XRootD
XrdTlsNotaryUtils.icc
Go to the documentation of this file.
1 /* Obtained from: https://github.com/iSECPartners/ssl-conservatory */
2 // Original name: openssl_hostname_validation.c
3 
4 /*
5 Copyright (C) 2012, iSEC Partners.
6 
7 Permission is hereby granted, free of charge, to any person obtaining a copy of
8 this software and associated documentation files (the "Software"), to deal in
9 the Software without restriction, including without limitation the rights to
10 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
11 of the Software, and to permit persons to whom the Software is furnished to do
12 so, subject to the following conditions:
13 
14 The above copyright notice and this permission notice shall be included in all
15 copies or substantial portions of the Software.
16 
17 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 SOFTWARE.
24  */
25 
26 /*
27  * Helper functions to perform basic hostname validation using OpenSSL.
28  *
29  * Please read "everything-you-wanted-to-know-about-openssl.pdf" before
30  * attempting to use this code. This whitepaper describes how the code works,
31  * how it should be used, and what its limitations are.
32  *
33  * Author: Alban Diquet
34  * License: See LICENSE
35  *
36  */
37 
38 
39 #include <openssl/x509v3.h>
40 #include <openssl/ssl.h>
41 
42 /*
43 #include "openssl_hostname_validation.h"
44 #include "hostcheck.h"
45 */
46 
47 #define HOSTNAME_MAX_SIZE 255
48 
57 static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert) {
58  int common_name_loc = -1;
59  X509_NAME_ENTRY *common_name_entry = NULL;
60  ASN1_STRING *common_name_asn1 = NULL;
61  char *common_name_str = NULL;
62 
63  // Find the position of the CN field in the Subject field of the certificate
64  common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
65  if (common_name_loc < 0) {
66  return Error;
67  }
68 
69  // Extract the CN field
70  common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
71  if (common_name_entry == NULL) {
72  return Error;
73  }
74 
75  // Convert the CN field to a C string
76  common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
77  if (common_name_asn1 == NULL) {
78  return Error;
79  }
80 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
81  common_name_str = (char *) ASN1_STRING_get0_data(common_name_asn1);
82 #else
83  common_name_str = (char *) ASN1_STRING_data(common_name_asn1);
84 #endif
85 
86  // Make sure there isn't an embedded NUL character in the CN
87  if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
88  return MalformedCertificate;
89  }
90 
91  // Compare expected hostname with the CN
92  if (Curl_cert_hostcheck(common_name_str, hostname) == CURL_HOST_MATCH) {
93  return MatchFound;
94  }
95  else {
96  return MatchNotFound;
97  }
98 }
99 
100 
109 static HostnameValidationResult matches_subject_alternative_name(const char *hostname, const X509 *server_cert) {
111  int i;
112  int san_names_nb = -1;
113  STACK_OF(GENERAL_NAME) *san_names = NULL;
114 
115  // Try to extract the names within the SAN extension from the certificate
116  san_names = static_cast<GENERAL_NAMES *>(
117  X509_get_ext_d2i((X509 *) server_cert,
118  NID_subject_alt_name, NULL, NULL));
119  if (san_names == NULL) {
120  return NoSANPresent;
121  }
122  san_names_nb = sk_GENERAL_NAME_num(san_names);
123 
124  // Check each name within the extension
125  for (i=0; i<san_names_nb; i++) {
126  const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
127 
128  if (current_name->type == GEN_DNS) {
129  // Current name is a DNS name, let's check it
130 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
131  char *dns_name = (char *) ASN1_STRING_get0_data(current_name->d.dNSName);
132 #else
133  char *dns_name = (char *) ASN1_STRING_data(current_name->d.dNSName);
134 #endif
135 
136  // Make sure there isn't an embedded NUL character in the DNS name
137  if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
138  result = MalformedCertificate;
139  break;
140  }
141  else { // Compare expected hostname with the DNS name
142  if (Curl_cert_hostcheck(dns_name, hostname)
143  == CURL_HOST_MATCH) {
144  result = MatchFound;
145  break;
146  }
147  }
148  }
149  }
150  sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
151 
152  return result;
153 }
154 
155 
167 HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert) {
169 
170  if((hostname == NULL) || (server_cert == NULL))
171  return Error;
172 
173  // First try the Subject Alternative Names extension
174  result = matches_subject_alternative_name(hostname, server_cert);
175  if (result == NoSANPresent) {
176  // Extension was not found: try the Common Name
177  result = matches_common_name(hostname, server_cert);
178  }
179 
180  return result;
181 }
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
#define CURL_HOST_MATCH
HostnameValidationResult
@ MatchNotFound
@ NoSANPresent
@ MalformedCertificate
@ MatchFound
HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert)
static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert)
static HostnameValidationResult matches_subject_alternative_name(const char *hostname, const X509 *server_cert)