home:Ledest:erlang:24
erlang
0958-public_key-Fix-hotsname-comparison-bug.patch
File 0958-public_key-Fix-hotsname-comparison-bug.patch of Package erlang
From 1cb18a9fa3a9eb7d66235c802b4367dba212dd64 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 16 Jan 2024 12:10:45 +0100
Subject: [PATCH] public_key: Fix hotsname comparison bug

When certificate CN (common name) contained several dots in a row prefix matches with fewer dots would wrongly match.

Closes #8021
---
 lib/public_key/src/public_key.erl | 4 ++--
 lib/public_key/test/public_key_SUITE.erl | 9 +++++++--
 .../public_key_SUITE_data/prefix-dots.pem | 20 +++++++++++++++++++
 3 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 lib/public_key/test/public_key_SUITE_data/prefix-dots.pem

diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 858860e29c..8ad43c977f 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -2023,8 +2023,8 @@ verify_hostname_match_default0(_, _) ->
 verify_hostname_match_wildcard(FQDN, Name) ->
- [F1|Fs] = string:tokens(to_lower_ascii(FQDN), "."),
- [N1|Ns] = string:tokens(to_lower_ascii(Name), "."),
+ [F1|Fs] = string:split(to_lower_ascii(FQDN), "."),
+ [N1|Ns] = string:split(to_lower_ascii(Name), "."),
 match_wild(F1,N1) andalso Fs==Ns.
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 0c8cf07fb5..21cccaa889 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
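Review bot: The new `string:split/2` calls in verify_hostname_match_wildcard/2 (lib/public_key/src/public_key.erl) rely on the default `leading` direction, which splits at the first "." only, so `Fs` and `Ns` each hold at most one string (the whole remainder after the leftmost label) rather than a list of labels. That is what makes `Fs==Ns` an exact comparison of everything right of the first dot, and it is not obvious to a reader coming from `string:tokens/2`; a comment such as `%% string:split/2 splits at the first "." only: F1/N1 are the leftmost labels, Fs/Ns the rest, compared verbatim` would pin the intent. Unlike `string:tokens/2`, the split also keeps a trailing dot, so a reference ID written as an absolute name (`"example.com."`) would no longer match a presented `example.com` unless it is normalised before this call, which the hunk does not show. That failure is closed, but it is a behaviour change worth a test case or a release-note line.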
@@ -1132,8 +1132,13 @@ pkix_verify_hostname_options(Config) ->
 true = public_key:pkix_verify_hostname(Cert, [{dns_id,"abb.bar.example.com"}]),
 false = public_key:pkix_verify_hostname(Cert, [{dns_id,"example.com"}, {dns_id,"abb.bar.example.com"}],
- [{fqdn_fun,fun(_)->undefined end}]).
-
+ [{fqdn_fun,fun(_)->undefined end}]),
+ %% Test that a common name is matched fully, that is do not allow prefix matches
+ %% with less dots (".")
+ {ok, PrefixBin} = file:read_file(filename:join(DataDir,"prefix-dots.pem")),
+ PrefixCert = public_key:pkix_decode_cert(element(2,hd(public_key:pem_decode(PrefixBin))), otp),
+ true = public_key:pkix_verify_hostname(PrefixCert, [{dns_id,"..a"}]),
+ false = public_key:pkix_verify_hostname(PrefixCert, [{dns_id,".a"}]).
 %%--------------------------------------------------------------------
 %% To generate the PEM file contents:
diff --git a/lib/public_key/test/public_key_SUITE_data/prefix-dots.pem b/lib/public_key/test/public_key_SUITE_data/prefix-dots.pem
new file mode 100644
index 0000000000..c72ba84455
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/prefix-dots.pem
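Review bot: The fixture is unpacked with `element(2,hd(public_key:pem_decode(PrefixBin)))`, which takes the second field of whatever PEM entry happens to come first and says nothing about its type. Matching the entry shape asserts that prefix-dots.pem holds exactly one unencrypted certificate and fails with a readable badmatch otherwise: `[{'Certificate', PrefixDer, not_encrypted}] = public_key:pem_decode(PrefixBin),` followed by `PrefixCert = public_key:pkix_decode_cert(PrefixDer, otp),`. `DataDir` is not bound inside the hunk; presumably it is set earlier in pkix_verify_hostname_options/1, whose body starts above these lines.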
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiOgAwIBAgICECEwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCVVMx
+ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g
+RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNjAyMDcx
+NzI0MDBaFw0yNDEyMTAwNTA3MTRaMA4xDDAKBgNVBAMTAy4uYTCCASAwDQYJKoZI
+hvcNAQEBBQADggENADCCAQgCggEBAKt8ORTxpKElswQ8QtFdXPcB642LllZ/wVmD
+HDxvxeubnIb/eBMW8gl4FYyeJoXoGV7YWpKgBiC+LO7rCdsGMhzlYKyhx61LgXYD
+M57TkFsTmjk1DoBQUuODX0V4kgf8Td2Gv6DETre/0eEMrNkCTDq6W+d6UHhMor/+
+rsK986kqNxDFweyc/2BhlF6yXFpl5BFnXEwEOwRTw0Zjx6jABnOLYAfxZu4oGiSW
+T0Zb2Z5vbrq0kuDQ5t2zjFvEUj9pxkoR/QgWsKwA6nRPg2L3BdnLG98dvIZqFyEn
+tsKWQ3Z6x8TP/4GSyGfbjoVAmYQJQ5DAoo2MCk8kcEqjZwc5T5kCAQOjUDBOMAwG
+A1UdEwEB/wQCMAAwHQYDVR0OBBYEFCTNEK+XDJUYJ45yRL+l+zNeru17MB8GA1Ud
+IwQYMBaAFJcswpcBl9XDsKD5xI6eZbKBX8qrMA0GCSqGSIb3DQEBCwUAA4IBAQCp
+1nnkQrCtd31yT8cPcvnE83pS8eesGSrdblkzjcvgV56SG9+/boi6/U6u0rbGDqmx
+HzmVtg6YsAz4km56sgdPBeVAh4Rm3TjzeFuhCw1YjqSrvL3MVZIMNdbY5Rs2SpxT
+szPc5J139UWS5VQpZrwoPOqD7ny72ve1QbNZbkERiY2mC5fJ7/pdPMzms4d/+GOf
+G+YMoIf9xYIUexKImHI1OfiLG3PcBd04qolgp/p4k0O3DaF8HBsK4IukWuFGhTUB
+zWvN5QOVLYdrVEpF4tvrSb6EKzNp3VQ2ucweKGdF7hNs9Wv1KotnxnScolavfBCW
+1XWBeXZVmw1bennWAlfr
+-----END CERTIFICATE-----
\ No newline at end of file
--
2.35.3