Clean up 1.0.1 hostname verification
This commit is contained in:
Steven Fackler
parent
1867cf3ace
commit
34d700309c
|
|
@ -95,7 +95,7 @@ mod compat {
|
|||
mod tests {
|
||||
use dh::Dh;
|
||||
use bn::BigNum;
|
||||
use ssl::{SslMethod, SslContext};
|
||||
use ssl::{SslContext, SslMethod};
|
||||
|
||||
#[test]
|
||||
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||
|
|
@ -113,30 +113,23 @@ mod tests {
|
|||
fn test_dh() {
|
||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||
let p = BigNum::from_hex_str(
|
||||
"87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435\
|
||||
E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF429\
|
||||
6D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C02\
|
||||
2E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF1230\
|
||||
7F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9\
|
||||
A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251C\
|
||||
CACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE\
|
||||
621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D227\
|
||||
6E11715F693877FAD7EF09CADB094AE91E1A1597",
|
||||
"87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF\
|
||||
4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B47\
|
||||
58C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B6\
|
||||
3ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5\
|
||||
140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710\
|
||||
C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597",
|
||||
).unwrap();
|
||||
let g = BigNum::from_hex_str(
|
||||
"3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0\
|
||||
BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773\
|
||||
BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2D\
|
||||
DF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428E\
|
||||
BC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BF\
|
||||
FE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7\
|
||||
D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92\
|
||||
B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148\
|
||||
D47954515E2327CFEF98C582664B4C0F6CC41659",
|
||||
"3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED\
|
||||
4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A\
|
||||
57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5\
|
||||
045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E\
|
||||
052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67E\
|
||||
B6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659",
|
||||
).unwrap();
|
||||
let q = BigNum::from_hex_str(
|
||||
"8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F\
|
||||
5FBD3",
|
||||
"8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3",
|
||||
).unwrap();
|
||||
let dh = Dh::from_params(p, g, q).unwrap();
|
||||
ctx.set_tmp_dh(&dh).unwrap();
|
||||
|
|
|
|||
|
|
@ -75,7 +75,7 @@ impl Pkcs12 {
|
|||
ffi::init();
|
||||
|
||||
Pkcs12Builder {
|
||||
nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC,
|
||||
nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC,
|
||||
nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC,
|
||||
iter: ffi::PKCS12_DEFAULT_ITER,
|
||||
mac_iter: ffi::PKCS12_DEFAULT_ITER,
|
||||
|
|
@ -147,16 +147,17 @@ impl Pkcs12Builder {
|
|||
password: &str,
|
||||
friendly_name: &str,
|
||||
pkey: &PKeyRef,
|
||||
cert: &X509,
|
||||
cert: &X509, // FIXME X509Ref
|
||||
) -> Result<Pkcs12, ErrorStack> {
|
||||
unsafe {
|
||||
let pass = CString::new(password).unwrap();
|
||||
let friendly_name = CString::new(friendly_name).unwrap();
|
||||
let pkey = pkey.as_ptr();
|
||||
let cert = cert.as_ptr();
|
||||
let ca = self.ca.as_ref().map(|ca| ca.as_ptr()).unwrap_or(
|
||||
ptr::null_mut(),
|
||||
);
|
||||
let ca = self.ca
|
||||
.as_ref()
|
||||
.map(|ca| ca.as_ptr())
|
||||
.unwrap_or(ptr::null_mut());
|
||||
let nid_key = self.nid_key.as_raw();
|
||||
let nid_cert = self.nid_cert.as_raw();
|
||||
|
||||
|
|
|
|||
|
|
@ -494,7 +494,7 @@ mod verify {
|
|||
}
|
||||
Err(_) => {
|
||||
if let Some(pattern) = name.dnsname() {
|
||||
if matches_dns(pattern, domain, false) {
|
||||
if matches_dns(pattern, domain) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
@ -506,26 +506,25 @@ mod verify {
|
|||
}
|
||||
|
||||
fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool {
|
||||
if let Some(pattern) = subject_name.entries_by_nid(nid::COMMONNAME).next() {
|
||||
let pattern = match str::from_utf8(pattern.data().as_slice()) {
|
||||
Ok(pattern) => pattern,
|
||||
Err(_) => return false,
|
||||
};
|
||||
match subject_name.entries_by_nid(nid::COMMONNAME).next() {
|
||||
Some(pattern) => {
|
||||
let pattern = match str::from_utf8(pattern.data().as_slice()) {
|
||||
Ok(pattern) => pattern,
|
||||
Err(_) => return false,
|
||||
};
|
||||
|
||||
// Unlike with SANs, IP addresses in the subject name don't have a
|
||||
// different encoding. We need to pass this down to matches_dns to
|
||||
// disallow wildcard matches with bogus patterns like *.0.0.1
|
||||
let is_ip = domain.parse::<IpAddr>().is_ok();
|
||||
|
||||
if matches_dns(&pattern, domain, is_ip) {
|
||||
return true;
|
||||
// Unlike SANs, IP addresses in the subject name don't have a
|
||||
// different encoding.
