Re: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN
From: Gisle Vanem
Subject: Re: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN
Date: Wed, 21 Jul 2004 19:28:39 +0200
"Thorsten Glaser" <address@hidden> said:
> But look what happens when you go to www.cvshome.org - you are
> redirected to https://www.cvshome.org/ which has got an SSL
> certificate of *.cvshome.org - apparently using wildcards.
>
> Since I don't think it's "bad to have", am able to implement
> it (hopefully correctly) and tested that, I think we should
> take this diff even if I didn't look into the standards.
>
> Hostnames are, as usual, matched case-insensitive but not
> locale-specific (they're quite limited, character-wise,
> anyway).
Your patch is too simple compared to other browsers, that is,
where a '*' in other than the 1st position or multiple '*' in CNs are accepted.
Your patch doesn't match e.g. "www1.host.com" against "www*.host.com".
I once made such a recursive function for libcurl. Feel free to use it in
Lynx:
----------------
#include <ctype.h>

/*
 * Match a hostname against a wildcard pattern.
 * E.g.
 *   "foo.host.com" matches "*.host.com".
 *
 * We are a bit more liberal than RFC2818 describes in that we
 * accept multiple "*" in pattern (similar to what some other browsers do).
 * E.g.
 *   "abc.def.domain.com" should strictly not match "*.domain.com", but we
 *   don't consider "." to be important in CERT checking.
 */
#define HOST_NOMATCH 0
#define HOST_MATCH   1

static int hostmatch(const char *hostname, const char *pattern)
{
    while (1) {
        /* read as unsigned so toupper() is well-defined for high-bit bytes */
        int c = (unsigned char)*pattern++;

        if (c == '\0')              /* pattern exhausted: match only if host is too */
            return (*hostname ? HOST_NOMATCH : HOST_MATCH);

        if (c == '*') {
            c = (unsigned char)*pattern;
            if (c == '\0')          /* "*\0" matches anything remaining */
                return HOST_MATCH;
            /* try the rest of the pattern at every remaining host position */
            while (*hostname) {
                /* The only recursive function in libcurl! */
                if (hostmatch(hostname++, pattern) == HOST_MATCH)
                    return HOST_MATCH;
            }
            return HOST_NOMATCH;
        }

        if (toupper(c) != toupper((unsigned char)*hostname++))
            return HOST_NOMATCH;
    }
}
---------
Loosely based on djgpp's fnmatch().
--gv
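The function posted above treats '*' as a free-form glob: a '*' may sit anywhere in the CN, appear more than once, and match across '.' characters, so a certificate whose CN is "*.com" or simply "*" would be accepted for any host. RFC 2818 (and the later RFC 6125) are narrower: the wildcard is only meaningful as the whole leftmost label, it matches exactly one label, and it needs literal labels after it. The following is an added example of that stricter check, not code from Lynx, libcurl or this thread; the names hostmatch_strict and label_eq and the sample names in main() are the author of this example's own:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive (ASCII) comparison of two byte ranges of given length. */
static int label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t i;
    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Strict hostname match in the RFC 2818 / RFC 6125 style:
 *  - comparison is ASCII case-insensitive;
 *  - '*' is accepted only as the entire leftmost label ("*.example.com");
 *  - the wildcard matches exactly one non-empty label, never spanning '.';
 *  - at least two literal labels must follow the wildcard, so "*.com"
 *    and "*" match nothing.
 * Returns 1 on match, 0 otherwise.  (Hypothetical helper, not Lynx code.) */
int hostmatch_strict(const char *hostname, const char *pattern)
{
    size_t i;

    if (!*hostname || !*pattern)
        return 0;

    /* Any '*' that is not "*." at the very start makes the pattern invalid. */
    for (i = 0; pattern[i]; i++)
        if (pattern[i] == '*' && !(i == 0 && pattern[1] == '.'))
            return 0;

    if (pattern[0] == '*') {
        const char *suffix = pattern + 2;   /* text after "*." */
        const char *hdot;
        size_t slen = strlen(suffix);
        int dots = 0;

        for (i = 0; i < slen; i++)
            if (suffix[i] == '.')
                dots++;
        /* need "label.label" after the wildcard, with no empty edge labels */
        if (dots < 1 || suffix[0] == '.' || suffix[slen - 1] == '.')
            return 0;

        hdot = strchr(hostname, '.');
        if (!hdot || hdot == hostname)      /* leftmost host label must be non-empty */
            return 0;
        /* Everything after the host's first label must equal the suffix. */
        return label_eq(hdot + 1, strlen(hdot + 1), suffix, slen);
    }

    /* No wildcard: whole names must be equal, ignoring ASCII case. */
    return label_eq(hostname, strlen(hostname), pattern, strlen(pattern));
}

int main(void)
{
    /* Constructed sample pairs; the CN values are illustrative only. */
    static const struct { const char *host, *cn; } cases[] = {
        { "www.cvshome.org",    "*.cvshome.org" },   /* accepted */
        { "FOO.Host.COM",       "*.host.com"    },   /* accepted, case-insensitive */
        { "abc.def.domain.com", "*.domain.com"  },   /* rejected: spans a '.' */
        { "www1.host.com",      "www*.host.com" },   /* rejected: '*' mid-label */
        { "anything.com",       "*.com"         },   /* rejected: too broad */
        { "host.com",           "*"             },   /* rejected: bare '*' */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s vs %-15s -> %s\n", cases[i].host, cases[i].cn,
               hostmatch_strict(cases[i].host, cases[i].cn) ? "match" : "no match");
    return 0;
}
```

The two checks differ exactly on the cases a defender cares about: the liberal glob accepts "abc.def.domain.com" for "*.domain.com" and any host for "*.com", while the strict version accepts only one label under a wildcard and refuses patterns with fewer than two literal labels after it.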