* Return TRUE on a match. FALSE if not.
*/
-static bool hostmatch(const char *hostname, const char *pattern,
+static bool hostmatch(const char *hostname,
+ size_t hostlen,
+ const char *pattern,
size_t patternlen)
{
const char *pattern_label_end, *wildcard, *hostname_label_end;
size_t prefixlen, suffixlen;
/* normalize pattern and hostname by stripping off trailing dots */
- size_t hostlen = strlen(hostname);
DEBUGASSERT(patternlen);
if(hostname[hostlen-1]=='.')
hostlen--;
* Curl_cert_hostcheck() returns TRUE if a match and FALSE if not.
*/
bool Curl_cert_hostcheck(const char *match, size_t matchlen,
- const char *hostname)
+ const char *hostname, size_t hostlen)
{
if(match && *match && hostname && *hostname)
- return hostmatch(hostname, match, matchlen);
+ return hostmatch(hostname, hostlen, match, matchlen);
return FALSE;
}
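Review bot: The guard in Curl_cert_hostcheck() still tests `*hostname` but never looks at the new `hostlen`, so a caller that passes 0 for a non-empty string reaches `hostname[hostlen-1]` in hostmatch(), which indexes one byte before the buffer. Before this change the length came from strlen() inside hostmatch() and could not disagree with the string. I would extend the guard to `if(match && *match && hostname && *hostname && hostlen)` and add `DEBUGASSERT(hostlen);` next to `DEBUGASSERT(patternlen);` in hostmatch(), whose body continues outside the visible hunk. The updated unit tests only pass STRCONST() lengths, so a zero or mismatched `hostlen` is not exercised.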
const char *match_pattern,
size_t matchlen,
const char *hostname,
+ size_t hostlen,
const char *dispname)
{
#ifdef CURL_DISABLE_VERBOSE_STRINGS
(void)dispname;
(void)data;
#endif
- if(Curl_cert_hostcheck(match_pattern, matchlen, hostname)) {
+ if(Curl_cert_hostcheck(match_pattern, matchlen, hostname, hostlen)) {
infof(data, " subjectAltName: host \"%s\" matched cert's \"%s\"",
dispname, match_pattern);
return TRUE;
bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
const char * const hostname = SSL_HOST_NAME();
const char * const dispname = SSL_HOST_DISPNAME();
+ size_t hostlen = strlen(hostname);
#ifdef ENABLE_IPV6
if(conn->bits.ipv6_ip &&
if((altlen == strlen(altptr)) &&
/* if this isn't true, there was an embedded zero in the name
string and we cannot match it. */
- subj_alt_hostcheck(data, altptr, altlen, hostname, dispname)) {
+ subj_alt_hostcheck(data,
+ altptr,
+ altlen, hostname, hostlen, dispname)) {
dnsmatched = TRUE;
}
break;
"SSL: unable to obtain common name from peer certificate");
result = CURLE_PEER_FAILED_VERIFICATION;
}
- else if(!Curl_cert_hostcheck((const char *)peer_CN, peerlen, hostname)) {
+ else if(!Curl_cert_hostcheck((const char *)peer_CN,
+ peerlen, hostname, hostlen)) {
failf(data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", peer_CN, dispname);
result = CURLE_PEER_FAILED_VERIFICATION;
ssize_t len;
const char * const hostname = SSL_HOST_NAME();
const char * const dispname = SSL_HOST_DISPNAME();
+ size_t hostlen = strlen(hostname);
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING,
name.beg, name.end);
if(len > 0 && (size_t)len == strlen(dnsname))
- matched = Curl_cert_hostcheck(dnsname, (size_t)len, hostname);
+ matched = Curl_cert_hostcheck(dnsname,
+ (size_t)len, hostname, hostlen);
else
matched = 0;
free(dnsname);
}
if(strlen(dnsname) != (size_t) len) /* Nul byte in string ? */
failf(data, "SSL: illegal cert name field");
- else if(Curl_cert_hostcheck((const char *) dnsname, hostname)) {
+ else if(Curl_cert_hostcheck((const char *) dnsname,
+ len, hostname, hostlen)) {
infof(data, " common name: %s (matched)", dnsname);
free(dnsname);
return CURLE_OK;
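Review bot: `len` is passed to the `size_t matchlen` parameter without a cast here, although it appears to be the `ssize_t len` declared earlier in this change, and the earlier call in this change writes `(size_t)len`. The `strlen(dnsname) != (size_t) len` test just above means the value cannot be negative on this branch, so this is a consistency and sign-conversion-warning point rather than a behaviour change. I would write the argument as `(size_t)len, hostname, hostlen)) {` to match. The enclosing function starts and ends outside the hunk.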
/* here you start doing things and checking that the results are good */
fail_unless(Curl_cert_hostcheck(STRCONST("www.example.com"),
- "www.example.com"), "good 1");
-fail_unless(Curl_cert_hostcheck(STRCONST("*.example.com"), "www.example.com"),
+ STRCONST("www.example.com")), "good 1");
+fail_unless(Curl_cert_hostcheck(STRCONST("*.example.com"),
+ STRCONST("www.example.com")),
"good 2");
fail_unless(Curl_cert_hostcheck(STRCONST("xxx*.example.com"),
- "xxxwww.example.com"), "good 3");
-fail_unless(Curl_cert_hostcheck(STRCONST("f*.example.com"), "foo.example.com"),
- "good 4");
-fail_unless(Curl_cert_hostcheck(STRCONST("192.168.0.0"), "192.168.0.0"),
- "good 5");
+ STRCONST("xxxwww.example.com")), "good 3");
+fail_unless(Curl_cert_hostcheck(STRCONST("f*.example.com"),
+ STRCONST("foo.example.com")), "good 4");
+fail_unless(Curl_cert_hostcheck(STRCONST("192.168.0.0"),
+ STRCONST("192.168.0.0")), "good 5");
fail_if(Curl_cert_hostcheck(STRCONST("xxx.example.com"),
- "www.example.com"), "bad 1");
-fail_if(Curl_cert_hostcheck(STRCONST("*"), "www.example.com"), "bad 2");
-fail_if(Curl_cert_hostcheck(STRCONST("*.*.com"), "www.example.com"), "bad 3");
+ STRCONST("www.example.com")), "bad 1");
+fail_if(Curl_cert_hostcheck(STRCONST("*"),
+ STRCONST("www.example.com")),"bad 2");
+fail_if(Curl_cert_hostcheck(STRCONST("*.*.com"),
+ STRCONST("www.example.com")), "bad 3");
fail_if(Curl_cert_hostcheck(STRCONST("*.example.com"),
- "baa.foo.example.com"), "bad 4");
+ STRCONST("baa.foo.example.com")), "bad 4");
fail_if(Curl_cert_hostcheck(STRCONST("f*.example.com"),
- "baa.example.com"), "bad 5");
-fail_if(Curl_cert_hostcheck(STRCONST("*.com"), "example.com"), "bad 6");
-fail_if(Curl_cert_hostcheck(STRCONST("*fail.com"), "example.com"), "bad 7");
-fail_if(Curl_cert_hostcheck(STRCONST("*.example."), "www.example."), "bad 8");
-fail_if(Curl_cert_hostcheck(STRCONST("*.example."), "www.example"), "bad 9");
-fail_if(Curl_cert_hostcheck(STRCONST(""), "www"), "bad 10");
-fail_if(Curl_cert_hostcheck(STRCONST("*"), "www"), "bad 11");
-fail_if(Curl_cert_hostcheck(STRCONST("*.168.0.0"), "192.168.0.0"), "bad 12");
+ STRCONST("baa.example.com")), "bad 5");
+fail_if(Curl_cert_hostcheck(STRCONST("*.com"),
+ STRCONST("example.com")), "bad 6");
+fail_if(Curl_cert_hostcheck(STRCONST("*fail.com"),
+ STRCONST("example.com")), "bad 7");
+fail_if(Curl_cert_hostcheck(STRCONST("*.example."),
+ STRCONST("www.example.")), "bad 8");
+fail_if(Curl_cert_hostcheck(STRCONST("*.example."),
+ STRCONST("www.example")), "bad 9");
+fail_if(Curl_cert_hostcheck(STRCONST(""), STRCONST("www")), "bad 10");
+fail_if(Curl_cert_hostcheck(STRCONST("*"), STRCONST("www")), "bad 11");
+fail_if(Curl_cert_hostcheck(STRCONST("*.168.0.0"),
+ STRCONST("192.168.0.0")), "bad 12");
fail_if(Curl_cert_hostcheck(STRCONST("www.example.com"),
- "192.168.0.0"), "bad 13");
+ STRCONST("192.168.0.0")), "bad 13");
#ifdef ENABLE_IPV6
fail_if(Curl_cert_hostcheck(STRCONST("*::3285:a9ff:fe46:b619"),
- "fe80::3285:a9ff:fe46:b619"), "bad 14");
+ STRCONST("fe80::3285:a9ff:fe46:b619")), "bad 14");
fail_unless(Curl_cert_hostcheck(STRCONST("fe80::3285:a9ff:fe46:b619"),
- "fe80::3285:a9ff:fe46:b619"), "good 6");
+ STRCONST("fe80::3285:a9ff:fe46:b619")),
+ "good 6");
#endif
#endif