hostcheck: fix host name wildcard checking

The leftmost "label" of the host name can now only match against single
'*'. Like the browsers have worked for a long time.

- extended unit test 1397 for this
- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc

Reported-by: Hiroki Kurosawa
Closes #11018

lib/vtls/hostcheck.c

@@ -71,7 +71,12 @@ static bool pmatch(const char *hostname, size_t hostlen,
  * apparent distinction between a name and an IP. We need to detect the use of
  * an IP address and not wildcard match on such names.
  *
+ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor
+ * "*b".
+ *
  * Return TRUE on a match. FALSE if not.
+ *
+ * @unittest: 1397
  */
 
 static bool hostmatch(const char *hostname,
@@ -79,53 +84,42 @@ static bool hostmatch(const char *hostname,
                       const char *pattern,
                       size_t patternlen)
 {
-  const char *pattern_label_end, *wildcard, *hostname_label_end;
-  size_t prefixlen, suffixlen;
+  const char *pattern_label_end;
 
-  /* normalize pattern and hostname by stripping off trailing dots */
+  DEBUGASSERT(pattern);
   DEBUGASSERT(patternlen);
+  DEBUGASSERT(hostname);
+  DEBUGASSERT(hostlen);
+
+  /* normalize pattern and hostname by stripping off trailing dots */
   if(hostname[hostlen-1]=='.')
     hostlen--;
   if(pattern[patternlen-1]=='.')
     patternlen--;
 
-  wildcard = memchr(pattern, '*', patternlen);
-  if(!wildcard)
+  if(strncmp(pattern, "*.", 2))
     return pmatch(hostname, hostlen, pattern, patternlen);
 
   /* detect IP address as hostname and fail the match if so */
-  if(Curl_host_is_ipnum(hostname))
+  else if(Curl_host_is_ipnum(hostname))
     return FALSE;
 
   /* We require at least 2 dots in the pattern to avoid too wide wildcard
      match. */
   pattern_label_end = memchr(pattern, '.', patternlen);
   if(!pattern_label_end ||
-     (memrchr(pattern, '.', patternlen) == pattern_label_end) ||
-     strncasecompare(pattern, "xn--", 4))
+     (memrchr(pattern, '.', patternlen) == pattern_label_end))
     return pmatch(hostname, hostlen, pattern, patternlen);
-
-  hostname_label_end = memchr(hostname, '.', hostlen);
-  if(!hostname_label_end)
-    return FALSE;
   else {
-    size_t skiphost = hostname_label_end - hostname;
-    size_t skiplen = pattern_label_end - pattern;
-    if(!pmatch(hostname_label_end, hostlen - skiphost,
-               pattern_label_end, patternlen - skiplen))
-      return FALSE;
+    const char *hostname_label_end = memchr(hostname, '.', hostlen);
+    if(hostname_label_end) {
+      size_t skiphost = hostname_label_end - hostname;
+      size_t skiplen = pattern_label_end - pattern;
+      return pmatch(hostname_label_end, hostlen - skiphost,
+                    pattern_label_end, patternlen - skiplen);
+    }
   }
-  /* The wildcard must match at least one character, so the left-most
-     label of the hostname is at least as large as the left-most label
-     of the pattern. */
-  if(hostname_label_end - hostname < pattern_label_end - pattern)
-    return FALSE;
-
-  prefixlen = wildcard - pattern;
-  suffixlen = pattern_label_end - (wildcard + 1);
-  return strncasecompare(pattern, hostname, prefixlen) &&
-    strncasecompare(wildcard + 1, hostname_label_end - suffixlen,
-                    suffixlen) ? TRUE : FALSE;
+  return FALSE;
 }
 
 /*

tests/data/test1397

@@ -2,8 +2,7 @@
 <info>
 <keywords>
 unittest
-ssl
-wildcard
+Curl_cert_hostcheck
 </keywords>
 </info>
 
@@ -16,9 +15,8 @@ none
 <features>
 unittest
 </features>
- <name>
-Check wildcard certificate matching function Curl_cert_hostcheck
- </name>
+<name>
+Curl_cert_hostcheck unit tests
+</name>
 </client>
-
 </testcase>

