crypto/x509: allow matchHostnames to work with absolute domain names

If an absolute domain name (i.e. ends in a '.' like "example.com.") is used
with ssl/tls, the certificate will be reported as invalid. In matchHostnames,
the host and patterns are split on '.' and if the lengths of the resulting
slices do not match, the function returns false. When splitting an absolute
domain name on '.', the slice will have an extra empty string at the end. This
empty string should be discarded before comparison, if present.

Fixes #9828

Change-Id: I0e39674b44a6f93b5024497e76cf1b550832a61d
Reviewed-on: https://go-review.googlesource.com/4380Reviewed-by: Adam Langley <agl@golang.org>
TryBot: Adam Langley <agl@golang.org>

src/crypto/x509/verify.go

@@ -323,6 +323,8 @@ nextIntermediate:
 }
 
 func matchHostnames(pattern, host string) bool {
+	host = strings.TrimSuffix(host, ".")
+
 	if len(pattern) == 0 || len(host) == 0 {
 		return false
 	}

src/crypto/x509/x509_test.go

@@ -161,11 +161,16 @@ var matchHostnamesTests = []matchHostnamesTest{
 	{"", "b.b.c", false},
 	{"a.b.c", "", false},
 	{"example.com", "example.com", true},
+	{"example.com", "example.com.", true},
 	{"example.com", "www.example.com", false},
 	{"*.example.com", "www.example.com", true},
+	{"*.example.com", "www.example.com.", true},
 	{"*.example.com", "xyz.www.example.com", false},
 	{"*.*.example.com", "xyz.www.example.com", true},
 	{"*.www.*.com", "xyz.www.example.com", true},
+	{"", ".", false},
+	{".", "", false},
+	{".", ".", false},
 }
 
 func TestMatchHostnames(t *testing.T) {