[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Viktor Dukhovni
viktor at openssl.org
Fri Jan 15 19:49:11 UTC 2016
The branch OpenSSL_1_0_2-stable has been updated
via 15debc128ac13420a4eec9b4a66d72f1dfd69126 (commit)
from e254d12c439c3e50dfccc98e3414c3e1849792f5 (commit)
- Log -----------------------------------------------------------------
commit 15debc128ac13420a4eec9b4a66d72f1dfd69126
Author: Zi Lin <zi at cloudflare.com>
Date: Fri Jan 15 13:19:42 2016 -0500
NGX-2040 - fix wildcard match on punycode/IDNA DNS names
- bugfix: should not treat '--' as invalid domain substring.
- '-' should not be the first letter of a domain
Signed-off-by: Viktor Dukhovni <viktor at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509v3/v3_utl.c | 3 ++-
crypto/x509v3/v3nametest.c | 10 ++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 4d1ecc5..43b9cb9 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -841,7 +841,8 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len,
state = LABEL_START;
++dots;
} else if (p[i] == '-') {
- if ((state & LABEL_HYPHEN) != 0)
+ /* no domain/subdomain starts with '-' */
+ if ((state & LABEL_START) != 0)
return NULL;
state |= LABEL_HYPHEN;
} else
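Review bot: The new comment in the '-' branch says "domain/subdomain", but the check is applied per label, and it does not record why the old LABEL_HYPHEN test was dropped. A wording such as `/* A label must not begin with '-'; consecutive hyphens are allowed so that "xn--" A-labels still validate. */` would keep a later reader from re-adding the double-hyphen rejection and breaking IDNA wildcard matching again. LABEL_HYPHEN is still set on the following line, presumably so that the '.' branch can reject a label ending in '-', but that check lies outside this hunk and should be confirmed there. valid_star begins and ends outside the hunk.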
diff --git a/crypto/x509v3/v3nametest.c b/crypto/x509v3/v3nametest.c
index 7b5c1c8..ac5c9ff 100644
--- a/crypto/x509v3/v3nametest.c
+++ b/crypto/x509v3/v3nametest.c
@@ -6,12 +6,16 @@
static const char *const names[] = {
"a", "b", ".", "*", "@",
".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",
+ "-example.com", "example-.com",
"@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
"*@example.com", "test@*.example.com", "example.com", "www.example.com",
"test.www.example.com", "*.example.com", "*.www.example.com",
"test.*.example.com", "www.*.com",
".www.example.com", "*www.example.com",
"example.net", "xn--rger-koa.example.com",
+ "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com",
+ "*.good--example.com", "www.good--example.com",
+ "*.xn--bar.com", "xn--foo.xn--bar.com",
"a.example.com", "b.example.com",
"postmaster at example.com", "Postmaster at example.com",
"postmaster at EXAMPLE.COM",
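Review bot: The two negative names added to names[], "-example.com" and "example-.com", contain no '*', so they may not exercise the new LABEL_START rejection in a way that distinguishes it from a plain string comparison. Adding `"*.-example.com", "www.-example.com",` and `"*.example-.com", "www.example-.com",` with no corresponding entries in exceptions[] would pin that a wildcard pattern with a leading or trailing hyphen in a label is not honoured as a wildcard. This assumes that any pair of different names not listed in exceptions[] is expected not to match; the test driver is outside this page, so confirm that there. names[] continues past the end of the hunk.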
@@ -27,6 +31,9 @@ static const char *const exceptions[] = {
"set CN: host: [*.www.example.com] matches [.www.example.com]",
"set CN: host: [*www.example.com] matches [www.example.com]",
"set CN: host: [test.www.example.com] matches [.www.example.com]",
+ "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
+ "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
+ "set CN: host: [*.good--example.com] matches [www.good--example.com]",
"set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
"set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
"set emailAddress: email: [postmaster at example.com] does not match [Postmaster at example.com]",
@@ -43,6 +50,9 @@ static const char *const exceptions[] = {
"set dnsName: host: [*.www.example.com] matches [.www.example.com]",
"set dnsName: host: [*www.example.com] matches [www.example.com]",
"set dnsName: host: [test.www.example.com] matches [.www.example.com]",
+ "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
+ "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
+ "set dnsName: host: [*.good--example.com] matches [www.good--example.com]",
"set rfc822Name: email: [postmaster at example.com] does not match [Postmaster at example.com]",
"set rfc822Name: email: [Postmaster at example.com] does not match [postmaster at example.com]",
"set rfc822Name: email: [Postmaster at example.com] does not match [postmaster at EXAMPLE.COM]",