1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
/**
@file ssl_verify.c
@author web, feh -- parts of code borrowed from Pavel Shramov; tx Peter Conrad
@brief Compares 'hostname' against SubAltName DNS:hostname + DN: /CN=hostname
*/
#include "ucspissl.h"
#include "case.h"
#include "str.h"
int ssl_verify(SSL *ssl,const char *hostname,stralloc *dnsout)
{
X509 *cert;
STACK_OF(GENERAL_NAME) *extensions;
const GENERAL_NAME *ext;
char buf[SSL_NAME_LEN];
char *dnsname = 0;
int i;
int num;
int len;
int dname = 0;
#if (OPENSSL_VERSION_NUMBER > 0x30100000L)
cert = SSL_get1_peer_certificate(ssl);
#else
cert = SSL_get_peer_certificate(ssl);
#endif
if (!cert) return -1;
if (SSL_get_verify_result(ssl) != X509_V_OK) return -2;
if (hostname) {
if (!stralloc_copys(dnsout,"")) return 1;
extensions = X509_get_ext_d2i(cert,NID_subject_alt_name,0,0);
num = sk_GENERAL_NAME_num(extensions); /* num = 0, if no SAN extensions */
for (i = 0; i < num; ++i) {
ext = sk_GENERAL_NAME_value(extensions,i);
if (ext->type == GEN_DNS) {
if (ASN1_STRING_type(ext->d.dNSName) != V_ASN1_IA5STRING) continue;
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
dnsname = (char *)ASN1_STRING_data(ext->d.dNSName);
#else
dnsname = (char *)ASN1_STRING_get0_data(ext->d.dNSName);
#endif
len = ASN1_STRING_length(ext->d.dNSName);
if (len != str_len(dnsname)) continue;
if (!stralloc_copyb(dnsout,dnsname,len)) return 1;
if (case_diffs((char *)hostname,dnsname) == 0) return 0;
dname = 1;
}
}
if (!dname) {
X509_NAME_get_text_by_NID(X509_get_subject_name(cert),NID_commonName,buf,sizeof(buf));
buf[SSL_NAME_LEN - 1] = 0;
if (!stralloc_copyb(dnsout,buf,str_len(buf))) return 1;
if (case_diffs((char *)hostname,buf) == 0) return 0;
}
return -3;
}
return 0;
}
|
