Support client-side hostname checks with leading .

skmcgrail · skmcgrail · commit 9c591a44afa0 · 2025-05-08T16:09:09.000Z
diff --git a/crypto/test/x509_util.h b/crypto/test/x509_util.h
@@ -9,10 +9,11 @@
 
 #include <openssl/x509.h>
 
-int Verify(X509 *leaf, const std::vector<X509 *> &roots,
-           const std::vector<X509 *> &intermediates,
-           const std::vector<X509_CRL *> &crls, unsigned long flags = 0,
-           std::function<void(X509_STORE_CTX *)> configure_callback = nullptr);
+int Verify(
+    X509 *leaf, const std::vector<X509 *> &roots,
+    const std::vector<X509 *> &intermediates,
+    const std::vector<X509_CRL *> &crls, unsigned long flags = 0,
+    std::function<void(X509_STORE_CTX *)> configure_callback = nullptr);
 
 // CRLsToStack converts a vector of |X509_CRL*| to an OpenSSL
 // STACK_OF(X509_CRL), bumping the reference counts for each CRL in question.
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
@@ -575,6 +575,11 @@ OPENSSL_EXPORT int validate_cidr_mask(CBS *cidr_mask);
 
 OPENSSL_EXPORT int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen);
 
+// Match reference identifiers starting with "." to any sub-domain.
+// This is a non-public flag, turned on implicitly when the subject
+// reference identity is a DNS name.
+#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
+
 #if defined(__cplusplus)
 }  // extern C
 #endif
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
@@ -686,10 +686,40 @@ typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len,
                         const unsigned char *subject, size_t subject_len,
                         unsigned int flags);
 
+// Skip pattern prefix to match "wildcard" subject
+static void skip_prefix(const unsigned char **p, size_t *plen,
+                        size_t subject_len, unsigned int flags) {
+  const unsigned char *pattern = *p;
+  size_t pattern_len = *plen;
+
+  // If subject starts with a leading '.' followed by more octets, and
+  // pattern is longer, compare just an equal-length suffix with the
+  // full subject (starting at the '.'), provided the prefix contains
+  // no NULs.
+  if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0) {
+    return;
+  }
+
+  while (pattern_len > subject_len && *pattern) {
+    if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) && *pattern == '.') {
+      break;
+    }
+    ++pattern;
+    --pattern_len;
+  }
+
+  // Skip if entire prefix acceptable
+  if (pattern_len == subject_len) {
+    *p = pattern;
+    *plen = pattern_len;
+  }
+}
+
 // Compare while ASCII ignoring case.
 static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
                         const unsigned char *subject, size_t subject_len,
                         unsigned int flags) {
+  skip_prefix(&pattern, &pattern_len, subject_len, flags);
   if (pattern_len != subject_len) {
     return 0;
   }
@@ -719,6 +749,7 @@ static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
 static int equal_case(const unsigned char *pattern, size_t pattern_len,
                       const unsigned char *subject, size_t subject_len,
                       unsigned int flags) {
+  skip_prefix(&pattern, &pattern_len, subject_len, flags);
   if (pattern_len != subject_len) {
     return 0;
   }
@@ -932,12 +963,20 @@ static int do_x509_check(const X509 *x, const char *chk, size_t chklen,
   int alt_type;
   int rv = 0;
   equal_fn equal;
+
+  // This flag is internal-only and is never expected to be set by caller.
+  flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
+
   if (check_type == GEN_EMAIL) {
     cnid = NID_pkcs9_emailAddress;
     alt_type = V_ASN1_IA5STRING;
     equal = equal_email;
   } else if (check_type == GEN_DNS) {
     cnid = NID_commonName;
+    // Implicit client-side DNS sub-domain pattern
+    if (chklen > 1 && chk[0] == '.') {
+      flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
+    }
     alt_type = V_ASN1_IA5STRING;
     if (flags & X509_CHECK_FLAG_NO_WILDCARDS) {
       equal = equal_nocase;
diff --git a/crypto/x509/x509_compat_test.cc b/crypto/x509/x509_compat_test.cc
@@ -1869,6 +1869,69 @@ Lw6dQq2WGG6gApL/Cc0QonvzksvY5Ewf2qIpu2Si
 -----END CERTIFICATE-----
 )";
 
