[ipxe-devel] Wildcard HTTPS cert support.

Sun Sep 8 01:35:29 UTC 2013

Updated patch.  Do you actually prefer a github pull request?

Thanks,

Nicolas

diff --git a/src/net/tls.c b/src/net/tls.c
index 5e18f72..3d8544c 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2456,10 +2456,38 @@ static void tls_validator_done ( struct
tls_session *tls, int rc ) {
 	/* Verify server name */
 	if ( ( cert->subject.name == NULL ) ||
 	     ( strcmp ( cert->subject.name, tls->name ) != 0 ) ) {
-		DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
-		       "%s)\n", tls, tls->name, cert->subject.name );
-		rc = -EACCES_WRONG_NAME;
-		goto err;
+		/* Check for wildcard matching the left-most subdomain */
+		if ( strncmp( cert->subject.name, "*.", 2 ) == 0 ) {
+			char *subject = cert->subject.name + 1;
+			int subject_len = strlen( subject );
+			int host_len = strlen( tls->name );
+			if ( ( host_len < subject_len ||
+			     ( strcmp( tls->name + host_len - subject_len,
+			               subject ) ) != 0 ) ) {
+				DBGC ( tls,
+				       "TLS %p wildcard server name incorrect "
+				       "(%s does not end with %s)\n", tls,
+				       tls->name, subject);
+				rc = -EACCES_WRONG_NAME;
+				goto err;
+			}
+
+			/* Check for wildcard spanning multiple components */
+			char *first_dot = strchr( tls->name, '.' );
+			if ( first_dot != tls->name + host_len - subject_len ) {
+                                DBGC ( tls, "TLS %p illegal use of wildcard "
+                                       "(Wildcard in %s spans more than one "
+				       "components in %s)\n", tls,
+				       cert->subject.name, tls->name);
+                                rc = -EACCES_WRONG_NAME;
+                                goto err;
+			}
+		} else {
+			DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
+			       "%s)\n", tls, tls->name, cert->subject.name );
+			rc = -EACCES_WRONG_NAME;
+			goto err;
+                }
 	}

 	/* Initialise public key algorithm */



On Fri, Sep 6, 2013 at 9:35 AM, Michael Brown <mbrown at fensystems.co.uk>wrote:

> On 06/09/13 16:53, Nicolas Sylvain wrote:
>
>>  From http://tools.ietf.org/html/**rfc2818<http://tools.ietf.org/html/rfc2818>I see "
>>
>> Names may contain the wildcard character * which is considered to match
>> any single domain name component or component fragment. E.g., *.a.com
>> <http://a.com> matches foo.a.com <http://foo.a.com> but not
>> bar.foo.a.com <http://bar.foo.a.com>. f*.com matches foo.com
>> <http://foo.com> but not bar.com <http://bar.com>.
>>
>> "
>>
>> I'm clearly not an HTTPS expert, but I'm not aware of any more rules. If
>> it makes sense to you as well I can fix my patch to implement it.
>> (unless someone else has a better patch already).
>>
>
> RFC6125 section 6.4.3 seems to have some additional rules.  It seems
> unclear from the RFCs what behaviour is most expected, but it looks as
> though it would be acceptable (and simple) to allow only a single initial
> "*.", which should match against only the first component of the name.
>
> Michael
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20130907/9c873864/attachment.htm>
