2 * Copyright 2016 Facebook, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 #include <openssl/x509v3.h>
20 #include <netinet/in.h>
21 #include <sys/socket.h>
29 * Validate that the peer certificate's common name or subject alt names
30 * match what we expect. Currently this only checks for IPs within
31 * subject alt names but it could easily be expanded to check common name
32 * and hostnames as well.
34 * @param cert X509* peer certificate
35 * @param addr sockaddr object containing sockaddr to verify
36 * @param addrLen length of sockaddr as returned by getpeername or accept
37 * @return true iff a subject altname IP matches addr
39 // TODO(agartrell): Add support for things like common name when
41 static bool validatePeerCertNames(X509* cert,
46 * Get the peer socket address from an X509_STORE_CTX*. Unlike the
47 * accept, getsockname, getpeername, etc family of operations, addrLen's
48 * initial value is ignored and reset.
50 * @param ctx Context from which to retrieve peer sockaddr
51 * @param addrStorage out param for address
52 * @param addrLen out param for length of address
53 * @return true on success, false on failure
55 static bool getPeerAddressFromX509StoreCtx(X509_STORE_CTX* ctx,
56 sockaddr_storage* addrStorage,