From: Adam Langley Date: Mon, 23 Feb 2015 23:32:08 +0000 (-0800) Subject: crypto/x509: make behaviour of absolute DNS names match Chromium. X-Git-Tag: go1.5beta1~1905 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=abf8bbb709137c7212704dd0fb777b9c549a5fe1;p=gostls13.git crypto/x509: make behaviour of absolute DNS names match Chromium. Previously, we didn't handle absolute DNS names in certificates the same way as Chromium, and we probably shouldn't diverge from major browsers. Change-Id: I56a3962ad1002f68b5dbd65ae90991b82c2f5629 Reviewed-on: https://go-review.googlesource.com/5692 Reviewed-by: Andrew Gerrand Reviewed-by: Brad Fitzpatrick --- diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go index 7a7db75023..7226d0a8d5 100644 --- a/src/crypto/x509/verify.go +++ b/src/crypto/x509/verify.go @@ -324,6 +324,7 @@ nextIntermediate: func matchHostnames(pattern, host string) bool { host = strings.TrimSuffix(host, ".") + pattern = strings.TrimSuffix(pattern, ".") if len(pattern) == 0 || len(host) == 0 { return false diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go index f3a9f3cdc9..6414488bd7 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -161,7 +161,6 @@ var matchHostnamesTests = []matchHostnamesTest{ {"", "b.b.c", false}, {"a.b.c", "", false}, {"example.com", "example.com", true}, - {"example.com", "example.com.", true}, {"example.com", "www.example.com", false}, {"*.example.com", "example.com", false}, {"*.example.com", "www.example.com", true}, @@ -174,6 +173,13 @@ var matchHostnamesTests = []matchHostnamesTest{ {"", ".", false}, {".", "", false}, {".", ".", false}, + {"example.com", "example.com.", true}, + {"example.com.", "example.com", true}, + {"example.com.", "example.com.", true}, + {"*.com.", "example.com.", true}, + {"*.com.", "example.com", true}, + {"*.com", "example.com", true}, + {"*.com", "example.com.", true}, } func TestMatchHostnames(t *testing.T) {