kris
/
boringssl
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
1359 Révisions
12 Branches
38 MiB
Aborescence: 08dc68d510
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '08dc68d510'
${ noResults }
boringssl/crypto/x509v3/v3nametest.c

v3nametest.c 12 KiB
Brut Vue normale Historique

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Eliminate unnecessary includes from low-level crypto modules. Beyond generally eliminating unnecessary includes, eliminate as many includes of headers that declare/define particularly error-prone functionality like strlen, malloc, and free. crypto/err/internal.h was added to remove the dependency on openssl/thread.h from the public openssl/err.h header. The include of <stdlib.h> in openssl/mem.h was retained since it defines OPENSSL_malloc and friends as macros around the stdlib.h functions. The public x509.h, x509v3.h, and ssl.h headers were not changed in order to minimize breakage of source compatibility with external code. Change-Id: I0d264b73ad0a720587774430b2ab8f8275960329 Reviewed-on: https://boringssl-review.googlesource.com/4220 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Add a CRYPTO_library_init and static-initializer-less build option. Chromium does not like static initializers, and the CPU logic uses one to initialize CPU bits. However, the crypto library lacks an explicit initialization function, which could complicate (no compile-time errors) porting existing code which uses crypto/, but not ssl/. Add an explicit CRYPTO_library_init function, but make it a no-op by default. It only does anything (and is required) if building with BORINGSSL_NO_STATIC_INITIALIZER. Change-Id: I6933bdc3447fb382b1f87c788e5b8142d6f3fe39 Reviewed-on: https://boringssl-review.googlesource.com/1770 Reviewed-by: Adam Langley <agl@google.com>
il y a 10 ans
Fix standalone bio_test and v3name_test on Win64. Win32 still has assembly issues and bssl wants to select() on both sockets and stdin (doesn't work on Windows). But this is a start. Change-Id: Iafc5215be281aed836c5ac2dc8b379399848a2c2 Reviewed-on: https://boringssl-review.googlesource.com/2090 Reviewed-by: Adam Langley <agl@google.com>
il y a 10 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Fixes to host checking. Fixes to host checking wild card support and add support for setting host checking flags when verifying a certificate chain. (Imported from upstream's a2219f6be36d12f02b6420dd95f819cf364baf1d)
il y a 10 ans
Client-side namecheck wildcards. A client reference identity of ".example.com" matches a server certificate presented identity that is any sub-domain of "example.com" (e.g. "www.sub.example.com). With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches only direct child sub-domains (e.g. "www.sub.example.com"). (cherry picked from commit e52c52f10bb8e34aaf8f28f3e5b56939e8f6b357) (Imported from upstream's 3cc8a3f2343cda796de90c127b9e907ca3ec2da5)
il y a 10 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Client-side namecheck wildcards. A client reference identity of ".example.com" matches a server certificate presented identity that is any sub-domain of "example.com" (e.g. "www.sub.example.com). With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches only direct child sub-domains (e.g. "www.sub.example.com"). (cherry picked from commit e52c52f10bb8e34aaf8f28f3e5b56939e8f6b357) (Imported from upstream's 3cc8a3f2343cda796de90c127b9e907ca3ec2da5)
il y a 10 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Client-side namecheck wildcards. A client reference identity of ".example.com" matches a server certificate presented identity that is any sub-domain of "example.com" (e.g. "www.sub.example.com). With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches only direct child sub-domains (e.g. "www.sub.example.com"). (cherry picked from commit e52c52f10bb8e34aaf8f28f3e5b56939e8f6b357) (Imported from upstream's 3cc8a3f2343cda796de90c127b9e907ca3ec2da5)
il y a 10 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Convert all zero-argument functions to '(void)' Otherwise, in C, it becomes a K&R function declaration which doesn't actually type-check the number of arguments. Change-Id: I0731a9fefca46fb1c266bfb1c33d464cf451a22e Reviewed-on: https://boringssl-review.googlesource.com/1582 Reviewed-by: Adam Langley <agl@google.com>
il y a 10 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Fix standalone bio_test and v3name_test on Win64. Win32 still has assembly issues and bssl wants to select() on both sockets and stdin (doesn't work on Windows). But this is a start. Change-Id: Iafc5215be281aed836c5ac2dc8b379399848a2c2 Reviewed-on: https://boringssl-review.googlesource.com/2090 Reviewed-by: Adam Langley <agl@google.com>
il y a 10 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Update API to use (char *) for email addresses and hostnames. Reduces number of silly casts in OpenSSL code and likely most applications. Consistent with (char *) for "peername" value from X509_check_host() and X509_VERIFY_PARAM_get0_peername(). (Imported from upstream's e83c913723fac7432a7706812f12394aaa00e8ce.) Change-Id: Id0fc11773a0cee8933978cd4bdbd8251fd7cfb5f
il y a 9 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Update API to use (char *) for email addresses and hostnames. Reduces number of silly casts in OpenSSL code and likely most applications. Consistent with (char *) for "peername" value from X509_check_host() and X509_VERIFY_PARAM_get0_peername(). (Imported from upstream's e83c913723fac7432a7706812f12394aaa00e8ce.) Change-Id: Id0fc11773a0cee8933978cd4bdbd8251fd7cfb5f
il y a 9 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Update API to use (char *) for email addresses and hostnames. Reduces number of silly casts in OpenSSL code and likely most applications. Consistent with (char *) for "peername" value from X509_check_host() and X509_VERIFY_PARAM_get0_peername(). (Imported from upstream's e83c913723fac7432a7706812f12394aaa00e8ce.) Change-Id: Id0fc11773a0cee8933978cd4bdbd8251fd7cfb5f
il y a 9 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Add a CRYPTO_library_init and static-initializer-less build option. Chromium does not like static initializers, and the CPU logic uses one to initialize CPU bits. However, the crypto library lacks an explicit initialization function, which could complicate (no compile-time errors) porting existing code which uses crypto/, but not ssl/. Add an explicit CRYPTO_library_init function, but make it a no-op by default. It only does anything (and is required) if building with BORINGSSL_NO_STATIC_INITIALIZER. Change-Id: I6933bdc3447fb382b1f87c788e5b8142d6f3fe39 Reviewed-on: https://boringssl-review.googlesource.com/1770 Reviewed-by: Adam Langley <agl@google.com>
il y a 10 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422 
  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 1999. */

