37
42
* We use the matching rule described in RFC6125, section 6.4.3.
38
43
* http://tools.ietf.org/html/rfc6125#section-6.4.3
45
* In addition: ignore trailing dots in the host names and wildcards, so that
46
* the names are used normalized. This is what the browsers do.
48
* Do not allow wildcard matching on IP numbers. There are apparently
49
* certificates being used with an IP address in the CN field, thus making no
50
* apparent distinction between a name and an IP. We need to detect the use of
51
* an IP address and not wildcard match on such names.
53
* NOTE: hostmatch() gets called with copied buffers so that it can modify the
41
static int hostmatch(const char *hostname, const char *pattern)
57
static int hostmatch(char *hostname, char *pattern)
43
59
const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
44
60
int wildcard_enabled;
45
61
size_t prefixlen, suffixlen;
62
struct in_addr ignored;
64
struct sockaddr_in6 si6;
67
/* normalize pattern and hostname by stripping off trailing dots */
68
size_t len = strlen(hostname);
69
if(hostname[len-1]=='.')
71
len = strlen(pattern);
72
if(pattern[len-1]=='.')
46
75
pattern_wildcard = strchr(pattern, '*');
47
76
if(pattern_wildcard == NULL)
48
77
return Curl_raw_equal(pattern, hostname) ?
49
78
CURL_HOST_MATCH : CURL_HOST_NOMATCH;
80
/* detect IP address as hostname and fail the match if so */
81
if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
82
return CURL_HOST_NOMATCH;
84
else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
85
return CURL_HOST_NOMATCH;
51
88
/* We require at least 2 dots in pattern to avoid too wide wildcard
53
90
wildcard_enabled = 1;
83
120
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
85
125
if(!match_pattern || !*match_pattern ||
86
126
!hostname || !*hostname) /* sanity check */
89
if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
92
if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH)
129
matchp = strdup(match_pattern);
131
hostp = strdup(hostname);
133
if(hostmatch(hostp, matchp) == CURL_HOST_MATCH)
97
144
#endif /* SSLEAY or AXTLS or QSOSSL or GSKIT or NSS */
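Review bot: The trailing-dot normalization in hostmatch() reads `hostname[len-1]` and `pattern[len-1]` without checking that `len` is non-zero, so an empty string would index one byte before the start of the buffer. The only caller visible here, Curl_cert_hostcheck(), rejects empty strings in its sanity check, so this holds today, but the precondition is implicit. I would guard it locally with `if(len && hostname[len-1]=='.')` (and the same for `pattern`), or state the non-empty requirement in the NOTE comment above the function. The lines between the two strdup() calls and the hostmatch(hostp, matchp) call are not shown on this page, so please confirm both copies are NULL-checked and that an allocation failure ends in a no-match result rather than a match.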