author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-10-25 07:05:09 +0000 |
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-10-25 07:05:09 +0000 |
commit | a383b348f7a625a25d0306d36be86ebc706b66f6 (patch) | |
tree | 97839b9bd07a27105d3f59826230deb1dc6602a0 /net | |
parent | 1109bb1d5125583c4f23fb67aad39fd2e2587be4 (diff) | |
Disallow wildcards from matching top-level registry controlled domains during cert validation.
BUG=100442
TEST=net_unittests:X509CertificateNameVerifyTest.*
Review URL: http://codereview.chromium.org/8362023
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@107075 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/x509_certificate.cc | 32 | ||||
-rw-r--r-- | net/base/x509_certificate_unittest.cc | 19 |
2 files changed, 41 insertions, 10 deletions
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index 9158388..451583b 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -27,6 +27,7 @@
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/pem_tokenizer.h"
+#include "net/base/registry_controlled_domain.h"
 namespace net {
@@ -507,17 +508,36 @@ bool X509Certificate::VerifyHostname(
 // |reference_domain| is the remainder of |host| after the leading host
 // component is stripped off, but includes the leading dot e.g.
 // "www.f.com" -> ".f.com".
- // If there is no meaningful domain part to |host| (e.g. it contains no dots)
- // then |reference_domain| will be empty.
+ // If there is no meaningful domain part to |host| (e.g. it contains no
+ // dots) then |reference_domain| will be empty.
 base::StringPiece reference_host, reference_domain;
 SplitOnChar(reference_name, '.', &reference_host, &reference_domain);
 bool allow_wildcards = false;
 if (!reference_domain.empty()) {
 DCHECK(reference_domain.starts_with("."));
- // We required at least 3 components (i.e. 2 dots) as a basic protection
- // against too-broad wild-carding.
- // Also we don't attempt wildcard matching on a purely numerical hostname.
- allow_wildcards = reference_domain.rfind('.') != 0 &&
+
+ // Do not allow wildcards for registry controlled domains, so as to
+ // prevent accepting *.com or *.co.uk as valid presented names. Passing
+ // true for |allow_unknown_registries| so that top-level domains which are
+ // unknown (intranet domains, new TLDs/gTLDs not yet recognized) are
+ // treated as registry-controlled domains. Because the |reference_domain|
+ // must contain at least one name component that is not registry
+ // controlled, this ensures that all reference names have at least three
+ // domain components in order to permit wildcards.
+ size_t registry_length =
+ RegistryControlledDomainService::GetRegistryLength(reference_name,
+ true);
+ // As the |reference_name| was already canonicalized, this should never
+ // happen.
+ CHECK_NE(registry_length, std::string::npos);
+
+ // Subtracting 1 to account for the leading dot in |reference_domain|.
+ bool is_registry_controlled = registry_length != 0 &&
+ registry_length == (reference_domain.size() - 1);
+
+ // Additionally, do not attempt wildcard matching for purely numeric
+ // hostnames.
+ allow_wildcards = !is_registry_controlled &&
 reference_name.find_first_not_of("0123456789.") != std::string::npos;
 }
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 9ba1124..d61750b 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -1298,7 +1298,6 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
 "xn--poema-*.com.br,"
 "xn--*-9qae5a.com.br,"
 "*--poema-9qae5a.com.br" },
- { true, "xn--poema-9qae5a.com.br", "*.com.br" },
 // The following are adapted from the examples quoted from
 // http://tools.ietf.org/html/rfc6125#section-6.4.3
 // (e.g., *.example.com would match foo.example.com but
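Review bot: `is_registry_controlled` is computed as `registry_length != 0 && ...`, so a `registry_length` of 0 makes it false and the name falls through to wildcard matching; the removed `reference_domain.rfind('.') != 0` guard was what stopped two-label names before, and nothing in the new code replaces it for that case. GetRegistryLength's contract is not on this page, but if it returns 0 for a reference name that is itself a registry (e.g. "co.uk") or otherwise has no registry, such a name would now accept a "*.uk"-style presented name, which is exactly the broad wildcard this commit sets out to block — confirm against the header before relying on the `!= 0` test. The safer form treats 0 as "no wildcards" and drops the intermediate flag: `allow_wildcards = registry_length != 0 &&` / `registry_length != (reference_domain.size() - 1) &&` / `reference_name.find_first_not_of("0123456789.") != std::string::npos;`. The new cases in the -1312 hunk of x509_certificate_unittest.cc do not exercise this path; `{ false, "co.uk", "*.uk" },` next to the `{ false, "example.co.uk", "*.co.uk" }` entry would pin it. VerifyHostname begins before and continues after this hunk.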
@@ -1312,12 +1311,21 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
 { true, "baz1.example.net", "baz*.example.net" },
 { true, "foobaz.example.net", "*baz.example.net" },
 { true, "buzz.example.net", "b*z.example.net" },
- // Wildcards should not be valid unless there are at least three name
- // components.
- { true, "h.co.uk", "*.co.uk" },
+ // Wildcards should not be valid for registry-controlled domains, and for
+ // unknown/unrecognized domains, at least three domain components must be
+ // present.
+ { true, "www.test.example", "*.test.example" },
+ { true, "test.example.co.uk", "*.example.co.uk" },
+ { false, "test.example", "*.example" },
+ { false, "example.co.uk", "*.co.uk" },
 { false, "foo.com", "*.com" },
 { false, "foo.us", "*.us" },
 { false, "foo", "*" },
+ // IDN variants of wildcards and registry-controlled domains.
+ { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
+ { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },
+ { false, "xn--poema-9qae5a.com.br", "*.com.br" },
+ { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },
 // Multiple wildcards are not valid.
 { false, "foo.example.com", "*.*.com" },
 { false, "foo.bar.example.com", "*.bar.*.com" },
@@ -1338,6 +1346,9 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
 { false, "example.com.", "*.com" },
 { false, "example.com.", "*.com." },
 { false, "foo.", "*." },
+ { false, "foo", "*." },
+ { false, "foo.co.uk", "*.co.uk." },
+ { false, "foo.co.uk.", "*.co.uk." },
 // IP addresses in common name; IPv4 only.
 { true, "127.0.0.1", "127.0.0.1" },
 { true, "192.168.1.1", "192.168.1.1" },