  3. /* ====================================================================

  4.  * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.

  5.  *

  6.  * Redistribution and use in source and binary forms, with or without

  7.  * modification, are permitted provided that the following conditions

  8.  * are met:

  9.  *

  10.  * 1. Redistributions of source code must retain the above copyright

  11.  *    notice, this list of conditions and the following disclaimer. 

  12.  *

  13.  * 2. Redistributions in binary form must reproduce the above copyright

  14.  *    notice, this list of conditions and the following disclaimer in

  15.  *    the documentation and/or other materials provided with the

  16.  *    distribution.

  17.  *

  18.  * 3. All advertising materials mentioning features or use of this

  19.  *    software must display the following acknowledgment:

  20.  *    "This product includes software developed by the OpenSSL Project

  21.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  22.  *

  23.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  24.  *    endorse or promote products derived from this software without

  25.  *    prior written permission. For written permission, please contact

  26.  *    licensing@OpenSSL.org.

  27.  *

  28.  * 5. Products derived from this software may not be called "OpenSSL"

  29.  *    nor may "OpenSSL" appear in their names without prior written

  30.  *    permission of the OpenSSL Project.

  31.  *

  32.  * 6. Redistributions of any form whatsoever must retain the following

  33.  *    acknowledgment:

  34.  *    "This product includes software developed by the OpenSSL Project

  35.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  36.  *

  37.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  38.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  39.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  40.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  41.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  42.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  43.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  44.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  45.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  46.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  47.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  48.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  49.  * ====================================================================

  50.  *

  51.  * This product includes cryptographic software written by Eric Young

  52.  * (eay@cryptsoft.com).  This product includes software written by Tim

  53.  * Hudson (tjh@cryptsoft.com). */

  54. 

  55. #include <stdarg.h>

  56. #include <string.h>

  57. 

  58. #include <openssl/crypto.h>

  59. #include <openssl/mem.h>

  60. #include <openssl/x509.h>

  61. #include <openssl/x509v3.h>

  62. 

  63. 

