Fix X509 server certificate domain matching

The X509 certificate domain fields may contain non-ASCII encodings.
Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible
strings.

diff --git a/src/acl/ServerName.cc b/src/acl/ServerName.cc
index 27884e9c282ff8693b13605d087ff058b8082402..5af6d223088cf9064c4bf91ad37d0656c9cf3de1 100644 (file)
--- a/src/acl/ServerName.cc
+++ b/src/acl/ServerName.cc
@@ -71,7 +71,13 @@ check_cert_domain( void *check_data, ASN1_STRING *cn_data)
     if (cn_data->length > (int)sizeof(cn) - 1)
         return 1; // ignore data that does not fit our buffer
 
-    memcpy(cn, cn_data->data, cn_data->length);
+    char *s = reinterpret_cast<char *>(cn_data->data);
+    char *d = cn;
+    for (int i = 0; i < cn_data->length; ++i, ++d, ++s) {
+        if (*s == '\0')
+            return 1; // always a domain mismatch. contains 0x00
+        *d = *s;
+    }
     cn[cn_data->length] = '\0';
     debugs(28, 4, "Verifying certificate name/subjectAltName " << cn);
     if (data->match(cn))

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index f4f4a1b53505dda30e1e470829b25900cd9fa55f..101f042a4311fb72fe50e9f6079fa124531c53c1 100644 (file)
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -201,7 +201,13 @@ static int check_domain( void *check_data, ASN1_STRING *cn_data)
     if (cn_data->length > (int)sizeof(cn) - 1) {
         return 1; //if does not fit our buffer just ignore
     }
-    memcpy(cn, cn_data->data, cn_data->length);
+    char *s = reinterpret_cast<char*>(cn_data->data);
+    char *d = cn;
+    for (int i = 0; i < cn_data->length; ++i, ++d, ++s) {
+        if (*s == '\0')
+            return 1; // always a domain mismatch. contains 0x00
+        *d = *s;
+    }
     cn[cn_data->length] = '\0';
     debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn);
     return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);