/src/curl/lib/vtls/hostcheck.c
Line | Count | Source (jump to first uncovered line) |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | ***************************************************************************/ |
24 | | |
25 | | #include "curl_setup.h" |
26 | | |
27 | | #if defined(USE_OPENSSL) \ |
28 | | || defined(USE_GSKIT) \ |
29 | | || defined(USE_SCHANNEL) |
30 | | /* these backends use functions from this file */ |
31 | | |
32 | | #ifdef HAVE_NETINET_IN_H |
33 | | #include <netinet/in.h> |
34 | | #endif |
35 | | #ifdef HAVE_NETINET_IN6_H |
36 | | #include <netinet/in6.h> |
37 | | #endif |
38 | | #include "curl_memrchr.h" |
39 | | |
40 | | #include "hostcheck.h" |
41 | | #include "strcase.h" |
42 | | #include "hostip.h" |
43 | | |
44 | | #include "curl_memory.h" |
45 | | /* The last #include file should be: */ |
46 | | #include "memdebug.h" |
47 | | |
48 | | /* check the two input strings with given length, but do not |
49 | | assume they end in nul-bytes */ |
50 | | static bool pmatch(const char *hostname, size_t hostlen, |
51 | | const char *pattern, size_t patternlen) |
52 | 0 | { |
53 | 0 | if(hostlen != patternlen) |
54 | 0 | return FALSE; |
55 | 0 | return strncasecompare(hostname, pattern, hostlen); |
56 | 0 | } |
57 | | |
58 | | /* |
59 | | * Match a hostname against a wildcard pattern. |
60 | | * E.g. |
61 | | * "foo.host.com" matches "*.host.com". |
62 | | * |
63 | | * We use the matching rule described in RFC6125, section 6.4.3. |
64 | | * https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3 |
65 | | * |
66 | | * In addition: ignore trailing dots in the host names and wildcards, so that |
67 | | * the names are used normalized. This is what the browsers do. |
68 | | * |
69 | | * Do not allow wildcard matching on IP numbers. There are apparently |
70 | | * certificates being used with an IP address in the CN field, thus making no |
71 | | * apparent distinction between a name and an IP. We need to detect the use of |
72 | | * an IP address and not wildcard match on such names. |
73 | | * |
74 | | * Return TRUE on a match. FALSE if not. |
75 | | */ |
76 | | |
77 | | static bool hostmatch(const char *hostname, |
78 | | size_t hostlen, |
79 | | const char *pattern, |
80 | | size_t patternlen) |
81 | 0 | { |
82 | 0 | const char *pattern_label_end, *wildcard, *hostname_label_end; |
83 | 0 | size_t prefixlen, suffixlen; |
84 | | |
85 | | /* normalize pattern and hostname by stripping off trailing dots */ |
86 | 0 | DEBUGASSERT(patternlen); |
87 | 0 | if(hostname[hostlen-1]=='.') |
88 | 0 | hostlen--; |
89 | 0 | if(pattern[patternlen-1]=='.') |
90 | 0 | patternlen--; |
91 | |
|
92 | 0 | wildcard = memchr(pattern, '*', patternlen); |
93 | 0 | if(!wildcard) |
94 | 0 | return pmatch(hostname, hostlen, pattern, patternlen); |
95 | | |
96 | | /* detect IP address as hostname and fail the match if so */ |
97 | 0 | if(Curl_host_is_ipnum(hostname)) |
98 | 0 | return FALSE; |
99 | | |
100 | | /* We require at least 2 dots in the pattern to avoid too wide wildcard |
101 | | match. */ |
102 | 0 | pattern_label_end = memchr(pattern, '.', patternlen); |
103 | 0 | if(!pattern_label_end || |
104 | 0 | (memrchr(pattern, '.', patternlen) == pattern_label_end) || |
105 | 0 | strncasecompare(pattern, "xn--", 4)) |
106 | 0 | return pmatch(hostname, hostlen, pattern, patternlen); |
107 | | |
108 | 0 | hostname_label_end = memchr(hostname, '.', hostlen); |
109 | 0 | if(!hostname_label_end) |
110 | 0 | return FALSE; |
111 | 0 | else { |
112 | 0 | size_t skiphost = hostname_label_end - hostname; |
113 | 0 | size_t skiplen = pattern_label_end - pattern; |
114 | 0 | if(!pmatch(hostname_label_end, hostlen - skiphost, |
115 | 0 | pattern_label_end, patternlen - skiplen)) |
116 | 0 | return FALSE; |
117 | 0 | } |
118 | | /* The wildcard must match at least one character, so the left-most |
119 | | label of the hostname is at least as large as the left-most label |
120 | | of the pattern. */ |
121 | 0 | if(hostname_label_end - hostname < pattern_label_end - pattern) |
122 | 0 | return FALSE; |
123 | | |
124 | 0 | prefixlen = wildcard - pattern; |
125 | 0 | suffixlen = pattern_label_end - (wildcard + 1); |
126 | 0 | return strncasecompare(pattern, hostname, prefixlen) && |
127 | 0 | strncasecompare(wildcard + 1, hostname_label_end - suffixlen, |
128 | 0 | suffixlen) ? TRUE : FALSE; |
129 | 0 | } |
130 | | |
131 | | /* |
132 | | * Curl_cert_hostcheck() returns TRUE if a match and FALSE if not. |
133 | | */ |
134 | | bool Curl_cert_hostcheck(const char *match, size_t matchlen, |
135 | | const char *hostname, size_t hostlen) |
136 | 0 | { |
137 | 0 | if(match && *match && hostname && *hostname) |
138 | 0 | return hostmatch(hostname, hostlen, match, matchlen); |
139 | 0 | return FALSE; |
140 | 0 | } |
141 | | |
142 | | #endif /* OPENSSL, GSKIT or schannel+wince */ |