crypto/x509: don't match bare wildcard
authorRoland Shoemaker <roland@golang.org>
Mon, 13 May 2024 20:20:37 +0000 (13:20 -0700)
committerGopher Robot <gobot@golang.org>
Wed, 22 May 2024 22:58:39 +0000 (22:58 +0000)
When verifying the name "test", a SAN with a bare wildcard ("*") should
not constitute a match.

Updates #65085

Change-Id: I02151761e2f29f3e358708a3f723af32b0d79288
Reviewed-on: https://go-review.googlesource.com/c/go/+/585076
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

src/crypto/x509/verify.go
src/crypto/x509/verify_test.go

index ba972ae244f04b825c476ba1c38e44df12cbdaa4..7170087287644e76f9180993637d855fcce74d84 100644 (file)
@@ -984,6 +984,11 @@ func validHostname(host string, isPattern bool) bool {
        if len(host) == 0 {
                return false
        }
+       if host == "*" {
+               // Bare wildcards are not allowed, they are not valid DNS names,
+               // nor are they allowed per RFC 6125.
+               return false
+       }
 
        for i, part := range strings.Split(host, ".") {
                if part == "" {
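Review bot: The new guard at the top of validHostname silently rejects "*" for both the isPattern and non-pattern callers, but nothing says what a SAN of "*" now does downstream: if VerifyHostname falls back to an exact comparison for names that fail the pattern check (it appears to, but that code is outside this hunk), a "*" SAN would still match a requested name of literally "*" and nothing else. Worth stating that in the comment so the next reader does not assume the SAN becomes entirely inert, e.g. `// Bare wildcards are not allowed: "*" is not a valid DNS name and RFC 6125 does not permit a wildcard as the only label. A SAN of "*" therefore never matches as a pattern; the caller's exact-match fallback, if any, still applies.` The loop below already special-cases `isPattern && i == 0 && part == "*"` for the leading label, so a maintainer may wonder why the bare case is not folded in there; a one-line note that the loop cannot tell whether more labels follow would justify the separate check. validHostname's body continues past the end of the hunk.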
index 8a7a5f6e2c6d457191afdb733af496d323268d64..ca330cac80977c7e1795b6145aecafd12ff278d8 100644 (file)
@@ -2811,3 +2811,29 @@ func TestVerifyNilPubKey(t *testing.T) {
                t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{})
        }
 }
+
+func TestVerifyBareWildcard(t *testing.T) {
+       k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+       if err != nil {
+               t.Fatalf("failed to generate key: %s", err)
+       }
+       tmpl := &Certificate{
+               SerialNumber: big.NewInt(1),
+               Subject:      pkix.Name{CommonName: "test"},
+               NotBefore:    time.Now().Add(-time.Hour),
+               NotAfter:     time.Now().Add(time.Hour),
+               DNSNames:     []string{"*"},
+       }
+       cDER, err := CreateCertificate(rand.Reader, tmpl, tmpl, k.Public(), k)
+       if err != nil {
+               t.Fatalf("failed to create certificate: %s", err)
+       }
+       c, err := ParseCertificate(cDER)
+       if err != nil {
+               t.Fatalf("failed to parse certificate: %s", err)
+       }
+
+       if err := c.VerifyHostname("label"); err == nil {
+               t.Fatalf("VerifyHostname unexpected success with bare wildcard SAN")
+       }
+}
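Review bot: The final assertion only checks that VerifyHostname returned some error, so the test would also pass if the call failed for an unrelated reason (a malformed certificate, a validity-window problem) rather than because the bare wildcard was rejected. Pin the error type so the test fails loudly if the rejection path regresses: `var herr HostnameError` / `if err := c.VerifyHostname("label"); !errors.As(err, &herr) { t.Fatalf("VerifyHostname: got %v, want HostnameError", err) }`. It would also be cheap to cover a multi-label name such as "a.label" in the same test, since the old code matched "*" against single labels only and a reader cannot tell from this test alone which shape was the bug. Minor style point: `t.Fatalf` on the last assertion has no format arguments and should be `t.Fatal`.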