/**
 * Checks that the expected hostname appears in the server's certificate.
 *
 * Per RFC 6125 the Subject Alternative Name extension is consulted first; the
 * Common Name is only consulted as a fallback when the SAN extension is absent
 * (signalled by matches_subject_alternative_name() returning NoSANPresent).
 * Name matching says nothing about whether the certificate chains to a trusted
 * root — that check is the caller's responsibility and is not performed here.
 *
 * @param hostname     Expected server name; must not be NULL.
 * @param server_cert  Certificate presented by the peer; must not be NULL.
 * @return MatchFound            the name matched.
 *         MatchNotFound         no name matched.
 *         MalformedCertificate  a name in the certificate contained an embedded NUL.
 *         Error                 a NULL argument or a failure in the helpers.
 */
HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert) {
	if (hostname == NULL || server_cert == NULL) {
		return Error;
	}

	/* SAN takes precedence; any verdict other than "no SAN extension" is final. */
	HostnameValidationResult san_verdict = matches_subject_alternative_name(hostname, server_cert);
	if (san_verdict != NoSANPresent) {
		return san_verdict;
	}

	/* No SAN extension in the certificate: fall back to the Common Name. */
	return matches_common_name(hostname, server_cert);
}
/**
 * Checks that the expected hostname appears in the certificate the peer
 * presented on an established SSL connection.
 *
 * The peer's leaf certificate is fetched with SSL_get_peer_certificate(); the
 * returned object is owned by this function and released with X509_free()
 * before returning. The Subject Alternative Name extension is consulted first
 * and the Common Name only when matches_subject_alternative_name() reports
 * NoSANPresent. A successful name match does not by itself establish trust in
 * the certificate chain; that verification is separate from this function.
 *
 * @param hostname  Expected server name; must not be NULL.
 * @param server    Connected SSL object; must not be NULL.
 * @return The verdict of the SAN or CN matcher, or Error when an argument is
 *         NULL or the peer presented no certificate.
 */
int32_t validate_hostname(const char *hostname, const SSL *server) {
    if (hostname == NULL || server == NULL) {
        return Error;
    }

    X509 *peer_cert = SSL_get_peer_certificate(server);
    if (peer_cert == NULL) {
        /* No certificate presented by the peer: nothing to match against. */
        return Error;
    }

    int32_t verdict = matches_subject_alternative_name(hostname, peer_cert);
    if (verdict == NoSANPresent) {
        /* No SAN extension: fall back to the Common Name. */
        verdict = matches_common_name(hostname, peer_cert);
    }

    /* Release the reference obtained from SSL_get_peer_certificate(). */
    X509_free(peer_cert);
    return verdict;
}