  64. static const char *const names[] =

  65. 	{

  66. 	"a", "b", ".", "*", "@",

  67. 	".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",

  68. 	"@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",

  69. 	"*@example.com", "test@*.example.com", "example.com", "www.example.com",

  70. 	"test.www.example.com", "*.example.com", "*.www.example.com",

  71. 	"test.*.example.com", "www.*.com",

  72. 	".www.example.com", "*www.example.com",

  73. 	"example.net", "xn--rger-koa.example.com",

  74. 	"a.example.com", "b.example.com",

  75. 	"postmaster@example.com", "Postmaster@example.com",

  76. 	"postmaster@EXAMPLE.COM",

  77. 	NULL

  78. 	};

  79. 

  80. static const char *const exceptions[] =

  81. 	{

  82. 	"set CN: host: [*.example.com] matches [a.example.com]",

  83. 	"set CN: host: [*.example.com] matches [b.example.com]",

  84. 	"set CN: host: [*.example.com] matches [www.example.com]",

  85. 	"set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",

  86. 	"set CN: host: [*.www.example.com] matches [test.www.example.com]",

  87. 	"set CN: host: [*.www.example.com] matches [.www.example.com]",

  88. 	"set CN: host: [*www.example.com] matches [www.example.com]",

  89. 	"set CN: host: [test.www.example.com] matches [.www.example.com]",

  90. 	"set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  91. 	"set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  92. 	"set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  93. 	"set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  94. 	"set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  95. 	"set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  96. 	"set dnsName: host: [*.example.com] matches [www.example.com]",

  97. 	"set dnsName: host: [*.example.com] matches [a.example.com]",

  98. 	"set dnsName: host: [*.example.com] matches [b.example.com]",

  99. 	"set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",

  100. 	"set dnsName: host: [*.www.example.com] matches [test.www.example.com]",

  101. 	"set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  102. 	"set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  103. 	"set dnsName: host: [*.www.example.com] matches [.www.example.com]",

  104. 	"set dnsName: host: [*www.example.com] matches [www.example.com]",

  105. 	"set dnsName: host: [test.www.example.com] matches [.www.example.com]",

  106. 	"set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  107. 	"set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  108. 	"set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  109. 	"set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  110. 	NULL

  111. 	};

  112. 

  113. static int is_exception(const char *msg)

  114. 	{

  115. 	const char *const *p;

  116. 	for (p = exceptions; *p; ++p)

  117. 		if (strcmp(msg, *p) == 0)

  118. 			return 1;

  119. 	return 0;

  120. 	}

  121. 

  122. static int set_cn(X509 *crt, ...)

  123. 	{

  124. 	int ret = 0;

  125. 	X509_NAME *n = NULL;

  126. 	va_list ap;

  127. 	va_start(ap, crt);

  128. 	n = X509_NAME_new();

  129. 	if (n == NULL)

  130. 		goto out;

  131. 	while (1) {

  132. 		int nid;

  133. 		const char *name;

  134. 		nid = va_arg(ap, int);

  135. 		if (nid == 0)

  136. 			break;

  137. 		name = va_arg(ap, const char *);

  138. 		if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,

  139. 							(unsigned char *)name,

  140. 						-1, -1, 1))

  141. 			goto out;

  142. 	}

  143. 	if (!X509_set_subject_name(crt, n))

  144. 		goto out;

  145. 	ret = 1;

  146.  out:

  147. 	X509_NAME_free(n);

  148. 	va_end(ap);

  149. 	return ret;

  150. 	}

  151. 

  152. /*

  153. int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);

  154. X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,

  155. 			int nid, int crit, ASN1_OCTET_STRING *data);

  156. int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);

  157. */

  158. 

  159. static int set_altname(X509 *crt, ...)

  160. 	{

  161. 	int ret = 0;

  162. 	GENERAL_NAMES *gens = NULL;

  163. 	GENERAL_NAME *gen = NULL;

  164. 	ASN1_IA5STRING *ia5 = NULL;

  165. 	va_list ap;

  166. 	va_start(ap, crt);

  167. 	gens = sk_GENERAL_NAME_new_null();

  168. 	if (gens == NULL)

  169. 		goto out;

  170. 	while (1) {

  171. 		int type;

  172. 		const char *name;

  173. 		type = va_arg(ap, int);

  174. 		if (type == 0)

  175. 			break;

  176. 		name = va_arg(ap, const char *);

  177. 

