XRootD
XrdTlsHostcheck.icc
Go to the documentation of this file.
1 /***************************************************************************
2  * _ _ ____ _
3  * Project ___| | | | _ \| |
4  * / __| | | | |_) | |
5  * | (__| |_| | _ <| |___
6  * \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at http://curl.haxx.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  ***************************************************************************/
22 
23 /* This file is an amalgamation of hostcheck.c and most of rawstr.c
24  from cURL. The contents of the COPYING file mentioned above are:
25 
26 COPYRIGHT AND PERMISSION NOTICE
27 
28 Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>.
29 
30 All rights reserved.
31 
32 Permission to use, copy, modify, and distribute this software for any purpose
33 with or without fee is hereby granted, provided that the above copyright
34 notice and this permission notice appear in all copies.
35 
36 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
37 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
38 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
39 NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
40 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
41 OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
42 OR OTHER DEALINGS IN THE SOFTWARE.
43 
44 Except as contained in this notice, the name of a copyright holder shall not
45 be used in advertising or otherwise to promote the sale, use or other dealings
46 in this Software without prior written authorization of the copyright holder.
47 */
48 
49 /* #include "hostcheck.h" */
50 #include <cstring>
51 
52 /* Portable, consistent toupper (remember EBCDIC). Do not use toupper() because
53  its behavior is altered by the current locale. */
54 static char Curl_raw_toupper(char in)
55 {
56  switch (in) {
57  case 'a':
58  return 'A';
59  case 'b':
60  return 'B';
61  case 'c':
62  return 'C';
63  case 'd':
64  return 'D';
65  case 'e':
66  return 'E';
67  case 'f':
68  return 'F';
69  case 'g':
70  return 'G';
71  case 'h':
72  return 'H';
73  case 'i':
74  return 'I';
75  case 'j':
76  return 'J';
77  case 'k':
78  return 'K';
79  case 'l':
80  return 'L';
81  case 'm':
82  return 'M';
83  case 'n':
84  return 'N';
85  case 'o':
86  return 'O';
87  case 'p':
88  return 'P';
89  case 'q':
90  return 'Q';
91  case 'r':
92  return 'R';
93  case 's':
94  return 'S';
95  case 't':
96  return 'T';
97  case 'u':
98  return 'U';
99  case 'v':
100  return 'V';
101  case 'w':
102  return 'W';
103  case 'x':
104  return 'X';
105  case 'y':
106  return 'Y';
107  case 'z':
108  return 'Z';
109  }
110  return in;
111 }
112 
113 /*
114  * Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant
115  * to be locale independent and only compare strings we know are safe for
116  * this. See http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for
117  * some further explanation to why this function is necessary.
118  *
119  * The function is capable of comparing a-z case insensitively even for
120  * non-ascii.
121  */
122 
123 static int Curl_raw_equal(const char *first, const char *second)
124 {
125  while(*first && *second) {
126  if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second))
127  /* get out of the loop as soon as they don't match */
128  break;
129  first++;
130  second++;
131  }
132  /* we do the comparison here (possibly again), just to make sure that if the
133  loop above is skipped because one of the strings reached zero, we must not
134  return this as a successful match */
135  return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second));
136 }
137 
138 static int Curl_raw_nequal(const char *first, const char *second, size_t max)
139 {
140  while(*first && *second && max) {
141  if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) {
142  break;
143  }
144  max--;
145  first++;
146  second++;
147  }
148  if(0 == max)
149  return 1; /* they are equal this far */
150 
151  return Curl_raw_toupper(*first) == Curl_raw_toupper(*second);
152 }
153 
154 /*
155  * Match a hostname against a wildcard pattern.
156  * E.g.
157  * "foo.host.com" matches "*.host.com".
158  *
159  * We use the matching rule described in RFC6125, section 6.4.3.
160  * http://tools.ietf.org/html/rfc6125#section-6.4.3
161  */
162 
163 static int hostmatch(const char *hostname, const char *pattern)
164 {
165  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
166  int wildcard_enabled;
167  size_t prefixlen, suffixlen;
168  pattern_wildcard = strchr(pattern, '*');
169  if(pattern_wildcard == NULL)
170  return Curl_raw_equal(pattern, hostname) ?
172 
173  /* We require at least 2 dots in pattern to avoid too wide wildcard
174  match. */
175  wildcard_enabled = 1;
176  pattern_label_end = strchr(pattern, '.');
177  if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
178  pattern_wildcard > pattern_label_end ||
179  Curl_raw_nequal(pattern, "xn--", 4)) {
180  wildcard_enabled = 0;
181  }
182  if(!wildcard_enabled)
183  return Curl_raw_equal(pattern, hostname) ?
185 
186  hostname_label_end = strchr(hostname, '.');
187  if(hostname_label_end == NULL ||
188  !Curl_raw_equal(pattern_label_end, hostname_label_end))
189  return CURL_HOST_NOMATCH;
190 
191  /* The wildcard must match at least one character, so the left-most
192  label of the hostname is at least as large as the left-most label
193  of the pattern. */
194  if(hostname_label_end - hostname < pattern_label_end - pattern)
195  return CURL_HOST_NOMATCH;
196 
197  prefixlen = pattern_wildcard - pattern;
198  suffixlen = pattern_label_end - (pattern_wildcard+1);
199  return Curl_raw_nequal(pattern, hostname, prefixlen) &&
200  Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
201  suffixlen) ?
203 }
204 
205 int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
206 {
207  if(!match_pattern || !*match_pattern ||
208  !hostname || !*hostname) /* sanity check */
209  return 0;
210 
211  if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
212  return 1;
213 
214  if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH)
215  return 1;
216  return 0;
217 }
#define CURL_HOST_NOMATCH
#define CURL_HOST_MATCH
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
static char Curl_raw_toupper(char in)
static int Curl_raw_equal(const char *first, const char *second)
static int hostmatch(const char *hostname, const char *pattern)
static int Curl_raw_nequal(const char *first, const char *second, size_t max)