+/*
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            13:c1:63:e7:03:6f:a3:26:ac:31:71:a9:fe:ad:a6:34:20:94:bf:3a
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=US, ST=Washington, O=AWS Libcrypto, OU=Good CA, CN=Root CA 1
+        Validity
+            Not Before: Jan  1 00:00:00 2015 GMT
+            Not After : Jan  1 00:00:00 2100 GMT
+        Subject: C=US, ST=Washington, O=AWS Libcrypto, OU=Good Endpoint, SN=Wildcard Testing, CN=*.sub2.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:b2:b7:bd:35:f2:eb:da:86:d5:dc:40:44:c7:23:
+                    14:f9:d0:a5:40:17:30:85:b6:c6:11:38:c2:db:2c:
+                    c5:bc:0c:19:11:d8:68:61:d6:a3:92:6b:8a:18:52:
+                    2c:dc:86:a7:ad:29:ad:91:ac:7e:df:87:24:3b:f3:
+                    b4:71:2b:4e:58
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Extended Key Usage:
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name:
+                DNS:*.sub1.example.com, DNS:*.example.org, DNS:host.example.com
+            X509v3 Subject Key Identifier:
+                C8:78:64:E9:F7:9C:0F:56:E2:1D:CE:EE:ED:24:E0:9F:1D:4B:A3:BF
+            X509v3 Authority Key Identifier:
+                19:19:E1:8C:09:E2:5D:5C:16:04:E1:9C:74:66:19:FD:B8:52:5B:DF
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:13:bc:6c:9c:3b:8e:c7:95:e7:9f:31:08:dd:7f:
+        6c:ea:97:4e:29:01:72:b5:9c:45:f1:29:bc:d7:ce:39:5a:21:
+        02:21:00:f5:77:2c:9d:23:6d:71:69:4d:93:eb:7e:fd:a5:17:
+        24:37:ee:97:01:4f:1c:54:09:cd:3d:87:e9:1d:da:5f:7e
+*/
+static char kFoo[] = R"(
+-----BEGIN CERTIFICATE-----
+MIICsDCCAlagAwIBAgIUE8Fj5wNvoyasMXGp/q2mNCCUvzowCgYIKoZIzj0EAwIw
+YDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xFjAUBgNVBAoMDUFX
+UyBMaWJjcnlwdG8xEDAOBgNVBAsMB0dvb2QgQ0ExEjAQBgNVBAMMCVJvb3QgQ0Eg
+MTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowgYoxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRYwFAYDVQQKDA1BV1MgTGliY3J5cHRv
+MRYwFAYDVQQLDA1Hb29kIEVuZHBvaW50MRkwFwYDVQQEDBBXaWxkY2FyZCBUZXN0
+aW5nMRswGQYDVQQDDBIqLnN1YjIuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAASyt7018uvahtXcQETHIxT50KVAFzCFtsYROMLbLMW8DBkR2Ghh
+1qOSa4oYUizchqetKa2RrH7fhyQ787RxK05Yo4HAMIG9MA4GA1UdDwEB/wQEAwIF
+oDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA+
+BgNVHREENzA1ghIqLnN1YjEuZXhhbXBsZS5jb22CDSouZXhhbXBsZS5vcmeCEGhv
+c3QuZXhhbXBsZS5jb20wHQYDVR0OBBYEFMh4ZOn3nA9W4h3O7u0k4J8dS6O/MB8G
+A1UdIwQYMBaAFBkZ4YwJ4l1cFgThnHRmGf24UlvfMAoGCCqGSM49BAMCA0gAMEUC
+IBO8bJw7jseV558xCN1/bOqXTikBcrWcRfEpvNfOOVohAiEA9XcsnSNtcWlNk+t+
+/aUXJDfulwFPHFQJzT2H6R3aX34=
+-----END CERTIFICATE-----
+)";
+
 // EE certificate should not verify if signed by invalid root CA
 TEST(X509CompatTest, CertificatesFromTrustStoreValidated) {
   bssl::UniquePtr<X509> root = CertFromPEM(kRootBadBasicConstraints);
@@ -2367,3 +2430,121 @@ TEST(X509CompatTest, CommonNameToDNS) {
   }
 }
 
+
+TEST(X509CompatTest, WildcardNameBehaviors) {
+  bssl::UniquePtr<X509> root = CertFromPEM(kValidRootCA1);
+  ASSERT_TRUE(root);
+  bssl::UniquePtr<X509> leaf = CertFromPEM(kFoo);
+  ASSERT_TRUE(leaf);
+
+  EXPECT_EQ(X509_V_ERR_HOSTNAME_MISMATCH,
+            Verify(
+                leaf.get(), /*roots=*/{root.get()},
+                /*intermediates=*/{},
+                /*crls=*/{}, /*flags=*/0,
+                [](X509_STORE_CTX *ctx) {
+                  X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                  char host[] = "example.com";
+                  X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                }));
+  EXPECT_EQ(X509_V_OK,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     char host[] = "host.example.com";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  EXPECT_EQ(X509_V_OK,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     char host[] = "foo.sub1.example.com";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  // *.sub2.example.com is in the commonName so not checked by default if DNS
+  // SAN is present
+  EXPECT_EQ(X509_V_ERR_HOSTNAME_MISMATCH,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     char host[] = "bar.sub2.example.com";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  EXPECT_EQ(X509_V_OK,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     X509_VERIFY_PARAM_set_hostflags(
+                         param, X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT);
+                     char host[] = "bar.sub2.example.com";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  EXPECT_EQ(X509_V_OK,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     char host[] = "baz.example.org";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+
+  // client-side host name verification behavior with leading '.'
+  EXPECT_EQ(X509_V_OK,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     char host[] = ".example.com";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  EXPECT_EQ(X509_V_OK,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     char host[] = ".sub1.example.com";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  EXPECT_EQ(X509_V_ERR_HOSTNAME_MISMATCH,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     char host[] = ".sub2.example.com";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  EXPECT_EQ(X509_V_OK,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     X509_VERIFY_PARAM_set_hostflags(
+                         param, X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT);
+                     char host[] = ".sub2.example.com";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  EXPECT_EQ(X509_V_OK,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     X509_VERIFY_PARAM_set_hostflags(
+                         param, X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT);
+                     char host[] = ".example.org";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+  EXPECT_EQ(X509_V_ERR_HOSTNAME_MISMATCH,
+            Verify(leaf.get(), /*roots=*/{root.get()},
+                   /*intermediates=*/{},
+                   /*crls=*/{}, /*flags=*/0, [](X509_STORE_CTX *ctx) {
+                     X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
+                     X509_VERIFY_PARAM_set_hostflags(
+                         param, X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT);
+                     char host[] = ".baz.example.org";
+                     X509_VERIFY_PARAM_set1_host(param, host, sizeof(host) - 1);
+                   }));
+}