|
||||
match domain.parse::<IpAddr>() {
|
||||
Ok(ip) => pattern.parse::<IpAddr>().ok().map_or(false, |pattern| pattern == ip),
|
||||
Err(_) => matches_dns(pattern, domain),
|
||||
}
|
||||
}
|
||||
None => false,
|
||||
}
|
||||
|
||||
false
|
||||
}
|
||||
|
||||
fn matches_dns(mut pattern: &str, mut hostname: &str, is_ip: bool) -> bool {
|
||||
fn matches_dns(mut pattern: &str, mut hostname: &str) -> bool {
|
||||
// first strip trailing . off of pattern and hostname to normalize
|
||||
if pattern.ends_with('.') {
|
||||
pattern = &pattern[..pattern.len() - 1];
|
||||
|
|
@ -534,12 +533,12 @@ mod verify {
|
|||
hostname = &hostname[..hostname.len() - 1];
|
||||
}
|
||||
|
||||
matches_wildcard(pattern, hostname, is_ip).unwrap_or_else(|| pattern == hostname)
|
||||
matches_wildcard(pattern, hostname).unwrap_or_else(|| pattern == hostname)
|
||||
}
|
||||
|
||||
fn matches_wildcard(pattern: &str, hostname: &str, is_ip: bool) -> Option<bool> {
|
||||
// IP addresses and internationalized domains can't involved in wildcards
|
||||
if is_ip || pattern.starts_with("xn--") {
|
||||
fn matches_wildcard(pattern: &str, hostname: &str) -> Option<bool> {
|
||||
// internationalized domains can't involved in wildcards
|
||||
if pattern.starts_with("xn--") {
|
||||
return None;
|
||||
}
|
||||
|
||||
|
|
@ -601,22 +600,9 @@ mod verify {
|
|||
}
|
||||
|
||||
fn matches_ip(expected: &IpAddr, actual: &[u8]) -> bool {
|
||||
match (expected, actual.len()) {
|
||||
(&IpAddr::V4(ref addr), 4) => actual == addr.octets(),
|
||||
(&IpAddr::V6(ref addr), 16) => {
|
||||
let segments = [
|
||||
((actual[0] as u16) << 8) | actual[1] as u16,
|
||||
((actual[2] as u16) << 8) | actual[3] as u16,
|
||||
((actual[4] as u16) << 8) | actual[5] as u16,
|
||||
((actual[6] as u16) << 8) | actual[7] as u16,
|
||||
((actual[8] as u16) << 8) | actual[9] as u16,
|
||||
((actual[10] as u16) << 8) | actual[11] as u16,
|
||||
((actual[12] as u16) << 8) | actual[13] as u16,
|
||||
((actual[14] as u16) << 8) | actual[15] as u16,
|
||||
];
|
||||
segments == addr.segments()
|
||||
}
|
||||
_ => false,
|
||||
match *expected {
|
||||
IpAddr::V4(ref addr) => actual == addr.octets(),
|
||||
IpAddr::V6(ref addr) => actual == addr.octets(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue