Diffstat (limited to 'src/daemon/https/x509/rfc2818_hostname.c')
-rw-r--r--src/daemon/https/x509/rfc2818_hostname.c161
1 files changed, 0 insertions, 161 deletions
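diff --git a/src/daemon/https/x509/rfc2818_hostname.c b/src/daemon/https/x509/rfc2818_hostname.c
deleted file mode 100644
index be49a778..00000000
--- a/src/daemon/https/x509/rfc2818_hostname.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
- * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
- * Copyright (C) 2002 Andrew McDonald
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-#include <gnutls_int.h>
-#include <x509.h>
-#include <dn.h>
-#include <common.h>
-#include <rfc2818.h>
-#include <gnutls_errors.h>
-
-/* compare hostname against certificate, taking account of wildcards
- * return 1 on success or 0 on error
- */
-int
-MHD__gnutls_hostname_compare (const char *certname, const char *hostname)
-{
- const char *cmpstr1, *cmpstr2;
-
- if (strlen (certname) == 0 || strlen (hostname) == 0)
- return 0;
-
- if (strlen (certname) > 2 && strncmp (certname, "*.", 2) == 0)
- {
- /* a wildcard certificate */
-
- cmpstr1 = certname + 1;
-
- /* find the first dot in hostname, compare from there on */
- cmpstr2 = strchr (hostname, '.');
-
- if (cmpstr2 == NULL)
- {
- /* error, the hostname we're connecting to is only a local part */
- return 0;
- }
-
- if (strcasecmp (cmpstr1, cmpstr2) == 0)
- {
- return 1;
- }
-
- return 0;
- }
-
- if (strcasecmp (certname, hostname) == 0)
- {
- return 1;
- }
-
- return 0;
-}
-
-/**
- * MHD_gnutls_x509_crt_check_hostname - This function compares the given hostname with the hostname in the certificate
- * @cert: should contain an MHD_gnutls_x509_crt_t structure
- * @hostname: A null terminated string that contains a DNS name
- *
- * This function will check if the given certificate's subject
- * matches the given hostname. This is a basic implementation of the
- * matching described in RFC2818 (HTTPS), which takes into account
- * wildcards, and the DNSName/IPAddress subject alternative name PKIX
- * extension.
- *
- * Returns non zero for a successful match, and zero on failure.
- **/
-int
-MHD_gnutls_x509_crt_check_hostname (MHD_gnutls_x509_crt_t cert,
- const char *hostname)
-{
-
- char dnsname[MAX_CN];
- size_t dnsnamesize;
- int found_dnsname = 0;
- int ret = 0;
- int i = 0;
-
- /* try matching against:
- * 1) a DNS name as an alternative name (subjectAltName) extension
- * in the certificate
- * 2) the common name (CN) in the certificate
- *
- * either of these may be of the form: *.domain.tld
- *
- * only try (2) if there is no subjectAltName extension of
- * type dNSName
- */
-
- /* Check through all included subjectAltName extensions, comparing
- * against all those of type dNSName.
- */
- for (i = 0; !(ret < 0); i++)
- {
-
- dnsnamesize = sizeof (dnsname);
- ret = MHD_gnutls_x509_crt_get_subject_alt_name (cert, i,
- dnsname, &dnsnamesize,
- NULL);
-
- if (ret == GNUTLS_SAN_DNSNAME)
- {
- found_dnsname = 1;
- if (MHD__gnutls_hostname_compare (dnsname, hostname))
- {
- return 1;
- }
- }
- else if (ret == GNUTLS_SAN_IPADDRESS)
- {
- found_dnsname = 1; /* RFC 2818 is unclear whether the CN
- should be compared for IP addresses
- too, but we won't do it. */
- if (MHD__gnutls_hostname_compare (dnsname, hostname))
- {
- return 1;
- }
- }
- }
-
- if (!found_dnsname)
- {
- /* not got the necessary extension, use CN instead
- */
- dnsnamesize = sizeof (dnsname);
- if (MHD_gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0,
- 0, dnsname, &dnsnamesize) < 0)
- {
- /* got an error, can't find a name
- */
- return 0;
- }
-
- if (MHD__gnutls_hostname_compare (dnsname, hostname))
- {
- return 1;
- }
- }
-
- /* not found a matching name
- */
- return 0;
-}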