From: Adam Langley <agl@golang.org>
Date: Mon, 23 Feb 2015 23:11:39 +0000 (-0800)
Subject: crypto/x509: allow wildcards only as the first label.
X-Git-Tag: go1.5beta1~1906
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=e7fae6854008c163ba83e2eac52ae9f12003a9a9;p=gostls13.git

crypto/x509: allow wildcards only as the first label.

RFC 6125 now specifies that wildcards are only allowed for the leftmost
label in a pattern: https://tools.ietf.org/html/rfc6125#section-6.4.3.

This change updates Go to match the behaviour of major browsers in this
respect.

Fixes #9834.

Change-Id: I37c10a35177133624568f2e0cf2767533926b04a
Reviewed-on: https://go-review.googlesource.com/5691
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---

diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 0181f140fa..7a7db75023 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -337,7 +337,7 @@ func matchHostnames(pattern, host string) bool {
 	}
 
 	for i, patternPart := range patternParts {
-		if patternPart == "*" {
+		if i == 0 && patternPart == "*" {
 			continue
 		}
 		if patternPart != hostParts[i] {
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 011a84c07a..f3a9f3cdc9 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -163,11 +163,14 @@ var matchHostnamesTests = []matchHostnamesTest{
 	{"example.com", "example.com", true},
 	{"example.com", "example.com.", true},
 	{"example.com", "www.example.com", false},
+	{"*.example.com", "example.com", false},
 	{"*.example.com", "www.example.com", true},
 	{"*.example.com", "www.example.com.", true},
 	{"*.example.com", "xyz.www.example.com", false},
-	{"*.*.example.com", "xyz.www.example.com", true},
-	{"*.www.*.com", "xyz.www.example.com", true},
+	{"*.*.example.com", "xyz.www.example.com", false},
+	{"*.www.*.com", "xyz.www.example.com", false},
+	{"*bar.example.com", "foobar.example.com", false},
+	{"f*.example.com", "foobar.example.com", false},
 	{"", ".", false},
 	{".", "", false},
 	{".", ".", false},
@@ -177,7 +180,7 @@ func TestMatchHostnames(t *testing.T) {
 	for i, test := range matchHostnamesTests {
 		r := matchHostnames(test.pattern, test.host)
 		if r != test.ok {
-			t.Errorf("#%d mismatch got: %t want: %t", i, r, test.ok)
+			t.Errorf("#%d mismatch got: %t want: %t when matching '%s' against '%s'", i, r, test.ok, test.host, test.pattern)
 		}
 	}
 }