3c7dcc5c722ac050784098b87a04259ee7fcf370
[tclink.git] / validate.c
1 /*
2 COPYRIGHT AND PERMISSION NOTICE
3
4 Copyright (c) 1996 - 2010, Daniel Stenberg, <daniel@haxx.se>.
5
6 All rights reserved.
7
8 Permission to use, copy, modify, and distribute this software for any purpose
9 with or without fee is hereby granted, provided that the above copyright
10 notice and this permission notice appear in all copies.
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
13 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
15 NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
16 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
17 OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
18 OR OTHER DEALINGS IN THE SOFTWARE.
19
20 Except as contained in this notice, the name of a copyright holder shall not
21 be used in advertising or otherwise to promote the sale, use or other dealings
22 in this Software without prior written authorization of the copyright holder.
23 */
24 /* simplified to a basic host name check */
25 #include <string.h>
26 #include <openssl/x509_vfy.h>
27 #include <openssl/x509v3.h>
28
29 #define bool int
30 #define false 0
31 #define true 1
32 /** @fn static bool cert_hostcheck(const char *hostname, char *pattern)
33 * Verifies that the hostname matches against the pattern specified.
34 * Handles wildcard patterns and ignores the distinction between upper and lower case letters.
35 * Note: Ported over from ssluse.c in curl (7.1.16) lib
36 * Note: Explicit pattern match disabled as we do not use that for processing node certificate.
37 * Note: No longer ignores the distinction between upper and lower case letters. Our certificate is generated with lowercase letters.
38 * @return true if matches, false otherwise
39 * @param hostname The hostname we want to check. e.g: vault.trustcommerce.com
40 * @param pattern The pattern we wish to match against. e.g: *.trustcommerce.com
41 */
42 bool cert_hostcheck(const char *pattern, const char *hostname)
43 {
44 if (!hostname || !pattern || !*hostname || !*pattern) return false;
45 if (!strcmp(hostname,pattern)) return true;
46 return false;
47 }
48 /** @fn static bool checkCertificate(X509 *cert, char *host)
49 * Provides validation of the hostname associated with a certificate.
50 * See RFC2818 - Server Identity for an overview of the concept.
51 * This implementation is based off the one found in curl-7.16.1: ssluse.c
52 * but we treat the subjectAltName as a recommendation... so if it fails,
53 * we will proceed to the CN check.
54 * The rationale for this is that we are not always using HTTP (over SSL)
55 * and its more of a certification generation / CA issue and we want
56 * maximum interoperability (as opposed to strict compliance).
57 * @param cert The X509 certificate in question.
58 * @param host The hostname or ip we wish to check.
59 * @return true if matches, false otherwise
60 */
61 static bool checkCertificate(X509 * cert, const char *host)
62 {
63 int i,j;
64 bool matched = false;
65 STACK_OF(GENERAL_NAME) * altnames;
66 unsigned char *nulstr = { '\0' };
67 unsigned char *peer_CN = nulstr;
68 X509_NAME *name;
69 ASN1_STRING * tmp;
70 bool status = false;
71
72 if (!cert || !host) return false;
73
74 altnames = (STACK_OF(GENERAL_NAME) *)(X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL));
75
76 if (altnames != NULL)
77 {
78 int numalts = sk_GENERAL_NAME_num(altnames);
79 for (i=0; (i<numalts) && (matched == false); i++)
80 {
81 const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
82 const char *altptr = (char *)(ASN1_STRING_data(check->d.ia5));
83 size_t altlen;
84 switch (check->type)
85 {
86 case GEN_DNS:
87 altlen = ASN1_STRING_length(check->d.ia5);
88 if (altlen == strlen(host) && cert_hostcheck(altptr, host))
89 matched = true;
90 break;
91 case GEN_IPADD:
92 altlen = ASN1_STRING_length(check->d.ia5);
93 if (altlen == strlen(host) && !memcmp(altptr, host, altlen))
94 matched = true;
95 break;
96 }
97 }
98 GENERAL_NAMES_free(altnames);
99 if (matched != false) return true;
100 }
101
102 i = j = -1;
103
104
105 name = X509_get_subject_name(cert);
106 if (!name) return false;
107
108
109 // get the last CN found in the subject (supposedly its the most distinguished one)
110 while ((j=X509_NAME_get_index_by_NID(name,NID_commonName,i))>=0)
111 i=j;
112
113 if (i<0) return false;
114
115 tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
116 /* workaround for version of openssl < 0.9.7d */
117 if (tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING)
118 {
119 j = ASN1_STRING_length(tmp);
120 if (j >= 0) {
121 peer_CN = (unsigned char *)(OPENSSL_malloc(j+1));
122 if (peer_CN)
123 {
124 memcpy(peer_CN, ASN1_STRING_data(tmp), j);
125 peer_CN[j] = '\0';
126 }
127 }
128 }
129 else
130 {
131 j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
132 }
133
134 if (peer_CN == nulstr)
135 peer_CN = NULL;
136
137 if (peer_CN == NULL)
138 return false; // the cn isnt missing in virtually all cases
139 else if(!cert_hostcheck((char *)(peer_CN), host))
140 status = false;
141 else
142 status = true;
143
144 if (peer_CN)
145 OPENSSL_free(peer_CN);
146 return status;
147 }
148
149 int TCLinkDefaultValidate(int x, void * cert)
150 {
151 if (x != 0 || cert == NULL) return 0;
152 return !checkCertificate((X509 *)cert, "pgw1.trustcommerce.com");
153
154 }