2 // System.Net.ServicePointManager
5 // Lawrence Pit (loz@cable.a2000.nl)
6 // Gonzalo Paniagua Javier (gonzalo@novell.com)
8 // Copyright (c) 2003-2010 Novell, Inc (http://www.novell.com)
12 // Permission is hereby granted, free of charge, to any person obtaining
13 // a copy of this software and associated documentation files (the
14 // "Software"), to deal in the Software without restriction, including
15 // without limitation the rights to use, copy, modify, merge, publish,
16 // distribute, sublicense, and/or sell copies of the Software, and to
17 // permit persons to whom the Software is furnished to do so, subject to
18 // the following conditions:
20 // The above copyright notice and this permission notice shall be
21 // included in all copies or substantial portions of the Software.
23 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
27 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
28 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
35 using Mono.Security.Protocol.Tls;
36 using MSX = Mono.Security.X509;
37 using Mono.Security.X509.Extensions;
39 extern alias MonoSecurity;
40 using MonoSecurity::Mono.Security.X509.Extensions;
41 using MonoSecurity::Mono.Security.Protocol.Tls;
42 using MSX = MonoSecurity::Mono.Security.X509;
45 using System.Text.RegularExpressions;
49 using System.Threading;
50 using System.Collections;
51 using System.Collections.Generic;
52 using System.Collections.Specialized;
53 using System.Configuration;
54 using System.Net.Configuration;
55 using System.Security.Cryptography.X509Certificates;
57 using System.Globalization;
58 using System.Net.Security;
59 using System.Diagnostics;
63 // A service point manager manages service points (duh!).
64 // A service point maintains a list of connections (per scheme + authority).
65 // According to HttpWebRequest.ConnectionGroupName each connection group
66 // creates additional connections. therefor, a service point has a hashtable
67 // of connection groups where each value is a list of connections.
69 // when we need to make an HttpWebRequest, we need to do the following:
70 // 1. find service point, given Uri and Proxy
71 // 2. find connection group, given service point and group name
72 // 3. find free connection in connection group, or create one (if ok due to limits)
73 // 4. lease connection
75 // 6. when finished, return connection
81 public class ServicePointManager {
83 Uri uri; // schema/host/port
87 public SPKey (Uri uri, Uri proxy, bool use_connect) {
90 this.use_connect = use_connect;
97 public bool UseConnect {
98 get { return use_connect; }
101 public bool UsesProxy {
102 get { return proxy != null; }
105 public override int GetHashCode () {
107 hash = hash * 31 + ((use_connect) ? 1 : 0);
108 hash = hash * 31 + uri.GetHashCode ();
109 hash = hash * 31 + (proxy != null ? proxy.GetHashCode () : 0);
113 public override bool Equals (object obj) {
114 SPKey other = obj as SPKey;
119 if (!uri.Equals (other.uri))
121 if (use_connect != other.use_connect || UsesProxy != other.UsesProxy)
123 if (UsesProxy && !proxy.Equals (other.proxy))
129 private static HybridDictionary servicePoints = new HybridDictionary ();
133 private static ICertificatePolicy policy = new DefaultCertificatePolicy ();
134 private static int defaultConnectionLimit = DefaultPersistentConnectionLimit;
135 private static int maxServicePointIdleTime = 100000; // 100 seconds
136 private static int maxServicePoints = 0;
137 private static bool _checkCRL = false;
138 private static SecurityProtocolType _securityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls;
141 static bool expectContinue = false;
