| OLD | NEW |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/name_constraints.h" | 5 #include "net/cert/internal/name_constraints.h" |
| 6 | 6 |
| 7 #include <limits.h> | 7 #include <limits.h> |
| 8 | 8 |
| 9 #include "base/strings/string_util.h" | 9 #include "base/strings/string_util.h" |
| 10 #include "net/cert/internal/verify_name_match.h" | 10 #include "net/cert/internal/verify_name_match.h" |
| 489 // empty subject in such a case. | 489 // empty subject in such a case. |
| 490 if (subject_alt_name_extnvalue_tlv.Length() && | 490 if (subject_alt_name_extnvalue_tlv.Length() && |
| 491 subject_rdn_sequence.Length() == 0) { | 491 subject_rdn_sequence.Length() == 0) { |
| 492 return true; | 492 return true; |
| 493 } | 493 } |
| 494 | 494 |
| 495 return IsPermittedDirectoryName(subject_rdn_sequence); | 495 return IsPermittedDirectoryName(subject_rdn_sequence); |
| 496 } | 496 } |
| 497 | 497 |
| 498 bool NameConstraints::IsPermittedDNSName(const std::string& name) const { | 498 bool NameConstraints::IsPermittedDNSName(const std::string& name) const { |
| 499 // If there are no name constraints for DNS names, all names are accepted. | |
| 500 if (!(ConstrainedNameTypes() & GENERAL_NAME_DNS_NAME)) | |
| 501 return true; | |
| 502 | |
| 503 for (const std::string& excluded_name : excluded_subtrees_.dns_names) { | 499 for (const std::string& excluded_name : excluded_subtrees_.dns_names) { |
| 504 // When matching wildcard hosts against excluded subtrees, consider it a | 500 // When matching wildcard hosts against excluded subtrees, consider it a |
| 505 // match if the constraint would match any expansion of the wildcard. Eg, | 501 // match if the constraint would match any expansion of the wildcard. Eg, |
| 506 // *.bar.com should match a constraint of foo.bar.com. | 502 // *.bar.com should match a constraint of foo.bar.com. |
| 507 if (DNSNameMatches(name, excluded_name, WILDCARD_PARTIAL_MATCH)) | 503 if (DNSNameMatches(name, excluded_name, WILDCARD_PARTIAL_MATCH)) |
| 508 return false; | 504 return false; |
| 509 } | 505 } |
| 506 |
| 507 // If permitted subtrees are not constrained, any name that is not excluded is |
| 508 // allowed. |
| 509 if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_DNS_NAME)) |
| 510 return true; |
| 511 |
| 510 for (const std::string& permitted_name : permitted_subtrees_.dns_names) { | 512 for (const std::string& permitted_name : permitted_subtrees_.dns_names) { |
| 511 // When matching wildcard hosts against permitted subtrees, consider it a | 513 // When matching wildcard hosts against permitted subtrees, consider it a |
| 512 // match only if the constraint would match all expansions of the wildcard. | 514 // match only if the constraint would match all expansions of the wildcard. |
| 513 // Eg, *.bar.com should match a constraint of bar.com, but not foo.bar.com. | 515 // Eg, *.bar.com should match a constraint of bar.com, but not foo.bar.com. |
| 514 if (DNSNameMatches(name, permitted_name, WILDCARD_FULL_MATCH)) | 516 if (DNSNameMatches(name, permitted_name, WILDCARD_FULL_MATCH)) |
| 515 return true; | 517 return true; |
| 516 } | 518 } |
| 517 | 519 |
| 518 return false; | 520 return false; |
| 519 } | 521 } |
| 520 | 522 |
| 521 bool NameConstraints::IsPermittedDirectoryName( | 523 bool NameConstraints::IsPermittedDirectoryName( |
| 522 const der::Input& name_rdn_sequence) const { | 524 const der::Input& name_rdn_sequence) const { |
| 523 // If there are no name constraints for directory names, all names are | |
| 524 // accepted. | |
| 525 if (!(ConstrainedNameTypes() & GENERAL_NAME_DIRECTORY_NAME)) | |
| 526 return true; | |
| 527 | |
| 528 for (const auto& excluded_name : excluded_subtrees_.directory_names) { | 525 for (const auto& excluded_name : excluded_subtrees_.directory_names) { |
| 529 if (VerifyNameInSubtree( | 526 if (VerifyNameInSubtree( |
| 530 name_rdn_sequence, | 527 name_rdn_sequence, |
| 531 der::Input(excluded_name.data(), excluded_name.size()))) { | 528 der::Input(excluded_name.data(), excluded_name.size()))) { |
| 532 return false; | 529 return false; |
| 533 } | 530 } |
| 534 } | 531 } |
| 532 |
| 533 // If permitted subtrees are not constrained, any name that is not excluded is |
| 534 // allowed. |
| 535 if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_DIRECTORY_NAME)) |
| 536 return true; |
| 537 |
| 535 for (const auto& permitted_name : permitted_subtrees_.directory_names) { | 538 for (const auto& permitted_name : permitted_subtrees_.directory_names) { |
| 536 if (VerifyNameInSubtree( | 539 if (VerifyNameInSubtree( |
| 537 name_rdn_sequence, | 540 name_rdn_sequence, |
| 538 der::Input(permitted_name.data(), permitted_name.size()))) { | 541 der::Input(permitted_name.data(), permitted_name.size()))) { |
| 539 return true; | 542 return true; |
| 540 } | 543 } |
| 541 } | 544 } |
| 542 | 545 |
| 543 return false; | 546 return false; |
| 544 } | 547 } |
| 545 | 548 |
| 546 bool NameConstraints::IsPermittedIP(const IPAddressNumber& ip) const { | 549 bool NameConstraints::IsPermittedIP(const IPAddressNumber& ip) const { |
| 547 // If there are no name constraints for IP Address names, all names are | |
| 548 // accepted. | |
| 549 if (!(ConstrainedNameTypes() & GENERAL_NAME_IP_ADDRESS)) | |
| 550 return true; | |
| 551 | |
| 552 for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) { | 550 for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) { |
| 553 if (IPNumberMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) | 551 if (IPNumberMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) |
| 554 return false; | 552 return false; |
| 555 } | 553 } |
| 554 |
| 555 // If permitted subtrees are not constrained, any name that is not excluded is |
| 556 // allowed. |
| 557 if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS)) |
| 558 return true; |
| 559 |
| 556 for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) { | 560 for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) { |
| 557 if (IPNumberMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) | 561 if (IPNumberMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) |
| 558 return true; | 562 return true; |
| 559 } | 563 } |
| 560 | 564 |
| 561 return false; | 565 return false; |
| 562 } | 566 } |
| 563 | 567 |
| 564 int NameConstraints::ConstrainedNameTypes() const { | 568 int NameConstraints::ConstrainedNameTypes() const { |
| 565 return (permitted_subtrees_.present_name_types | | 569 return (permitted_subtrees_.present_name_types | |
| 566 excluded_subtrees_.present_name_types); | 570 excluded_subtrees_.present_name_types); |
| 567 } | 571 } |
| 568 | 572 |
| 569 } // namespace net | 573 } // namespace net |
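Review bot: A name whose type has only excluded subtrees is now accepted whenever it misses every entry in `excluded_subtrees_.dns_names` (likewise `directory_names` and `ip_address_ranges`), so the early `return true` at new lines 510, 536 and 558 relies on the parser having stored every excluded entry it counted in `present_name_types`. The parsing code is in the skipped lines, so this cannot be confirmed from the page; if an excluded entry can set the type bit without being appended to its list, these paths fail open where the old code rejected the name. I would state that invariant above each check, e.g. `// Relies on every parsed excluded subtree of this type being stored in excluded_subtrees_; unsupported forms must fail parsing.` Unit tests with excluded-only constraints for each of the three name types, both matching and non-matching, would pin the new behaviour if the change does not already include them.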
| OLD | NEW |