crypto/x509: allow wildcards only as the first label.
RFC 6125 now specifies that wildcards are only allowed for the leftmost
label in a pattern: https://tools.ietf.org/html/rfc6125#section-6.4.3.

This change updates Go to match the behaviour of major browsers in this
respect.

Fixes golang#9834.

Change-Id: I37c10a35177133624568f2e0cf2767533926b04a
Reviewed-on: https://go-review.googlesource.com/5691
Reviewed-by: Andrew Gerrand <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
agl committed Feb 24, 2015
1 parent 8f8d066 commit e7fae68
Showing 2 changed files with 7 additions and 4 deletions.
2 changes: 1 addition & 1 deletion src/crypto/x509/verify.go
Expand Up @@ -337,7 +337,7 @@ func matchHostnames(pattern, host string) bool {
}

for i, patternPart := range patternParts {
if patternPart == "*" {
if i == 0 && patternPart == "*" {
continue
}
if patternPart != hostParts[i] {
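Review bot: With the wildcard branch restricted to `i == 0`, a `*` label in any later position of the pattern now falls through to the literal comparison `patternPart != hostParts[i]`, so it is treated as an ordinary label rather than rejected outright. That is only safe if the host string can never carry a literal `*` label; whether the host is validated before this loop is not visible here, because the body of matchHostnames starts and ends outside the hunk. Rejecting such patterns explicitly would make the intent unambiguous, e.g. `if i > 0 && patternPart == "*" { return false }` ahead of the comparison. A one-line comment on the condition, such as `// RFC 6125, section 6.4.3: a wildcard is honoured only as the complete leftmost label.`, would also tell the next reader why index 0 is special.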
9 changes: 6 additions & 3 deletions src/crypto/x509/x509_test.go
Expand Up @@ -163,11 +163,14 @@ var matchHostnamesTests = []matchHostnamesTest{
{"example.com", "example.com", true},
{"example.com", "example.com.", true},
{"example.com", "www.example.com", false},
{"*.example.com", "example.com", false},
{"*.example.com", "www.example.com", true},
{"*.example.com", "www.example.com.", true},
{"*.example.com", "xyz.www.example.com", false},
{"*.*.example.com", "xyz.www.example.com", true},
{"*.www.*.com", "xyz.www.example.com", true},
{"*.*.example.com", "xyz.www.example.com", false},
{"*.www.*.com", "xyz.www.example.com", false},
{"*bar.example.com", "foobar.example.com", false},
{"f*.example.com", "foobar.example.com", false},
{"", ".", false},
{".", "", false},
{".", ".", false},
Expand All @@ -177,7 +180,7 @@ func TestMatchHostnames(t *testing.T) {
for i, test := range matchHostnamesTests {
r := matchHostnames(test.pattern, test.host)
if r != test.ok {
t.Errorf("#%d mismatch got: %t want: %t", i, r, test.ok)
t.Errorf("#%d mismatch got: %t want: %t when matching '%s' against '%s'", i, r, test.ok, test.host, test.pattern)
}
}
}
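Review bot: The table entries for non-leftmost wildcards (`*.*.example.com`, `*.www.*.com`) both start with a wildcard label, so a pattern whose only wildcard sits in a later label is not exercised. Adding `{"www.*.com", "www.example.com", false},` would pin that case directly. A row where the host itself contains a literal asterisk label would also be worth having, with its expected result chosen deliberately, since the verify.go change makes non-leftmost `*` labels go through plain string comparison. In the updated Errorf in TestMatchHostnames, `%q` in place of `'%s'` would render empty or odd hostnames such as `""` and `"."` unambiguously.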
