• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.haxx.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  ***************************************************************************/
22 
23 #include "curl_setup.h"
24 
25 #if defined(USE_OPENSSL)                                \
26   || defined(USE_AXTLS)                                 \
27   || defined(USE_GSKIT)                                 \
28   || (defined(USE_SCHANNEL) && defined(_WIN32_WCE))
29 /* these backends use functions from this file */
30 
31 #ifdef HAVE_NETINET_IN_H
32 #include <netinet/in.h>
33 #endif
34 #ifdef HAVE_NETINET_IN6_H
35 #include <netinet/in6.h>
36 #endif
37 
38 #include "hostcheck.h"
39 #include "strcase.h"
40 #include "inet_pton.h"
41 
42 #include "curl_memory.h"
43 /* The last #include file should be: */
44 #include "memdebug.h"
45 
46 /*
47  * Match a hostname against a wildcard pattern.
48  * E.g.
49  *  "foo.host.com" matches "*.host.com".
50  *
51  * We use the matching rule described in RFC6125, section 6.4.3.
52  * https://tools.ietf.org/html/rfc6125#section-6.4.3
53  *
54  * In addition: ignore trailing dots in the host names and wildcards, so that
55  * the names are used normalized. This is what the browsers do.
56  *
57  * Do not allow wildcard matching on IP numbers. There are apparently
58  * certificates being used with an IP address in the CN field, thus making no
59  * apparent distinction between a name and an IP. We need to detect the use of
60  * an IP address and not wildcard match on such names.
61  *
62  * NOTE: hostmatch() gets called with copied buffers so that it can modify the
63  * contents at will.
64  */
65 
hostmatch(char * hostname,char * pattern)66 static int hostmatch(char *hostname, char *pattern)
67 {
68   const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
69   int wildcard_enabled;
70   size_t prefixlen, suffixlen;
71   struct in_addr ignored;
72 #ifdef ENABLE_IPV6
73   struct sockaddr_in6 si6;
74 #endif
75 
76   /* normalize pattern and hostname by stripping off trailing dots */
77   size_t len = strlen(hostname);
78   if(hostname[len-1]=='.')
79     hostname[len-1] = 0;
80   len = strlen(pattern);
81   if(pattern[len-1]=='.')
82     pattern[len-1] = 0;
83 
84   pattern_wildcard = strchr(pattern, '*');
85   if(pattern_wildcard == NULL)
86     return strcasecompare(pattern, hostname) ?
87       CURL_HOST_MATCH : CURL_HOST_NOMATCH;
88 
89   /* detect IP address as hostname and fail the match if so */
90   if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
91     return CURL_HOST_NOMATCH;
92 #ifdef ENABLE_IPV6
93   if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
94     return CURL_HOST_NOMATCH;
95 #endif
96 
97   /* We require at least 2 dots in pattern to avoid too wide wildcard
98      match. */
99   wildcard_enabled = 1;
100   pattern_label_end = strchr(pattern, '.');
101   if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
102      pattern_wildcard > pattern_label_end ||
103      strncasecompare(pattern, "xn--", 4)) {
104     wildcard_enabled = 0;
105   }
106   if(!wildcard_enabled)
107     return strcasecompare(pattern, hostname) ?
108       CURL_HOST_MATCH : CURL_HOST_NOMATCH;
109 
110   hostname_label_end = strchr(hostname, '.');
111   if(hostname_label_end == NULL ||
112      !strcasecompare(pattern_label_end, hostname_label_end))
113     return CURL_HOST_NOMATCH;
114 
115   /* The wildcard must match at least one character, so the left-most
116      label of the hostname is at least as large as the left-most label
117      of the pattern. */
118   if(hostname_label_end - hostname < pattern_label_end - pattern)
119     return CURL_HOST_NOMATCH;
120 
121   prefixlen = pattern_wildcard - pattern;
122   suffixlen = pattern_label_end - (pattern_wildcard + 1);
123   return strncasecompare(pattern, hostname, prefixlen) &&
124     strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
125                     suffixlen) ?
126     CURL_HOST_MATCH : CURL_HOST_NOMATCH;
127 }
128 
Curl_cert_hostcheck(const char * match_pattern,const char * hostname)129 int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
130 {
131   char *matchp;
132   char *hostp;
133   int res = 0;
134   if(!match_pattern || !*match_pattern ||
135       !hostname || !*hostname) /* sanity check */
136     ;
137   else {
138     matchp = strdup(match_pattern);
139     if(matchp) {
140       hostp = strdup(hostname);
141       if(hostp) {
142         if(hostmatch(hostp, matchp) == CURL_HOST_MATCH)
143           res = 1;
144         free(hostp);
145       }
146       free(matchp);
147     }
148   }
149 
150   return res;
151 }
152 
153 #endif /* OPENSSL, AXTLS, GSKIT or schannel+wince */
154