1 | // |
2 | // ssl/impl/rfc2818_verification.ipp | |
3 | // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
4 | // | |
5 | // Copyright (c) 2003-2016 Christopher M. Kohlhoff (chris at kohlhoff dot com) | |
6 | // | |
7 | // Distributed under the Boost Software License, Version 1.0. (See accompanying | |
8 | // file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt) | |
9 | // | |
10 | ||
11 | #ifndef BOOST_ASIO_SSL_IMPL_RFC2818_VERIFICATION_IPP | |
12 | #define BOOST_ASIO_SSL_IMPL_RFC2818_VERIFICATION_IPP | |
13 | ||
14 | #if defined(_MSC_VER) && (_MSC_VER >= 1200) | |
15 | # pragma once | |
16 | #endif // defined(_MSC_VER) && (_MSC_VER >= 1200) | |
17 | ||
18 | #include <boost/asio/detail/config.hpp> | |
19 | ||
20 | #if !defined(BOOST_ASIO_ENABLE_OLD_SSL) | |
21 | # include <cctype> | |
22 | # include <cstring> | |
23 | # include <boost/asio/ip/address.hpp> | |
24 | # include <boost/asio/ssl/rfc2818_verification.hpp> | |
25 | # include <boost/asio/ssl/detail/openssl_types.hpp> | |
26 | #endif // !defined(BOOST_ASIO_ENABLE_OLD_SSL) | |
27 | ||
28 | #include <boost/asio/detail/push_options.hpp> | |
29 | ||
30 | namespace boost { | |
31 | namespace asio { | |
32 | namespace ssl { | |
33 | ||
34 | #if !defined(BOOST_ASIO_ENABLE_OLD_SSL) | |
35 | ||
// OpenSSL verify callback: accept the certificate at the end of the chain only
// if it names host_ as the peer. The identity is taken first from the
// subjectAltName extension (dNSName entries when host_ is a host name,
// iPAddress entries when it is an IP literal) and, if nothing there matched,
// from the subject's most specific commonName.
//
// preverified: result of OpenSSL's own chain validation for this certificate.
// ctx: the verification context; only its native X509_STORE_CTX is used.
// Returns true to accept the certificate at the current depth, false to
// reject it. Rejecting here is final: a chain-validation failure is never
// overridden by a name match.
bool rfc2818_verification::operator()(
    bool preverified, verify_context& ctx) const
{
  using namespace std; // For memcmp.

  // Don't bother looking at certificates that have failed pre-verification.
  if (!preverified)
    return false;

  // We're only interested in checking the certificate at the end of the chain.
  // Intermediate and root certificates (depth > 0) are accepted as-is on the
  // strength of the pre-verification above; only the leaf carries the peer
  // identity.
  int depth = X509_STORE_CTX_get_error_depth(ctx.native_handle());
  if (depth > 0)
    return true;

  // Try converting the host name to an address. If it is an address then we
  // need to look for an IP address in the certificate rather than a host name.
  boost::system::error_code ec;
  ip::address address = ip::address::from_string(host_, ec);
  bool is_address = !ec;

  X509* cert = X509_STORE_CTX_get_current_cert(ctx.native_handle());

  // Go through the alternate names in the certificate looking for matching DNS
  // or IP address entries. A certificate without a subjectAltName extension
  // yields a null gens; the loop below relies on OpenSSL's stack API reporting
  // a negative count for a null stack (so the body never runs) and on
  // GENERAL_NAMES_free accepting null.
  GENERAL_NAMES* gens = static_cast<GENERAL_NAMES*>(
      X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0));
  for (int i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
  {
    GENERAL_NAME* gen = sk_GENERAL_NAME_value(gens, i);
    if (gen->type == GEN_DNS && !is_address)
    {
      ASN1_IA5STRING* domain = gen->d.dNSName;
      if (domain->type == V_ASN1_IA5STRING && domain->data && domain->length)
      {
        // The certificate name is handed over with its explicit ASN.1 length
        // rather than as a C string, so an embedded NUL byte in the
        // certificate cannot truncate the comparison against host_.
        const char* pattern = reinterpret_cast<const char*>(domain->data);
        std::size_t pattern_length = domain->length;
        if (match_pattern(pattern, pattern_length, host_.c_str()))
        {
          GENERAL_NAMES_free(gens);
          return true;
        }
      }
    }
    else if (gen->type == GEN_IPADD && is_address)
    {
      ASN1_OCTET_STRING* ip_address = gen->d.iPAddress;
      if (ip_address->type == V_ASN1_OCTET_STRING && ip_address->data)
      {
        // iPAddress entries hold the raw address octets. They are compared
        // byte-for-byte with the parsed host address, and only when the
        // entry's length matches that address family (4 or 16 octets).
        if (address.is_v4() && ip_address->length == 4)
        {
          ip::address_v4::bytes_type bytes = address.to_v4().to_bytes();
          if (memcmp(bytes.data(), ip_address->data, 4) == 0)
          {
            GENERAL_NAMES_free(gens);
            return true;
          }
        }
        else if (address.is_v6() && ip_address->length == 16)
        {
          ip::address_v6::bytes_type bytes = address.to_v6().to_bytes();
          if (memcmp(bytes.data(), ip_address->data, 16) == 0)
          {
            GENERAL_NAMES_free(gens);
            return true;
          }
        }
      }
    }
  }
  GENERAL_NAMES_free(gens);

  // No match in the alternate names, so try the common names. We should only
  // use the "most specific" common name, which is the last one in the list.
  //
  // NOTE(review): this fallback runs unconditionally. RFC 2818 section 3.1
  // allows the CN only when no dNSName subjectAltName is present, and for an
  // IP literal it requires an iPAddress entry; here the CN is still matched
  // (with the same wildcard rules as a dNSName) when host_ is an IP literal
  // and when the certificate did carry dNSName entries that failed to match.
  // A stricter policy would return false at this point when is_address is set
  // or when gens was non-null.
  X509_NAME* name = X509_get_subject_name(cert);
  int i = -1;
  ASN1_STRING* common_name = 0;
  // X509_NAME_get_index_by_NID resumes after the previous index, so this
  // leaves common_name pointing at the last CN entry (null if there is none).
  while ((i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0)
  {
    X509_NAME_ENTRY* name_entry = X509_NAME_get_entry(name, i);
    common_name = X509_NAME_ENTRY_get_data(name_entry);
  }
  if (common_name && common_name->data && common_name->length)
  {
    // Length-delimited as for the SAN case above, so an embedded NUL in the
    // CN does not truncate the comparison either.
    const char* pattern = reinterpret_cast<const char*>(common_name->data);
    std::size_t pattern_length = common_name->length;
    if (match_pattern(pattern, pattern_length, host_.c_str()))
      return true;
  }

  return false;
}
127 | ||
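// ASCII-only case folding for host name comparison. DNS labels compare
// case-insensitively over ASCII (non-ASCII names are carried as A-labels), so
// the locale-dependent std::tolower is deliberately not used. std::tolower is
// also undefined for negative char values, which any certificate byte above
// 0x7F would produce on platforms where char is signed.
static inline char rfc2818_ascii_lower(char c)
{
  return (c >= 'A' && c <= 'Z') ? static_cast<char>(c - 'A' + 'a') : c;
}

// Match a certificate name pattern against a host name.
//
// pattern, pattern_length: the name taken from the certificate (a SAN dNSName
//   or the subject CN). It is length-delimited rather than NUL-terminated, so
//   an embedded NUL in the certificate name is compared as an ordinary byte
//   and can never truncate the comparison.
// host: the NUL-terminated host name supplied by the caller.
//
// A '*' in the pattern matches zero or more characters of the current host
// label and never crosses a '.'. It may appear anywhere in the pattern, and a
// bare "*." prefix also matches an empty leading label. All other characters
// are compared case-insensitively over ASCII only. Returns true when the
// whole pattern consumes the whole host.
//
// Each '*' that is not adjacent to another multiplies the work by the length
// of the host label it sits in; the pattern comes from the certificate, so
// this cost is bounded by the certificate's name length.
bool rfc2818_verification::match_pattern(const char* pattern,
    std::size_t pattern_length, const char* host)
{
  const char* p = pattern;
  const char* p_end = p + pattern_length;
  const char* h = host;

  while (p != p_end && *h)
  {
    if (*p == '*')
    {
      // A run of adjacent wildcards matches exactly what a single one does;
      // collapsing the run avoids trying every split between them.
      while (p != p_end && *p == '*')
        ++p;

      // Try every shorter prefix of this label recursively. Falling out of
      // the loop leaves h at the end of the label, i.e. the wildcard absorbs
      // the rest of it, and the outer loop carries on from there.
      while (*h && *h != '.')
        if (match_pattern(p, p_end - p, h++))
          return true;
    }
    else if (rfc2818_ascii_lower(*p) == rfc2818_ascii_lower(*h))
    {
      ++p;
      ++h;
    }
    else
    {
      return false;
    }
  }

  return p == p_end && !*h;
}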
159 | ||
160 | #endif // !defined(BOOST_ASIO_ENABLE_OLD_SSL) | |
161 | ||
162 | } // namespace ssl | |
163 | } // namespace asio | |
164 | } // namespace boost | |
165 | ||
166 | #include <boost/asio/detail/pop_options.hpp> | |
167 | ||
168 | #endif // BOOST_ASIO_SSL_IMPL_RFC2818_VERIFICATION_IPP |