New functions to check a hostname email or IP address against a certificate. Add options to s_client, s_server and x509 utilities to print results of checks.
diff --git a/apps/apps.c b/apps/apps.c index 490ae3b..0ce0af5 100644 --- a/apps/apps.c +++ b/apps/apps.c
@@ -2791,6 +2791,35 @@ } #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ +void print_cert_checks(BIO *bio, X509 *x, + const unsigned char *checkhost, + const unsigned char *checkemail, + const char *checkip) + { + if (x == NULL) + return; + if (checkhost) + { + BIO_printf(bio, "Hostname %s does%s match certificate\n", + checkhost, X509_check_host(x, checkhost, 0, 0) + ? "" : " NOT"); + } + + if (checkemail) + { + BIO_printf(bio, "Email %s does%s match certificate\n", + checkemail, X509_check_email(x, checkemail, 0, + 0) ? "" : " NOT"); + } + + if (checkip) + { + BIO_printf(bio, "IP %s does%s match certificate\n", + checkip, X509_check_ip_asc(x, checkip, + 0) ? "" : " NOT"); + } + } + /* * Platform-specific sections */
diff --git a/apps/apps.h b/apps/apps.h index c1ca99d..4c9f95a 100644 --- a/apps/apps.h +++ b/apps/apps.h
@@ -335,6 +335,11 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in); #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ +void print_cert_checks(BIO *bio, X509 *x, + const unsigned char *checkhost, + const unsigned char *checkemail, + const char *checkip); + #define FORMAT_UNDEF 0 #define FORMAT_ASN1 1 #define FORMAT_TEXT 2
diff --git a/apps/s_apps.h b/apps/s_apps.h index b1ae531..31b8923 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h
@@ -191,3 +191,7 @@ int *badarg, BIO *err, SSL_EXCERT **pexc); int load_excert(SSL_EXCERT **pexc, BIO *err); void print_ssl_summary(BIO *bio, SSL *s); +void print_ssl_cert_checks(BIO *bio, SSL *s, + const unsigned char *checkhost, + const unsigned char *checkemail, + const char *checkip);
diff --git a/apps/s_cb.c b/apps/s_cb.c index e339a6c..5a2222e 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c
@@ -1533,3 +1533,16 @@ ssl_print_tmp_key(bio, s); } +void print_ssl_cert_checks(BIO *bio, SSL *s, + const unsigned char *checkhost, + const unsigned char *checkemail, + const char *checkip) + { + X509 *peer; + peer = SSL_get_peer_certificate(s); + if (peer) + { + print_cert_checks(bio, peer, checkhost, checkemail, checkip); + X509_free(peer); + } + }
diff --git a/apps/s_client.c b/apps/s_client.c index a7b150b..5ecc957 100644 --- a/apps/s_client.c +++ b/apps/s_client.c
@@ -634,6 +634,9 @@ #endif SSL_EXCERT *exc = NULL; + unsigned char *checkhost = NULL, *checkemail = NULL; + char *checkip = NULL; + meth=SSLv23_client_method(); apps_startup(); @@ -993,6 +996,21 @@ client_sigalgs= *(++argv); } #endif + else if (strcmp(*argv,"-checkhost") == 0) + { + if (--argc < 1) goto bad; + checkhost=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkemail") == 0) + { + if (--argc < 1) goto bad; + checkemail=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkip") == 0) + { + if (--argc < 1) goto bad; + checkip=*(++argv); + } #ifndef OPENSSL_NO_JPAKE else if (strcmp(*argv,"-jpake") == 0) { @@ -1628,6 +1646,8 @@ "CONNECTION ESTABLISHED\n"); print_ssl_summary(bio_err, con); } + print_ssl_cert_checks(bio_err, con, checkhost, + checkemail, checkip); print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--;
diff --git a/apps/s_server.c b/apps/s_server.c index e89f057..00dc219 100644 --- a/apps/s_server.c +++ b/apps/s_server.c
@@ -1003,6 +1003,10 @@ char *srp_verifier_file = NULL; #endif SSL_EXCERT *exc = NULL; + + unsigned char *checkhost = NULL, *checkemail = NULL; + char *checkip = NULL; + meth=SSLv23_server_method(); local_argc=argc; @@ -1260,6 +1264,21 @@ client_sigalgs= *(++argv); } #endif + else if (strcmp(*argv,"-checkhost") == 0) + { + if (--argc < 1) goto bad; + checkhost=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkemail") == 0) + { + if (--argc < 1) goto bad; + checkemail=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkip") == 0) + { + if (--argc < 1) goto bad; + checkip=*(++argv); + } else if (strcmp(*argv,"-msg") == 0) { s_msg=1; } else if (strcmp(*argv,"-msgfile") == 0) @@ -2661,6 +2680,8 @@ if (s_brief) print_ssl_summary(bio_err, con); + print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip); + PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); peer=SSL_get_peer_certificate(con);
diff --git a/apps/x509.c b/apps/x509.c index e9f1163..788eb7b 100644 --- a/apps/x509.c +++ b/apps/x509.c
@@ -208,6 +208,8 @@ int need_rand = 0; int checkend=0,checkoffset=0; unsigned long nmflag = 0, certflag = 0; + unsigned char *checkhost = NULL, *checkemail = NULL; + char *checkip = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif @@ -456,6 +458,21 @@ checkoffset=atoi(*(++argv)); checkend=1; } + else if (strcmp(*argv,"-checkhost") == 0) + { + if (--argc < 1) goto bad; + checkhost=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkemail") == 0) + { + if (--argc < 1) goto bad; + checkemail=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkip") == 0) + { + if (--argc < 1) goto bad; + checkip=*(++argv); + } else if (strcmp(*argv,"-noout") == 0) noout= ++num; else if (strcmp(*argv,"-trustout") == 0) @@ -1061,6 +1078,8 @@ goto end; } + print_cert_checks(STDout, x, checkhost, checkemail, checkip); + if (noout) { ret=0;