  178. 		gen = GENERAL_NAME_new();

  179. 		if (gen == NULL)

  180. 			goto out;

  181. 		ia5 = ASN1_IA5STRING_new();

  182. 		if (ia5 == NULL)

  183. 			goto out;

  184. 		if (!ASN1_STRING_set(ia5, name, -1))

  185. 			goto out;

  186. 		switch (type)

  187. 			{

  188. 			case GEN_EMAIL:

  189. 			case GEN_DNS:

  190. 				GENERAL_NAME_set0_value(gen, type, ia5);

  191. 				ia5 = NULL;

  192. 				break;

  193. 			default:

  194. 				abort();

  195. 			}

  196. 		sk_GENERAL_NAME_push(gens, gen);

  197. 		gen = NULL;

  198. 	}

  199. 	if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))

  200. 		goto out;

  201. 	ret = 1;

  202.  out:

  203. 	ASN1_IA5STRING_free(ia5);

  204. 	GENERAL_NAME_free(gen);

  205. 	GENERAL_NAMES_free(gens);

  206. 	va_end(ap);

  207. 	return ret;

  208. 	}

  209. 

  210. static int set_cn1(X509 *crt, const char *name)

  211. 	{

  212. 	return set_cn(crt, NID_commonName, name, 0);

  213. 	}

  214. 

  215. 

  216. static int set_cn_and_email(X509 *crt, const char *name)

  217. 	{

  218. 	return set_cn(crt, NID_commonName, name,

  219. 		      NID_pkcs9_emailAddress, "dummy@example.com", 0);

  220. 	}

  221. 

  222. static int set_cn2(X509 *crt, const char *name)

  223. 	{

  224. 	return set_cn(crt, NID_commonName, "dummy value",

  225. 		      NID_commonName, name, 0);

  226. 	}

  227. 

  228. static int set_cn3(X509 *crt, const char *name)

  229. 	{

  230. 	return set_cn(crt, NID_commonName, name,

  231. 		      NID_commonName, "dummy value", 0);

  232. 	}

  233. 

  234. static int set_email1(X509 *crt, const char *name)

  235. 	{

  236. 	return set_cn(crt, NID_pkcs9_emailAddress, name, 0);

  237. 	}

  238. 

  239. static int set_email2(X509 *crt, const char *name)

  240. 	{

  241. 	return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",

  242. 		      NID_pkcs9_emailAddress, name, 0);

  243. 	}

  244. 

  245. static int set_email3(X509 *crt, const char *name)

  246. 	{

  247. 	return set_cn(crt, NID_pkcs9_emailAddress, name,

  248. 		      NID_pkcs9_emailAddress, "dummy@example.com", 0);

  249. 	}

  250. 

  251. static int set_email_and_cn(X509 *crt, const char *name)

  252. 	{

  253. 	return set_cn(crt, NID_pkcs9_emailAddress, name,

  254. 		      NID_commonName, "www.example.org", 0);

  255. 	}

  256. 

  257. static int set_altname_dns(X509 *crt, const char *name)

  258. 	{

  259. 	return set_altname(crt, GEN_DNS, name, 0);

  260. 	}

  261. 

  262. static int set_altname_email(X509 *crt, const char *name)

  263. 	{

  264. 	return set_altname(crt, GEN_EMAIL, name, 0);

  265. 	}

  266. 

  267. struct set_name_fn

  268. 	{

  269. 	int (*fn)(X509 *, const char *);

  270. 	const char *name;

  271. 	int host;

  272. 	int email;

  273. 	};

  274. 

  275. static const struct set_name_fn name_fns[] =

  276. 	{

  277. 	{set_cn1, "set CN", 1, 0},

  278. 	{set_cn2, "set CN", 1, 0},

  279. 	{set_cn3, "set CN", 1, 0},

  280. 	{set_cn_and_email, "set CN", 1, 0},

  281. 	{set_email1, "set emailAddress", 0, 1},

  282. 	{set_email2, "set emailAddress", 0, 1},

  283. 	{set_email3, "set emailAddress", 0, 1},

  284. 	{set_email_and_cn, "set emailAddress", 0, 1},

  285. 	{set_altname_dns, "set dnsName", 1, 0},

  286. 	{set_altname_email, "set rfc822Name", 0, 1},

  287. 	{NULL, NULL, 0}

  288. 	};

  289. 

