From a2b502ffc3bb569bac470f5924ee8bc9627d23cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?=
Date: Thu, 19 Jul 2018 12:50:13 +0200
Subject: Remove trailing dot from hostname input
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes #532

Signed-off-by: Tim Rühsen
---
 src/cli.c             | 11 +++++++----
 src/socket.c          | 21 +++++++++++++--------
 tests/sni-hostname.sh |  3 +++
 3 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/src/cli.c b/src/cli.c
index 42b8e51324..21be015dc8 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -331,9 +331,10 @@ static int cert_verify_callback(gnutls_session_t session)
 		ssh = strictssh;
 	}
 
-	if (HAVE_OPT(VERIFY_HOSTNAME))
+	if (HAVE_OPT(VERIFY_HOSTNAME)) {
 		host = OPT_ARG(VERIFY_HOSTNAME);
-	else
+		canonicalize_host((char *) host, NULL, 0);
+	} else
 		host = hostname;
 
 	/* Save certificate and OCSP response */
@@ -603,8 +604,10 @@ gnutls_session_t init_tls_session(const char *host)
 	 */
 	if (disable_extensions == 0 && disable_sni == 0) {
 		if (HAVE_OPT(SNI_HOSTNAME)) {
-			gnutls_server_name_set(session, GNUTLS_NAME_DNS,
-					       OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME)));
+			const char *sni_host = OPT_ARG(SNI_HOSTNAME);
+
+			canonicalize_host((char *) sni_host, NULL, 0);
+			gnutls_server_name_set(session, GNUTLS_NAME_DNS, sni_host, strlen(sni_host));
 		} else if (host != NULL && is_ip(host) == 0)
 			gnutls_server_name_set(session, GNUTLS_NAME_DNS, host, strlen(host));
 
diff --git a/src/socket.c b/src/socket.c
index 253607e5a8..eacff01b42 100644
--- a/src/socket.c
+++ b/src/socket.c
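Review bot: `canonicalize_host((char *) host, NULL, 0)` casts the const off `host` and rewrites the option argument returned by `OPT_ARG(VERIFY_HOSTNAME)` in place, so every later reader of that option sees the shortened value, and the write is undefined behaviour if the option storage is read-only (the cast suggests `host` is const-qualified, and the option library's storage is not visible here); the init_tls_session hunk does the same to `SNI_HOSTNAME`. Copying the argument into a local array first, e.g. `snprintf(vhost, sizeof vhost, "%s", OPT_ARG(VERIFY_HOSTNAME));` followed by `canonicalize_host(vhost, NULL, 0); host = vhost;`, keeps the option immutable and drops the cast, provided `host` is not retained beyond the callback. cert_verify_callback starts and ends outside the hunk.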
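Review bot: After `canonicalize_host((char *) sni_host, NULL, 0)` everything from the first ':' onwards in the `--sni-hostname` value is silently discarded, because the function truncates there and, with `service` NULL, throws the remainder away without any diagnostic, so `--sni-hostname example.com:443` now sends the SNI `example.com` with no hint to the user that the suffix was dropped. Either reject a ':' in this option with an error, or make the behaviour explicit at the call site with `/* canonicalize_host() also cuts off a ':port' suffix; only the host part is sent as SNI */` and mirror it in the option's help text. init_tls_session continues outside the hunk.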
@@ -401,17 +401,22 @@ void socket_bye(socket_st * socket, unsigned polite)
 void canonicalize_host(char *hostname, char *service, unsigned service_size)
 {
 	char *p;
-	unsigned char buf[64];
 
-	p = strchr(hostname, ':');
-	if (p == NULL)
-		return;
+	if ((p = strchr(hostname, ':'))) {
+		unsigned char buf[64];
 
-	if (inet_pton(AF_INET6, hostname, buf) == 1)
-		return;
+		if (inet_pton(AF_INET6, hostname, buf) == 1)
+			return;
+
+		*p = 0;
+
+		if (service && service_size)
+			snprintf(service, service_size, "%s", p+1);
+	} else
+		p = hostname + strlen(hostname);
 
-	*p = 0;
-	snprintf(service, service_size, "%s", p+1);
+	if (p > hostname && p[-1] == '.')
+		p[-1] = 0; // remove trailing dot on FQDN
 }
 
 static ssize_t
diff --git a/tests/sni-hostname.sh b/tests/sni-hostname.sh
index afc2a0099b..4c5f8d2a94 100755
--- a/tests/sni-hostname.sh
+++ b/tests/sni-hostname.sh
@@ -74,6 +74,9 @@ ${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 ${NOOPTS} --priority "NORMAL" --x509
 ${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname example.com --priority "NORMAL" --x509cafile ${CA1} /dev/null && \
 	fail ${PID} "5. handshake should have failed!"
 
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname example.com. --verify-hostname example.com. --priority "NORMAL" --x509cafile ${CA1} /dev/null || \
+	fail ${PID} "6. handshake should have succeeded!"
+
 kill ${PID}
 wait
 
-- 
cgit v1.2.1
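Review bot: The trailing-dot strip `if (p > hostname && p[-1] == '.')` only requires the name to be non-empty, so an input consisting of just `.` is turned into the empty string, which the callers then hand on as the host to connect to and verify against; requiring at least one character before the dot, `if (p - hostname > 1 && p[-1] == '.')`, avoids producing an empty hostname. The function also deserves a header comment now that its contract has changed: it mutates `hostname` in place, cuts a `:service` suffix off only when the string is not an IPv6 literal, writes `service` only when both `service` and `service_size` are non-zero and leaves it untouched otherwise, and strips a single trailing dot in every non-IPv6 case. Note that a name with two trailing dots keeps one of them, which may or may not be intended.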
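Review bot: Test 6 only shows that a matching name with a trailing dot is accepted; nothing checks that a non-matching dotted name is still rejected once the dot is removed, which is the case that would catch canonicalize_host blanking or over-truncating the value. A negative companion such as `--sni-hostname example.com. --verify-hostname example.org.` ending in `&& fail ${PID} "7. handshake should have failed!"` should pin both sides, assuming the server certificate used here is issued for example.com as test 5 suggests. The script continues outside the hunk.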