
ksslpeerinfo.cc 4.2KB

  1. /* This file is part of the KDE project
  2. *
  3. * Copyright (C) 2000-2003 George Staikos <staikos@kde.org>
  4. *
  5. * This library is free software; you can redistribute it and/or
  6. * modify it under the terms of the GNU Library General Public
  7. * License as published by the Free Software Foundation; either
  8. * version 2 of the License, or (at your option) any later version.
  9. *
  10. * This library is distributed in the hope that it will be useful,
  11. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  13. * Library General Public License for more details.
  14. *
  15. * You should have received a copy of the GNU Library General Public License
  16. * along with this library; see the file COPYING.LIB. If not, write to
  17. * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
  18. * Boston, MA 02110-1301, USA.
  19. */
  20. #ifdef HAVE_CONFIG_H
  21. #include <config.h>
  22. #endif
  23. #include <tqregexp.h>
  24. #include "ksslpeerinfo.h"
  25. #include <kdebug.h>
  26. #include <ksockaddr.h>
  27. #include <kextsock.h>
  28. #include <netsupp.h>
  29. #ifndef Q_WS_WIN //TODO kresolver not ported
  30. #include "kresolver.h"
  31. #endif
  32. #include "ksslx509map.h"
// Private data of KSSLPeerInfo (d-pointer), so the public class layout
// can stay stable while fields are added here.
class KSSLPeerInfoPrivate {
public:
    KSSLPeerInfoPrivate() : peerHost() {}
    ~KSSLPeerInfoPrivate() {}

    // The host the caller intended to reach, normalised by
    // KSSLPeerInfo::setPeerHost() (trimmed, trailing dots removed,
    // lower-cased or IDNA-encoded).  This is what certificate names
    // are compared against.
    TQString peerHost;
};
// Allocates the private data; peerHost starts out null until
// setPeerHost() is called, so certMatchesAddress() cannot succeed yet.
KSSLPeerInfo::KSSLPeerInfo()
    : d(new KSSLPeerInfoPrivate)
{
}
// Releases the private data allocated in the constructor.
KSSLPeerInfo::~KSSLPeerInfo()
{
    delete d;
}
// Access to the peer's certificate.  Note this hands out a mutable
// reference, so callers can alter the certificate that
// certMatchesAddress() later reads.
KSSLCertificate& KSSLPeerInfo::getPeerCertificate()
{
    return m_cert;
}
// Record the host name the user actually asked for, normalised so that
// cnMatchesAddress() can compare it byte-wise against certificate names.
//
// realHost: the host as supplied by the caller (URL host part).  Surrounding
//           whitespace and any trailing root dots are dropped; the result is
//           lower-cased on Windows and passed through IDNA ToASCII elsewhere.
void KSSLPeerInfo::setPeerHost(TQString realHost)
{
    TQString host = realHost.stripWhiteSpace();

    // "example.com." is the same host as "example.com"; cnMatchesAddress()
    // strips trailing dots from the certificate side the same way.
    while (host.endsWith("."))
        host.truncate(host.length() - 1);

#ifdef Q_WS_WIN //TODO kresolver not ported
    // No IDN handling on this platform: just case-fold, since the
    // certificate names are lower-cased before comparison.
    d->peerHost = host.lower();
#else
    // Convert to the ASCII (punycode) form, which is what appears in
    // certificates.  NOTE(review): whether domainToAscii also lower-cases
    // is not visible here -- confirm, because the final comparison in
    // cnMatchesAddress() is a plain byte-wise ==.
    d->peerHost = TQString::fromLatin1(KNetwork::KResolver::domainToAscii(host));
#endif
}
// Does any name in the peer certificate identify the host set via
// setPeerHost()?  Candidates are the whitespace-separated pieces of the
// subject CN plus every subjectAltName; each is trimmed, lower-cased and
// handed to cnMatchesAddress().  Always false when built without SSL.
//
// NOTE(review): the CN is consulted even when subjectAltNames are present;
// RFC 6125 treats the CN only as a fallback for certificates without a
// dNSName SAN.  Splitting the CN on blanks also means a CN holding several
// names is accepted if any one of them matches.
bool KSSLPeerInfo::certMatchesAddress()
{
#ifdef KSSL_HAVE_SSL
    KSSLX509Map subject(m_cert.getSubject());

