1 #ifndef __XRDTLSNOTARY_H__
2 #define __XRDTLSNOTARY_H__
3 /******************************************************************************/
4 /* */
5 /* X r d T l s N o t a r y . h h */
6 /* */
7 /* (c) 2019 by the Board of Trustees of the Leland Stanford, Jr., University */
8 /* Produced by Andrew Hanushevsky for Stanford University under contract */
9 /* DE-AC02-76-SFO0515 with the Department of Energy */
10 /* */
11 /* This file is part of the XRootD software suite. */
12 /* */
13 /* XRootD is free software: you can redistribute it and/or modify it under */
14 /* the terms of the GNU Lesser General Public License as published by the */
15 /* Free Software Foundation, either version 3 of the License, or (at your */
16 /* option) any later version. */
17 /* */
18 /* XRootD is distributed in the hope that it will be useful, but WITHOUT */
19 /* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
20 /* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
21 /* License for more details. */
22 /* */
23 /* You should have received a copy of the GNU Lesser General Public License */
24 /* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
25 /* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
26 /* */
27 /* The copyright holder's institutional names and contributor's names may not */
28 /* be used to endorse or promote products derived from this software without */
29 /* specific prior written permission of the institution or contributor. */
30 /******************************************************************************/
31 
32 #include <openssl/ssl.h>
33 
34 /* This class encapsulates the method to be used for hostname validation.
35  A hostname is valid, as follows:
36  1) When DNS is not allowed to be used:
37  a) If a SAN extension is present and the hostname matches an entry
38  in the extension it is considered valid.
39  b) If there is no SAN extension and use of the common name is
40  allowed and the names match it is considered valid.
41  c) At this point hostname validation has failed.
42  2) When DNS is allowed to be used:
43  a) If a SAN extension is present and the hostname matches an entry
44  in the extension it is considered valid.
45  b) If the common name matches the hostname it is considered valid.
46  c) If reverse lookup of the host IP address matches the name, it
47  is considered valid.
48  d) At this point hostname validation has failed.
49 
50  Notice the difference between the two is how we handle SAN matching. When
51  DNS cannot be used the SAN, if present, must match. The fallback is
52  to use the common name. This is selectable as the current recommendation
53  is to require all certificates to have a SAN extension.
54 */
55 
56 class XrdNetAddrInfo;
57 
59 {
60 public:
61 
62 //-----------------------------------------------------------------------------
76 //-----------------------------------------------------------------------------
77 
//! Validate the hostname of the TLS peer against its certificate, using the
//! SAN / common-name / reverse-DNS policy described in the file comment above.
//! Whether the common name may be consulted is governed by UseCN().
//!
//! @param ssl     the SSL session whose peer certificate is examined
//!                (presumably; the certificate lookup is not shown in this
//!                header — confirm in XrdTlsNotary.cc).
//! @param hName   the hostname to validate. NOTE(review): for the check to be
//!                meaningful this should be the name the caller intended to
//!                reach, not a name derived from DNS.
//! @param netInfo optional peer address information; presumably required for
//!                the reverse-lookup step (2c in the file comment), which then
//!                cannot run when the default 0 is passed — TODO confirm.
//! @return        the return convention is not visible in this header
//!                (presumably 0 when the hostname is accepted, otherwise a
//!                message describing why validation failed) — confirm in
//!                XrdTlsNotary.cc.
//!
//! NOTE(review): step 2c trusts reverse DNS, whose PTR records are controlled
//! by whoever administers the peer's address space; deployments that can
//! require a SAN extension should prefer the no-DNS policy.
78 static const char *Validate(const SSL *ssl,
79  const char *hName,
80  XrdNetAddrInfo *netInfo=0);
81 
82 //-----------------------------------------------------------------------------
89 //-----------------------------------------------------------------------------
90 
//! Allow or forbid use of the certificate's common name when validating a
//! hostname (see the file comment). The flag is a single process-wide static
//! with no synchronization, so set it once at startup before Validate() is
//! called. Enabling it widens what is accepted as a valid hostname; keep it
//! disabled unless certificates lacking a SAN extension must be accepted.
//!
//! @param yesno true to permit common-name matching, false to forbid it.
static void UseCN(bool yesno)
{
   cnOK = yesno;
}
92 
93 private:
94 
//! When true, the certificate's common name may be consulted for hostname
//! matching. Set via UseCN(); consulted by Validate() per the file comment.
95 static bool cnOK;
96 };
97 #endif