On Fri, 19 Jan 2018 16:00:55 +0100 Michael Gmelin <free...@grem.de> wrote:

> ...
> According to the X509_check_host(3)
> (src/lib/libcrypto/man/X509_check_host.3), "The namelen argument must
> be the number of characters in the name string or zero, in which case
> the length is calculated with strlen(name)" for both functions
> mentioned above. Even though I think this is not a good API (I would
> always make the caller pass the exact length and call it a day), this
> causes compatibility problems with code written for OpenSSL; a good
> example is MariaDB's SSL certificate hostname check found here:
> https://github.com/MariaDB/server/blob/10.3/sql-common/client.c#L1825
> ...

So I learned that these functions were imported from BoringSSL, while
taking the man page from OpenSSL[0]. That's why the documented behavior
doesn't match the implemented one. So either the code has to change or
the documentation should be adapted, so at least it can be referred to.
Using the same function names/signatures in Open-/Libre-/BoringSSL with
slightly different behavior is kind of unfortunate.

Best,
Michael

p.s. Signature in code as ported from BoringSSL:

int X509_check_host(X509 *x, const char *chk, size_t chklen,
    unsigned int flags, char **peername)

Signature in man page:

int X509_check_host(X509 *x, const char *name, size_t namelen,
    unsigned int flags, char **peername);

[0] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/man/X509_check_host.3

-- 
Michael Gmelin
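The following is an added illustration, not code from this thread or from any of the SSL libraries it mentions. It models the two readings of the namelen argument that the mail contrasts (the man-page reading, where 0 means "use strlen(name)", and a literal reading, where 0 is simply a zero-length name) with a toy string comparison standing in for the real certificate match, and shows the portable calling convention the mail recommends: always pass the exact length. The hostnames and the check_documented/check_literal/portable_check names are constructed for the example; the literal reading is a model of the behaviour described above, not a copy of any library's implementation.

```c
#include <stddef.h>
#include <string.h>

/* Toy stand-in for the certificate match: 1 if the first len bytes of
 * name equal cert_host exactly, 0 otherwise. A real check would walk the
 * certificate's subjectAltName/CN entries instead. */
static int names_match(const char *cert_host, const char *name, size_t len)
{
    return strlen(cert_host) == len && memcmp(cert_host, name, len) == 0;
}

/* Reading 1 (the OpenSSL man page text quoted in the mail): namelen == 0
 * means "compute the length with strlen(name)". */
int check_documented(const char *cert_host, const char *name, size_t namelen)
{
    if (name == NULL)
        return -2;
    if (namelen == 0)
        namelen = strlen(name);
    return names_match(cert_host, name, namelen);
}

/* Reading 2 (modelled, as an assumption about the ported behaviour):
 * namelen is taken literally, so 0 is an empty name and can never match
 * a real hostname. Code that passed 0 relying on reading 1 silently
 * fails its hostname verification here. */
int check_literal(const char *cert_host, const char *name, size_t namelen)
{
    if (name == NULL)
        return -2;
    return names_match(cert_host, name, namelen);
}

typedef int (*check_fn)(const char *, const char *, size_t);

/* Portable caller: never depend on the zero-means-strlen convenience.
 * The exact length is always passed, and a NULL or empty name is rejected
 * up front with -1 so that a zero length never reaches the check under
 * either reading. */
int portable_check(check_fn check, const char *cert_host, const char *name)
{
    size_t len;

    if (name == NULL)
        return -1;
    len = strlen(name);
    if (len == 0)
        return -1;
    return check(cert_host, name, len);
}
```

The same call with namelen = 0 succeeds under check_documented and fails under check_literal; routed through portable_check, the result is identical under both, which is the property an application written against more than one libcrypto needs.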
> ... > According to the X509_check_host(3) > (src/lib/libcrypto/man/X509_check_host.3), "The namelen argument must > be the number of characters in the name string or zero, in which case > the length is calculated with strlen(name)" for both functions > mentioned above. Even though I think this not a good API (I would > always make the called pass the exact length and call it a day), this > causes compatibility problems with code written for OpenSSL, a good > example is MariaDB's SSL certificate hostname check found here: > https://github.com/MariaDB/server/blob/10.3/sql-common/client.c#L1825 > ... So I learned that these functions were imported from BoringSSL, while taking the man page from OpenSSL[0]. That's why the documented behavior doesn't match the implemented one. So either the code has to change or the documentation should be adapted, so at least it can be referred to. Using the same function names/signatures in Open-/Libre-/BoringSSL with slightly different behavior is kind of unfortunate. Best, Michael p.s. Signature in code as ported from BoringSSL: int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername) Signature in man page: int X509_check_host(X509 *x, const char *name, size_t namelen, unsigned int flags, char **peername); [0]http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/man/X509_check_host.3 -- Michael Gmelin