Backport changes from ssl.match_hostname in Python 3.3.

Includes two commits:
* Fix potential CPU DoS via abusive wildcard pattern
  http://hg.python.org/cpython/rev/fafd33db6ff6
* Fall back to common name when SAN doesn't contain any DNS names
  http://hg.python.org/cpython/rev/1b37827984ba

Closes #799.

diff --git a/tornado/netutil.py b/tornado/netutil.py
index 098f8bf8b209bb759070e303b1f00962d30450d1..839c285e503eb0fa0b76b1c8a11130dfc6bc8a55 100644 (file)
--- a/tornado/netutil.py
+++ b/tornado/netutil.py
@@ -354,9 +354,16 @@ else:
     class SSLCertificateError(ValueError):
         pass
 
-    def _dnsname_to_pat(dn):
+    def _dnsname_to_pat(dn, max_wildcards=1):
         pats = []
         for frag in dn.split(r'.'):
+            if frag.count('*') > max_wildcards:
+                # Issue #17980: avoid denials of service by refusing more
+                # than one wildcard per fragment.  A survery of established
+                # policy among SSL implementations showed it to be a
+                # reasonable choice.
+                raise CertificateError(
+                    "too many wildcards in certificate DNS name: " + repr(dn))
             if frag == '*':
                 # When '*' is a fragment by itself, it matches a non-empty dotless
                 # fragment.
@@ -384,8 +391,9 @@ else:
                 if _dnsname_to_pat(value).match(hostname):
                     return
                 dnsnames.append(value)
-        if not san:
-            # The subject is only checked when subjectAltName is empty
+        if not dnsnames:
+            # The subject is only checked when there is no dNSName entry
+            # in subjectAltName
             for sub in cert.get('subject', ()):
                 for key, value in sub:
                     # XXX according to RFC 2818, the most specific Common Name