143 static bool expectContinue = true;
145 static bool useNagle;
146 static RemoteCertificateValidationCallback server_cert_cb;
147 static bool tcp_keepalive;
148 static int tcp_keepalive_time;
149 static int tcp_keepalive_interval;
153 public const int DefaultNonPersistentConnectionLimit = 4;
155 public const int DefaultPersistentConnectionLimit = 10;
157 public const int DefaultPersistentConnectionLimit = 2;
161 const string configKey = "system.net/connectionManagement";
162 static ConnectionManagementData manager;
165 static ServicePointManager ()
168 #if CONFIGURATION_DEP
169 object cfg = ConfigurationManager.GetSection (configKey);
170 ConnectionManagementSection s = cfg as ConnectionManagementSection;
172 manager = new ConnectionManagementData (null);
173 foreach (ConnectionManagementElement e in s.ConnectionManagement)
174 manager.Add (e.Address, e.MaxConnection);
176 defaultConnectionLimit = (int) manager.GetMaxConnections ("*");
180 manager = (ConnectionManagementData) ConfigurationSettings.GetConfig (configKey);
181 if (manager != null) {
182 defaultConnectionLimit = (int) manager.GetMaxConnections ("*");
188 private ServicePointManager ()
194 [Obsolete ("Use ServerCertificateValidationCallback instead", false)]
195 public static ICertificatePolicy CertificatePolicy {
196 get { return policy; }
197 set { policy = value; }
200 [MonoTODO("CRL checks not implemented")]
201 public static bool CheckCertificateRevocationList {
202 get { return _checkCRL; }
203 set { _checkCRL = false; } // TODO - don't yet accept true
206 public static int DefaultConnectionLimit {
207 get { return defaultConnectionLimit; }
210 throw new ArgumentOutOfRangeException ("value");
212 defaultConnectionLimit = value;
215 manager.Add ("*", defaultConnectionLimit);
220 static Exception GetMustImplement ()
222 return new NotImplementedException ();
226 public static int DnsRefreshTimeout
229 throw GetMustImplement ();
232 throw GetMustImplement ();
237 public static bool EnableDnsRoundRobin
240 throw GetMustImplement ();
243 throw GetMustImplement ();
247 public static int MaxServicePointIdleTime {
249 return maxServicePointIdleTime;
252 if (value < -2 || value > Int32.MaxValue)
253 throw new ArgumentOutOfRangeException ("value");
254 maxServicePointIdleTime = value;
258 public static int MaxServicePoints {
260 return maxServicePoints;
264 throw new ArgumentException ("value");
266 maxServicePoints = value;
267 RecycleServicePoints ();
272 // we need it for SslClientStream
277 static SecurityProtocolType SecurityProtocol {
278 get { return _securityProtocol; }
279 set { _securityProtocol = value; }
282 public static RemoteCertificateValidationCallback ServerCertificateValidationCallback
285 return server_cert_cb;
288 server_cert_cb = value;
292 public static bool Expect100Continue {
293 get { return expectContinue; }
294 set { expectContinue = value; }
297 public static bool UseNagleAlgorithm {
298 get { return useNagle; }
299 set { useNagle = value; }
303 public static void SetTcpKeepAlive (bool enabled, int keepAliveTime, int keepAliveInterval)
306 if (keepAliveTime <= 0)
307 throw new ArgumentOutOfRangeException ("keepAliveTime", "Must be greater than 0");
308 if (keepAliveInterval <= 0)
309 throw new ArgumentOutOfRangeException ("keepAliveInterval", "Must be greater than 0");
312 tcp_keepalive = enabled;
313 tcp_keepalive_time = keepAliveTime;
314 tcp_keepalive_interval = keepAliveInterval;
317 public static ServicePoint FindServicePoint (Uri address)
319 return FindServicePoint (address, GlobalProxySelection.Select);
322 public static ServicePoint FindServicePoint (string uriString, IWebProxy proxy)