tests/unit/Makefile.am

@@ -67,97 +67,3 @@ noinst_PROGRAMS = $(UNITPROGS)
 else
 noinst_PROGRAMS =
 endif
-
-unit1300_SOURCES = unit1300.c $(UNITFILES)
-
-unit1302_SOURCES = unit1302.c $(UNITFILES)
-
-unit1303_SOURCES = unit1303.c $(UNITFILES)
-
-unit1304_SOURCES = unit1304.c $(UNITFILES)
-
-unit1305_SOURCES = unit1305.c $(UNITFILES)
-
-unit1307_SOURCES = unit1307.c $(UNITFILES)
-
-unit1308_SOURCES = unit1308.c $(UNITFILES)
-
-unit1309_SOURCES = unit1309.c $(UNITFILES)
-
-unit1323_SOURCES = unit1323.c $(UNITFILES)
-
-unit1330_SOURCES = unit1330.c $(UNITFILES)
-
-unit1394_SOURCES = unit1394.c $(UNITFILES)
-unit1394_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@
-unit1394_LDFLAGS = $(top_builddir)/src/libcurltool.la
-unit1394_LIBS =
-
-unit1395_SOURCES = unit1395.c $(UNITFILES)
-
-unit1396_SOURCES = unit1396.c $(UNITFILES)
-
-unit1397_SOURCES = unit1397.c $(UNITFILES)
-
-unit1398_SOURCES = unit1398.c $(UNITFILES)
-
-unit1399_SOURCES = unit1399.c $(UNITFILES)
-
-unit1600_SOURCES = unit1600.c $(UNITFILES)
-
-unit1601_SOURCES = unit1601.c $(UNITFILES)
-
-unit1602_SOURCES = unit1602.c $(UNITFILES)
-
-unit1603_SOURCES = unit1603.c $(UNITFILES)
-
-unit1604_SOURCES = unit1604.c $(UNITFILES)
-
-unit1605_SOURCES = unit1605.c $(UNITFILES)
-
-unit1606_SOURCES = unit1606.c $(UNITFILES)
-
-unit1607_SOURCES = unit1607.c $(UNITFILES)
-
-unit1608_SOURCES = unit1608.c $(UNITFILES)
-
-unit1609_SOURCES = unit1609.c $(UNITFILES)
-
-unit1610_SOURCES = unit1610.c $(UNITFILES)
-
-unit1611_SOURCES = unit1611.c $(UNITFILES)
-
-unit1612_SOURCES = unit1612.c $(UNITFILES)
-
-unit1614_SOURCES = unit1614.c $(UNITFILES)
-
-unit1620_SOURCES = unit1620.c $(UNITFILES)
-
-unit1621_SOURCES = unit1621.c $(UNITFILES)
-unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la @NSS_LIBS@
-
-unit1650_SOURCES = unit1650.c $(UNITFILES)
-
-unit1651_SOURCES = unit1651.c $(UNITFILES)
-
-unit1652_SOURCES = unit1652.c $(UNITFILES)
-
-unit1653_SOURCES = unit1653.c $(UNITFILES)
-
-unit1654_SOURCES = unit1654.c $(UNITFILES)
-
-unit1655_SOURCES = unit1655.c $(UNITFILES)
-
-unit1660_SOURCES = unit1660.c $(UNITFILES)
-
-unit1661_SOURCES = unit1661.c $(UNITFILES)
-
-unit2600_SOURCES = unit2600.c $(UNITFILES)
-
-unit2601_SOURCES = unit2601.c $(UNITFILES)
-
-unit2602_SOURCES = unit2602.c $(UNITFILES)
-
-unit2603_SOURCES = unit2603.c $(UNITFILES)
-
-unit3200_SOURCES = unit3200.c $(UNITFILES)

