Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(715)

Side by Side Diff: net/base/x509_certificate.cc

Issue 8362023: Disallow wildcards from matching top-level registry controlled domains during cert validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Handle npos Created 9 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | net/base/x509_certificate_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 #include <map> 10 #include <map>
11 #include <string> 11 #include <string>
12 #include <vector> 12 #include <vector>
13 13
14 #include "base/lazy_instance.h" 14 #include "base/lazy_instance.h"
15 #include "base/logging.h" 15 #include "base/logging.h"
16 #include "base/memory/singleton.h" 16 #include "base/memory/singleton.h"
17 #include "base/metrics/histogram.h" 17 #include "base/metrics/histogram.h"
18 #include "base/pickle.h" 18 #include "base/pickle.h"
19 #include "base/sha1.h" 19 #include "base/sha1.h"
20 #include "base/string_piece.h" 20 #include "base/string_piece.h"
21 #include "base/string_util.h" 21 #include "base/string_util.h"
22 #include "base/synchronization/lock.h" 22 #include "base/synchronization/lock.h"
23 #include "base/time.h" 23 #include "base/time.h"
24 #include "googleurl/src/url_canon_ip.h" 24 #include "googleurl/src/url_canon_ip.h"
25 #include "net/base/cert_status_flags.h" 25 #include "net/base/cert_status_flags.h"
26 #include "net/base/cert_verify_result.h" 26 #include "net/base/cert_verify_result.h"
27 #include "net/base/net_errors.h" 27 #include "net/base/net_errors.h"
28 #include "net/base/net_util.h" 28 #include "net/base/net_util.h"
29 #include "net/base/pem_tokenizer.h" 29 #include "net/base/pem_tokenizer.h"
30 #include "net/base/registry_controlled_domain.h"
30 31
31 namespace net { 32 namespace net {
32 33
33 namespace { 34 namespace {
34 35
35 // Indicates the order to use when trying to decode binary data, which is 36 // Indicates the order to use when trying to decode binary data, which is
36 // based on (speculation) as to what will be most common -> least common 37 // based on (speculation) as to what will be most common -> least common
37 const X509Certificate::Format kFormatDecodePriority[] = { 38 const X509Certificate::Format kFormatDecodePriority[] = {
38 X509Certificate::FORMAT_SINGLE_CERTIFICATE, 39 X509Certificate::FORMAT_SINGLE_CERTIFICATE,
39 X509Certificate::FORMAT_PKCS7 40 X509Certificate::FORMAT_PKCS7
(...skipping 460 matching lines...) Expand 10 before | Expand all | Expand 10 after
500 base::StringPiece ip_addr_string( 501 base::StringPiece ip_addr_string(
501 reinterpret_cast<const char*>(host_info.address), 502 reinterpret_cast<const char*>(host_info.address),
502 host_info.AddressLength()); 503 host_info.AddressLength());
503 return std::find(cert_san_ip_addrs.begin(), cert_san_ip_addrs.end(), 504 return std::find(cert_san_ip_addrs.begin(), cert_san_ip_addrs.end(),
504 ip_addr_string) != cert_san_ip_addrs.end(); 505 ip_addr_string) != cert_san_ip_addrs.end();
505 } 506 }
506 507
507 // |reference_domain| is the remainder of |host| after the leading host 508 // |reference_domain| is the remainder of |host| after the leading host
508 // component is stripped off, but includes the leading dot e.g. 509 // component is stripped off, but includes the leading dot e.g.
509 // "www.f.com" -> ".f.com". 510 // "www.f.com" -> ".f.com".
510 // If there is no meaningful domain part to |host| (e.g. it contains no dots) 511 // If there is no meaningful domain part to |host| (e.g. it contains no
511 // then |reference_domain| will be empty. 512 // dots) then |reference_domain| will be empty.
512 base::StringPiece reference_host, reference_domain; 513 base::StringPiece reference_host, reference_domain;
513 SplitOnChar(reference_name, '.', &reference_host, &reference_domain); 514 SplitOnChar(reference_name, '.', &reference_host, &reference_domain);
514 bool allow_wildcards = false; 515 bool allow_wildcards = false;
515 if (!reference_domain.empty()) { 516 if (!reference_domain.empty()) {
516 DCHECK(reference_domain.starts_with(".")); 517 DCHECK(reference_domain.starts_with("."));
517 // We required at least 3 components (i.e. 2 dots) as a basic protection 518
518 // against too-broad wild-carding. 519 // Do not allow wildcards for registry controlled domains, so as to
519 // Also we don't attempt wildcard matching on a purely numerical hostname. 520 // prevent accepting *.com or *.co.uk as valid presented names. Passing
520 allow_wildcards = reference_domain.rfind('.') != 0 && 521 // true for |allow_unknown_registries| so that top-level domains which are
522 // unknown (intranet domains, new TLDs/gTLDs not yet recognized) are
523 // treated as registry-controlled domains. Because the |reference_domain|
524 // must contain at least one name component that is not registry
525 // controlled, this ensures that all reference names have at least three
526 // domain components in order to permit wildcards.
527 size_t registry_length =
528 RegistryControlledDomainService::GetRegistryLength(reference_name,
529 true);
530 // As the |reference_name| was already canonicalized, this should never
531 // happen.
532 CHECK_NE(registry_length, std::string::npos);
533
534 // Subtracting 1 to account for the leading dot in |reference_domain|.
535 bool is_registry_controlled = registry_length != 0 &&
536 registry_length == (reference_domain.size() - 1);
537
538 // Additionally, do not attempt wildcard matching for purely numeric
539 // hostnames.
540 allow_wildcards = !is_registry_controlled &&
521 reference_name.find_first_not_of("0123456789.") != std::string::npos; 541 reference_name.find_first_not_of("0123456789.") != std::string::npos;
522 } 542 }
523 543
524 // Now step through the DNS names doing wild card comparison (if necessary) 544 // Now step through the DNS names doing wild card comparison (if necessary)
525 // on each against the reference name. If subjectAltName is empty, then 545 // on each against the reference name. If subjectAltName is empty, then
526 // fallback to use the common name instead. 546 // fallback to use the common name instead.
527 std::vector<std::string> common_name_as_vector; 547 std::vector<std::string> common_name_as_vector;
528 const std::vector<std::string>* presented_names = &cert_san_dns_names; 548 const std::vector<std::string>* presented_names = &cert_san_dns_names;
529 if (common_name_fallback) { 549 if (common_name_fallback) {
530 // Note: there's a small possibility cert_common_name is an international 550 // Note: there's a small possibility cert_common_name is an international
(...skipping 471 matching lines...) Expand 10 before | Expand all | Expand 10 after
1002 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, 1022 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
1003 const uint8* array, 1023 const uint8* array,
1004 size_t array_byte_len) { 1024 size_t array_byte_len) {
1005 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); 1025 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);
1006 const size_t arraylen = array_byte_len / base::kSHA1Length; 1026 const size_t arraylen = array_byte_len / base::kSHA1Length;
1007 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, 1027 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,
1008 CompareSHA1Hashes); 1028 CompareSHA1Hashes);
1009 } 1029 }
1010 1030
1011 } // namespace net 1031 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | net/base/x509_certificate_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698