324 return FindServicePoint (new Uri(uriString), proxy);
327 public static ServicePoint FindServicePoint (Uri address, IWebProxy proxy)
330 throw new ArgumentNullException ("address");
332 if ((servicePoints.Count % 4) == 0)
333 RecycleServicePoints ();
335 var origAddress = new Uri (address.Scheme + "://" + address.Authority);
337 bool usesProxy = false;
338 bool useConnect = false;
339 if (proxy != null && !proxy.IsBypassed(address)) {
341 bool isSecure = address.Scheme == "https";
342 address = proxy.GetProxy (address);
343 if (address.Scheme != "http" && !isSecure)
344 throw new NotSupportedException ("Proxy scheme not supported.");
346 if (isSecure && address.Scheme == "http")
350 address = new Uri (address.Scheme + "://" + address.Authority);
352 ServicePoint sp = null;
353 SPKey key = new SPKey (origAddress, usesProxy ? address : null, useConnect);
354 lock (servicePoints) {
355 sp = servicePoints [key] as ServicePoint;
359 if (maxServicePoints > 0 && servicePoints.Count >= maxServicePoints)
360 throw new InvalidOperationException ("maximum number of service points reached");
364 limit = defaultConnectionLimit;
366 string addr = address.ToString ();
367 limit = (int) manager.GetMaxConnections (addr);
369 sp = new ServicePoint (address, limit, maxServicePointIdleTime);
370 sp.Expect100Continue = expectContinue;
371 sp.UseNagleAlgorithm = useNagle;
372 sp.UsesProxy = usesProxy;
373 sp.UseConnect = useConnect;
374 sp.SetTcpKeepAlive (tcp_keepalive, tcp_keepalive_time, tcp_keepalive_interval);
375 servicePoints.Add (key, sp);
383 static void RecycleServicePoints ()
385 lock (servicePoints) {
386 var toRemove = new ArrayList ();
387 var idleList = new SortedDictionary<DateTime, ServicePoint> ();
388 IDictionaryEnumerator e = servicePoints.GetEnumerator ();
389 while (e.MoveNext ()) {
390 ServicePoint sp = (ServicePoint) e.Value;
392 if (sp.CheckAvailableForRecycling (out idleSince)) {
393 toRemove.Add (e.Key);
397 while (idleList.ContainsKey (idleSince))
398 idleSince = idleSince.AddMilliseconds (1);
399 idleList.Add (idleSince, sp);
402 for (int i = 0; i < toRemove.Count; i++)
403 servicePoints.Remove (toRemove [i]);
405 if (maxServicePoints == 0 || servicePoints.Count <= maxServicePoints)
408 // get rid of the ones with the longest idle time
409 foreach (var sp in idleList.Values) {
410 if (servicePoints.Count <= maxServicePoints)
412 servicePoints.Remove (sp);
417 internal class ChainValidationHelper {
420 RemoteCertificateValidationCallback cb;
423 static bool is_macosx = System.IO.File.Exists (OSX509Certificates.SecurityLibrary);
424 static X509RevocationMode revocation_mode;
426 static ChainValidationHelper ()
428 revocation_mode = X509RevocationMode.NoCheck;
430 string str = Environment.GetEnvironmentVariable ("MONO_X509_REVOCATION_MODE");
431 if (String.IsNullOrEmpty (str))
433 revocation_mode = (X509RevocationMode) Enum.Parse (typeof (X509RevocationMode), str, true);
439 public ChainValidationHelper (object sender, string hostName)
441 this.sender = sender;
445 public RemoteCertificateValidationCallback ServerCertificateValidationCallback {
448 cb = ServicePointManager.ServerCertificateValidationCallback;
454 // Used when the obsolete ICertificatePolicy is set to DefaultCertificatePolicy
455 // and the new ServerCertificateValidationCallback is not null
456 internal ValidationResult ValidateChain (MSX.X509CertificateCollection certs)
458 // user_denied is true if the user callback is called and returns false
459 bool user_denied = false;
460 if (certs == null || certs.Count == 0)
