Diffstat (limited to 'src/daemon/https/x509/rfc2818_hostname.c')
-rw-r--r-- | src/daemon/https/x509/rfc2818_hostname.c | 161 |
1 files changed, 0 insertions, 161 deletions
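diff --git a/src/daemon/https/x509/rfc2818_hostname.c b/src/daemon/https/x509/rfc2818_hostname.c
deleted file mode 100644
index be49a778..00000000
--- a/src/daemon/https/x509/rfc2818_hostname.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
- * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
- * Copyright (C) 2002 Andrew McDonald
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-#include <gnutls_int.h>
-#include <x509.h>
-#include <dn.h>
-#include <common.h>
-#include <rfc2818.h>
-#include <gnutls_errors.h>
-
-/* compare hostname against certificate, taking account of wildcards
- * return 1 on success or 0 on error
- */
-int
-MHD__gnutls_hostname_compare (const char *certname, const char *hostname)
-{
-  const char *cmpstr1, *cmpstr2;
-
-  if (strlen (certname) == 0 || strlen (hostname) == 0)
-    return 0;
-
-  if (strlen (certname) > 2 && strncmp (certname, "*.", 2) == 0)
-    {
-      /* a wildcard certificate */
-
-      cmpstr1 = certname + 1;
-
-      /* find the first dot in hostname, compare from there on */
-      cmpstr2 = strchr (hostname, '.');
-
-      if (cmpstr2 == NULL)
-        {
-          /* error, the hostname we're connecting to is only a local part */
-          return 0;
-        }
-
-      if (strcasecmp (cmpstr1, cmpstr2) == 0)
-        {
-          return 1;
-        }
-
-      return 0;
-    }
-
-  if (strcasecmp (certname, hostname) == 0)
-    {
-      return 1;
-    }
-
-  return 0;
-}
-
-/**
- * MHD_gnutls_x509_crt_check_hostname - This function compares the given hostname with the hostname in the certificate
- * @cert: should contain an MHD_gnutls_x509_crt_t structure
- * @hostname: A null terminated string that contains a DNS name
- *
- * This function will check if the given certificate's subject
- * matches the given hostname. This is a basic implementation of the
- * matching described in RFC2818 (HTTPS), which takes into account
- * wildcards, and the DNSName/IPAddress subject alternative name PKIX
- * extension.
- *
- * Returns non zero for a successful match, and zero on failure.
- **/
-int
-MHD_gnutls_x509_crt_check_hostname (MHD_gnutls_x509_crt_t cert,
-                                    const char *hostname)
-{
-
-  char dnsname[MAX_CN];
-  size_t dnsnamesize;
-  int found_dnsname = 0;
-  int ret = 0;
-  int i = 0;
-
-  /* try matching against:
-   *  1) a DNS name as an alternative name (subjectAltName) extension
-   *     in the certificate
-   *  2) the common name (CN) in the certificate
-   *
-   *  either of these may be of the form: *.domain.tld
-   *
-   *  only try (2) if there is no subjectAltName extension of
-   *  type dNSName
-   */
-
-  /* Check through all included subjectAltName extensions, comparing
-   * against all those of type dNSName.
-   */
-  for (i = 0; !(ret < 0); i++)
-    {
-
-      dnsnamesize = sizeof (dnsname);
-      ret = MHD_gnutls_x509_crt_get_subject_alt_name (cert, i,
-                                                      dnsname, &dnsnamesize,
-                                                      NULL);
-
-      if (ret == GNUTLS_SAN_DNSNAME)
-        {
-          found_dnsname = 1;
-          if (MHD__gnutls_hostname_compare (dnsname, hostname))
-            {
-              return 1;
-            }
-        }
-      else if (ret == GNUTLS_SAN_IPADDRESS)
-        {
-          found_dnsname = 1;    /* RFC 2818 is unclear whether the CN
-                                   should be compared for IP addresses
-                                   too, but we won't do it. */
-          if (MHD__gnutls_hostname_compare (dnsname, hostname))
-            {
-              return 1;
-            }
-        }
-    }
-
-  if (!found_dnsname)
-    {
-      /* not got the necessary extension, use CN instead
-       */
-      dnsnamesize = sizeof (dnsname);
-      if (MHD_gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0,
-                                             0, dnsname, &dnsnamesize) < 0)
-        {
-          /* got an error, can't find a name
-           */
-          return 0;
-        }
-
-      if (MHD__gnutls_hostname_compare (dnsname, hostname))
-        {
-          return 1;
-        }
-    }
-
-  /* not found a matching name
-   */
-  return 0;
-}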