tests/unit/Makefile.inc

@@ -40,3 +40,97 @@ UNITPROGS = unit1300          unit1302 unit1303 unit1304 unit1305 unit1307 \
  unit1660 unit1661 \
  unit2600 unit2601 unit2602 unit2603 \
  unit3200
+
+unit1300_SOURCES = unit1300.c $(UNITFILES)
+
+unit1302_SOURCES = unit1302.c $(UNITFILES)
+
+unit1303_SOURCES = unit1303.c $(UNITFILES)
+
+unit1304_SOURCES = unit1304.c $(UNITFILES)
+
+unit1305_SOURCES = unit1305.c $(UNITFILES)
+
+unit1307_SOURCES = unit1307.c $(UNITFILES)
+
+unit1308_SOURCES = unit1308.c $(UNITFILES)
+
+unit1309_SOURCES = unit1309.c $(UNITFILES)
+
+unit1323_SOURCES = unit1323.c $(UNITFILES)
+
+unit1330_SOURCES = unit1330.c $(UNITFILES)
+
+unit1394_SOURCES = unit1394.c $(UNITFILES)
+unit1394_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@
+unit1394_LDFLAGS = $(top_builddir)/src/libcurltool.la
+unit1394_LIBS =
+
+unit1395_SOURCES = unit1395.c $(UNITFILES)
+
+unit1396_SOURCES = unit1396.c $(UNITFILES)
+
+unit1397_SOURCES = unit1397.c $(UNITFILES)
+
+unit1398_SOURCES = unit1398.c $(UNITFILES)
+
+unit1399_SOURCES = unit1399.c $(UNITFILES)
+
+unit1600_SOURCES = unit1600.c $(UNITFILES)
+
+unit1601_SOURCES = unit1601.c $(UNITFILES)
+
+unit1602_SOURCES = unit1602.c $(UNITFILES)
+
+unit1603_SOURCES = unit1603.c $(UNITFILES)
+
+unit1604_SOURCES = unit1604.c $(UNITFILES)
+
+unit1605_SOURCES = unit1605.c $(UNITFILES)
+
+unit1606_SOURCES = unit1606.c $(UNITFILES)
+
+unit1607_SOURCES = unit1607.c $(UNITFILES)
+
+unit1608_SOURCES = unit1608.c $(UNITFILES)
+
+unit1609_SOURCES = unit1609.c $(UNITFILES)
+
+unit1610_SOURCES = unit1610.c $(UNITFILES)
+
+unit1611_SOURCES = unit1611.c $(UNITFILES)
+
+unit1612_SOURCES = unit1612.c $(UNITFILES)
+
+unit1614_SOURCES = unit1614.c $(UNITFILES)
+
+unit1620_SOURCES = unit1620.c $(UNITFILES)
+
+unit1621_SOURCES = unit1621.c $(UNITFILES)
+unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la @NSS_LIBS@
+
+unit1650_SOURCES = unit1650.c $(UNITFILES)
+
+unit1651_SOURCES = unit1651.c $(UNITFILES)
+
+unit1652_SOURCES = unit1652.c $(UNITFILES)
+
+unit1653_SOURCES = unit1653.c $(UNITFILES)
+
+unit1654_SOURCES = unit1654.c $(UNITFILES)
+
+unit1655_SOURCES = unit1655.c $(UNITFILES)
+
+unit1660_SOURCES = unit1660.c $(UNITFILES)
+
+unit1661_SOURCES = unit1661.c $(UNITFILES)
+
+unit2600_SOURCES = unit2600.c $(UNITFILES)
+
+unit2601_SOURCES = unit2601.c $(UNITFILES)
+
+unit2602_SOURCES = unit2602.c $(UNITFILES)
+
+unit2603_SOURCES = unit2603.c $(UNITFILES)
+
+unit3200_SOURCES = unit3200.c $(UNITFILES)

tests/unit/unit1397.c

@@ -23,7 +23,6 @@
  ***************************************************************************/
 #include "curlcheck.h"
 
-#include "vtls/hostcheck.h" /* from the lib dir */
 
 static CURLcode unit_setup(void)
 {
@@ -32,63 +31,94 @@ static CURLcode unit_setup(void)
 
 static void unit_stop(void)
 {
-  /* done before shutting down and exiting */
 }
 
-UNITTEST_START
-
 /* only these backends define the tested functions */
-#if defined(USE_OPENSSL) || defined(USE_GSKIT)
-
-  /* here you start doing things and checking that the results are good */
+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
+#include "vtls/hostcheck.h"
+struct testcase {
+  const char *host;
+  const char *pattern;
+  bool match;
+};
 
