2
0

hostcheck.c 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at http://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. #include "curl_setup.h"
  23. #if defined(USE_SSLEAY) || defined(USE_AXTLS) || defined(USE_GSKIT)
  24. /* these backends use functions from this file */
  25. #ifdef HAVE_NETINET_IN_H
  26. #include <netinet/in.h>
  27. #endif
  28. #include "hostcheck.h"
  29. #include "rawstr.h"
  30. #include "inet_pton.h"
  31. #include "curl_memory.h"
  32. /* The last #include file should be: */
  33. #include "memdebug.h"
  34. /*
  35. * Match a hostname against a wildcard pattern.
  36. * E.g.
  37. * "foo.host.com" matches "*.host.com".
  38. *
  39. * We use the matching rule described in RFC6125, section 6.4.3.
  40. * http://tools.ietf.org/html/rfc6125#section-6.4.3
  41. *
  42. * In addition: ignore trailing dots in the host names and wildcards, so that
  43. * the names are used normalized. This is what the browsers do.
  44. *
  45. * Do not allow wildcard matching on IP numbers. There are apparently
  46. * certificates being used with an IP address in the CN field, thus making no
  47. * apparent distinction between a name and an IP. We need to detect the use of
  48. * an IP address and not wildcard match on such names.
  49. *
  50. * NOTE: hostmatch() gets called with copied buffers so that it can modify the
  51. * contents at will.
  52. */
  53. static int hostmatch(char *hostname, char *pattern)
  54. {
  55. const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
  56. int wildcard_enabled;
  57. size_t prefixlen, suffixlen;
  58. struct in_addr ignored;
  59. #ifdef ENABLE_IPV6
  60. struct sockaddr_in6 si6;
  61. #endif
  62. /* normalize pattern and hostname by stripping off trailing dots */
  63. size_t len = strlen(hostname);
  64. if(hostname[len-1]=='.')
  65. hostname[len-1]=0;
  66. len = strlen(pattern);
  67. if(pattern[len-1]=='.')
  68. pattern[len-1]=0;
  69. pattern_wildcard = strchr(pattern, '*');
  70. if(pattern_wildcard == NULL)
  71. return Curl_raw_equal(pattern, hostname) ?
  72. CURL_HOST_MATCH : CURL_HOST_NOMATCH;
  73. /* detect IP address as hostname and fail the match if so */
  74. if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
  75. return CURL_HOST_NOMATCH;
  76. #ifdef ENABLE_IPV6
  77. else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
  78. return CURL_HOST_NOMATCH;
  79. #endif
  80. /* We require at least 2 dots in pattern to avoid too wide wildcard
  81. match. */
  82. wildcard_enabled = 1;
  83. pattern_label_end = strchr(pattern, '.');
  84. if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
  85. pattern_wildcard > pattern_label_end ||
  86. Curl_raw_nequal(pattern, "xn--", 4)) {
  87. wildcard_enabled = 0;
  88. }
  89. if(!wildcard_enabled)
  90. return Curl_raw_equal(pattern, hostname) ?
  91. CURL_HOST_MATCH : CURL_HOST_NOMATCH;
  92. hostname_label_end = strchr(hostname, '.');
  93. if(hostname_label_end == NULL ||
  94. !Curl_raw_equal(pattern_label_end, hostname_label_end))
  95. return CURL_HOST_NOMATCH;
  96. /* The wildcard must match at least one character, so the left-most
  97. label of the hostname is at least as large as the left-most label
  98. of the pattern. */
  99. if(hostname_label_end - hostname < pattern_label_end - pattern)
  100. return CURL_HOST_NOMATCH;
  101. prefixlen = pattern_wildcard - pattern;
  102. suffixlen = pattern_label_end - (pattern_wildcard+1);
  103. return Curl_raw_nequal(pattern, hostname, prefixlen) &&
  104. Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
  105. suffixlen) ?
  106. CURL_HOST_MATCH : CURL_HOST_NOMATCH;
  107. }
  108. int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
  109. {
  110. char *matchp;
  111. char *hostp;
  112. int res = 0;
  113. if(!match_pattern || !*match_pattern ||
  114. !hostname || !*hostname) /* sanity check */
  115. ;
  116. else {
  117. matchp = strdup(match_pattern);
  118. if(matchp) {
  119. hostp = strdup(hostname);
  120. if(hostp) {
  121. if(hostmatch(hostp, matchp) == CURL_HOST_MATCH)
  122. res= 1;
  123. free(hostp);
  124. }
  125. free(matchp);
  126. }
  127. }
  128. return res;
  129. }
  130. #endif /* SSLEAY or AXTLS or GSKIT */