This is an automated email from the ASF dual-hosted git repository.
shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 3d08c28 Augment wildcard_match to allow underscore in domain name
3d08c28 is described below
commit 3d08c28471b05b7f46d3dc84d64945a433be3571
Author: Susan Hinrichs <[email protected]>
AuthorDate: Mon Mar 11 13:53:34 2019 +0000
Augment wildcard_match to allow underscore in domain name
---
src/tscore/X509HostnameValidator.cc | 2 +-
tests/gold_tests/tls/ssl/wild-signed.pem | 18 ++++++++++++++++++
tests/gold_tests/tls/ssl/wild.key | 28 ++++++++++++++++++++++++++++
tests/gold_tests/tls/tls_verify.test.py | 28 ++++++++++++++++++++++++++++
4 files changed, 75 insertions(+), 1 deletion(-)
diff --git a/src/tscore/X509HostnameValidator.cc
b/src/tscore/X509HostnameValidator.cc
index ab3a780..73f03b0 100644
--- a/src/tscore/X509HostnameValidator.cc
+++ b/src/tscore/X509HostnameValidator.cc
@@ -166,7 +166,7 @@ wildcard_match(const unsigned char *prefix, size_t
prefix_len, const unsigned ch
* permitted characters and only matches a single label
*/
for (p = wildcard_start; p != wildcard_end; ++p) {
- if (!(('0' <= *p && *p <= '9') || ('A' <= *p && *p <= 'Z') || ('a' <= *p
&& *p <= 'z') || *p == '-')) {
+ if (!(('a' <= *p && *p <= 'z') || ('A' <= *p && *p <= 'Z') || ('0' <= *p
&& *p <= '9') || *p == '-' || *p == '_')) {
return false;
}
}
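Review bot: The widened test at the `+` line admits `_` in the label that the wildcard consumes, which departs from the LDH rule (letters, digits, hyphen) that RFC 6125 §6.4.3 applies to wildcard matching and that the OpenSSL `X509_check_host` code this function appears to be derived from enforces; the comment just above this loop (`permitted characters and only matches a single label`) should say so, or the next maintainer will "fix" it back. I would change it to `* permitted characters (LDH plus '_', accepted here so origins with underscore labels can be verified) and only matches a single label`. If, as the test configuration in this commit suggests, the text checked here is the operator-configured origin name rather than data from the peer, the relaxation only changes which configured names a `*.example` certificate is accepted for, so the exposure looks limited, but that cannot be confirmed from this hunk. wildcard_match begins before and continues after this hunk.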
diff --git a/tests/gold_tests/tls/ssl/wild-signed.pem
b/tests/gold_tests/tls/ssl/wild-signed.pem
new file mode 100644
index 0000000..d6f25ff
--- /dev/null
+++ b/tests/gold_tests/tls/ssl/wild-signed.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/gold_tests/tls/ssl/wild.key
b/tests/gold_tests/tls/ssl/wild.key
new file mode 100644
index 0000000..a7b5720
--- /dev/null
+++ b/tests/gold_tests/tls/ssl/wild.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/tests/gold_tests/tls/tls_verify.test.py
b/tests/gold_tests/tls/tls_verify.test.py
index 609f56c..52571e6 100644
--- a/tests/gold_tests/tls/tls_verify.test.py
+++ b/tests/gold_tests/tls/tls_verify.test.py
@@ -30,6 +30,7 @@ Test.SkipUnless(
ts = Test.MakeATSProcess("ts", select_ports=False)
server_foo = Test.MakeOriginServer("server_foo", ssl=True, options = {"--key":
"{0}/signed-foo.key".format(Test.RunDirectory), "--cert":
"{0}/signed-foo.pem".format(Test.RunDirectory)})
server_bar = Test.MakeOriginServer("server_bar", ssl=True, options = {"--key":
"{0}/signed-bar.key".format(Test.RunDirectory), "--cert":
"{0}/signed-bar.pem".format(Test.RunDirectory)})
+server_wild = Test.MakeOriginServer("server_wild", ssl=True, options =
{"--key": "{0}/wild.key".format(Test.RunDirectory), "--cert":
"{0}/wild-signed.pem".format(Test.RunDirectory)})
server = Test.MakeOriginServer("server", ssl=True)
request_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: foo.com\r\n\r\n",
"timestamp": "1469733493.993", "body": ""}
@@ -41,6 +42,7 @@ server_foo.addResponse("sessionlog.json", request_foo_header,
response_header)
server_foo.addResponse("sessionlog.json", request_bad_foo_header,
response_header)
server_bar.addResponse("sessionlog.json", request_bar_header, response_header)
server_bar.addResponse("sessionlog.json", request_bad_bar_header,
response_header)
+server_wild.addResponse("sessionlog.json", request_bar_header, response_header)
# add ssl materials like key, certificates for the server
ts.addSSLfile("ssl/signed-foo.pem")
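Review bot: The `+` line registers the wildcard origin's only response under `request_bar_header`, whose request line carries `Host: bar.com`, while the requests this commit proxies to server_wild carry `foo.wild.com` and `foo_bar.wild.com`; the sibling origins each register a request per host name, which suggests the mock server keys on the Host header, so server_wild would likely answer with its fallback rather than `response_header`. Add a dedicated request, e.g. `request_wild_header = {"headers": "GET / HTTP/1.1\r\nHost: foo_bar.wild.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}`, register it with `server_wild.addResponse("sessionlog.json", request_wild_header, response_header)`, and do the same for `foo.wild.com`, so the new test runs exercise the intended end-to-end path. Whether the fallback response would make the later checks fail cannot be told from this hunk.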
@@ -51,6 +53,8 @@ ts.addSSLfile("ssl/server.pem")
ts.addSSLfile("ssl/server.key")
ts.addSSLfile("ssl/signer.pem")
ts.addSSLfile("ssl/signer.key")
+ts.addSSLfile("ssl/wild.key")
+ts.addSSLfile("ssl/wild-signed.pem")
ts.Variables.ssl_port = 4443
ts.Disk.remap_config.AddLine(
@@ -63,6 +67,10 @@ ts.Disk.remap_config.AddLine(
'map https://bar.com/
https://127.0.0.1:{0}'.format(server_bar.Variables.SSL_Port))
ts.Disk.remap_config.AddLine(
'map https://bad_bar.com/
https://127.0.0.1:{0}'.format(server_bar.Variables.SSL_Port))
+ts.Disk.remap_config.AddLine(
+ 'map https://foo.wild.com/
https://127.0.0.1:{0}'.format(server_wild.Variables.SSL_Port))
+ts.Disk.remap_config.AddLine(
+ 'map https://foo_bar.wild.com/
https://127.0.0.1:{0}'.format(server_wild.Variables.SSL_Port))
ts.Disk.ssl_multicert_config.AddLine(
'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
@@ -89,6 +97,9 @@ ts.Disk.ssl_server_name_yaml.AddLines([
'- fqdn: bar.com',
' verify_server_policy: ENFORCED',
' verify_server_properties: ALL',
+ '- fqdn: "*.wild.com"',
+ ' verify_server_policy: ENFORCED',
+ ' verify_server_properties: ALL',
'- fqdn: bad_bar.com',
' verify_server_policy: ENFORCED',
' verify_server_properties: ALL'
@@ -99,12 +110,15 @@ tr.Setup.Copy("ssl/signed-foo.key")
tr.Setup.Copy("ssl/signed-foo.pem")
tr.Setup.Copy("ssl/signed-bar.key")
tr.Setup.Copy("ssl/signed-bar.pem")
+tr.Setup.Copy("ssl/wild-signed.pem")
+tr.Setup.Copy("ssl/wild.key")
tr.Processes.Default.Command = "curl -v -k -H \"host: foo.com\"
https://127.0.0.1:{0}".format(ts.Variables.ssl_port)
tr.ReturnCode = 0
# time delay as proxy.config.http.wait_for_cache could be broken
tr.Processes.Default.StartBefore(server_foo)
tr.Processes.Default.StartBefore(server_bar)
tr.Processes.Default.StartBefore(server)
+tr.Processes.Default.StartBefore(server_wild)
tr.Processes.Default.StartBefore(Test.Processes.ts,
ready=When.PortOpen(ts.Variables.ssl_port))
tr.StillRunningAfter = server
tr.StillRunningAfter = ts
@@ -124,6 +138,20 @@ tr3.ReturnCode = 0
tr3.StillRunningAfter = server
tr3.StillRunningAfter = ts
+tr4 = Test.AddTestRun("Exercise-wildcard-cert-name-check")
+tr4.Processes.Default.Command = "curl -v -k -H \"host: foo.wild.com\"
https://127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr4.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
+tr4.ReturnCode = 0
+tr4.StillRunningAfter = server
+tr4.StillRunningAfter = ts
+
+tr5 = Test.AddTestRun("Exercise-wildcard-cert-underscore-name-check")
+tr5.Processes.Default.Command = "curl -v -k -H \"host: foo_bar.wild.com\"
https://127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr5.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
+tr5.ReturnCode = 0
+tr5.StillRunningAfter = server
+tr5.StillRunningAfter = ts
+
# Over riding the built in ERROR check since we expect tr3 to fail
ts.Disk.diags_log.Content = Testers.ExcludesExpression("verification failed",
"Make sure the signatures didn't fail")
ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI
\(bad_bar.com\) not in certificate", "Make sure bad_bar name checked failed.")
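Review bot: tr4 and tr5 assert only curl's exit status and that stdout lacks `Could Not Connect`, which does not show that the underscore label was accepted by wildcard_match: the existing bad_bar.com case at the end of this hunk indicates a name-check failure under `verify_server_policy: ENFORCED` shows up as a `WARNING: SNI (...) not in certificate` line in diags.log, and curl's `-v` diagnostics go to stderr, so a rejected name would most likely still pass both new runs. Add a negative diags check for the new names, `ts.Disk.diags_log.Content += Testers.ExcludesExpression("WARNING: SNI \(foo_bar.wild.com\) not in certificate", "Underscore label should match the wildcard cert")` and the same for `foo.wild.com`, so a regression in the underscore handling fails this test rather than passing silently. Checking for an HTTP 200 in the curl output would tighten it further, though the exact response the mock origin returns is not visible here.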