  290. static X509 *make_cert(void)

  291. 	{

  292. 	X509 *ret = NULL;

  293. 	X509 *crt = NULL;

  294. 	X509_NAME *issuer = NULL;

  295. 	crt = X509_new();

  296. 	if (crt == NULL)

  297. 		goto out;

  298. 	if (!X509_set_version(crt, 3))

  299. 		goto out;

  300. 	ret = crt;

  301. 	crt = NULL;

  302.  out:

  303. 	X509_NAME_free(issuer);

  304. 	return ret;

  305. 	}

  306. 

  307. static int errors;

  308. 

  309. static void check_message(const struct set_name_fn *fn, const char *op,

  310. 			  const char *nameincert, int match, const char *name)

  311. 	{

  312. 	char msg[1024];

  313. 	if (match < 0)

  314. 		return;

  315. 	BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",

  316. 		 fn->name, op, nameincert,

  317. 		 match ? "matches" : "does not match", name);

  318. 	if (is_exception(msg))

  319. 		return;

  320. 	puts(msg);

  321. 	++errors;

  322. 	}

  323. 

  324. static void run_cert(X509 *crt, const char *nameincert,

  325. 		     const struct set_name_fn *fn)

  326. 	{

  327. 	const char *const *pname = names;

  328. 	while (*pname)

  329. 		{

  330. 		int samename = OPENSSL_strcasecmp(nameincert, *pname) == 0;

  331. 		size_t namelen = strlen(*pname);

  332. 		char *name = malloc(namelen);

  333. 		int match, ret;

  334. 		memcpy(name, *pname, namelen);

  335. 

  336. 		ret = X509_check_host(crt, name, namelen, 0, NULL);

  337. 		match = -1;

  338. 		if (ret < 0)

  339. 			{

  340. 			fprintf(stderr, "internal error in X509_check_host");

  341. 			++errors;

  342. 			}

  343. 		else if (fn->host)

  344. 			{

  345. 			if (ret == 1 && !samename)

  346. 				match = 1;

  347. 			if (ret == 0 && samename)

  348. 				match = 0;

  349. 			}

  350. 		else if (ret == 1)

  351. 			match = 1;

  352. 		check_message(fn, "host", nameincert, match, *pname);

  353. 

  354. 		ret = X509_check_host(crt, name, namelen,

  355. 				      X509_CHECK_FLAG_NO_WILDCARDS, NULL);

  356. 		match = -1;

  357. 		if (ret < 0)

  358. 			{

  359. 			fprintf(stderr, "internal error in X509_check_host");

  360. 			++errors;

  361. 			}

  362. 		else if (fn->host)

  363. 			{

  364. 			if (ret == 1 && !samename)

  365. 				match = 1;

  366. 			if (ret == 0 && samename)

  367. 				match = 0;

  368. 			}

  369. 		else if (ret == 1)

  370. 			match = 1;

  371. 		check_message(fn, "host-no-wildcards",

  372. 			      nameincert, match, *pname);

  373. 

  374. 		ret = X509_check_email(crt, name, namelen, 0);

  375. 		match = -1;

  376. 		if (fn->email)

  377. 			{

  378. 			if (ret && !samename)

  379. 				match = 1;

  380. 			if (!ret && samename && strchr(nameincert, '@') != NULL)

  381. 				match = 0;

  382. 			}

  383. 		else if (ret)

  384. 			match = 1;

  385. 		check_message(fn, "email", nameincert, match, *pname);

  386. 		++pname;

  387. 		free(name);

  388. 		}

  389. 	}

  390. 

  391. int

  392. main(void)

  393. 	{

  394. 	CRYPTO_library_init();

  395. 

  396. 	const struct set_name_fn *pfn = name_fns;

  397. 	while (pfn->name) {

  398. 		const char *const *pname = names;

  399. 		while (*pname)

  400. 			{

  401. 			X509 *crt = make_cert();

  402. 			if (crt == NULL)

  403. 				{

  404. 				fprintf(stderr, "make_cert failed\n");

  405. 				return 1;

  406. 				}

  407. 			if (!pfn->fn(crt, *pname))

  408. 				{

  409. 				fprintf(stderr, "X509 name setting failed\n");

  410. 				return 1;

  411. 				}

  412. 			run_cert(crt, *pname, pfn);

  413. 			X509_free(crt);

  414. 			++pname;

  415. 			}

  416. 		++pfn;

  417. 	}

  418. 	if (errors == 0) {

  419. 	  printf("PASS\n");

  420. 	}

  421. 	return errors > 0 ? 1 : 0;

  422. 	}