From: Amos Jeffries Date: Fri, 1 May 2015 06:31:01 +0000 (-0700) Subject: Fix X509 server certificate domain matching X-Git-Tag: merge-candidate-3-v1~142 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f7f4cfc3198f4ad71c241c958a63cd554144cf8;p=thirdparty%2Fsquid.git Fix X509 server certificate domain matching The X509 certificate domain fields may contain non-ASCII encodings. Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible strings. --- diff --git a/src/acl/ServerName.cc b/src/acl/ServerName.cc index 27884e9c28..5af6d22308 100644 --- a/src/acl/ServerName.cc +++ b/src/acl/ServerName.cc @@ -71,7 +71,13 @@ check_cert_domain( void *check_data, ASN1_STRING *cn_data) if (cn_data->length > (int)sizeof(cn) - 1) return 1; // ignore data that does not fit our buffer - memcpy(cn, cn_data->data, cn_data->length); + char *s = reinterpret_cast(cn_data->data); + char *d = cn; + for (int i = 0; i < cn_data->length; ++i, ++d, ++s) { + if (*s == '\0') + return 1; // always a domain mismatch. contains 0x00 + *d = *s; + } cn[cn_data->length] = '\0'; debugs(28, 4, "Verifying certificate name/subjectAltName " << cn); if (data->match(cn)) diff --git a/src/ssl/support.cc b/src/ssl/support.cc index f4f4a1b535..101f042a43 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -201,7 +201,13 @@ static int check_domain( void *check_data, ASN1_STRING *cn_data) if (cn_data->length > (int)sizeof(cn) - 1) { return 1; //if does not fit our buffer just ignore } - memcpy(cn, cn_data->data, cn_data->length); + char *s = reinterpret_cast(cn_data->data); + char *d = cn; + for (int i = 0; i < cn_data->length; ++i, ++d, ++s) { + if (*s == '\0') + return 1; // always a domain mismatch. contains 0x00 + *d = *s; + } cn[cn_data->length] = '\0'; debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn); return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);