bpo-23033: Improve SSL Certificate handling (GH-937)

author Mandeep Singh <daxlab@users.noreply.github.com>

Sun, 26 Nov 2017 22:31:27 +0000 (04:01 +0530)

committer Mariatta <Mariatta@users.noreply.github.com>

Sun, 26 Nov 2017 22:31:27 +0000 (14:31 -0800)
author Mandeep Singh <daxlab@users.noreply.github.com>
Sun, 26 Nov 2017 22:31:27 +0000 (04:01 +0530)
committer Mariatta <Mariatta@users.noreply.github.com>
Sun, 26 Nov 2017 22:31:27 +0000 (14:31 -0800)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst

index 9b3bdd5489d4a900943cde2ea064f6b92258c8e7..45bb65ff0715e335822b8de9de49f72f808f1dc0 100644 (file)
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -429,6 +429,10 @@ Certificate handling
        Matching of IP addresses, when present in the subjectAltName field
        of the certificate, is now supported.
  
+   .. versionchanged:: 3.7
+      Allow wildcard when it is the leftmost and the only character
+      in that segment.
+
  .. function:: cert_time_to_seconds(cert_time)
  
     Return the time in seconds since the Epoch, given the ``cert_time``
diff --git a/Lib/ssl.py b/Lib/ssl.py

index 75caae0c440566cc8dbe45b9fa36e8c97852d37d..fa83606e7cd5a57eddeeb226603759bf5baa8ceb 100644 (file)
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -221,7 +221,7 @@ class CertificateError(ValueError):
      pass
  
  
-def _dnsname_match(dn, hostname, max_wildcards=1):
+def _dnsname_match(dn, hostname):
      """Matching according to RFC 6125, section 6.4.3
  
      http://tools.ietf.org/html/rfc6125#section-6.4.3
@@ -233,7 +233,12 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
      leftmost, *remainder = dn.split(r'.')
  
      wildcards = leftmost.count('*')
-    if wildcards > max_wildcards:
+    if wildcards == 1 and len(leftmost) > 1:
+        # Only match wildcard in leftmost segment.
+        raise CertificateError(
+            "wildcard can only be present in the leftmost segment: " + repr(dn))
+
+    if wildcards > 1:
          # Issue #17980: avoid denials of service by refusing more
          # than one wildcard per fragment.  A survey of established
          # policy among SSL implementations showed it to be a
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

index aa2429ac9827aef42b5f22738a341974609dd270..c65290b945f6c98ff3434d64fe8a681c957b7abf 100644 (file)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -512,10 +512,11 @@ class BasicSocketTests(unittest.TestCase):
          fail(cert, 'Xa.com')
          fail(cert, '.a.com')
  
-        # only match one left-most wildcard
+        # only match wildcards when they are the only thing
+        # in left-most segment
          cert = {'subject': ((('commonName', 'f*.com'),),)}
-        ok(cert, 'foo.com')
-        ok(cert, 'f.com')
+        fail(cert, 'foo.com')
+        fail(cert, 'f.com')
          fail(cert, 'bar.com')
          fail(cert, 'foo.a.com')
          fail(cert, 'bar.foo.com')
@@ -552,8 +553,8 @@ class BasicSocketTests(unittest.TestCase):
          # are supported.
          idna = 'www*.pythön.org'.encode("idna").decode("ascii")
          cert = {'subject': ((('commonName', idna),),)}
-        ok(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
-        ok(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
+        fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
+        fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
          fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
          fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
  
@@ -637,7 +638,7 @@ class BasicSocketTests(unittest.TestCase):
          # Issue #17980: avoid denials of service by refusing more than one
          # wildcard per fragment.
          cert = {'subject': ((('commonName', 'a*b.com'),),)}
-        ok(cert, 'axxb.com')
+        fail(cert, 'axxb.com')
          cert = {'subject': ((('commonName', 'a*b.co*'),),)}
          fail(cert, 'axxb.com')
          cert = {'subject': ((('commonName', 'a*b*.com'),),)}
diff --git a/Misc/ACKS b/Misc/ACKS

index fc7154f762ecb451b108c16e99cd248a7ad9229e..54d8d62b633f7065dadba1bb7015cbee63351a40 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1467,6 +1467,7 @@ Nathan Paul Simons
  Guilherme Simões
  Adam Simpkins
  Ravi Sinha
+Mandeep Singh
  Janne Sinkkonen
  Ng Pheng Siong
  Yann Sionneau
diff --git a/Misc/NEWS.d/next/Library/2017-11-26-17-00-52.bpo-23033.YGXRWT.rst b/Misc/NEWS.d/next/Library/2017-11-26-17-00-52.bpo-23033.YGXRWT.rst

new file mode 100644 (file)

index 0000000..cecc10a
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2017-11-26-17-00-52.bpo-23033.YGXRWT.rst
@@ -0,0 +1,3 @@
+Wildcard is now supported in hostname when it is one and only character in
+the left most segment of hostname in second argument of
+:meth:`ssl.match_hostname`.  Patch by Mandeep Singh.
author	Mandeep Singh <daxlab@users.noreply.github.com>
	Sun, 26 Nov 2017 22:31:27 +0000 (04:01 +0530)
committer	Mariatta <Mariatta@users.noreply.github.com>
	Sun, 26 Nov 2017 22:31:27 +0000 (14:31 -0800)
Doc/library/ssl.rst		patch \| blob \| history
Lib/ssl.py		patch \| blob \| history
Lib/test/test_ssl.py		patch \| blob \| history
Misc/ACKS		patch \| blob \| history
Misc/NEWS.d/next/Library/2017-11-26-17-00-52.bpo-23033.YGXRWT.rst	[new file with mode: 0644]	patch \| blob