X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=doc%2Fcrypto%2FX509_check_host.pod;h=f8b530df9b5615a3e63f7ca1858580089e462d55;hb=aa224e9719871f89f962061a5970b49f03c9dca0;hp=5ac2137a50ee9974e275d9d40590c61d02d1a86a;hpb=d88926f1815d79c800e4cf11ecee8e43f3a7ad1f;p=oweals%2Fopenssl.git

diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index 5ac2137a50..f8b530df9b 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -8,34 +8,51 @@ X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 cert
 
  #include <openssl/x509.h>
 
- int X509_check_host(X509 *, const unsigned char *name,
-                     size_t namelen, unsigned int flags);
- int X509_check_email(X509 *, const unsigned char *address,
-                     size_t addresslen, unsigned int flags);
- int X509_check_ip(X509 *, const unsigned char *address,
-                   size_t addresslen, unsigned int flags);
+ int X509_check_host(X509 *, const char *name, size_t namelen,
+		     unsigned int flags, char **peername);
+ int X509_check_email(X509 *, const char *address, size_t addresslen,
+		      unsigned int flags);
+ int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen,
+		   unsigned int flags);
  int X509_check_ip_asc(X509 *, const char *address, unsigned int flags);
 
 =head1 DESCRIPTION
 
-The certificate matching functions are intended to be called to check
-if a certificate matches a given host name, email address, or IP
-address.  The validity of the certificate and its trust level has to
-be checked by other means.
-
-X509_check_host() checks if the certificate matches the specified
-host name, which must be encoded in the preferred name syntax
-described in section 3.5 of RFC 1034. The B<namelen> argument must be
-the number of characters in the name string or zero in which case the
-length is calculated with strlen(name).
+The certificate matching functions are used to check whether a
+certificate matches a given host name, email address, or IP address.
+The validity of the certificate and its trust level has to be checked by
+other means.
+
+X509_check_host() checks if the certificate Subject Alternative
+Name (SAN) or Subject CommonName (CN) matches the specified host
+name, which must be encoded in the preferred name syntax described
+in section 3.5 of RFC 1034.  By default, wildcards are supported
+and they match  only in the left-most label; but they may match
+part of that label with an explicit prefix or suffix.  For example,
+by default, the host B<name> "www.example.com" would match a
+certificate with a SAN or CN value of "*.example.com", "w*.example.com"
+or "*w.example.com".
+
+Per section 6.4.2 of RFC 6125, B<name> values representing international
+domain names must be given in A-label form.  The B<namelen> argument
+must be the number of characters in the name string or zero in which
+case the length is calculated with strlen(B<name>).  When B<name> starts
+with a dot (e.g ".example.com"), it will be matched by a certificate
+valid for any sub-domain of B<name>, (see also
+B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> below).
+
+When the certificate is matched, and B<peername> is not NULL, a
+pointer to a copy of the matching SAN or CN from the peer certificate
+is stored at the address passed in B<peername>.  The application
+is responsible for freeing the peername via OPENSSL_free() when it
+is no longer needed.
 
 X509_check_email() checks if the certificate matches the specified
-email address.  Only the mailbox syntax of RFC 822 is supported,
+email B<address>.  Only the mailbox syntax of RFC 822 is supported,
 comments are not allowed, and no attempt is made to normalize quoted
 characters.  The B<addresslen> argument must be the number of
-characters in the address string. The B<namelen> argument must be
-the number of characters in the name string or zero in which case the
-length is calculated with strlen(name).
+characters in the address string or zero in which case the length
+is calculated with strlen(B<address>).
 
 X509_check_ip() checks if the certificate matches a specified IPv4 or
 IPv6 address.  The B<address> array is in binary format, in network
@@ -47,17 +64,48 @@ X509_check_ip_asc() is similar, except that the NUL-terminated
 string B<address> is first converted to the internal representation.
 
 The B<flags> argument is usually 0.  It can be the bitwise OR of the
-flags B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>,
-B<X509_CHECK_FLAG_NO_WILDCARDS>.
+flags:
+
+=over 4
+
+=item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>,
+
+=item B<X509_CHECK_FLAG_NO_WILDCARDS>,
+
+=item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>,
+
+=item B<X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS>.
+
+=item B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS>.
+
+=back
 
 The B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag causes the function
-to check the subject DN even if the certificate contains a subject
-alternative name extension is present; the default is to ignore the
-subject DN in preference of the extension.
+to consider the subject DN even if the certificate contains at least
+one subject alternative name of the right type (DNS name or email
+address as appropriate); the default is to ignore the subject DN
+when at least one corresponding subject alternative names is present.
 
-If present, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
+If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
 expansion; this only applies to B<X509_check_host>.
 
+If set, B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS> suppresses support
+for "*" as wildcard pattern in labels that have a prefix or suffix,
+such as: "www*" or "*www"; this only aplies to B<X509_check_host>.
+
+If set, B<X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS> allows a "*" that
+constitutes the complete label of a DNS name (e.g. "*.example.com")
+to match more than one label in B<name>; this flag only applies
+to B<X509_check_host>.
+
+If set, B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> restricts B<name>
+values which start with ".", that would otherwise match any sub-domain
+in the peer certificate, to only match direct child sub-domains.
+Thus, for instance, with this flag set a B<name> of ".example.com"
+would match a peer certificate with a DNS name of "www.example.com",
+but would not match a peer certificate with a DNS name of
+"www.sub.example.com"; this flag only applies to B<X509_check_host>.
+
 =head1 RETURN VALUES
 
 The functions return 1 for a successful match, 0 for a failed match
@@ -65,9 +113,22 @@ and -1 for an internal error: typically a memory allocation failure.
 
 X509_check_ip_asc() can also return -2 if the IP address string is malformed.
 
+=head1 NOTES
+
+Applications are encouraged to use X509_VERIFY_PARAM_set1_host()
+rather than explicitly calling L<X509_check_host(3)>. Host name
+checks are out of scope with the DANE-EE(3) certificate usage,
+and the internal checks will be suppressed as appropriate when
+DANE support is added to OpenSSL.
+
 =head1 SEE ALSO
 
-L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>
+L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
+L<X509_VERIFY_PARAM_set1_host(3)|X509_VERIFY_PARAM_set1_host(3)>,
+L<X509_VERIFY_PARAM_add1_host(3)|X509_VERIFY_PARAM_add1_host(3)>,
+L<X509_VERIFY_PARAM_set1_email(3)|X509_VERIFY_PARAM_set1_email(3)>,
+L<X509_VERIFY_PARAM_set1_ip(3)|X509_VERIFY_PARAM_set1_ip(3)>,
+L<X509_VERIFY_PARAM_set1_ipasc(3)|X509_VERIFY_PARAM_set1_ipasc(3)>
 
 =head1 HISTORY