[git] NTBTLS - branch, master, updated. 19d9776ac40e7ff9fcfed7838ff8261ba8d61fac

by Werner Koch cvs at cvs.gnupg.org
Mon Feb 20 20:40:00 CET 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Not Too Bad TLS".

The branch, master has been updated
       via  19d9776ac40e7ff9fcfed7838ff8261ba8d61fac (commit)
       via  cd1bbb3182178fa1db487d8a1bcbc1647201ba97 (commit)
      from  379c449b6fa539f188fc1d7666ceae17c40a645a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 19d9776ac40e7ff9fcfed7838ff8261ba8d61fac
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Feb 20 20:37:11 2017 +0100

    Implement wildcards for hostname checking.
    
    * src/x509.c (count_labels): New.
    (check_hostname): Implement wildcards.
    --
    
    We support wildcards in the CN and subjectAltNames.  The wildcard
    must be the first label and matches only one label.
    
      *.org             - bad
      *.example.org     - good
      *.foo.example.org - good
      *x.example.org    - bad
      foo.*.example.org - bad
      *.foo.example.org - good
    
    The name *.example.org mactes for example
    
      example.org
      www.example.org
      ftp.example.org
    
    but not for example
    
      ftp.foo.example.org
    
    In general wildcard certifcates are a bad idea and should be avoided.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/src/x509.c b/src/x509.c
index 651624a..f948b9c 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -531,6 +531,31 @@ _ntbtls_x509_can_do (x509_privkey_t privkey, pk_algo_t pk_alg)
 }
 
 
+/* Return the number of labels in the DNS NAME.  NAME is invalid 0 is
+ * returned. */
+static int
+count_labels (const char *name)
+{
+  const char *s;
+  int count = 0;
+
+  if (*name == '.')
+    name++; /* Skip a leading dot.  */
+  if (*name == '.')
+    return 0; /* Zero length labels at the start - invalid.  */
+  for (s = name; *s; s++)
+    {
+      if (*s == '.' && s[1] == '.')
+        return 0; /* Zero length label - invalid.  */
+      else if (*s == '.')
+        count++;
+    }
+  if (s > name && s[-1] == '.')
+    return 0; /* Trailing dot - invalid.  */
+
+  return count + 1; /* (NB. We are counting dots).  */
+}
+
 /* Check that CERT_NAME matches the hostname WANT_NAME.  Returns 0 if
  * they match, GPG_ERR_WRONG_NAME if they don't match, or an other
  * error code for a bad CERT_NAME.  */
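Review bot: count_labels returns 1 for an empty NAME (and for the lone string "."), because the for loop never runs and the `s > name` guard then skips the trailing-dot test, so an empty input is reported as one valid label instead of as invalid. Add `if (!*name) return 0; /* Empty name - invalid.  */` directly after the leading-dot skip. The header comment also drops a word; suggest `/* Return the number of labels in the DNS NAME.  If NAME is invalid (empty name, empty label or trailing dot) 0 is returned.  A single leading dot is ignored.  */`.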
@@ -538,13 +563,29 @@ static gpg_err_code_t
 check_hostname (const char *cert_name, const char *want_name)
 {
   const char *s;
+  int wildcard = 0;
+  int n_cert = 0;
+  int n_want = 0;
 
-  _ntbtls_debug_msg (2, "comparing hostname '%s' to '%s'\n",
+  _ntbtls_debug_msg (1, "comparing hostname '%s' to '%s'\n",
                      cert_name, want_name);
 
+  if (*cert_name == '*' && cert_name[1] == '.')
+    {
+      wildcard = 1;
+      cert_name += 2; /* Skip over the wildcard. */
+
+      n_cert = count_labels (cert_name);
+      n_want = count_labels (want_name);
+
+      if (n_cert < 2 || n_want < 2)
+        return GPG_ERR_WRONG_NAME; /* Less than 2 labels - no wildcards. */
+    }
+
   /* Check that CERT_NAME looks like a valid hostname.  We check the
    * LDH rule, no empty label, and no leading or trailing hyphen.  We
-   * do not check digit-only names.  */
+   * do not check digit-only names.  We also check that the hostname
+   * does not end in a dot.  */
   if (!*cert_name || *cert_name == '-')
     return GPG_ERR_INV_NAME;
 
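Review bot: When count_labels reports CERT_NAME as malformed (returns 0) the wildcard branch answers GPG_ERR_WRONG_NAME, which the function's header comment reserves for a non-matching name; a bad CERT_NAME is documented to yield a different error code. Separate the cases with `if (!n_cert) return GPG_ERR_INV_NAME;` ahead of the `n_cert < 2 || n_want < 2` test, so a certificate carrying a malformed wildcard name stays distinguishable from a plain mismatch in the caller's diagnostics. check_hostname continues past the end of this hunk.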
@@ -556,12 +597,29 @@ check_hostname (const char *cert_name, const char *want_name)
         return GPG_ERR_INV_NAME;
     }
 
-  if (s[-1] == '-')
+  if (s[-1] == '-' || s[-1] == '.')
     return GPG_ERR_INV_NAME;
 
   if (strstr (cert_name, ".."))
     return GPG_ERR_INV_NAME;
 
+  /* In case of wildcards prepare our name for the strcmp.  */
+  if (wildcard)
+    {
+      if (n_cert == n_want)
+        ; /* Compare direct.  */
+      else if (n_cert + 1 == n_want)
+        {
+          /* We know that n_want has at least one dot.  */
+          want_name = strchr (want_name, '.');
+          if (!want_name)
+            return GPG_ERR_BUG;
+          want_name++;
+        }
+      else
+        return GPG_ERR_WRONG_NAME;  /* max one label may be wild - no match.  */
+    }
+
   /* Now do the actual strcmp.  */
   if (_ntbtls_ascii_strcasecmp (cert_name, want_name))
     return GPG_ERR_WRONG_NAME;
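Review bot: The `n_cert == n_want` branch lets `*.example.org` match `example.org`, i.e. the wildcard label is allowed to match zero labels; RFC 6125 section 6.4.3 specifies that a lone wildcard in the left-most label matches exactly one label and gives `*.example.com` not matching `example.com` as its own example. Unless this is a deliberate relaxation it widens the set of hosts a wildcard certificate is accepted for. The strict rule is obtained by dropping the `n_cert == n_want` case and keeping only `if (n_cert + 1 == n_want)` with its strchr/skip path, and the example list in the commit message would then need the `example.org` entry removed. check_hostname's body continues past the end of this hunk.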

commit cd1bbb3182178fa1db487d8a1bcbc1647201ba97
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Feb 20 20:30:18 2017 +0100

    ntbtls-cli: New option --head and use a default SNI.
    
    * src/ntbtls-cli.c (opt_head): New var.
    (simple_client): Request "HEAD".
    (main): Add option --head.  Use default SNI value.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/src/ntbtls-cli.c b/src/ntbtls-cli.c
index 29b2784..1656376 100644
--- a/src/ntbtls-cli.c
+++ b/src/ntbtls-cli.c
@@ -45,6 +45,8 @@
 static int verbose;
 static int errorcount;
 static char *opt_hostname;
+static int opt_head;
+
 
 

 /*
@@ -247,7 +249,7 @@ simple_client (const char *server, int port)
 
   do
     {
-      es_fputs ("GET / HTTP/1.0\r\n", writefp);
+      es_fprintf (writefp, "%s / HTTP/1.0\r\n", opt_head? "HEAD":"GET");
       if (opt_hostname)
         es_fprintf (writefp, "Host: %s\r\n", opt_hostname);
       es_fprintf (writefp, "X-ntbtls: %s\r\n",
@@ -272,6 +274,7 @@ main (int argc, char **argv)
   int last_argc = -1;
   int debug_level = 0;
   int port = 443;
+  char *host;
 
   if (argc)
     { argc--; argv++; }
@@ -292,7 +295,8 @@ main (int argc, char **argv)
                  "  --verbose       show more diagnostics\n"
                  "  --debug LEVEL   enable debugging at LEVEL\n"
                  "  --port N        connect to port N (default is 443)\n"
-                 "  --hostname NAME use NAME for SNI\n"
+                 "  --hostname NAME use NAME instead of HOST for SNI\n"
+                 "  --head          send a HEAD and not a GET request\n"
                  "\n", stdout);
           return 0;
         }
@@ -339,10 +343,21 @@ main (int argc, char **argv)
           opt_hostname = *argv;
           argc--; argv++;
         }
+      else if (!strcmp (*argv, "--head"))
+        {
+          opt_head = 1;
+          argc--; argv++;
+        }
       else if (!strncmp (*argv, "--", 2) && (*argv)[2])
         die ("Invalid option '%s'\n", *argv);
     }
 
+  host = argc? *argv : "localhost";
+  if (!opt_hostname)
+    opt_hostname = host;
+  if (!*opt_hostname)
+    opt_hostname = NULL;
+
   if (!ntbtls_check_version (PACKAGE_VERSION))
     die ("NTBTLS library too old (need %s, have %s)\n",
          PACKAGE_VERSION, ntbtls_check_version (NULL));
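Review bot: The new default makes the connect target double as the SNI name whenever --hostname is absent, so an IP-literal HOST is also sent as server_name; RFC 6066 does not permit literal IPv4/IPv6 addresses in HostName and some servers reject such a hello. If the library does not filter this on its own, a comment on the assignment documenting the escape hatch that the following two lines already provide, e.g. `/* Default SNI to HOST; pass --hostname "" to disable SNI (e.g. for IP literals).  */`, would save users a surprise. main continues outside this hunk.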
@@ -350,6 +365,6 @@ main (int argc, char **argv)
   if (debug_level)
     ntbtls_set_debug (debug_level, NULL, NULL);
 
-  simple_client (argc? *argv : "localhost", port);
+  simple_client (host, port);
   return 0;
 }

-----------------------------------------------------------------------

Summary of changes:
 src/ntbtls-cli.c | 21 ++++++++++++++++---
 src/x509.c       | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 79 insertions(+), 6 deletions(-)
