ssl_verify.c

Go to the documentation of this file.

 
#include "ucspissl.h"
#include "case.h"
#include "str.h"
 
int ssl_verify(SSL *ssl,const char *hostname,stralloc *dnsout)
{
  X509 *cert;
  STACK_OF(GENERAL_NAME) *extensions;
  const GENERAL_NAME *ext;
  char buf[SSL_NAME_LEN];
  char *dnsname = 0;
  int i;
  int num; 
  int len;
  int dname = 0;
 
  cert = SSL_get_peer_certificate(ssl); // deprecated, but working everywhere => SSL_get1_peer_certificate()
  if (!cert) return -1;
 
  if (SSL_get_verify_result(ssl) != X509_V_OK) return -2;
 
  if (hostname) {
    if (!stralloc_copys(dnsout,"")) return 1;
    extensions = X509_get_ext_d2i(cert,NID_subject_alt_name,0,0);
    num = sk_GENERAL_NAME_num(extensions);      /* num = 0, if no SAN extensions */
 
    for (i = 0; i < num; ++i) {
      ext = sk_GENERAL_NAME_value(extensions,i);
      if (ext->type == GEN_DNS) {
        if (ASN1_STRING_type(ext->d.dNSName) != V_ASN1_IA5STRING) continue;
        dnsname = (char *)ASN1_STRING_get0_data(ext->d.dNSName);
        len = ASN1_STRING_length(ext->d.dNSName);
        if (len != str_len(dnsname)) continue;
        if (!stralloc_copyb(dnsout,dnsname,len)) return 1; 
        if (case_diffs((char *)hostname,dnsname) == 0) return 0;
        dname = 1;
      }
    }
    
    if (!dname) {
      X509_NAME_get_text_by_NID(X509_get_subject_name(cert),NID_commonName,buf,sizeof(buf));
      buf[SSL_NAME_LEN - 1] = 0;
      if (!stralloc_copyb(dnsout,buf,str_len(buf))) return 1; 
      if (case_diffs((char *)hostname,buf) == 0) return 0;
    }
 
    return -3;
  }
  return 0;
}