463 ICertificatePolicy policy = ServicePointManager.CertificatePolicy;
465 X509Certificate2 leaf = new X509Certificate2 (certs [0].RawData);
466 int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback
467 SslPolicyErrors errors = 0;
468 X509Chain chain = null;
471 // The X509Chain is not really usable with MonoTouch (since the decision is not based on this data)
472 // However if someone wants to override the results (good or bad) from iOS then they will want all
473 // the certificates that the server provided (which generally does not include the root) so, only
474 // if there's a user callback, we'll create the X509Chain but won't build it
475 // ref: https://bugzilla.xamarin.com/show_bug.cgi?id=7245
476 if (ServerCertificateValidationCallback != null) {
478 chain = new X509Chain ();
479 chain.ChainPolicy = new X509ChainPolicy ();
481 chain.ChainPolicy.RevocationMode = revocation_mode;
483 for (int i = 1; i < certs.Count; i++) {
484 X509Certificate2 c2 = new X509Certificate2 (certs [i].RawData);
485 chain.ChainPolicy.ExtraStore.Add (c2);
491 if (!chain.Build (leaf))
492 errors |= GetErrorsFromChain (chain);
493 } catch (Exception e) {
494 Console.Error.WriteLine ("ERROR building certificate chain: {0}", e);
495 Console.Error.WriteLine ("Please, report this problem to the Mono team");
496 errors |= SslPolicyErrors.RemoteCertificateChainErrors;
499 // for OSX and iOS we're using the native API to check for the SSL server policy and host names
501 if (!CheckCertificateUsage (leaf)) {
502 errors |= SslPolicyErrors.RemoteCertificateChainErrors;
503 status11 = -2146762490; //CERT_E_PURPOSE 0x800B0106
506 if (!CheckServerIdentity (certs [0], host)) {
507 errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
508 status11 = -2146762481; // CERT_E_CN_NO_MATCH 0x800B010F
512 // Attempt to use OSX certificates
513 // Ideally we should return the SecTrustResult
514 OSX509Certificates.SecTrustResult trustResult = OSX509Certificates.SecTrustResult.Deny;
516 trustResult = OSX509Certificates.TrustEvaluateSsl (certs, host);
517 // We could use the other values of trustResult to pass this extra information
518 // to the .NET 2 callback for values like SecTrustResult.Confirm
519 result = (trustResult == OSX509Certificates.SecTrustResult.Proceed ||
520 trustResult == OSX509Certificates.SecTrustResult.Unspecified);
526 // TrustEvaluateSsl was successful so there's no trust error
527 // IOW we discard our own chain (since we trust OSX one instead)
530 // callback and DefaultCertificatePolicy needs this since 'result' is not specified
531 status11 = (int) trustResult;
532 errors |= SslPolicyErrors.RemoteCertificateChainErrors;
538 #if MONODROID && SECURITY_DEP
539 result = AndroidPlatform.TrustEvaluateSsl (certs, sender, leaf, chain, errors);
541 // chain.Build() + GetErrorsFromChain() (above) will ALWAYS fail on
542 // Android (there are no mozroots or preinstalled root certificates),
543 // thus `errors` will ALWAYS have RemoteCertificateChainErrors.
544 // Android just verified the chain; clear RemoteCertificateChainErrors.
545 errors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
549 if (policy != null && (!(policy is DefaultCertificatePolicy) || cb == null)) {
550 ServicePoint sp = null;
551 HttpWebRequest req = sender as HttpWebRequest;
553 sp = req.ServicePointNoLock;
554 if (status11 == 0 && errors != 0)
555 status11 = GetStatusFromChain (chain);
558 result = policy.CheckValidationResult (sp, leaf, req, status11);
559 user_denied = !result && !(policy is DefaultCertificatePolicy);
561 // If there's a 2.0 callback, it takes precedence
562 if (ServerCertificateValidationCallback != null) {
