You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by bc...@apache.org on 2014/04/17 20:45:02 UTC
git commit: TS-2710: ATS serves the wrong cert because it matches
wildcard certs incorrectly
Repository: trafficserver
Updated Branches:
refs/heads/master 109a92ac1 -> 2a2c8bdf1
TS-2710: ATS serves the wrong cert because it matches wildcard certs incorrectly
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/2a2c8bdf
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/2a2c8bdf
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/2a2c8bdf
Branch: refs/heads/master
Commit: 2a2c8bdf1bc93b2324b39a2bf95be6dbd738ae45
Parents: 109a92a
Author: Manish Thakrani <ma...@yahoo-inc.com>
Authored: Thu Apr 17 11:44:28 2014 -0700
Committer: Bryan Call <bc...@apache.org>
Committed: Thu Apr 17 11:44:28 2014 -0700
----------------------------------------------------------------------
iocore/net/SSLCertLookup.cc | 15 ++++-----------
iocore/net/test_certlookup.cc | 13 +++++++++----
2 files changed, 13 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a2c8bdf/iocore/net/SSLCertLookup.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc
index 2d8bf54..1f03ddb 100644
--- a/iocore/net/SSLCertLookup.cc
+++ b/iocore/net/SSLCertLookup.cc
@@ -186,16 +186,8 @@ reverse_dns_name(const char * hostname, char (&reversed)[TS_MAX_HOST_NAME_LEN+1]
ssize_t len = strcspn(part, ".");
ssize_t remain = ptr - reversed;
- // We are going to put the '.' separator back for all components except the first.
- if (*ptr == '\0') {
- if (remain < len) {
- return NULL;
- }
- } else {
- if (remain < (len + 1)) {
- return NULL;
- }
- *(--ptr) = '.';
+ if (remain < (len + 1)) {
+ return NULL;
}
ptr -= len;
@@ -206,6 +198,7 @@ reverse_dns_name(const char * hostname, char (&reversed)[TS_MAX_HOST_NAME_LEN+1]
part += len;
if (*part == '.') {
++part;
+ *(--ptr) = '.';
}
}
@@ -239,7 +232,7 @@ SSLContextStorage::insert(SSL_CTX * ctx, const char * name)
char * reversed;
xptr<SSLEntry> entry;
- reversed = reverse_dns_name(name + 2, namebuf);
+ reversed = reverse_dns_name(name + 1, namebuf);
if (!reversed) {
Error("wildcard name '%s' is too long", name);
return false;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a2c8bdf/iocore/net/test_certlookup.cc
----------------------------------------------------------------------
diff --git a/iocore/net/test_certlookup.cc b/iocore/net/test_certlookup.cc
index 9a78a5f..f87d398 100644
--- a/iocore/net/test_certlookup.cc
+++ b/iocore/net/test_certlookup.cc
@@ -43,6 +43,7 @@ REGRESSION_TEST(SSLCertificateLookup)(RegressionTest* t, int /* atype ATS_UNUSED
SSL_CTX * notwild = SSL_CTX_new(SSLv23_server_method());
SSL_CTX * b_notwild = SSL_CTX_new(SSLv23_server_method());
SSL_CTX * foo = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX * all_com = SSL_CTX_new(SSLv23_server_method());
box = REGRESSION_TEST_PASSED;
@@ -50,32 +51,36 @@ REGRESSION_TEST(SSLCertificateLookup)(RegressionTest* t, int /* atype ATS_UNUSED
assert(notwild != NULL);
assert(b_notwild != NULL);
assert(foo != NULL);
+ assert(all_com != NULL);
box.check(lookup.insert(foo, "www.foo.com"), "insert host context");
box.check(lookup.insert(wild, "*.wild.com"), "insert wildcard context");
box.check(lookup.insert(notwild, "*.notwild.com"), "insert wildcard context");
box.check(lookup.insert(b_notwild, "*.b.notwild.com"), "insert wildcard context");
+ box.check(lookup.insert(all_com, "*.com"), "insert wildcard context");
// To test name collisions, we need to shuffle the SSL_CTX's so that we try to
// index the same name with a different SSL_CTX.
- box.check(lookup.insert(wild, "www.foo.com") == false, "insert host duplicate");
+ box.check(lookup.insert(wild, "*.com") == false, "insert host duplicate");
box.check(lookup.insert(foo, "*.wild.com") == false, "insert wildcard duplicate");
box.check(lookup.insert(b_notwild, "*.notwild.com") == false, "insert wildcard conext duplicate");
box.check(lookup.insert(notwild, "*.b.notwild.com") == false, "insert wildcard conext duplicate");
+ box.check(lookup.insert(all_com, "www.foo.com") == false, "insert wildcard conext duplicate");
// Basic wildcard cases.
box.check(lookup.findInfoInHash("a.wild.com") == wild, "wildcard lookup for a.wild.com");
box.check(lookup.findInfoInHash("b.wild.com") == wild, "wildcard lookup for b.wild.com");
- box.check(lookup.findInfoInHash("wild.com") == wild, "wildcard lookup for wild.com");
+ box.check(lookup.insert(all_com, "www.foo.com") == false, "insert wildcard conext duplicate");
// Verify that wildcard does longest match.
box.check(lookup.findInfoInHash("a.notwild.com") == notwild, "wildcard lookup for a.notwild.com");
- box.check(lookup.findInfoInHash("notwild.com") == notwild, "wildcard lookup for notwild.com");
+ box.check(lookup.findInfoInHash("notwild.com") == all_com, "wildcard lookup for notwild.com");
box.check(lookup.findInfoInHash("c.b.notwild.com") == b_notwild, "wildcard lookup for c.b.notwild.com");
// Basic hostname cases.
box.check(lookup.findInfoInHash("www.foo.com") == foo, "host lookup for www.foo.com");
- box.check(lookup.findInfoInHash("www.bar.com") == NULL, "host lookup for www.bar.com");
+ box.check(lookup.findInfoInHash("www.bar.com") == all_com, "host lookup for www.bar.com");
+ box.check(lookup.findInfoInHash("www.bar.net") == NULL, "host lookup for www.bar.net");
}
REGRESSION_TEST(SSLAddressLookup)(RegressionTest* t, int /* atype ATS_UNUSED */, int * pstatus)