diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2014-03-03 11:55:23 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2014-03-25 23:01:37 +0100 |
| commit | 965690f67e190b5069cb0b16eef6917cb0d8ae18 (patch) | |
| tree | 73a7801b3da7f7e70a640df43a085c652d26591f | |
| parent | 5019c780958c3a8dbe64123aa90e6eaff1b84cfa (diff) | |
| download | gnurl-965690f67e190b5069cb0b16eef6917cb0d8ae18.tar.gz gnurl-965690f67e190b5069cb0b16eef6917cb0d8ae18.tar.bz2 gnurl-965690f67e190b5069cb0b16eef6917cb0d8ae18.zip | |
Curl_cert_hostcheck: strip trailing dots in host name and wildcard
Reported-by: Richard Moore
| -rw-r--r-- | lib/hostcheck.c | 50 |
1 files changed, 42 insertions, 8 deletions
diff --git a/lib/hostcheck.c b/lib/hostcheck.c index d144f319a..162c52230 100644 --- a/lib/hostcheck.c +++ b/lib/hostcheck.c @@ -30,6 +30,10 @@ #include "rawstr.h" #include "inet_pton.h" +#include "curl_memory.h" +/* The last #include file should be: */ +#include "memdebug.h" + /* * Match a hostname against a wildcard pattern. * E.g. @@ -37,9 +41,20 @@ * * We use the matching rule described in RFC6125, section 6.4.3. * http://tools.ietf.org/html/rfc6125#section-6.4.3 + * + * In addition: ignore trailing dots in the host names and wildcards, so that + * the names are used normalized. This is what the browsers do. + * + * Do not allow wildcard matching on IP numbers. There are apparently + * certificates being used with an IP address in the CN field, thus making no + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * + * NOTE: hostmatch() gets called with copied buffers so that it can modify the + * contents at will. */ -static int hostmatch(const char *hostname, const char *pattern) +static int hostmatch(char *hostname, char *pattern) { const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; int wildcard_enabled; @@ -48,6 +63,15 @@ static int hostmatch(const char *hostname, const char *pattern) #ifdef ENABLE_IPV6 struct sockaddr_in6 si6; #endif + + /* normalize pattern and hostname by stripping off trailing dots */ + size_t len = strlen(hostname); + if(hostname[len-1]=='.') + hostname[len-1]=0; + len = strlen(pattern); + if(pattern[len-1]=='.') + pattern[len-1]=0; + pattern_wildcard = strchr(pattern, '*'); if(pattern_wildcard == NULL) return Curl_raw_equal(pattern, hostname) ? @@ -95,16 +119,26 @@ static int hostmatch(const char *hostname, const char *pattern) int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) { + char *matchp; + char *hostp; + int res = 0; if(!match_pattern || !*match_pattern || !hostname || !*hostname) /* sanity check */ - return 0; - - if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */ - return 1; + ; + else { + matchp = strdup(match_pattern); + if(matchp) { + hostp = strdup(hostname); + if(hostp) { + if(hostmatch(hostp, matchp) == CURL_HOST_MATCH) + res= 1; + free(hostp); + } + free(matchp); + } + } - if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH) - return 1; - return 0; + return res; } #endif /* SSLEAY or AXTLS or QSOSSL or GSKIT */ |