summaryrefslogtreecommitdiff
path: root/ext
diff options
context:
space:
mode:
authornagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2015-04-13 13:09:18 +0000
committernagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2015-04-13 13:09:18 +0000
commit599bfa72332cf9dba6fff25dde5b17270c058635 (patch)
tree7cdd38f7430271ff95e3b8aa04283f2f3bf03565 /ext
parentcef3b0a89072b96d7cad9e568778e01172d02c30 (diff)
downloadruby-599bfa72332cf9dba6fff25dde5b17270c058635.tar.gz
* ext/openssl/lib/openssl/ssl.rb: stricter hostname verification
following RFC 6125. with the patch provided by Tony Arcieri and Hiroshi Nakamura [ruby-core:61545] [Bug #9644] * test/openssl/test_ssl.rb: add tests for above. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50292 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext')
-rw-r--r--ext/openssl/lib/openssl/ssl.rb62
1 files changed, 58 insertions, 4 deletions
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index ff1d4efb32..caf0b9ae44 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -143,8 +143,7 @@ module OpenSSL
case san.tag
when 2 # dNSName in GeneralName (RFC5280)
should_verify_common_name = false
- reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
- return true if /\A#{reg}\z/i =~ hostname
+ return true if verify_hostname(hostname, san.value)
when 7 # iPAddress in GeneralName (RFC5280)
should_verify_common_name = false
# follows GENERAL_NAME_print() in x509v3/v3_alt.c
@@ -159,8 +158,7 @@ module OpenSSL
if should_verify_common_name
cert.subject.to_a.each{|oid, value|
if oid == "CN"
- reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
- return true if /\A#{reg}\z/i =~ hostname
+ return true if verify_hostname(hostname, value)
end
}
end
@@ -168,11 +166,67 @@ module OpenSSL
end
module_function :verify_certificate_identity
+ def verify_hostname(hostname, san) # :nodoc:
+ # RFC 5280, IA5String is limited to the set of ASCII characters
+ return false unless san.ascii_only?
+ return false unless hostname.ascii_only?
+
+ # See RFC 6125, section 6.4.1
+ # Matching is case-insensitive.
+ san_parts = san.downcase.split(".")
+
+ # TODO: this behavior should probably be more strict
+ return san == hostname if san_parts.size < 2
+
+ # Matching is case-insensitive.
+ host_parts = hostname.downcase.split(".")
+
+ # RFC 6125, section 6.4.3, subitem 2.
+ # If the wildcard character is the only character of the left-most
+ # label in the presented identifier, the client SHOULD NOT compare
+ # against anything but the left-most label of the reference
+ # identifier (e.g., *.example.com would match foo.example.com but
+ # not bar.foo.example.com or example.com).
+ return false unless san_parts.size == host_parts.size
+
+ # RFC 6125, section 6.4.3, subitem 1.
+ # The client SHOULD NOT attempt to match a presented identifier in
+ # which the wildcard character comprises a label other than the
+ # left-most label (e.g., do not match bar.*.example.net).
+ return false unless verify_wildcard(host_parts.shift, san_parts.shift)
+
+ san_parts.join(".") == host_parts.join(".")
+ end
+ module_function :verify_hostname
+
+ def verify_wildcard(domain_component, san_component) # :nodoc:
+ parts = san_component.split("*", -1)
+
+ return false if parts.size > 2
+ return san_component == domain_component if parts.size == 1
+
+ # RFC 6125, section 6.4.3, subitem 3.
+ # The client SHOULD NOT attempt to match a presented identifier
+ # where the wildcard character is embedded within an A-label or
+ # U-label of an internationalized domain name.
+ return false if domain_component.start_with?("xn--") && san_component != "*"
+
+ parts[0].length + parts[1].length < domain_component.length &&
+ domain_component.start_with?(parts[0]) &&
+ domain_component.end_with?(parts[1])
+ end
+ module_function :verify_wildcard
+
class SSLSocket
include Buffering
include SocketForwarder
include Nonblock
+ ##
+ # Perform hostname verification after an SSL connection is established
+ #
+ # This method MUST be called after calling #connect to ensure that the
+ # hostname of a remote peer has been verified.
def post_connection_check(hostname)
unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"