crypto/x509: allow matchHostnames to work with absolute domain names

If an absolute domain name (i.e. ends in a '.' like "example.com.") is used with ssl/tls, the certificate will be reported as invalid. In matchHostnames, the host and patterns are split on '.' and if the lengths of the resulting slices do not match, the function returns false. When splitting an absolute domain name on '.', the slice will have an extra empty string at the end. This empty string should be discarded before comparison, if present. Fixes #9828 Change-Id: I0e39674b44a6f93b5024497e76cf1b550832a61d Reviewed-on: https://go-review.googlesource.com/4380 Reviewed-by: Adam Langley <agl@golang.org> TryBot: Adam Langley <agl@golang.org>
2015-02-10 10:24:01 -05:00 · 2015-02-10 10:24:01 -05:00 · 32304fc970
parent 6dd31660b0
commit 32304fc970
2 changed files with 7 additions and 0 deletions
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@ -323,6 +323,8 @@ nextIntermediate:
 }

 func matchHostnames(pattern, host string) bool {
+	host = strings.TrimSuffix(host, ".")
+
 	if len(pattern) == 0 || len(host) == 0 {
 		return false
 	}
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@ -161,11 +161,16 @@ var matchHostnamesTests = []matchHostnamesTest{
 	{"", "b.b.c", false},
 	{"a.b.c", "", false},
 	{"example.com", "example.com", true},
+	{"example.com", "example.com.", true},
 	{"example.com", "www.example.com", false},
 	{"*.example.com", "www.example.com", true},
+	{"*.example.com", "www.example.com.", true},
 	{"*.example.com", "xyz.www.example.com", false},
 	{"*.*.example.com", "xyz.www.example.com", true},
 	{"*.www.*.com", "xyz.www.example.com", true},
+	{"", ".", false},
+	{".", "", false},
+	{".", ".", false},
 }

 func TestMatchHostnames(t *testing.T) {