Re: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN


From: Gisle Vanem
Subject: Re: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN
Date: Wed, 21 Jul 2004 19:28:39 +0200

"Thorsten Glaser" <address@hidden> said:

> But look what happens when you go to www.cvshome.org - you are
> redirected to https://www.cvshome.org/ which has got an SSL
> certificate of *.cvshome.org - apparently using wildcards.
> 
> Since I don't think it's "bad to have", am able to implement
> it (hopefully correctly) and tested that, I think we should
> take this diff even if I didn't look into the standards.
> 
> Hostnames are, as usual, matched case-insensitively but not
> locale-specifically (they're quite limited, character-wise,
> anyway).

Your patch is too simple compared to other browsers, that is,
where a '*' in other than the 1st position or multiple '*' in CNs are accepted.
Your patch doesn't match e.g. "www1.host.com" against "www*.host.com".

I once made such a recursive function for libcurl. Feel free to use it in
Lynx:

----------------

#include <ctype.h>   /* toupper() */

/*
 * Match a hostname against a wildcard pattern.
 * E.g.
 *  "foo.host.com" matches "*.host.com".
 *
 * We are a bit more liberal than RFC2818 describes in that we
 * accept multiple "*" in pattern (similar to what some other browsers do).
 * E.g.
 *  "abc.def.domain.com" should strictly not match "*.domain.com", but we
 *  don't consider "." to be important in CERT checking.
 */
#define HOST_NOMATCH 0
#define HOST_MATCH   1

static int hostmatch(const char *hostname, const char *pattern)
{
  while (1) {
    /* Read as unsigned char so toupper() never sees a negative value. */
    int c = (unsigned char)*pattern++;

    if (c == '\0')
      return (*hostname ? HOST_NOMATCH : HOST_MATCH);   /* end of pattern: host must be consumed too */

    if (c == '*') {
      c = (unsigned char)*pattern;
      if (c == '\0')      /* "*\0" matches anything remaining */
        return HOST_MATCH;

      /* Try the rest of the pattern at every remaining hostname offset. */
      while (*hostname) {
        /* The only recursive function in libcurl! */
        if (hostmatch(hostname++,pattern) == HOST_MATCH)
          return HOST_MATCH;
      }
      return HOST_NOMATCH;
    }

    /* Literal character: compare case-insensitively. */
    if (toupper(c) != toupper((unsigned char)*hostname++))
      return HOST_NOMATCH;
  }
}

---------

Loosely based on djgpp's fnmatch().

--gv
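The message above offers a deliberately liberal matcher. As an added example, not code from the original message, from libcurl or from Lynx, the block below puts that liberal behaviour side by side with a strict matcher written for this page: the wildcard is accepted only as the complete leftmost label, it matches exactly one label (so "abc.def.domain.com" does not match "*.domain.com", and "www*.host.com" is not a valid pattern), and at least two labels must follow the wildcard (no "*.com"). The name `hostmatch_strict`, the helper `ci_equal`, and the two-labels-after-the-wildcard rule (common browser practice rather than an RFC 2818 requirement) are assumptions of this example; `hostmatch_liberal` is a copy of the recursive function from the message with `unsigned char` casts added.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_NOMATCH 0
#define HOST_MATCH   1

/* Case-insensitive string equality; hostnames are ASCII, so toupper()
 * on unsigned char values is sufficient and locale is irrelevant. */
static int ci_equal(const char *a, const char *b)
{
  for (;; a++, b++) {
    int ca = toupper((unsigned char)*a);
    int cb = toupper((unsigned char)*b);
    if (ca != cb)
      return 0;
    if (ca == '\0')
      return 1;
  }
}

/* Liberal matcher, as posted in the message: any number of '*' anywhere,
 * and '*' may span '.' boundaries. Kept here only for comparison. */
static int hostmatch_liberal(const char *hostname, const char *pattern)
{
  while (1) {
    int c = (unsigned char)*pattern++;
    if (c == '\0')
      return (*hostname ? HOST_NOMATCH : HOST_MATCH);
    if (c == '*') {
      if (*pattern == '\0')
        return HOST_MATCH;
      while (*hostname) {
        if (hostmatch_liberal(hostname++, pattern) == HOST_MATCH)
          return HOST_MATCH;
      }
      return HOST_NOMATCH;
    }
    if (toupper(c) != toupper((unsigned char)*hostname++))
      return HOST_NOMATCH;
  }
}

/* Strict matcher (this example's own): "*" only as the whole leftmost label,
 * matching exactly one non-empty label, with at least two labels after it. */
static int hostmatch_strict(const char *hostname, const char *pattern)
{
  const char *pdot, *hdot;

  if (hostname[0] == '\0' || pattern[0] == '\0')
    return HOST_NOMATCH;

  /* No wildcard at all: plain case-insensitive comparison. */
  if (strchr(pattern, '*') == NULL)
    return ci_equal(hostname, pattern) ? HOST_MATCH : HOST_NOMATCH;

  /* The only accepted wildcard form is "*." + rest, with no other '*'. */
  if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
    return HOST_NOMATCH;

  pdot = pattern + 1;                 /* the '.' right after the '*' */
  if (strchr(pdot + 1, '.') == NULL)  /* reject "*.com": need "*.a.b" or longer */
    return HOST_NOMATCH;

  /* The hostname's leftmost label must exist, be non-empty, and contain no '.' */
  hdot = strchr(hostname, '.');
  if (hdot == NULL || hdot == hostname)
    return HOST_NOMATCH;

  /* Everything after the first label must equal the pattern's suffix. */
  return ci_equal(hdot, pdot) ? HOST_MATCH : HOST_NOMATCH;
}

int main(void)
{
  /* Constructed sample pairs, including the cases discussed in the thread. */
  static const char *const cases[][2] = {
    { "www.cvshome.org",    "*.cvshome.org" },
    { "www1.host.com",      "www*.host.com" },
    { "abc.def.domain.com", "*.domain.com"  },
    { "host.com",           "*.host.com"    },
    { "a.com",              "*.com"         },
  };
  size_t i;
  for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
    printf("%-20s vs %-15s liberal=%d strict=%d\n", cases[i][0], cases[i][1],
           hostmatch_liberal(cases[i][0], cases[i][1]),
           hostmatch_strict(cases[i][0], cases[i][1]));
  return 0;
}
```

Running it shows where the two diverge: the liberal matcher accepts "www1.host.com" for "www*.host.com" and "abc.def.domain.com" for "*.domain.com"; the strict one rejects both, and both reject "host.com" against "*.host.com".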