-fail_unless(Curl_cert_hostcheck(STRCONST("www.example.com"),
-                                STRCONST("www.example.com")), "good 1");
-fail_unless(Curl_cert_hostcheck(STRCONST("*.example.com"),
-                                STRCONST("www.example.com")),
-            "good 2");
-fail_unless(Curl_cert_hostcheck(STRCONST("xxx*.example.com"),
-                                STRCONST("xxxwww.example.com")), "good 3");
-fail_unless(Curl_cert_hostcheck(STRCONST("f*.example.com"),
-                                STRCONST("foo.example.com")), "good 4");
-fail_unless(Curl_cert_hostcheck(STRCONST("192.168.0.0"),
-                                STRCONST("192.168.0.0")), "good 5");
+static struct testcase tests[] = {
+  {"", "", FALSE},
+  {"a", "", FALSE},
+  {"", "b", FALSE},
+  {"a", "b", FALSE},
+  {"aa", "bb", FALSE},
+  {"\xff", "\xff", TRUE},
+  {"aa.aa.aa", "aa.aa.bb", FALSE},
+  {"aa.aa.aa", "aa.aa.aa", TRUE},
+  {"aa.aa.aa", "*.aa.bb", FALSE},
+  {"aa.aa.aa", "*.aa.aa", TRUE},
+  {"192.168.0.1", "192.168.0.1", TRUE},
+  {"192.168.0.1", "*.168.0.1", FALSE},
+  {"192.168.0.1", "*.0.1", FALSE},
+  {"h.ello", "*.ello", FALSE},
+  {"h.ello.", "*.ello", FALSE},
+  {"h.ello", "*.ello.", FALSE},
+  {"h.e.llo", "*.e.llo", TRUE},
+  {"h.e.llo", " *.e.llo", FALSE},
+  {" h.e.llo", "*.e.llo", TRUE},
+  {"h.e.llo.", "*.e.llo", TRUE},
+  {"*.e.llo.", "*.e.llo", TRUE},
+  {"************.e.llo.", "*.e.llo", TRUE},
+  {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+   "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
+   "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
+   "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
+   "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+   ".e.llo.", "*.e.llo", TRUE},
+  {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
+  {"h.e.llo.", "*.e.llo.", TRUE},
+  {"h.e.llo", "*.e.llo.", TRUE},
+  {".h.e.llo", "*.e.llo.", FALSE},
+  {"h.e.llo", "*.*.llo.", FALSE},
+  {"h.e.llo", "h.*.llo", FALSE},
+  {"h.e.llo", "h.e.*", FALSE},
+  {"hello", "*.ello", FALSE},
+  {"hello", "**llo", FALSE},
+  {"bar.foo.example.com", "*.example.com", FALSE},
+  {"foo.example.com", "*.example.com", TRUE},
+  {"baz.example.net", "b*z.example.net", FALSE},
+  {"foobaz.example.net", "*baz.example.net", FALSE},
+  {"xn--l8j.example.local", "x*.example.local", FALSE},
+  {"xn--l8j.example.net", "*.example.net", TRUE},
+  {"xn--l8j.example.net", "*j.example.net", FALSE},
+  {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
+  {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
+  {"xl8j.example.net", "*.example.net", TRUE},
+  {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
+  {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
+  {NULL, NULL, FALSE}
+};
 
-fail_if(Curl_cert_hostcheck(STRCONST("xxx.example.com"),
-                            STRCONST("www.example.com")), "bad 1");
-fail_if(Curl_cert_hostcheck(STRCONST("*"),
-                            STRCONST("www.example.com")),"bad 2");
-fail_if(Curl_cert_hostcheck(STRCONST("*.*.com"),
-                            STRCONST("www.example.com")), "bad 3");
-fail_if(Curl_cert_hostcheck(STRCONST("*.example.com"),
-                            STRCONST("baa.foo.example.com")), "bad 4");
-fail_if(Curl_cert_hostcheck(STRCONST("f*.example.com"),
-                            STRCONST("baa.example.com")), "bad 5");
-fail_if(Curl_cert_hostcheck(STRCONST("*.com"),
-                            STRCONST("example.com")), "bad 6");
-fail_if(Curl_cert_hostcheck(STRCONST("*fail.com"),
-                            STRCONST("example.com")), "bad 7");
-fail_if(Curl_cert_hostcheck(STRCONST("*.example."),
-                            STRCONST("www.example.")), "bad 8");
-fail_if(Curl_cert_hostcheck(STRCONST("*.example."),
-                            STRCONST("www.example")), "bad 9");
-fail_if(Curl_cert_hostcheck(STRCONST(""), STRCONST("www")), "bad 10");
-fail_if(Curl_cert_hostcheck(STRCONST("*"), STRCONST("www")), "bad 11");
-fail_if(Curl_cert_hostcheck(STRCONST("*.168.0.0"),
-                            STRCONST("192.168.0.0")), "bad 12");
-fail_if(Curl_cert_hostcheck(STRCONST("www.example.com"),
-                            STRCONST("192.168.0.0")), "bad 13");
-
-#ifdef ENABLE_IPV6
-fail_if(Curl_cert_hostcheck(STRCONST("*::3285:a9ff:fe46:b619"),
-                            STRCONST("fe80::3285:a9ff:fe46:b619")), "bad 14");
-fail_unless(Curl_cert_hostcheck(STRCONST("fe80::3285:a9ff:fe46:b619"),
-                                STRCONST("fe80::3285:a9ff:fe46:b619")),
-            "good 6");
-#endif
+UNITTEST_START
+{
+  int i;
+  for(i = 0; tests[i].host; i++) {
+    if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
+                                             strlen(tests[i].pattern),
+                                             tests[i].host,
+                                             strlen(tests[i].host))) {
+      fprintf(stderr,
+              "HOST: %s\n"
+              "PTRN: %s\n"
+              "did %sMATCH\n",
+              tests[i].host,
+              tests[i].pattern,
+              tests[i].match ? "NOT ": "");
+      unitfail++;
+    }
+  }
+}
 
-#endif
+UNITTEST_STOP
+#else
 
-  /* you end the test code like this: */
+UNITTEST_START
 
 UNITTEST_STOP
+#endif