
Unified Diff: net/cert/x509_certificate.cc

Issue 2719273002: Disable commonName matching for certificates (Closed)
Patch Set: Created 3 years, 10 months ago
Index: net/cert/x509_certificate.cc
diff --git a/net/cert/x509_certificate.cc b/net/cert/x509_certificate.cc
index 0d6fe95f1341bb2ea178b176304acd2fc2a6569b..356178c5caaae75cf4b8bacf9722d24cebdeb559 100644
--- a/net/cert/x509_certificate.cc
+++ b/net/cert/x509_certificate.cc
@@ -493,7 +493,7 @@ bool X509Certificate::VerifyHostname(
const std::string& cert_common_name,
const std::vector<std::string>& cert_san_dns_names,
const std::vector<std::string>& cert_san_ip_addrs,
- bool* common_name_fallback_used) {
+ bool allow_common_name_fallback) {
DCHECK(!hostname.empty());
// Perform name verification following http://tools.ietf.org/html/rfc6125.
// The terminology used in this method is as per that RFC:-
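Review bot: The last parameter of VerifyHostname changes from `bool*` to `bool` in the same position, so a call site that still passes `&some_flag` converts implicitly to `true` and would silently allow Common Name fallback. It only fails to compile if the build treats the pointer-to-bool warning as an error. A two-value enum would turn a stale call into a hard error and make call sites self-describing, for example `enum class CommonNameFallback { kDisallow, kAllow };` (name constructed for illustration). The same applies to VerifyNameMatch in the last hunk, which forwards the value unchanged. The body of VerifyHostname continues outside this hunk.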
@@ -514,14 +514,16 @@ bool X509Certificate::VerifyHostname(
if (reference_name.empty())
return false;
- // Allow fallback to Common name matching?
- const bool common_name_fallback = cert_san_dns_names.empty() &&
- cert_san_ip_addrs.empty();
- *common_name_fallback_used = common_name_fallback;
+ if (!allow_common_name_fallback && cert_san_dns_names.empty() &&
+ cert_san_ip_addrs.empty()) {
+ // Common Name matching is not allowed, so fail fast.
+ return false;
+ }
// Fully handle all cases where |hostname| contains an IP address.
if (host_info.IsIPAddress()) {
- if (common_name_fallback && host_info.family == url::CanonHostInfo::IPV4) {
+ if (allow_common_name_fallback && cert_san_ip_addrs.empty() &&
mattm 2017/02/28 18:50:48 These cases are a bit different than the old behav
+ host_info.family == url::CanonHostInfo::IPV4) {
// Fallback to Common name matching. As this is deprecated and only
// supported for compatibility refuse it for IPv6 addresses.
return reference_name == cert_common_name;
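Review bot: Dropping `*common_name_fallback_used = common_name_fallback;` means a caller that passes `allow_common_name_fallback = true` can no longer tell whether a successful match came from a subjectAltName or from the deprecated Common Name path. Whether any caller still needs that signal is not visible in this diff. If one does (for example to count legacy certificates before the fallback is removed), it must now be recorded at the fallback sites themselves. I would at least note that at the first fallback return, e.g. `// Callers cannot observe that the CN fallback matched; record it here if metrics are still needed.`. The function starts and ends outside this hunk.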
@@ -580,7 +582,7 @@ bool X509Certificate::VerifyHostname(
// fallback to use the common name instead.
std::vector<std::string> common_name_as_vector;
const std::vector<std::string>* presented_names = &cert_san_dns_names;
- if (common_name_fallback) {
+ if (allow_common_name_fallback && cert_san_dns_names.empty()) {
// Note: there's a small possibility cert_common_name is an international
// domain name in non-standard encoding (e.g. UTF8String or BMPString
// instead of A-label). As common name fallback is deprecated we're not
@@ -628,11 +630,11 @@ bool X509Certificate::VerifyHostname(
}
bool X509Certificate::VerifyNameMatch(const std::string& hostname,
- bool* common_name_fallback_used) const {
+ bool allow_common_name_fallback) const {
std::vector<std::string> dns_names, ip_addrs;
GetSubjectAltName(&dns_names, &ip_addrs);
return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs,
- common_name_fallback_used);
+ allow_common_name_fallback);
}
// static