    TQStringList candidates =
        TQStringList::split(TQRegExp("[ \n\r]"), subject.getValue("CN"));
    candidates += m_cert.subjAltNames();

    for (TQStringList::Iterator it = candidates.begin(); it != candidates.end(); ++it) {
        TQString name = (*it).stripWhiteSpace().lower();
        if (cnMatchesAddress(name))
            return true;
    }
#endif
    return false;
}
/*
 * Decide whether a single certificate name (a subject CN fragment or a
 * subjectAltName, already trimmed and lower-cased by certMatchesAddress())
 * identifies the host recorded by setPeerHost().  Returns false when built
 * without SSL.
 *
 * This is the TLS host-name check, so the rules below are deliberately
 * conservative where they can be:
 *  - cn is restricted to [a-zA-Z0-9.*-] first, so no TQRegExp wildcard
 *    metacharacter other than '*' can reach the wildcard match.
 *  - When the peer was addressed by IP, only a byte-identical cn passes;
 *    no wildcard matching against addresses.
 *  - A wildcard cn must have two literal right-most labels ("*.com" and
 *    "*.co.uk" are refused) and the same number of labels as the host.
 *    Partial-label wildcards ("f*.example.com") and several wildcard
 *    labels are not refused by these checks.
 *  - Leniency kept from the original: "*.example.com" also matches the
 *    bare "example.com", which RFC 2818 would not allow.
 */
bool KSSLPeerInfo::cnMatchesAddress(TQString cn) {
#ifdef KSSL_HAVE_SSL
    TQRegExp rx;

    kdDebug(7029) << "Matching CN=[" << cn << "] to ["
                  << d->peerHost << "]" << endl;

    // Check for invalid characters.  Anything outside the DNS-style
    // alphabet is rejected outright -- this includes ':' and '[', so an
    // IPv6 literal can never appear in cn.
    if (TQRegExp("[^a-zA-Z0-9\\.\\*\\-]").search(cn) >= 0) {
        kdDebug(7029) << "CN contains invalid characters! Failing." << endl;
        return false;
    }

    // Domains can legally end with '.'s. We don't need them though.
    // (setPeerHost() strips them from the host side the same way.)
    while(cn.endsWith("."))
        cn.truncate(cn.length()-1);

    // Do not let empty CN's get by!!
    if (cn.isEmpty())
        return false;

    // Check for IPv4 address: a dotted-quad peer only accepts a cn that
    // is exactly the same string.
    rx.setPattern("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}");
    if (rx.exactMatch(d->peerHost))
        return d->peerHost == cn;

    // Check for IPv6 address here...  Same exact-match rule, but since the
    // whitelist above already threw out ':' and '[', a bracketed peerHost
    // can never equal cn and this branch always ends up false.
    // NOTE(review): matching IP peers properly would need the certificate's
    // iPAddress SANs, which are not consulted here.
    rx.setPattern("^\\[.*\\]$");
    if (rx.exactMatch(d->peerHost))
        return d->peerHost == cn;

    if (cn.contains('*')) {
        // First make sure that there are at least two valid parts
        // after the wildcard (*).
        TQStringList parts = TQStringList::split('.', cn, false);
        while (parts.count() > 2)
            parts.remove(parts.begin());

        if (parts.count() != 2) {
            return false; // we don't allow *.root - that's bad
        }

        // The two right-most labels must be literal; this is what keeps
        // "*.com" / "*.co.uk" style names from matching everything.
        if (parts[0].contains('*') || parts[1].contains('*')) {
            return false;
        }

        // RFC2818 says that *.example.com should match against
        // foo.example.com but not bar.foo.example.com
        // (ie. they must have the same number of parts)
        // TQRegExp wildcard mode lets '*' run across dots, so the
        // label-count comparison is what stops it swallowing extra
        // subdomains.
        if (TQRegExp(cn, false, true).exactMatch(d->peerHost) &&
            TQStringList::split('.', cn, false).count() ==
            TQStringList::split('.', d->peerHost, false).count())
            return true;

        // *.example.com must match example.com also. Sigh..
        // (Intentionally more lenient than RFC 2818.)
        if (cn.startsWith("*.")) {
            TQString chopped = cn.mid(2);
            if (chopped == d->peerHost) {
                return true;
            }
        }

        return false;
    }

    // We must have an exact match in this case (insensitive though)
    // (note we already did .lower())
    // NOTE(review): the comparison itself is byte-wise; "insensitive" holds
    // only if setPeerHost() lower-cased / IDNA-normalised peerHost on this
    // platform -- confirm for the non-Windows path.
    if (cn == d->peerHost)
        return true;
#endif
    return false;
}
// Forget the expected host.  Until setPeerHost() is called again,
// certMatchesAddress() compares against a null host and fails.
void KSSLPeerInfo::reset()
{
    d->peerHost = TQString::null;
}
// The normalised host name set by setPeerHost() (null after reset()).
// Returns a reference into the private data; valid as long as this object is.
const TQString& KSSLPeerInfo::peerHost() const
{
    return d->peerHost;
}