commit ce1ef1abde0d5519e0464f9326edea01b73a845f
parent 77de1bb2a84e0980d23b7fc2dda1480a1093ca21
Author: Drew DeVault <sir@cmpwn.com>
Date: Sun, 27 Sep 2020 11:40:49 -0400
TOFU: verify hostnames
Diffstat:
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/tofu.c b/src/tofu.c
@@ -6,6 +6,7 @@
#include <openssl/evp.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
@@ -27,8 +28,6 @@ verify_callback(X509_STORE_CTX *ctx, void *data)
//
// If you're reading this code with the intent to re-use it, think
// twice.
- //
- // TODO: Check that the subject name is valid for the requested URL.
struct gemini_tofu *tofu = (struct gemini_tofu *)data;
X509 *cert = X509_STORE_CTX_get0_cert(ctx);
struct known_host *host = NULL;
@@ -74,6 +73,12 @@ verify_callback(X509_STORE_CTX *ctx, void *data)
goto invalid_cert;
}
+ rc = X509_check_host(cert, servername, strlen(servername), 0, NULL);
+ if (rc != 1) {
+ rc = X509_V_ERR_HOSTNAME_MISMATCH;
+ goto invalid_cert;
+ }
+
time_t now;
time(&now);
