Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

std.crypto.Certificate: wildcard certs should only validate one level of sub-domain #14177

Closed
Tracked by #14178
andrewrk opened this issue Jan 3, 2023 · 0 comments · Fixed by #14249
Closed
Tracked by #14178

std.crypto.Certificate: wildcard certs should only validate one level of sub-domain #14177

andrewrk opened this issue Jan 3, 2023 · 0 comments · Fixed by #14249
Labels
bug Observed behavior contradicts documented or intended behavior contributor friendly This issue is limited in scope and/or knowledge of Zig internals. enhancement Solving this issue will likely involve adding new logic or components to the codebase. standard library This issue involves writing Zig code for the standard library.
Milestone
0.11.0

Comments

@andrewrk
Copy link
Member

andrewrk commented Jan 3, 2023

Extracted from #13980.

zig/lib/std/crypto/Certificate.zig

Lines 275 to 295 in c9ef277

fn checkHostName(host_name: []const u8, dns_name: []const u8) bool {
if (mem.eql(u8, dns_name, host_name)) {
return true; // exact match
}
if (mem.startsWith(u8, dns_name, "*.")) {
// wildcard certificate, matches any subdomain
// TODO: I think wildcards are not supposed to match any prefix but
// only match exactly one subdomain.
if (mem.endsWith(u8, host_name, dns_name[1..])) {
// The host_name has a subdomain, but the important part matches.
return true;
}
if (mem.eql(u8, dns_name[2..], host_name)) {
// The host_name has no subdomain and matches exactly.
return true;
}
}
return false;
}

This allows any prefix for wildcard hosts but it should only allow anything for one level of subdomain.

For example, *.ziglang.org should match foo.ziglang.org but it should not match bar.foo.ziglang.org.
@andrewrk andrewrk added bug Observed behavior contradicts documented or intended behavior enhancement Solving this issue will likely involve adding new logic or components to the codebase. contributor friendly This issue is limited in scope and/or knowledge of Zig internals. standard library This issue involves writing Zig code for the standard library. labels Jan 3, 2023
@andrewrk andrewrk added this to the 0.11.0 milestone Jan 3, 2023
@andrewrk andrewrk changed the title std.Certificate: wildcard certs should only validate one level of sub-domain std.crypto.Certificate: wildcard certs should only validate one level of sub-domain Jan 3, 2023
This was referenced Jan 3, 2023
Merged
Open
@yamashitax yamashitax mentioned this issue Jan 9, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Observed behavior contradicts documented or intended behavior contributor friendly This issue is limited in scope and/or knowledge of Zig internals. enhancement Solving this issue will likely involve adding new logic or components to the codebase. standard library This issue involves writing Zig code for the standard library.
Projects
None yet
Milestone
0.11.0
Development

Successfully merging a pull request may close this issue.

Wildcard certs should only validate one level of sub domain yamashitax/zig
1 participant
@andrewrk