Commit 636f93c6 authored by Antoine Pitrou's avatar Antoine Pitrou

Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service...

Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
parent ef9683b7
...@@ -129,9 +129,16 @@ class CertificateError(ValueError): ...@@ -129,9 +129,16 @@ class CertificateError(ValueError):
pass pass
def _dnsname_to_pat(dn): def _dnsname_to_pat(dn, max_wildcards=1):
pats = [] pats = []
for frag in dn.split(r'.'): for frag in dn.split(r'.'):
if frag.count('*') > max_wildcards:
# Issue #17980: avoid denials of service by refusing more
# than one wildcard per fragment. A survery of established
# policy among SSL implementations showed it to be a
# reasonable choice.
raise CertificateError(
"too many wildcards in certificate DNS name: " + repr(dn))
if frag == '*': if frag == '*':
# When '*' is a fragment by itself, it matches a non-empty dotless # When '*' is a fragment by itself, it matches a non-empty dotless
# fragment. # fragment.
......
...@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase): ...@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase):
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
# Issue #17980: avoid denials of service by refusing more than one
# wildcard per fragment.
cert = {'subject': ((('commonName', 'a*b.com'),),)}
ok(cert, 'axxb.com')
cert = {'subject': ((('commonName', 'a*b.co*'),),)}
ok(cert, 'axxb.com')
cert = {'subject': ((('commonName', 'a*b*.com'),),)}
with self.assertRaises(ssl.CertificateError) as cm:
ssl.match_hostname(cert, 'axxbxxc.com')
self.assertIn("too many wildcards", str(cm.exception))
def test_server_side(self): def test_server_side(self):
# server_hostname doesn't work for server sockets # server_hostname doesn't work for server sockets
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
......
...@@ -24,6 +24,9 @@ Core and Builtins ...@@ -24,6 +24,9 @@ Core and Builtins
Library Library
------- -------
- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
service using certificates with many wildcards (CVE-2013-2099).
- Issue #17981: Closed socket on error in SysLogHandler. - Issue #17981: Closed socket on error in SysLogHandler.
- Fix typos in the multiprocessing module. - Fix typos in the multiprocessing module.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment