--- ksslpeerinfo.h 23 Nov 2001 18:42:36 -0000 1.12.2.2

diff -b -p -u -r1.12.2.2 -r1.12.2.3
--- ksslpeerinfo.h 23 Nov 2001 18:42:36 -0000 1.12.2.2
+++ ksslpeerinfo.h 14 May 2003 16:30:23 -0000 1.12.2.3
@@ -37,16 +37,17 @@ public:

KSSLCertificate& getPeerCertificate();
bool certMatchesAddress();
+ bool cnMatchesAddress(QString cn);
QString getPeerAddress();

void setProxying(bool active, QString realHost = QString::null);
+ void setPeerHost(QString host = QString::null);

protected:
KSSLPeerInfo();

KSSLCertificate m_cert;
void setPeerAddress(KInetSocketAddress &x);
- void extractDomains(const QString &fqdn, QStringList &domains);

private:
KSSLPeerInfoPrivate *d;
diff -b -p -u -r1.17.2.2 -r1.17.2.3
--- kssl.h 7 Nov 2001 05:47:37 -0000 1.17.2.2
+++ kssl.h 14 May 2003 16:30:23 -0000 1.17.2.3
@@ -100,6 +100,8 @@ public:
KSSLConnectionInfo& connectionInfo();
KSSLPeerInfo& peerInfo();

+ void setPeerHost(QString realHost);
+
private:
static bool m_bSSLWorks;
bool m_bInit;
diff -u -3 -p -r1.12.2.11 -r1.12.2.12
--- ksslpeerinfo.cc 23 Nov 2001 18:42:36 -0000 1.12.2.11
+++ ksslpeerinfo.cc 14 May 2003 16:30:23 -0000 1.12.2.12
@@ -33,11 +33,9 @@

class KSSLPeerInfoPrivate {
public:
- KSSLPeerInfoPrivate() : host(NULL), proxying(false) {}
- ~KSSLPeerInfoPrivate() { if (host) delete host; }
- KInetSocketAddress *host;
- bool proxying;
- QString proxyHost;
+ KSSLPeerInfoPrivate() {}
+ ~KSSLPeerInfoPrivate() { }
+ QString peerHost;
};

@@ -54,131 +52,103 @@ KSSLCertificate& KSSLPeerInfo::getPeerCe
return m_cert;
}

-void KSSLPeerInfo::setProxying(bool active, QString realHost) {
- d->proxying = active;
- d->proxyHost = realHost;
+void KSSLPeerInfo::setProxying(bool , QString ) {
}

-void KSSLPeerInfo::setPeerAddress(KInetSocketAddress& addr) {
- if (!d->host)
- d->host = new KInetSocketAddress(addr);
- else
- (*d->host) = addr;
+void KSSLPeerInfo::setPeerAddress(KInetSocketAddress& ) {
+}
+
+void KSSLPeerInfo::setPeerHost(QString host) {
+ d->peerHost = host.stripWhiteSpace();
+ while(d->peerHost.right(1) == ".")
+ d->peerHost.truncate(d->peerHost.length()-1);
+
+ d->peerHost = d->peerHost.lower();
}

bool KSSLPeerInfo::certMatchesAddress() {
#ifdef HAVE_SSL
- KSSLX509Map certinfo(m_cert.getSubject());
- QString cn = certinfo.getValue("CN");
+ KSSLX509Map certinfo(m_cert.getSubject());
+ QStringList cns = QStringList::split(QRegExp("[ \n\r]"), certinfo.getValue("CN"));
+
+ for (QStringList::Iterator cn = cns.begin(); cn != cns.end(); ++cn) {
+ if (cnMatchesAddress((*cn).stripWhiteSpace().lower()))
+ return true;
+ }
+
+#endif

- if (d->proxying) {
- QStringList domains;
+ return false;
+}
+
+
+bool KSSLPeerInfo::cnMatchesAddress(QString cn) {
+#ifdef HAVE_SSL
+ QRegExp rx;

- kdDebug(7029) << "Matching CN=" << cn << " to " << d->proxyHost << endl;

- extractDomains(d->proxyHost, domains);
- QStringList::Iterator it = domains.begin();
- for (; it != domains.end(); it++)
- {
- int match = cn.findRev(*it, -1, false);
- kdDebug(7029) << "Match= " << match << ", CN.length= " << cn.length()
- << ", host.length= " << (*it).length() << endl;
-
- if (match > -1 && ((match + (*it).length()) == cn.length()))
- {
- kdDebug(7029) << "Found a match ==> " << (*it) << endl;
- return true;
- }
- }
- return false;
- }
-
-
- if (cn.startsWith("*")) { // stupid wildcard cn
- QString host, port;
- QStringList domains;
-
- if (KExtendedSocket::resolve(d->host, host, port, NI_NAMEREQD) != 0)
- host = d->host->nodeName();
-
- kdDebug(7029) << "Matching CN=" << cn << " to " << host << endl;
-
- extractDomains( host, domains );
- QStringList::Iterator it = domains.begin();
-
- for (; it != domains.end(); it++)
- {
- int match = cn.findRev(*it, -1, false);
- kdDebug(7029) << "Match= " << match << ", CN.length= " << cn.length()
- << ", host.length= " << (*it).length() << endl;
-
- if (match > -1 && ((match + (*it).length()) == cn.length()))
- {
- kdDebug(7029) << "Found a match ==> " << (*it) << endl;
- return true;
- }
- }
-
- return false;
- } else {
- int err = 0;
- QList<KAddressInfo> cns = KExtendedSocket::lookup(cn.latin1(), 0, 0, &err);
- if (err != 0) {
- kdDebug(7029) << "Address lookup failed! -- " << err << endl;
- return false;
- }
- cns.setAutoDelete(true);
-
- kdDebug(7029) << "The original ones were: " << d->host->nodeName()
- << " and: " << certinfo.getValue("CN").latin1()
- << endl;
-
- for (KAddressInfo *x = cns.first(); x; x = cns.next()) {
- if ((*x).address()->isCoreEqual(d->host)) {
- return true;
- }
- }
- kdDebug(7029) << "Testing failed!" << endl;
- }
+ kdDebug(7029) << "Matching CN=[" << cn << "] to [" << d->peerHost << "]" << endl;

+ // Check for invalid characters
+ if (QRegExp("[^a-zA-Z0-9\\.\\*\\-]").match(cn) >= 0) {
+ kdDebug(7029) << "CN contains invalid characters! Failing." << endl;
+ return false;
+ }
+
+ // Domains can legally end with '.'s. We don't need them though.
+ while(cn.right(1) == ".")
+ cn.truncate(cn.length()-1);
+
+ // Do not let empty CN's get by!!
+ if (cn.isEmpty())
+ return false;
+
+ // Check for IPv4 address
+ rx.setPattern("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}");
+ int tmp;
+ if (rx.match(d->peerHost, 0, &tmp) == 0 && tmp == d->peerHost.length())
+ return d->peerHost == cn;
+
+ // Check for IPv6 address here...
+ rx.setPattern("^\\[.*\\]$");
+ if (rx.match(d->peerHost, 0, &tmp) == 0 && tmp == d->peerHost.length())
+ return d->peerHost == cn;
+
+ if (cn.contains('*')) {
+ // First make sure that there are at least two valid parts
+ // after the wildcard (*).
+ QStringList parts = QStringList::split('.', cn, false);
+
+ while(parts.count() > 2)
+ parts.remove(parts.begin());
+
+ if (parts.count() != 2) {
+ return false; // we don't allow *.root - that's bad
+ }
+
+ if (parts[0].contains('*') || parts[1].contains('*')) {
+ return false;
+ }
+
+ // RFC2818 says that *.example.com should match against
+ // foo.example.com but not bar.foo.example.com
+ // (ie. they must have the same number of parts)
+ if (QRegExp(cn, false, true).match(d->peerHost, 0, &tmp) == 0 &&
+ tmp == d->peerHost.length() &&
+ QStringList::split('.', cn, false).count() ==
+ QStringList::split('.', d->peerHost, false).count())
+ return true;
+
+ return false;
+ }
+
+ // We must have an exact match in this case (insensitive though)
+ // (note we already did .lower())
+ if (cn == d->peerHost)
+ return true;
#endif
- return false;
+ return false;
}