563 result = ServerCertificateValidationCallback (sender, leaf, chain, errors);
564 user_denied = !result;
566 return new ValidationResult (result, user_denied, status11);
569 static int GetStatusFromChain (X509Chain chain)
572 foreach (var status in chain.ChainStatus) {
573 X509ChainStatusFlags flags = status.Status;
574 if (flags == X509ChainStatusFlags.NoError)
578 if ((flags & X509ChainStatusFlags.NotTimeValid) != 0) result = 0x800B0101;
579 // CERT_E_VALIDITYPERIODNESTING
580 else if ((flags & X509ChainStatusFlags.NotTimeNested) != 0) result = 0x800B0102;
582 else if ((flags & X509ChainStatusFlags.Revoked) != 0) result = 0x800B010C;
583 // TRUST_E_CERT_SIGNATURE
584 else if ((flags & X509ChainStatusFlags.NotSignatureValid) != 0) result = 0x80096004;
585 // CERT_E_WRONG_USAGE
586 else if ((flags & X509ChainStatusFlags.NotValidForUsage) != 0) result = 0x800B0110;
587 // CERT_E_UNTRUSTEDROOT
588 else if ((flags & X509ChainStatusFlags.UntrustedRoot) != 0) result = 0x800B0109;
589 // CRYPT_E_NO_REVOCATION_CHECK
590 else if ((flags & X509ChainStatusFlags.RevocationStatusUnknown) != 0) result = 0x80092012;
592 else if ((flags & X509ChainStatusFlags.Cyclic) != 0) result = 0x800B010A;
593 // TRUST_E_FAIL - generic
594 else if ((flags & X509ChainStatusFlags.InvalidExtension) != 0) result = 0x800B010B;
595 // CERT_E_UNTRUSTEDROOT
596 else if ((flags & X509ChainStatusFlags.InvalidPolicyConstraints) != 0) result = 0x800B010D;
597 // TRUST_E_BASIC_CONSTRAINTS
598 else if ((flags & X509ChainStatusFlags.InvalidBasicConstraints) != 0) result = 0x80096019;
599 // CERT_E_INVALID_NAME
600 else if ((flags & X509ChainStatusFlags.InvalidNameConstraints) != 0) result = 0x800B0114;
601 // CERT_E_INVALID_NAME
602 else if ((flags & X509ChainStatusFlags.HasNotSupportedNameConstraint) != 0) result = 0x800B0114;
603 // CERT_E_INVALID_NAME
604 else if ((flags & X509ChainStatusFlags.HasNotDefinedNameConstraint) != 0) result = 0x800B0114;
605 // CERT_E_INVALID_NAME
606 else if ((flags & X509ChainStatusFlags.HasNotPermittedNameConstraint) != 0) result = 0x800B0114;
607 // CERT_E_INVALID_NAME
608 else if ((flags & X509ChainStatusFlags.HasExcludedNameConstraint) != 0) result = 0x800B0114;
610 else if ((flags & X509ChainStatusFlags.PartialChain) != 0) result = 0x800B010A;
612 else if ((flags & X509ChainStatusFlags.CtlNotTimeValid) != 0) result = 0x800B0101;
613 // TRUST_E_CERT_SIGNATURE
614 else if ((flags & X509ChainStatusFlags.CtlNotSignatureValid) != 0) result = 0x80096004;
615 // CERT_E_WRONG_USAGE
616 else if ((flags & X509ChainStatusFlags.CtlNotValidForUsage) != 0) result = 0x800B0110;
617 // CRYPT_E_NO_REVOCATION_CHECK
618 else if ((flags & X509ChainStatusFlags.OfflineRevocation) != 0) result = 0x80092012;
619 // CERT_E_ISSUERCHAINING
620 else if ((flags & X509ChainStatusFlags.NoIssuanceChainPolicy) != 0) result = 0x800B0107;
621 else result = 0x800B010B; // TRUST_E_FAIL - generic
623 break; // Exit the loop on the first error
628 static SslPolicyErrors GetErrorsFromChain (X509Chain chain)
630 SslPolicyErrors errors = SslPolicyErrors.None;
631 foreach (var status in chain.ChainStatus) {
632 if (status.Status == X509ChainStatusFlags.NoError)
634 errors |= SslPolicyErrors.RemoteCertificateChainErrors;
640 static X509KeyUsageFlags s_flags = X509KeyUsageFlags.DigitalSignature |
641 X509KeyUsageFlags.KeyAgreement |
642 X509KeyUsageFlags.KeyEncipherment;
643 // Adapted to System 2.0+ from TlsServerCertificate.cs
644 //------------------------------
645 // Note: this method only works for RSA certificates
646 // DH certificates requires some changes - does anyone use one ?
