]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6dd3166)
crypto/x509: allow matchHostnames to work with absolute domain names
authorrubyist <scott.barron@github.com>
Tue, 10 Feb 2015 15:24:01 +0000 (10:24 -0500)
committerAdam Langley <agl@golang.org>
Wed, 11 Feb 2015 01:20:35 +0000 (01:20 +0000)
If an absolute domain name (i.e. ends in a '.' like "example.com.") is used
with ssl/tls, the certificate will be reported as invalid. In matchHostnames,
the host and patterns are split on '.' and if the lengths of the resulting
slices do not match, the function returns false. When splitting an absolute
domain name on '.', the slice will have an extra empty string at the end. This
empty string should be discarded before comparison, if present.

Fixes #9828

Change-Id: I0e39674b44a6f93b5024497e76cf1b550832a61d
Reviewed-on: https://go-review.googlesource.com/4380
Reviewed-by: Adam Langley <agl@golang.org>
TryBot: Adam Langley <agl@golang.org>

src/crypto/x509/verify.go patch | blob | history
src/crypto/x509/x509_test.go patch | blob | history

diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index ec1981423dba5af2c535bfd6199010bc7c8c63a8..0181f140fa53563dce6bae831eca1f1d4d0bb499 100644 (file)
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -323,6 +323,8 @@ nextIntermediate:
 }
 
 func matchHostnames(pattern, host string) bool {
+       host = strings.TrimSuffix(host, ".")
+
        if len(pattern) == 0 || len(host) == 0 {
                return false
        }
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index bd7cbed8a27848621cbe3bf664a65e4b7626cf54..45d49ce3e37a15a423ee5e151964a7a2e09f0195 100644 (file)
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -161,11 +161,16 @@ var matchHostnamesTests = []matchHostnamesTest{
        {"", "b.b.c", false},
        {"a.b.c", "", false},
        {"example.com", "example.com", true},
+       {"example.com", "example.com.", true},
        {"example.com", "www.example.com", false},
        {"*.example.com", "www.example.com", true},
+       {"*.example.com", "www.example.com.", true},
        {"*.example.com", "xyz.www.example.com", false},
        {"*.*.example.com", "xyz.www.example.com", true},
        {"*.www.*.com", "xyz.www.example.com", true},
+       {"", ".", false},
+       {".", "", false},
+       {".", ".", false},
 }
 
 func TestMatchHostnames(t *testing.T) {
Go GOST TLS 1.3