1*6236dae4SAndroid Build Coastguard Worker /***************************************************************************
2*6236dae4SAndroid Build Coastguard Worker * _ _ ____ _
3*6236dae4SAndroid Build Coastguard Worker * Project ___| | | | _ \| |
4*6236dae4SAndroid Build Coastguard Worker * / __| | | | |_) | |
5*6236dae4SAndroid Build Coastguard Worker * | (__| |_| | _ <| |___
6*6236dae4SAndroid Build Coastguard Worker * \___|\___/|_| \_\_____|
7*6236dae4SAndroid Build Coastguard Worker *
8*6236dae4SAndroid Build Coastguard Worker * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
9*6236dae4SAndroid Build Coastguard Worker *
10*6236dae4SAndroid Build Coastguard Worker * This software is licensed as described in the file COPYING, which
11*6236dae4SAndroid Build Coastguard Worker * you should have received as part of this distribution. The terms
12*6236dae4SAndroid Build Coastguard Worker * are also available at https://curl.se/docs/copyright.html.
13*6236dae4SAndroid Build Coastguard Worker *
14*6236dae4SAndroid Build Coastguard Worker * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15*6236dae4SAndroid Build Coastguard Worker * copies of the Software, and permit persons to whom the Software is
16*6236dae4SAndroid Build Coastguard Worker * furnished to do so, under the terms of the COPYING file.
17*6236dae4SAndroid Build Coastguard Worker *
18*6236dae4SAndroid Build Coastguard Worker * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19*6236dae4SAndroid Build Coastguard Worker * KIND, either express or implied.
20*6236dae4SAndroid Build Coastguard Worker *
21*6236dae4SAndroid Build Coastguard Worker * SPDX-License-Identifier: curl
22*6236dae4SAndroid Build Coastguard Worker *
23*6236dae4SAndroid Build Coastguard Worker ***************************************************************************/
24*6236dae4SAndroid Build Coastguard Worker
25*6236dae4SAndroid Build Coastguard Worker #include "curl_setup.h"
26*6236dae4SAndroid Build Coastguard Worker
27*6236dae4SAndroid Build Coastguard Worker #if defined(USE_OPENSSL) \
28*6236dae4SAndroid Build Coastguard Worker || defined(USE_SCHANNEL)
29*6236dae4SAndroid Build Coastguard Worker /* these backends use functions from this file */
30*6236dae4SAndroid Build Coastguard Worker
31*6236dae4SAndroid Build Coastguard Worker #ifdef HAVE_NETINET_IN_H
32*6236dae4SAndroid Build Coastguard Worker #include <netinet/in.h>
33*6236dae4SAndroid Build Coastguard Worker #endif
34*6236dae4SAndroid Build Coastguard Worker #ifdef HAVE_NETINET_IN6_H
35*6236dae4SAndroid Build Coastguard Worker #include <netinet/in6.h>
36*6236dae4SAndroid Build Coastguard Worker #endif
37*6236dae4SAndroid Build Coastguard Worker #include "curl_memrchr.h"
38*6236dae4SAndroid Build Coastguard Worker
39*6236dae4SAndroid Build Coastguard Worker #include "hostcheck.h"
40*6236dae4SAndroid Build Coastguard Worker #include "strcase.h"
41*6236dae4SAndroid Build Coastguard Worker #include "hostip.h"
42*6236dae4SAndroid Build Coastguard Worker
43*6236dae4SAndroid Build Coastguard Worker #include "curl_memory.h"
44*6236dae4SAndroid Build Coastguard Worker /* The last #include file should be: */
45*6236dae4SAndroid Build Coastguard Worker #include "memdebug.h"
46*6236dae4SAndroid Build Coastguard Worker
/* check the two input strings with given length, but do not
   assume they end in nul-bytes */
static bool pmatch(const char *hostname, size_t hostlen,
                   const char *pattern, size_t patternlen)
{
  /* Two buffers of different length can never be the same name; only an
     equal-length pair is handed to the case-insensitive comparison. Neither
     buffer is required to be nul-terminated, hence the explicit lengths. */
  bool same_length = (hostlen == patternlen);
  return same_length ? strncasecompare(hostname, pattern, hostlen) : FALSE;
}
/*
 * Match a hostname against a wildcard pattern.
 * E.g.
 *  "foo.host.com" matches "*.host.com".
 *
 * We use the matching rule described in RFC6125, section 6.4.3.
 * https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3
 *
 * In addition: ignore trailing dots in the hostnames and wildcards, so that
 * the names are used normalized. This is what the browsers do.
 *
 * Do not allow wildcard matching on IP numbers. There are apparently
 * certificates being used with an IP address in the CN field, thus making no
 * apparent distinction between a name and an IP. We need to detect the use of
 * an IP address and not wildcard match on such names.
 *
 * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor
 * "*b".
 *
 * Return TRUE on a match. FALSE if not.
 *
 * @unittest: 1397
 */
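static bool hostmatch(const char *hostname,
                      size_t hostlen,
                      const char *pattern,
                      size_t patternlen)
{
  const char *pattern_label_end;
  const char *hostname_label_end;

  DEBUGASSERT(pattern);
  DEBUGASSERT(patternlen);
  DEBUGASSERT(hostname);
  DEBUGASSERT(hostlen);

  /* normalize pattern and hostname by stripping off one trailing dot each */
  if(hostname[hostlen - 1] == '.')
    hostlen--;
  if(pattern[patternlen - 1] == '.')
    patternlen--;

  /* Only a pattern whose leftmost label is exactly "*." is a wildcard;
     everything else is compared literally. The length check comes first so
     strncmp() never has to read a second byte from a pattern shorter than
     two characters - the buffers carry explicit lengths and need not be
     nul-terminated. */
  if(patternlen < 2 || strncmp(pattern, "*.", 2))
    return pmatch(hostname, hostlen, pattern, patternlen);

  /* a wildcard never matches an IP address literal.
     NOTE(review): Curl_host_is_ipnum() takes no length, so hostname is
     assumed to be nul-terminated here - confirm against the callers. */
  if(Curl_host_is_ipnum(hostname))
    return FALSE;

  /* We require at least 2 dots in the pattern to avoid too wide a wildcard
     match ("*.com" is not acceptable). With fewer, the '*' is treated as a
     literal character. */
  pattern_label_end = memchr(pattern, '.', patternlen);
  if(!pattern_label_end ||
     memrchr(pattern, '.', patternlen) == pattern_label_end)
    return pmatch(hostname, hostlen, pattern, patternlen);

  /* The wildcard stands for the hostname's leftmost label only: compare
     everything from the first dot onwards on both sides. A hostname without
     any dot cannot match a wildcard pattern. */
  hostname_label_end = memchr(hostname, '.', hostlen);
  if(!hostname_label_end)
    return FALSE;

  {
    /* NOTE(review): a hostname whose first label is empty (leading dot)
       yields skiphost == 0 and is still compared from that dot; callers are
       presumably passing validated hostnames - confirm. */
    size_t skiphost = (size_t)(hostname_label_end - hostname);
    size_t skiplen = (size_t)(pattern_label_end - pattern);
    return pmatch(hostname_label_end, hostlen - skiphost,
                  pattern_label_end, patternlen - skiplen);
  }
}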
/*
 * Curl_cert_hostcheck() returns TRUE if a match and FALSE if not.
 */
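/*
 * Compare a certificate name (the pattern, 'match' with 'matchlen') against
 * the hostname being connected to ('hostname' with 'hostlen').
 *
 * Returns TRUE if the certificate name matches the hostname, FALSE if not or
 * if either input is missing or empty.
 *
 * hostmatch() only DEBUGASSERTs the two lengths before indexing [len - 1],
 * and DEBUGASSERT is compiled out in release builds, so a zero length is
 * rejected here as well instead of being turned into an out-of-bounds read.
 * Callers passing strlen()-derived lengths see no behavior change.
 */
bool Curl_cert_hostcheck(const char *match, size_t matchlen,
                         const char *hostname, size_t hostlen)
{
  if(match && *match && matchlen && hostname && *hostname && hostlen)
    return hostmatch(hostname, hostlen, match, matchlen);
  return FALSE;
}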
135*6236dae4SAndroid Build Coastguard Worker #endif /* OPENSSL or SCHANNEL */