diff options
| author | Toshio Kuratomi <toshio@fedoraproject.org> | 2013-10-28 10:35:37 -0700 | 
|---|---|---|
| committer | Toshio Kuratomi <toshio@fedoraproject.org> | 2013-10-28 12:42:02 -0700 | 
| commit | 38fcb3e366ee7a21ff5f0f550fe190b1326fc04b (patch) | |
| tree | d672c63421f21669976e6a277ebd05e822ac748a /setuptools/ssl_support.py | |
| parent | 1e0a9fb4a7f76e45970d11955caf5a1e5eb1db47 (diff) | |
| download | python-setuptools-git-38fcb3e366ee7a21ff5f0f550fe190b1326fc04b.tar.gz | |
Update ssl_match_hostname to match new stdlib code that fixes a security issue with IDNA domains.
Diffstat (limited to 'setuptools/ssl_support.py')
| -rw-r--r-- | setuptools/ssl_support.py | 76 | 
1 files changed, 54 insertions, 22 deletions
| diff --git a/setuptools/ssl_support.py b/setuptools/ssl_support.py index 90359b2c..4941d94e 100644 --- a/setuptools/ssl_support.py +++ b/setuptools/ssl_support.py @@ -88,30 +88,62 @@ except ImportError:      class CertificateError(ValueError):          pass -    def _dnsname_to_pat(dn, max_wildcards=1): +    def _dnsname_match(dn, hostname, max_wildcards=1): +        """Matching according to RFC 6125, section 6.4.3 + +        http://tools.ietf.org/html/rfc6125#section-6.4.3 +        """          pats = [] -        for frag in dn.split(r'.'): -            if frag.count('*') > max_wildcards: -                # Issue #17980: avoid denials of service by refusing more -                # than one wildcard per fragment.  A survery of established -                # policy among SSL implementations showed it to be a -                # reasonable choice. -                raise CertificateError( -                    "too many wildcards in certificate DNS name: " + repr(dn)) -            if frag == '*': -                # When '*' is a fragment by itself, it matches a non-empty dotless -                # fragment. -                pats.append('[^.]+') -            else: -                # Otherwise, '*' matches any dotless fragment. -                frag = re.escape(frag) -                pats.append(frag.replace(r'\*', '[^.]*')) -        return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) +        if not dn: +            return False + +        # Ported from python3-syntax: +        # leftmost, *remainder = dn.split(r'.') +        parts = dn.split(r'.') +        leftmost = parts[0] +        remainder = parts[1:] + +        wildcards = leftmost.count('*') +        if wildcards > max_wildcards: +            # Issue #17980: avoid denials of service by refusing more +            # than one wildcard per fragment.  A survey of established +            # policy among SSL implementations showed it to be a +            # reasonable choice. +            raise CertificateError( +                "too many wildcards in certificate DNS name: " + repr(dn)) + +        # speed up common case w/o wildcards +        if not wildcards: +            return dn.lower() == hostname.lower() + +        # RFC 6125, section 6.4.3, subitem 1. +        # The client SHOULD NOT attempt to match a presented identifier in which +        # the wildcard character comprises a label other than the left-most label. +        if leftmost == '*': +            # When '*' is a fragment by itself, it matches a non-empty dotless +            # fragment. +            pats.append('[^.]+') +        elif leftmost.startswith('xn--') or hostname.startswith('xn--'): +            # RFC 6125, section 6.4.3, subitem 3. +            # The client SHOULD NOT attempt to match a presented identifier +            # where the wildcard character is embedded within an A-label or +            # U-label of an internationalized domain name. +            pats.append(re.escape(leftmost)) +        else: +            # Otherwise, '*' matches any dotless string, e.g. www* +            pats.append(re.escape(leftmost).replace(r'\*', '[^.]*')) + +        # add the remaining fragments, ignore any wildcards +        for frag in remainder: +            pats.append(re.escape(frag)) + +        pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) +        return pat.match(hostname)      def match_hostname(cert, hostname):          """Verify that *cert* (in decoded format as returned by -        SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 rules -        are mostly followed, but IP addresses are not accepted for *hostname*. +        SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125 +        rules are followed, but IP addresses are not accepted for *hostname*.          CertificateError is raised on failure. On success, the function          returns nothing. @@ -122,7 +154,7 @@ except ImportError:          san = cert.get('subjectAltName', ())          for key, value in san:              if key == 'DNS': -                if _dnsname_to_pat(value).match(hostname): +                if _dnsname_match(value, hostname):                      return                  dnsnames.append(value)          if not dnsnames: @@ -133,7 +165,7 @@ except ImportError:                      # XXX according to RFC 2818, the most specific Common Name                      # must be used.                      if key == 'commonName': -                        if _dnsname_to_pat(value).match(hostname): +                        if _dnsname_match(value, hostname):                              return                          dnsnames.append(value)          if len(dnsnames) > 1: | 
