<div dir="ltr">Updated patch. Do you actually prefer a github pull request?<div><br></div><div>Thanks,</div><div><br></div><div>Nicolas<br><div><br></div><div><br></div><div><br></div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">
diff --git a/src/net/tls.c b/src/net/tls.c
index 5e18f72..3d8544c 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2456,10 +2456,38 @@ static void tls_validator_done ( struct tls_session *tls, int rc ) {
/* Verify server name */
if ( ( cert-><a href="http://subject.name">subject.name</a> == NULL ) ||
( strcmp ( cert-><a href="http://subject.name">subject.name</a>, tls->name ) != 0 ) ) {
- DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
- "%s)\n", tls, tls->name, cert-><a href="http://subject.name">subject.name</a> );
- rc = -EACCES_WRONG_NAME;
- goto err;
+ /* Check for wildcard matching the left-most subdomain */
+ if ( strncmp( cert-><a href="http://subject.name">subject.name</a>, "*.", 2 ) == 0 ) {
+ char *subject = cert-><a href="http://subject.name">subject.name</a> + 1;
+ int subject_len = strlen( subject );
+ int host_len = strlen( tls->name );
+ if ( ( host_len < subject_len ||
+ ( strcmp( tls->name + host_len - subject_len,
+ subject ) ) != 0 ) ) {
+ DBGC ( tls,
+ "TLS %p wildcard server name incorrect "
+ "(%s does not end with %s)\n", tls,
+ tls->name, subject);
+ rc = -EACCES_WRONG_NAME;
+ goto err;
+ }
+
+ /* Check for wildcard spanning multiple components */
+ char *first_dot = strchr( tls->name, '.' );
+ if ( first_dot != tls->name + host_len - subject_len ) {
+ DBGC ( tls, "TLS %p illegal use of wildcard "
+ "(Wildcard in %s spans more than one "
+ "components in %s)\n", tls,
+ cert-><a href="http://subject.name">subject.name</a>, tls->name);
+ rc = -EACCES_WRONG_NAME;
+ goto err;
+ }
+ } else {
+ DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
+ "%s)\n", tls, tls->name, cert-><a href="http://subject.name">subject.name</a> );
+ rc = -EACCES_WRONG_NAME;
+ goto err;
+ }
}
/* Initialise public key algorithm */</pre></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Sep 6, 2013 at 9:35 AM, Michael Brown <span dir="ltr"><<a href="mailto:mbrown@fensystems.co.uk" target="_blank">mbrown@fensystems.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 06/09/13 16:53, Nicolas Sylvain wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
From <a href="http://tools.ietf.org/html/rfc2818" target="_blank">http://tools.ietf.org/html/<u></u>rfc2818</a> I see "<br>
<br>
Names may contain the wildcard character * which is considered to match<br>
any single domain name component or component fragment. E.g., *.<a href="http://a.com" target="_blank">a.com</a><br></div>
<<a href="http://a.com" target="_blank">http://a.com</a>> matches <a href="http://foo.a.com" target="_blank">foo.a.com</a> <<a href="http://foo.a.com" target="_blank">http://foo.a.com</a>> but not<br>
<a href="http://bar.foo.a.com" target="_blank">bar.foo.a.com</a> <<a href="http://bar.foo.a.com" target="_blank">http://bar.foo.a.com</a>>. f*.com matches <a href="http://foo.com" target="_blank">foo.com</a><br>
<<a href="http://foo.com" target="_blank">http://foo.com</a>> but not <a href="http://bar.com" target="_blank">bar.com</a> <<a href="http://bar.com" target="_blank">http://bar.com</a>>.<div class="im"><br>
"<br>
<br>
I'm clearly not an HTTPS expert, but I'm not aware of any more rules. If<br>
it makes sense to you as well I can fix my patch to implement it.<br>
(unless someone else has a better patch already).<br>
</div></blockquote>
<br>
RFC6125 section 6.4.3 seems to have some additional rules. It seems unclear from the RFCs what behaviour is most expected, but it looks as though it would be acceptable (and simple) to allow only a single initial "*.", which should match against only the first component of the name.<span class="HOEnZb"><font color="#888888"><br>
<br>
Michael<br>
</font></span></blockquote></div><br></div>