blob: ffac35bd91cce7ab46d036f019e2d373e1386cad (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
@deftypefun {unsigned} {gnutls_x509_crt_check_hostname2} (gnutls_x509_crt_t @var{cert}, const char * @var{hostname}, unsigned int @var{flags})
@var{cert}: should contain an gnutls_x509_crt_t type
@var{hostname}: A null terminated string that contains a DNS name
@var{flags}: gnutls_certificate_verify_flags
This function will check if the given certificate's subject matches
the given hostname. This is a basic implementation of the matching
described in RFC6125, and takes into account wildcards,
and the DNSName/IPAddress subject alternative name PKIX extension.
IPv4 addresses are accepted by this function in the dotted-decimal
format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal
x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative
name extension is consulted. Previous versions to 3.6.0 of GnuTLS
in case of a non-match would consult (in a non-standard extension)
the DNSname and CN fields. This is no longer the case.
When the flag @code{GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS} is specified no
wildcards are considered. Otherwise they are only considered if the
domain name consists of three components or more, and the wildcard
starts at the leftmost position.
When the flag @code{GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES} is specified,
the input will be treated as a DNS name, and matching of textual IP addresses
against the IPAddress part of the alternative name will not be allowed.
The function @code{gnutls_x509_crt_check_ip()} is available for matching
IP addresses.
@strong{Returns:} non-zero for a successful match, and zero on failure.
@strong{Since:} 3.3.0
@end deftypefun
|