1*c43e99fdSEd Maste /* Obtained from: https://github.com/iSECPartners/ssl-conservatory */ 2*c43e99fdSEd Maste 3*c43e99fdSEd Maste /* 4*c43e99fdSEd Maste Copyright (C) 2012, iSEC Partners. 5*c43e99fdSEd Maste 6*c43e99fdSEd Maste Permission is hereby granted, free of charge, to any person obtaining a copy of 7*c43e99fdSEd Maste this software and associated documentation files (the "Software"), to deal in 8*c43e99fdSEd Maste the Software without restriction, including without limitation the rights to 9*c43e99fdSEd Maste use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 10*c43e99fdSEd Maste of the Software, and to permit persons to whom the Software is furnished to do 11*c43e99fdSEd Maste so, subject to the following conditions: 12*c43e99fdSEd Maste 13*c43e99fdSEd Maste The above copyright notice and this permission notice shall be included in all 14*c43e99fdSEd Maste copies or substantial portions of the Software. 15*c43e99fdSEd Maste 16*c43e99fdSEd Maste THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17*c43e99fdSEd Maste IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18*c43e99fdSEd Maste FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19*c43e99fdSEd Maste AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20*c43e99fdSEd Maste LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21*c43e99fdSEd Maste OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22*c43e99fdSEd Maste SOFTWARE. 23*c43e99fdSEd Maste */ 24*c43e99fdSEd Maste 25*c43e99fdSEd Maste /* 26*c43e99fdSEd Maste * Helper functions to perform basic hostname validation using OpenSSL. 27*c43e99fdSEd Maste * 28*c43e99fdSEd Maste * Please read "everything-you-wanted-to-know-about-openssl.pdf" before 29*c43e99fdSEd Maste * attempting to use this code. This whitepaper describes how the code works, 30*c43e99fdSEd Maste * how it should be used, and what its limitations are. 31*c43e99fdSEd Maste * 32*c43e99fdSEd Maste * Author: Alban Diquet 33*c43e99fdSEd Maste * License: See LICENSE 34*c43e99fdSEd Maste * 35*c43e99fdSEd Maste */ 36*c43e99fdSEd Maste 37*c43e99fdSEd Maste typedef enum { 38*c43e99fdSEd Maste MatchFound, 39*c43e99fdSEd Maste MatchNotFound, 40*c43e99fdSEd Maste NoSANPresent, 41*c43e99fdSEd Maste MalformedCertificate, 42*c43e99fdSEd Maste Error 43*c43e99fdSEd Maste } HostnameValidationResult; 44*c43e99fdSEd Maste 45*c43e99fdSEd Maste /** 46*c43e99fdSEd Maste * Validates the server's identity by looking for the expected hostname in the 47*c43e99fdSEd Maste * server's certificate. As described in RFC 6125, it first tries to find a match 48*c43e99fdSEd Maste * in the Subject Alternative Name extension. If the extension is not present in 49*c43e99fdSEd Maste * the certificate, it checks the Common Name instead. 50*c43e99fdSEd Maste * 51*c43e99fdSEd Maste * Returns MatchFound if a match was found. 52*c43e99fdSEd Maste * Returns MatchNotFound if no matches were found. 53*c43e99fdSEd Maste * Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. 54*c43e99fdSEd Maste * Returns Error if there was an error. 55*c43e99fdSEd Maste */ 56*c43e99fdSEd Maste HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert); 57