author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-05-17 09:26:34 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-05-17 09:26:34 +0000 |
commit | d5dd7dd75af62a5dbbea7c671e034765621bdeec (patch) | |
tree | 6b63b2f50e042defda4342b9c40ee55990c13b5c /net/cert/x509_certificate.cc | |
parent | 71e0c305e02ff19777b3cbd6972bf05e5347d81d (diff) | |
Disallow wildcards from matching top-level registry controlled domains during cert validation.
This only disallows wildcards for "ICANN" TLDs/registry controlled domains, and
excludes domains in the "private" registry (such as appspot.com or
s3.amazonaws.com)
BUG=100442
TEST=net_unittests:X509CertificateNameVerifyTest.*, as well as visiting sites
such as https://www.appspot.com continues to work without issue.
Review URL: https://chromiumcodereview.appspot.com/14741019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@200771 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/x509_certificate.cc')
-rw-r--r-- | net/cert/x509_certificate.cc | 36 |
1 files changed, 30 insertions, 6 deletions
diff --git a/net/cert/x509_certificate.cc b/net/cert/x509_certificate.cc
index 1b431ce..d583876 100644
--- a/net/cert/x509_certificate.cc
+++ b/net/cert/x509_certificate.cc
@@ -24,6 +24,7 @@
 #include "base/time.h"
 #include "googleurl/src/url_canon.h"
 #include "net/base/net_util.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cert/pem_tokenizer.h"
 namespace net {
@@ -552,10 +553,35 @@ bool X509Certificate::VerifyHostname(
 bool allow_wildcards = false;
 if (!reference_domain.empty()) {
 DCHECK(reference_domain.starts_with("."));
- // We required at least 3 components (i.e. 2 dots) as a basic protection
- // against too-broad wild-carding.
- // Also we don't attempt wildcard matching on a purely numerical hostname.
- allow_wildcards = reference_domain.rfind('.') != 0 &&
+
+ // Do not allow wildcards for public/ICANN registry controlled domains -
+ // that is, prevent *.com or *.co.uk as valid presented names, but do not
+ // prevent *.appspot.com (a private registry controlled domain).
+ // In addition, unknown top-level domains (such as 'intranet' domains or
+ // new TLDs/gTLDs not yet added to the registry controlled domain dataset)
+ // are also implicitly prevented.
+ // Because |reference_domain| must contain at least one name component that
+ // is not registry controlled, this ensures that all reference domains
+ // contain at least three domain components when using wildcards.
+ size_t registry_length =
+ registry_controlled_domains::GetRegistryLength(
+ reference_name,
+ registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
+ registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
+
+ // Because |reference_name| was already canonicalized, the following
+ // should never happen.
+ CHECK_NE(std::string::npos, registry_length);
+
+ // Account for the leading dot in |reference_domain|.
+ bool is_registry_controlled =
+ registry_length != 0 &&
+ registry_length == (reference_domain.size() - 1);
+
+ // Additionally, do not attempt wildcard matching for purely numeric
+ // hostnames.
+ allow_wildcards =
+ !is_registry_controlled &&
 reference_name.find_first_not_of("0123456789.") != std::string::npos;
 }
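Review bot: The removed `reference_domain.rfind('.') != 0` test was the only guard that did not depend on the registry dataset, and the new `is_registry_controlled` expression treats `registry_length == 0` as "not registry controlled". If GetRegistryLength returns 0 when the host is itself a registry entry (its definition is not on this page, so this needs confirming), a reference name that is a bare public suffix would get `allow_wildcards = true` with a single-label `reference_domain`, which contradicts the comment's claim of at least three components. Keeping the old condition next to the new one closes that case without affecting private registries such as *.appspot.com: `allow_wildcards = !is_registry_controlled && reference_domain.rfind('.') != 0 &&`. VerifyHostname begins and ends outside this hunk, so later matching code may already reject this; a X509CertificateNameVerifyTest case for a hostname equal to a registry entry would settle it.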
@@ -622,13 +648,11 @@ bool X509Certificate::VerifyHostname(
 return false;
 }
-#if !defined(USE_NSS)
 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {
 std::vector<std::string> dns_names, ip_addrs;
 GetSubjectAltName(&dns_names, &ip_addrs);
 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs);
 }
-#endif
 // static
 bool X509Certificate::GetPEMEncoded(OSCertHandle cert_handle, |