Fix X509 server certificate domain matching

The X509 certificate domain fields may contain non-ASCII encodings.
Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible
strings.

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 2fa4052cc142ad353097f1e64bb03f7705c7b79a..696fb5a41d6f39fb25f98f25f64129ece18fe29a 100644 (file)
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -195,7 +195,13 @@ static int check_domain( void *check_data, ASN1_STRING *cn_data)
     if (cn_data->length > (int)sizeof(cn) - 1) {
         return 1; //if does not fit our buffer just ignore
     }
-    memcpy(cn, cn_data->data, cn_data->length);
+    char *s = reinterpret_cast<char*>(cn_data->data);
+    char *d = cn;
+    for (int i = 0; i < cn_data->length; ++i, ++d, ++s) {
+        if (*s == '\0')
+            return 1; // always a domain mismatch. contains 0x00
+        *d = *s;
+    }
     cn[cn_data->length] = '\0';
     debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn);
     return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);