crypto/x509: allow wildcards only as the first label.
authorAdam Langley <agl@golang.org>
Mon, 23 Feb 2015 23:11:39 +0000 (15:11 -0800)
committerAdam Langley <agl@golang.org>
Tue, 24 Feb 2015 19:45:34 +0000 (19:45 +0000)
RFC 6125 now specifies that wildcards are only allowed for the leftmost
label in a pattern: https://tools.ietf.org/html/rfc6125#section-6.4.3.

This change updates Go to match the behaviour of major browsers in this
respect.

Fixes #9834.

Change-Id: I37c10a35177133624568f2e0cf2767533926b04a
Reviewed-on: https://go-review.googlesource.com/5691
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/crypto/x509/verify.go
src/crypto/x509/x509_test.go

index 0181f140fa53563dce6bae831eca1f1d4d0bb499..7a7db750232dc4516cd8e963b3bf5711340fabd9 100644 (file)
@@ -337,7 +337,7 @@ func matchHostnames(pattern, host string) bool {
        }
 
        for i, patternPart := range patternParts {
-               if patternPart == "*" {
+               if i == 0 && patternPart == "*" {
                        continue
                }
                if patternPart != hostParts[i] {
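Review bot: The wildcard branch `if i == 0 && patternPart == "*" {` continues without looking at `hostParts[0]`, so a host with an empty leftmost label (for example `.example.com`) would still match `*.example.com` unless code above the hunk already rejects empty labels. Tightening the condition to `if i == 0 && patternPart == "*" && hostParts[0] != "" {` lets the wildcard stand only for a non-empty label; an empty label then falls through to the string comparison and is rejected. A short comment such as `// RFC 6125, section 6.4.3: "*" is honoured only as the complete leftmost label.` would record why the index is checked. matchHostnames starts and ends outside this hunk, so the splitting and length checks are not visible here.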
index 011a84c07a2ecac563b05b53c96bec641c929502..f3a9f3cdc9497ea31eb9c3a898d0b4a0ef911584 100644 (file)
@@ -163,11 +163,14 @@ var matchHostnamesTests = []matchHostnamesTest{
        {"example.com", "example.com", true},
        {"example.com", "example.com.", true},
        {"example.com", "www.example.com", false},
+       {"*.example.com", "example.com", false},
        {"*.example.com", "www.example.com", true},
        {"*.example.com", "www.example.com.", true},
        {"*.example.com", "xyz.www.example.com", false},
-       {"*.*.example.com", "xyz.www.example.com", true},
-       {"*.www.*.com", "xyz.www.example.com", true},
+       {"*.*.example.com", "xyz.www.example.com", false},
+       {"*.www.*.com", "xyz.www.example.com", false},
+       {"*bar.example.com", "foobar.example.com", false},
+       {"f*.example.com", "foobar.example.com", false},
        {"", ".", false},
        {".", "", false},
        {".", ".", false},
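Review bot: The new rows cover wildcards in non-leftmost and partial labels, but the table still has no case for a wildcard with little or nothing fixed to its right, such as a bare `*` pattern or `*.com`. It also has no case for a host whose first label is empty. Adding one row for each, with the expected value the project decides on, would pin the policy down so a later refactor of matchHostnames cannot change it silently. The table begins before the hunk and continues after it, so such rows may already exist outside the visible lines.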
@@ -177,7 +180,7 @@ func TestMatchHostnames(t *testing.T) {
        for i, test := range matchHostnamesTests {
                r := matchHostnames(test.pattern, test.host)
                if r != test.ok {
-                       t.Errorf("#%d mismatch got: %t want: %t", i, r, test.ok)
+                       t.Errorf("#%d mismatch got: %t want: %t when matching '%s' against '%s'", i, r, test.ok, test.host, test.pattern)
                }
        }
 }
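Review bot: The extended failure message wraps the host and pattern in `'%s'`, which is hard to read for the table's edge cases (`""`, `"."`, names with a trailing dot) and does not escape unusual bytes. Using `%q` would show the values unambiguously: `t.Errorf("#%d mismatch got: %t want: %t when matching %q against %q", i, r, test.ok, test.host, test.pattern)`.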