Repository: trafficserver Updated Branches: refs/heads/master 109a92ac1 -> 2a2c8bdf1
TS-2710: ATS serves the wrong cert because it matches wildcard certs incorrectly Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/2a2c8bdf Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/2a2c8bdf Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/2a2c8bdf Branch: refs/heads/master Commit: 2a2c8bdf1bc93b2324b39a2bf95be6dbd738ae45 Parents: 109a92a Author: Manish Thakrani <[email protected]> Authored: Thu Apr 17 11:44:28 2014 -0700 Committer: Bryan Call <[email protected]> Committed: Thu Apr 17 11:44:28 2014 -0700 ---------------------------------------------------------------------- iocore/net/SSLCertLookup.cc | 15 ++++----------- iocore/net/test_certlookup.cc | 13 +++++++++---- 2 files changed, 13 insertions(+), 15 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a2c8bdf/iocore/net/SSLCertLookup.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc index 2d8bf54..1f03ddb 100644 --- a/iocore/net/SSLCertLookup.cc +++ b/iocore/net/SSLCertLookup.cc @@ -186,16 +186,8 @@ reverse_dns_name(const char * hostname, char (&reversed)[TS_MAX_HOST_NAME_LEN+1] ssize_t len = strcspn(part, "."); ssize_t remain = ptr - reversed; - // We are going to put the '.' separator back for all components except the first. - if (*ptr == '\0') { - if (remain < len) { - return NULL; - } - } else { - if (remain < (len + 1)) { - return NULL; - } - *(--ptr) = '.'; + if (remain < (len + 1)) { + return NULL; } ptr -= len; @@ -206,6 +198,7 @@ reverse_dns_name(const char * hostname, char (&reversed)[TS_MAX_HOST_NAME_LEN+1] part += len; if (*part == '.') { ++part; + *(--ptr) = '.'; } } 
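Review bot: The rewritten bound check in reverse_dns_name now reserves len + 1 bytes for every label, but only a label that is followed by a '.' actually consumes the extra byte (the separator is written in the second hunk, right after `++part`), so the check is one byte stricter than the write it guards; if ptr starts at the end of the TS_MAX_HOST_NAME_LEN+1 buffer, a name of exactly TS_MAX_HOST_NAME_LEN characters is now refused as "too long". That is the safe direction to err in, and this check is what keeps the backwards copy from running off the front of `reversed`, so the reason for the +1 deserves a comment: `// Room for this label plus the '.' separator written below when another label follows.` If the exact-length rejection matters, the check can mirror the write: `if (remain < len + (part[len] == '.' ? 1 : 0)) {`. The loop header and the initialization of ptr are above the hunk, so the starting value of remain is inferred rather than visible.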
@@ -239,7 +232,7 @@ SSLContextStorage::insert(SSL_CTX * ctx, const char * name) char * reversed; xptr<SSLEntry> entry; - reversed = reverse_dns_name(name + 2, namebuf); + reversed = reverse_dns_name(name + 1, namebuf); if (!reversed) { Error("wildcard name '%s' is too long", name); return false; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a2c8bdf/iocore/net/test_certlookup.cc ---------------------------------------------------------------------- diff --git a/iocore/net/test_certlookup.cc b/iocore/net/test_certlookup.cc index 9a78a5f..f87d398 100644 --- a/iocore/net/test_certlookup.cc +++ b/iocore/net/test_certlookup.cc @@ -43,6 +43,7 @@ REGRESSION_TEST(SSLCertificateLookup)(RegressionTest* t, int /* atype ATS_UNUSED SSL_CTX * notwild = SSL_CTX_new(SSLv23_server_method()); SSL_CTX * b_notwild = SSL_CTX_new(SSLv23_server_method()); SSL_CTX * foo = SSL_CTX_new(SSLv23_server_method()); + SSL_CTX * all_com = SSL_CTX_new(SSLv23_server_method()); box = REGRESSION_TEST_PASSED; 
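Review bot: `reverse_dns_name(name + 1, namebuf)` relies on name[1] being the '.' that follows the '*', because that leading '.' is what makes the reversed key end in a '.' and stops the wildcard from matching its own apex; a wildcard spelled `*foo.com` would instead be reversed as `com.foo` and, given the prefix-style match the regression tests exercise, presumably match every name under com whose first label starts with foo (foobar.com, for example) while being served as if it were a valid wildcard. If the code above this hunk does not already verify the `*.` prefix, add `if (name[1] != '.') { Error("wildcard name '%s' must begin with \"*.\"", name); return false; }` before the call, which also rejects the partial-label wildcards that RFC 6125 section 6.4.3 discourages. The enclosing SSLContextStorage::insert begins and ends outside the hunk, so whether such a check already exists cannot be seen here.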
@@ -50,32 +51,36 @@ REGRESSION_TEST(SSLCertificateLookup)(RegressionTest* t, int /* atype ATS_UNUSED assert(notwild != NULL); assert(b_notwild != NULL); assert(foo != NULL); + assert(all_com != NULL); box.check(lookup.insert(foo, "www.foo.com"), "insert host context"); box.check(lookup.insert(wild, "*.wild.com"), "insert wildcard context"); box.check(lookup.insert(notwild, "*.notwild.com"), "insert wildcard context"); box.check(lookup.insert(b_notwild, "*.b.notwild.com"), "insert wildcard context"); + box.check(lookup.insert(all_com, "*.com"), "insert wildcard context"); // To test name collisions, we need to shuffle the SSL_CTX's so that we try to // index the same name with a different SSL_CTX. - box.check(lookup.insert(wild, "www.foo.com") == false, "insert host duplicate"); + box.check(lookup.insert(wild, "*.com") == false, "insert host duplicate"); box.check(lookup.insert(foo, "*.wild.com") == false, "insert wildcard duplicate"); box.check(lookup.insert(b_notwild, "*.notwild.com") == false, "insert wildcard conext duplicate"); box.check(lookup.insert(notwild, "*.b.notwild.com") == false, "insert wildcard conext duplicate"); + box.check(lookup.insert(all_com, "www.foo.com") == false, "insert wildcard conext duplicate"); // Basic wildcard cases. box.check(lookup.findInfoInHash("a.wild.com") == wild, "wildcard lookup for a.wild.com"); box.check(lookup.findInfoInHash("b.wild.com") == wild, "wildcard lookup for b.wild.com"); - box.check(lookup.findInfoInHash("wild.com") == wild, "wildcard lookup for wild.com"); + box.check(lookup.insert(all_com, "www.foo.com") == false, "insert wildcard conext duplicate"); // Verify that wildcard does longest match. 
box.check(lookup.findInfoInHash("a.notwild.com") == notwild, "wildcard lookup for a.notwild.com"); - box.check(lookup.findInfoInHash("notwild.com") == notwild, "wildcard lookup for notwild.com"); + box.check(lookup.findInfoInHash("notwild.com") == all_com, "wildcard lookup for notwild.com"); box.check(lookup.findInfoInHash("c.b.notwild.com") == b_notwild, "wildcard lookup for c.b.notwild.com"); // Basic hostname cases. box.check(lookup.findInfoInHash("www.foo.com") == foo, "host lookup for www.foo.com"); - box.check(lookup.findInfoInHash("www.bar.com") == NULL, "host lookup for www.bar.com"); + box.check(lookup.findInfoInHash("www.bar.com") == all_com, "host lookup for www.bar.com"); + box.check(lookup.findInfoInHash("www.bar.net") == NULL, "host lookup for www.bar.net"); } REGRESSION_TEST(SSLAddressLookup)(RegressionTest* t, int /* atype ATS_UNUSED */, int * pstatus)
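Review bot: The line that replaced the `wild.com` lookup in the "Basic wildcard cases" group is a verbatim copy of the `insert(all_com, "www.foo.com") == false` check already made in the duplicates group above it, so the test no longer asserts the behaviour TS-2710 fixes, namely that `*.wild.com` must not be selected for its apex `wild.com`. Replace the duplicate with `box.check(lookup.findInfoInHash("wild.com") == all_com, "wildcard lookup for wild.com");` (with `*.com` in the table the apex falls through to the broader wildcard, exactly as the `notwild.com` check below now expects), or insert a wildcard under a TLD with no broader entry and assert that its apex lookup returns NULL, which pins the fix without depending on `*.com`. Separately, `findInfoInHash("www.bar.com") == all_com` cements that a wildcard spans several labels; RFC 6125 section 6.4.3 clients accept `*` only as the whole left-most label, so a `*.com` certificate selected for `www.bar.com` will fail client validation, and that assertion deserves a comment stating that multi-label selection is intentional (or the lookup should stop after one label). The two new duplicate-insert messages also read `conext` rather than `context`.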
