From 93534057710cef4a88f18f441fea20e733ebc253 Mon Sep 17 00:00:00 2001
From: Hans Nilsson
Date: Wed, 11 Oct 2017 12:35:38 +0200
Subject: public_key: Fix bug in pkix_verify_hostname with IP addresses
An IP address could in some circomstances be converted to a list and then to_lower was applied to it. So {$A,1,1,1} was changed to {$a,1,1,1} which of course didn't match....
---
 lib/public_key/src/public_key.erl | 2 ++
 lib/public_key/test/public_key_SUITE.erl | 14 ++++++++------
 .../pkix_verify_hostname_subjAltName_IP.pem | 22 +++++++++++-----------
 .../public_key_SUITE_data/verify_hostname_ip.conf | 3 +--
 4 files changed, 22 insertions(+), 19 deletions(-)
(limited to 'lib')
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index c3f2d791a3..453f34de64 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -1529,6 +1529,8 @@ verify_hostname_match_loop(Refs, Pres, MatchFun, FailCB, Cert) ->
 Refs).
+to_lower_ascii({ip,_}=X) -> X;
+to_lower_ascii({iPAddress,_}=X) -> X;
 to_lower_ascii(S) when is_list(S) -> lists:map(fun to_lower_ascii/1, S);
 to_lower_ascii({T,S}) -> {T, to_lower_ascii(S)};
 to_lower_ascii(C) when $A =< C,C =< $Z -> C + ($a-$A);
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 0077c7908c..0100f0a912 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
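Review bot: The two new `to_lower_ascii/1` clauses protect an address only while it is still wrapped in `{ip,_}` or `{iPAddress,_}`. An octet list that reaches this function untagged would still match the `is_list(S)` clause and have every byte in the range $A..$Z shifted. Whether any caller can pass such a value is not visible from this hunk, so that is worth confirming, since this function feeds the hostname check that decides whether a TLS peer's certificate is accepted. A comment above the clauses would record the invariant for the next maintainer: `%% IP addresses are octet data, not text: they must never be case-folded`. The rest of `to_lower_ascii/1` continues outside the hunk.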
@@ -991,7 +991,7 @@ pkix_verify_hostname_options(Config) -> %% openssl req -x509 -nodes -newkey rsa:1024 -keyout /dev/null -extensions SAN -config public_key_SUITE_data/verify_hostname_ip.conf 2>/dev/null > public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem %% %% Subject: C=SE, CN=example.com -%% Subject Alternative Name: DNS:1.2.3.4, DNS: abcd:ef::1, IP:5.6.7.8, URI:https://10.11.12.13 +%% Subject Alternative Name: DNS:1.2.3.4, DNS: abcd:ef::1, IP:10.67.16.75, URI:https://10.11.12.13 pkix_verify_hostname_subjAltName_IP(Config) -> DataDir = proplists:get_value(data_dir, Config), @@ -1000,7 +1000,7 @@ pkix_verify_hostname_subjAltName_IP(Config) -> %% Print the tests that a matchfun has to handle catch public_key:pkix_verify_hostname(Cert, [{some_tag,"some.domain"}, - {ip, {5,6,7,8}} + {ip, {10,67,16,75}} ], [{match_fun, fun(Ref,Pres) -> 
@@ -1012,12 +1012,14 @@ pkix_verify_hostname_subjAltName_IP(Config) ->
 true = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://10.11.12.13"}]),
 true = public_key:pkix_verify_hostname(Cert, [{dns_id,"1.2.3.4"}]),
 true = public_key:pkix_verify_hostname(Cert, [{dns_id,<<"1.2.3.4">>}]),
- false = public_key:pkix_verify_hostname(Cert, [{dns_id,"5.6.7.8"}]),
+ false = public_key:pkix_verify_hostname(Cert, [{dns_id,"10.67.16.75"}]),
 true = public_key:pkix_verify_hostname(Cert, [{ip, "aBcD:ef:0::0:1"}]),
 true = public_key:pkix_verify_hostname(Cert, [{ip, {16#abcd,16#ef,0,0,0,0,0,1}}]),
- true = public_key:pkix_verify_hostname(Cert, [{ip, "5.6.7.8"}]),
- true = public_key:pkix_verify_hostname(Cert, [{ip, <<"5.6.7.8">>}]),
- true = public_key:pkix_verify_hostname(Cert, [{ip, {5,6,7,8}}]).
+ true = public_key:pkix_verify_hostname(Cert, [{ip, "10.67.16.75"}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, <<"10.67.16.75">>}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, {10,67,16,75}}]),
+ false = public_key:pkix_verify_hostname(Cert, [{ip, {1,2,3,4}}]),
+ false = public_key:pkix_verify_hostname(Cert, [{ip, {10,11,12,13}}]).
 %%--------------------------------------------------------------------
diff --git a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
index f9ffb257b5..97d12cdadf 100644
--- a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
+++ b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
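Review bot: The two added negative cases, `{ip, {1,2,3,4}}` and `{ip, {10,11,12,13}}`, contain no octet in the range $A..$Z, so they presumably returned `false` before the fix too and do not exercise the folding path. Only the positive `10.67.16.75` cases cover the bug. A negative case for the folded twin of the certificate's address would pin down that case-folding can never turn a mismatch into a match: `false = public_key:pkix_verify_hostname(Cert, [{ip, {10,99,16,107}}]),` (67 and 75 fold to 99 and 107). A short comment next to the new address saying it was chosen because two of its octets are ASCII upper-case letters would keep a later edit from swapping it for a value that no longer tests the fix.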
@@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB/zCCAWigAwIBAgIJAMoSejmTjwAGMA0GCSqGSIb3DQEBCwUAMB8xCzAJBgNV -BAYTAlNFMRAwDgYDVQQDEwc1LjYuNy44MB4XDTE3MDkyODE0MDAxNVoXDTE3MTAy -ODE0MDAxNVowHzELMAkGA1UEBhMCU0UxEDAOBgNVBAMTBzUuNi43LjgwgZ8wDQYJ -KoZIhvcNAQEBBQADgY0AMIGJAoGBAMUPU89KwVbTCDkyxQSz3wprMbZTLe35K6jm -Q7oY1rJyVXjsFHwZrFqqNMScEyX40rJhczQ2Z9etEX6qYLbdb/DZeFcKo14fR583 -QMFZC+qqpLWHdvjaQN0KwD99VFeZIGpRgywG8SR+BXZjDHUkGsMrikAEJtf0Tgih -IPyiFtiJAgMBAAGjQzBBMD8GA1UdEQQ4MDaCBzEuMi4zLjSHBAUGBwiHEKvNAO8A -AAAAAAAAAAAAAAGGE2h0dHBzOi8vMTAuMTEuMTIuMTMwDQYJKoZIhvcNAQELBQAD -gYEAtWVeQaRFZ0kH/pzSWMSsOCUrjbwlWRwDNbagNKoM6nCRv0QQ59fG6XrVZwR3 -c0s5arlMh3U2+bjKE+Iq9+b/lN1lGzf8iaAqBNa7KptwTSUEY3TiNG5X0zlSXKTI -3z7AaUEtghL9ImCPj5V3tVksqWd7U0zLmeeLZnM+wGAL9Hc= +MIICBzCCAXCgAwIBAgIJAJgbo5FL73LuMA0GCSqGSIb3DQEBCwUAMCMxCzAJBgNV +BAYTAlNFMRQwEgYDVQQDEwtleGFtcGxlLmNvbTAeFw0xNzEwMTExMDM0NDJaFw0x +NzExMTAxMDM0NDJaMCMxCzAJBgNVBAYTAlNFMRQwEgYDVQQDEwtleGFtcGxlLmNv +bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5muN8NIRHuqXgtAFpaJ4EPnd +SD+hnzMiiWQ9qAsS8P4xFsl5aNH74BTgst6Rcq33qAw+4BtKFXMt7JbWMuZklFV3 +fzRSx099MVJSH3f2LDMNLfyDiSJnhBEv1rLPaosi91ZLvI5LiGTxzRLi3qftZBft +Ryw1OempB4chLcBy2rsCAwEAAaNDMEEwPwYDVR0RBDgwNoIHMS4yLjMuNIcECkMQ +S4cQq80A7wAAAAAAAAAAAAAAAYYTaHR0cHM6Ly8xMC4xMS4xMi4xMzANBgkqhkiG +9w0BAQsFAAOBgQDMn8aqs/5FkkWhspvN2n+D2l87M+33a5My54ZVZhayZ/KRmhCN +Gix/BiVYJ3UlmWmGcnQXb3MLt/LQHaD3S2whDaLN3xJ8BbnX7A4ZTybitdyeFhDw +K3iDVUM3bSsBJ4EcBPWIMnow3ALP5HlGRMlH/87Qt+uVPXuwNh9pmyIhRQ== -----END CERTIFICATE----- diff --git a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf index 0a738f2586..798592e4f6 100644 --- a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf +++ b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf 
@@ -5,14 +5,13 @@ distinguished_name = DN [DN] C=SE CN=example.com -CN=5.6.7.8 [SAN] subjectAltName = @alt_names [alt_names] DNS = 1.2.3.4 -IP.1 = 5.6.7.8 +IP.1 = 10.67.16.75 IP.2 = abcd:ef::1 URI = https://10.11.12.13 -- cgit v1.2.3