Added a hostname check if connecting via domain hostname (Not IPv4/IPv6 - IPv6 still not supported / tested).

2025-11-11 17:35:53 +01:00
parent eda3cf87d1
commit fbafeafc9f
3 changed files with 82 additions and 2 deletions
--- a/include/columnlynx/client/net/tcp/tcp_client.hpp
+++ b/include/columnlynx/client/net/tcp/tcp_client.hpp
@@ -69,5 +69,6 @@ namespace ColumnLynx::Net::TCP {
            std::chrono::steady_clock::time_point mLastHeartbeatReceived;
            std::chrono::steady_clock::time_point mLastHeartbeatSent;
            int mMissedHeartbeats = 0;
+            bool mIsHostDomain;
    };
 }
--- a/include/columnlynx/common/libsodium_wrapper.hpp
+++ b/include/columnlynx/common/libsodium_wrapper.hpp
@@ -14,6 +14,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/pem.h>
+#include <openssl/x509v3.h>

 namespace ColumnLynx {
    using PublicKey = std::array<uint8_t, crypto_sign_PUBLICKEYBYTES>;   // Ed25519
@@ -222,6 +223,57 @@ namespace ColumnLynx::Utils {
            return result == 1;
        }

+        static inline std::vector<std::string> getCertificateHostname(const std::vector<uint8_t>& cert_der) {
+            std::vector<std::string> names;
+
+            if (cert_der.empty())
+                return names;
+
+            // Parse DER certificate
+            const unsigned char* p = cert_der.data();
+            X509* cert = d2i_X509(nullptr, &p, cert_der.size());
+            if (!cert)
+                return names;
+
+            // --- Subject Alternative Names (SAN) ---
+            GENERAL_NAMES* san_names =
+                (GENERAL_NAMES*)X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr);
+
+            if (san_names) {
+                int san_count = sk_GENERAL_NAME_num(san_names);
+                for (int i = 0; i < san_count; i++) {
+                    const GENERAL_NAME* current = sk_GENERAL_NAME_value(san_names, i);
+                    if (current->type == GEN_DNS) {
+                        const char* dns_name = (const char*)ASN1_STRING_get0_data(current->d.dNSName);
+                        // Safety: ensure no embedded nulls
+                        if (ASN1_STRING_length(current->d.dNSName) == (int)std::strlen(dns_name)) {
+                            names.emplace_back(dns_name);
+                        }
+                    }
+                }
+                GENERAL_NAMES_free(san_names);
+            }
+        
+            // --- Fallback: Common Name (CN) ---
+            if (names.empty()) {
+                X509_NAME* subject = X509_get_subject_name(cert);
+                if (subject) {
+                    int idx = X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
+                    if (idx >= 0) {
+                        X509_NAME_ENTRY* entry = X509_NAME_get_entry(subject, idx);
+                        ASN1_STRING* cn_asn1 = X509_NAME_ENTRY_get_data(entry);
+                        const char* cn_str = (const char*)ASN1_STRING_get0_data(cn_asn1);
+                        if (ASN1_STRING_length(cn_asn1) == (int)std::strlen(cn_str)) {
+                            names.emplace_back(cn_str);
+                        }
+                    }
+                }
+            }
+        
+            X509_free(cert);
+            return names;
+        }
+
        private:
            std::array<uint8_t, crypto_sign_PUBLICKEYBYTES> mPublicKey;
            std::array<uint8_t, crypto_sign_SECRETKEYBYTES> mPrivateKey;