1*805a1ce9Schristos /* $NetBSD: openssl_hostname_validation.h,v 1.1.1.1 2017/01/31 21:14:53 christos Exp $ */ 2*805a1ce9Schristos /* Obtained from: https://github.com/iSECPartners/ssl-conservatory */ 3*805a1ce9Schristos 4*805a1ce9Schristos /* 5*805a1ce9Schristos Copyright (C) 2012, iSEC Partners. 6*805a1ce9Schristos 7*805a1ce9Schristos Permission is hereby granted, free of charge, to any person obtaining a copy of 8*805a1ce9Schristos this software and associated documentation files (the "Software"), to deal in 9*805a1ce9Schristos the Software without restriction, including without limitation the rights to 10*805a1ce9Schristos use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 11*805a1ce9Schristos of the Software, and to permit persons to whom the Software is furnished to do 12*805a1ce9Schristos so, subject to the following conditions: 13*805a1ce9Schristos 14*805a1ce9Schristos The above copyright notice and this permission notice shall be included in all 15*805a1ce9Schristos copies or substantial portions of the Software. 16*805a1ce9Schristos 17*805a1ce9Schristos THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18*805a1ce9Schristos IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19*805a1ce9Schristos FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20*805a1ce9Schristos AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21*805a1ce9Schristos LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22*805a1ce9Schristos OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23*805a1ce9Schristos SOFTWARE. 24*805a1ce9Schristos */ 25*805a1ce9Schristos 26*805a1ce9Schristos /* 27*805a1ce9Schristos * Helper functions to perform basic hostname validation using OpenSSL. 28*805a1ce9Schristos * 29*805a1ce9Schristos * Please read "everything-you-wanted-to-know-about-openssl.pdf" before 30*805a1ce9Schristos * attempting to use this code. This whitepaper describes how the code works, 31*805a1ce9Schristos * how it should be used, and what its limitations are. 32*805a1ce9Schristos * 33*805a1ce9Schristos * Author: Alban Diquet 34*805a1ce9Schristos * License: See LICENSE 35*805a1ce9Schristos * 36*805a1ce9Schristos */ 37*805a1ce9Schristos 38*805a1ce9Schristos typedef enum { 39*805a1ce9Schristos MatchFound, 40*805a1ce9Schristos MatchNotFound, 41*805a1ce9Schristos NoSANPresent, 42*805a1ce9Schristos MalformedCertificate, 43*805a1ce9Schristos Error 44*805a1ce9Schristos } HostnameValidationResult; 45*805a1ce9Schristos 46*805a1ce9Schristos /** 47*805a1ce9Schristos * Validates the server's identity by looking for the expected hostname in the 48*805a1ce9Schristos * server's certificate. As described in RFC 6125, it first tries to find a match 49*805a1ce9Schristos * in the Subject Alternative Name extension. If the extension is not present in 50*805a1ce9Schristos * the certificate, it checks the Common Name instead. 51*805a1ce9Schristos * 52*805a1ce9Schristos * Returns MatchFound if a match was found. 53*805a1ce9Schristos * Returns MatchNotFound if no matches were found. 54*805a1ce9Schristos * Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. 55*805a1ce9Schristos * Returns Error if there was an error. 56*805a1ce9Schristos */ 57*805a1ce9Schristos HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert); 58