647 static bool CheckCertificateUsage (X509Certificate2 cert)
650 // certificate extensions are required for this
651 // we "must" accept older certificates without proofs
652 if (cert.Version < 3)
655 X509KeyUsageExtension kux = (cert.Extensions ["2.5.29.15"] as X509KeyUsageExtension);
656 X509EnhancedKeyUsageExtension eku = (cert.Extensions ["2.5.29.37"] as X509EnhancedKeyUsageExtension);
657 if (kux != null && eku != null) {
658 // RFC3280 states that when both KeyUsageExtension and
659 // ExtendedKeyUsageExtension are present then BOTH should
661 if ((kux.KeyUsages & s_flags) == 0)
663 return eku.EnhancedKeyUsages ["1.3.6.1.5.5.7.3.1"] != null ||
664 eku.EnhancedKeyUsages ["2.16.840.1.113730.4.1"] != null;
665 } else if (kux != null) {
666 return ((kux.KeyUsages & s_flags) != 0);
667 } else if (eku != null) {
668 // Server Authentication (1.3.6.1.5.5.7.3.1) or
669 // Netscape Server Gated Crypto (2.16.840.1.113730.4)
670 return eku.EnhancedKeyUsages ["1.3.6.1.5.5.7.3.1"] != null ||
671 eku.EnhancedKeyUsages ["2.16.840.1.113730.4.1"] != null;
674 // last chance - try with older (deprecated) Netscape extensions
675 X509Extension ext = cert.Extensions ["2.16.840.1.113730.1.1"];
677 string text = ext.NetscapeCertType (false);
678 return text.IndexOf ("SSL Server Authentication", StringComparison.Ordinal) != -1;
681 } catch (Exception e) {
682 Console.Error.WriteLine ("ERROR processing certificate: {0}", e);
683 Console.Error.WriteLine ("Please, report this problem to the Mono team");
688 // RFC2818 - HTTP Over TLS, Section 3.1
689 // http://www.ietf.org/rfc/rfc2818.txt
691 // 1. if present MUST use subjectAltName dNSName as identity
692 // 1.1. if multiples entries a match of any one is acceptable
693 // 1.2. wildcard * is acceptable
694 // 2. URI may be an IP address -> subjectAltName.iPAddress
695 // 2.1. exact match is required
696 // 3. Use of the most specific Common Name (CN=) in the Subject
697 // 3.1 Existing practice but DEPRECATED
698 static bool CheckServerIdentity (MSX.X509Certificate cert, string targetHost)
701 MSX.X509Extension ext = cert.Extensions ["2.5.29.17"];
704 SubjectAltNameExtension subjectAltName = new SubjectAltNameExtension (ext);
705 // 1.1 - multiple dNSName
706 foreach (string dns in subjectAltName.DNSNames) {
707 // 1.2 TODO - wildcard support
708 if (Match (targetHost, dns))
712 foreach (string ip in subjectAltName.IPAddresses) {
713 // 2.1. Exact match required
714 if (ip == targetHost)
718 // 3. Common Name (CN=)
719 return CheckDomainName (cert.SubjectName, targetHost);
720 } catch (Exception e) {
721 Console.Error.WriteLine ("ERROR processing certificate: {0}", e);
722 Console.Error.WriteLine ("Please, report this problem to the Mono team");
727 static bool CheckDomainName (string subjectName, string targetHost)
729 string domainName = String.Empty;
730 Regex search = new Regex(@"CN\s*=\s*([^,]*)");
731 MatchCollection elements = search.Matches(subjectName);
732 if (elements.Count == 1) {
733 if (elements[0].Success)
734 domainName = elements[0].Groups[1].Value.ToString();
737 return Match (targetHost, domainName);
740 // ensure the pattern is valid wrt to RFC2595 and RFC2818
741 // http://www.ietf.org/rfc/rfc2595.txt
742 // http://www.ietf.org/rfc/rfc2818.txt
743 static bool Match (string hostname, string pattern)
745 // check if this is a pattern
746 int index = pattern.IndexOf ('*');
748 // not a pattern, do a direct case-insensitive comparison
749 return (String.Compare (hostname, pattern, true, CultureInfo.InvariantCulture) == 0);
752 // check pattern validity
753 // A "*" wildcard character MAY be used as the left-most name component in the certificate.
755 // unless this is the last char (valid)
756 if (index != pattern.Length - 1) {
757 // then the next char must be a dot .'.
758 if (pattern [index + 1] != '.')
762 // only one (A) wildcard is supported
763 int i2 = pattern.IndexOf ('*', index + 1);
767 // match the end of the pattern
768 string end = pattern.Substring (index + 1);
769 int length = hostname.Length - end.Length;
770 // no point to check a pattern that is longer than the hostname
774 if (String.Compare (hostname, length, end, 0, end.Length, true, CultureInfo.InvariantCulture) != 0)
777 // special case, we start with the wildcard
779 // ensure we hostname non-matched part (start) doesn't contain a dot
780 int i3 = hostname.IndexOf ('.');
781 return ((i3 == -1) || (i3 >= (hostname.Length - end.Length)));
784 // match the start of the pattern
785 string start = pattern.Substring (0, index);
786 return (String.Compare (hostname, 0, start, 0, start.Length, true, CultureInfo.InvariantCulture) == 0);