-void KSSLPeerInfo::extractDomains(const QString &fqdn, QStringList &domains)
-{
- domains.clear();
-
- // If fqdn is an IP address, then only use
- // the entire IP address to find a match! (DA)
- if (fqdn[0] >= '0' && fqdn[0] <= '9') {
- domains.append(fqdn);
- return;
- }
-
- QStringList partList = QStringList::split('.', fqdn, false);
-
- if (partList.count())
- partList.remove(partList.begin()); // Remove hostname
-
- while(partList.count()) {
- if (partList.count() == 1)
- break; // We only have a TLD left.
-
- if (partList.count() == 2) {
- // If this is a TLD, we should stop. (e.g. co.uk)
- // We assume this is a TLD if it ends with .xx.yy or .x.yy
- if (partList[0].length() <= 2 && partList[1].length() == 2)
- break; // This is a TLD.
- }
-
- QString domain = partList.join(".");
- domains.append(domain);
- partList.remove(partList.begin());
- }
-
- // Add the entire FQDN at the end of the
- // list for fqdn == CN checks
- domains.append(fqdn);
-}
+
diff -u -3 -p -r1.50.2.3 -r1.50.2.4
--- kssl.cc 7 Nov 2001 05:47:37 -0000 1.50.2.3
+++ kssl.cc 14 May 2003 16:30:23 -0000 1.50.2.4
@@ -336,25 +336,19 @@ void KSSL::setConnectionInfo() {
}

-void KSSL::setPeerInfo(int sock) {
+void KSSL::setPeerHost(QString realHost) {
+ d->proxyPeer = realHost;
+}
+
+
+void KSSL::setPeerInfo(int) {
#ifdef HAVE_SSL
- if (!d->proxying) {
- ksockaddr_in sa;
- ksocklen_t nl = sizeof(ksockaddr_in);
- int rc = KSocks::self()->getpeername(sock, (sockaddr *)&sa, &nl);
-
- if (rc != -1) {
- QString haddr;
- KInetSocketAddress x(&sa, nl);
- m_pi.setPeerAddress(x);
- }
- } else {
- m_pi.setProxying(d->proxying, d->proxyPeer);
- }
- m_pi.m_cert.setCert(d->kossl->SSL_get_peer_certificate(d->m_ssl));
- STACK_OF(X509) *xs = d->kossl->SSL_get_peer_cert_chain(d->m_ssl);
- if (xs) xs = sk_X509_dup(xs);
- m_pi.m_cert.setChain((void *)xs);
+ m_pi.setPeerHost(d->proxyPeer);
+ m_pi.m_cert.setCert(d->kossl->SSL_get_peer_certificate(d->m_ssl));
+ STACK_OF(X509) *xs = d->kossl->SSL_get_peer_cert_chain(d->m_ssl);
+ if (xs)
+ xs = sk_X509_dup(xs); // Leak?
+ m_pi.m_cert.setChain((void *)xs);
#endif
}

@@ -372,9 +366,7 @@ KSSLConnectionInfo& KSSL::connectionInfo
}

-void KSSL::setProxy(bool active, QString realHost) {
- d->proxying = active;
- d->proxyPeer = realHost;
+void KSSL::setProxy(bool, QString) {
}

void KSSL::setProxyUse(bool, QString, int, QString) {