost,
+							checkemail, checkip);
 				print_stuff(bio_c_out,con,full_log);
 				if (full_log > 0) full_log--;
 
diff --git a/apps/s_server.c b/apps/s_server.c
index e89f057..00dc219 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1003,6 +1003,10 @@
 	char *srp_verifier_file = NULL;
 #endif
 	SSL_EXCERT *exc = NULL;
+
+	unsigned char *checkhost = NULL, *checkemail = NULL;
+	char *checkip = NULL;
+
 	meth=SSLv23_server_method();
 
 	local_argc=argc;
@@ -1260,6 +1264,21 @@
 			client_sigalgs= *(++argv);
 			}
 #endif
+		else if (strcmp(*argv,"-checkhost") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkhost=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-checkemail") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkemail=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-checkip") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkip=*(++argv);
+			}
 		else if	(strcmp(*argv,"-msg") == 0)
 			{ s_msg=1; }
 		else if	(strcmp(*argv,"-msgfile") == 0)
@@ -2661,6 +2680,8 @@
 	if (s_brief)
 		print_ssl_summary(bio_err, con);
 
+	print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip);
+
 	PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
 
 	peer=SSL_get_peer_certificate(con);
diff --git a/apps/x509.c b/apps/x509.c
index e9f1163..788eb7b 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -208,6 +208,8 @@
 	int need_rand = 0;
 	int checkend=0,checkoffset=0;
 	unsigned long nmflag = 0, certflag = 0;
+	unsigned char *checkhost = NULL, *checkemail = NULL;
+	char *checkip = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
@@ -456,6 +458,21 @@
 			checkoffset=atoi(*(++argv));
 			checkend=1;
 			}
+		else if (strcmp(*argv,"-checkhost") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkhost=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-checkemail") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkemail=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-checkip") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkip=*(++argv);
+			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
 		else if (strcmp(*argv,"-trustout") == 0)
@@ -1061,6 +1078,8 @@
 		goto end;
 		}
 
+	print_cert_checks(STDout, x, checkhost, checkemail, checkip);
+
 	if (noout)
 		{
 		ret=0;