X509_check_ip_asc (3)
NAME
X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 certificate matching
SYNOPSIS
#include <openssl/x509.h>

int X509_check_host(X509 *, const char *name, size_t namelen,
                    unsigned int flags, char **peername);
int X509_check_email(X509 *, const char *address, size_t addresslen,
                     unsigned int flags);
int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen,
                  unsigned int flags);
int X509_check_ip_asc(X509 *, const char *address, unsigned int flags);
DESCRIPTION
The certificate matching functions are used to check whether a certificate matches a given host name, email address, or
X509_check_host() checks if the certificate Subject Alternative Name (
Per section 6.4.2 of
When the certificate is matched, and peername is not
X509_check_email() checks if the certificate matches the specified email address. Only the mailbox syntax of
X509_check_ip() checks if the certificate matches a specified IPv4 or IPv6 address. The address array is in binary format, in network byte order. The length is either 4 (IPv4) or 16 (IPv6). Only explicitly marked addresses in the certificates are considered;
X509_check_ip_asc() is similar, except that the NUL-terminated string address is first converted to the internal representation.
The flags argument is usually 0. It can be the bitwise
- X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
- X509_CHECK_FLAG_NO_WILDCARDS,
- X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
- X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS,
- X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS.
The X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT flag causes the function to consider the subject
If set, X509_CHECK_FLAG_NO_WILDCARDS disables wildcard expansion; this only applies to X509_check_host.
If set, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS suppresses support for ``*'' as wildcard pattern in labels that have a prefix or suffix, such as: ``www*'' or ``*www''; this only applies to X509_check_host.
If set, X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS allows a ``*'' that constitutes the complete label of a
If set, X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS restricts name values which start with ``.'', that would otherwise match any sub-domain in the peer certificate, to only match direct child sub-domains. Thus, for instance, with this flag set a name of ``.example.com'' would match a peer certificate with a
RETURN VALUES
The functions return 1 for a successful match, 0 for a failed match and -1 for an internal error: typically a memory allocation failure or an
All functions can also return -2 if the input is malformed. For example, X509_check_host() returns -2 if the provided name contains embedded NULs.