2
0

hostcheck.c 4.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. #include "curl_setup.h"
  23. #if defined(USE_OPENSSL) \
  24. || defined(USE_GSKIT) \
  25. || defined(USE_SCHANNEL)
  26. /* these backends use functions from this file */
  27. #ifdef HAVE_NETINET_IN_H
  28. #include <netinet/in.h>
  29. #endif
  30. #ifdef HAVE_NETINET_IN6_H
  31. #include <netinet/in6.h>
  32. #endif
  33. #include "hostcheck.h"
  34. #include "strcase.h"
  35. #include "inet_pton.h"
  36. #include "curl_memory.h"
  37. /* The last #include file should be: */
  38. #include "memdebug.h"
  39. /*
  40. * Match a hostname against a wildcard pattern.
  41. * E.g.
  42. * "foo.host.com" matches "*.host.com".
  43. *
  44. * We use the matching rule described in RFC6125, section 6.4.3.
  45. * https://tools.ietf.org/html/rfc6125#section-6.4.3
  46. *
  47. * In addition: ignore trailing dots in the host names and wildcards, so that
  48. * the names are used normalized. This is what the browsers do.
  49. *
  50. * Do not allow wildcard matching on IP numbers. There are apparently
  51. * certificates being used with an IP address in the CN field, thus making no
  52. * apparent distinction between a name and an IP. We need to detect the use of
  53. * an IP address and not wildcard match on such names.
  54. *
  55. * NOTE: hostmatch() gets called with copied buffers so that it can modify the
  56. * contents at will.
  57. */
  58. static int hostmatch(char *hostname, char *pattern)
  59. {
  60. const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
  61. int wildcard_enabled;
  62. size_t prefixlen, suffixlen;
  63. struct in_addr ignored;
  64. #ifdef ENABLE_IPV6
  65. struct sockaddr_in6 si6;
  66. #endif
  67. /* normalize pattern and hostname by stripping off trailing dots */
  68. size_t len = strlen(hostname);
  69. if(hostname[len-1]=='.')
  70. hostname[len-1] = 0;
  71. len = strlen(pattern);
  72. if(pattern[len-1]=='.')
  73. pattern[len-1] = 0;
  74. pattern_wildcard = strchr(pattern, '*');
  75. if(pattern_wildcard == NULL)
  76. return strcasecompare(pattern, hostname) ?
  77. CURL_HOST_MATCH : CURL_HOST_NOMATCH;
  78. /* detect IP address as hostname and fail the match if so */
  79. if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
  80. return CURL_HOST_NOMATCH;
  81. #ifdef ENABLE_IPV6
  82. if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
  83. return CURL_HOST_NOMATCH;
  84. #endif
  85. /* We require at least 2 dots in pattern to avoid too wide wildcard
  86. match. */
  87. wildcard_enabled = 1;
  88. pattern_label_end = strchr(pattern, '.');
  89. if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
  90. pattern_wildcard > pattern_label_end ||
  91. strncasecompare(pattern, "xn--", 4)) {
  92. wildcard_enabled = 0;
  93. }
  94. if(!wildcard_enabled)
  95. return strcasecompare(pattern, hostname) ?
  96. CURL_HOST_MATCH : CURL_HOST_NOMATCH;
  97. hostname_label_end = strchr(hostname, '.');
  98. if(hostname_label_end == NULL ||
  99. !strcasecompare(pattern_label_end, hostname_label_end))
  100. return CURL_HOST_NOMATCH;
  101. /* The wildcard must match at least one character, so the left-most
  102. label of the hostname is at least as large as the left-most label
  103. of the pattern. */
  104. if(hostname_label_end - hostname < pattern_label_end - pattern)
  105. return CURL_HOST_NOMATCH;
  106. prefixlen = pattern_wildcard - pattern;
  107. suffixlen = pattern_label_end - (pattern_wildcard + 1);
  108. return strncasecompare(pattern, hostname, prefixlen) &&
  109. strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
  110. suffixlen) ?
  111. CURL_HOST_MATCH : CURL_HOST_NOMATCH;
  112. }
  113. int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
  114. {
  115. int res = 0;
  116. if(!match_pattern || !*match_pattern ||
  117. !hostname || !*hostname) /* sanity check */
  118. ;
  119. else {
  120. char *matchp = strdup(match_pattern);
  121. if(matchp) {
  122. char *hostp = strdup(hostname);
  123. if(hostp) {
  124. if(hostmatch(hostp, matchp) == CURL_HOST_MATCH)
  125. res = 1;
  126. free(hostp);
  127. }
  128. free(matchp);
  129. }
  130. }
  131. return res;
  132. }
  133. #endif /* OPENSSL, GSKIT or schannel+wince */