------------------------------------------------------------ revno: 13817 revision-id: squid3@treenet.co.nz-20150501065307-n25e76u1y4g350m4 parent: squid3@treenet.co.nz-20150501064348-3svy5evchveoygik author: Amos Jeffries , Christos Tsantilas committer: Amos Jeffries branch nick: 3.5 timestamp: Thu 2015-04-30 23:53:07 -0700 message: Fix X509 server certificate domain matching The X509 certificate domain fields may contain non-ASCII encodings. Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible strings. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20150501065307-n25e76u1y4g350m4 # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 # testament_sha1: d5298db12fc84fefd80fd9bc8229d6d605cbce6b # timestamp: 2015-05-01 06:53:42 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 # base_revision_id: squid3@treenet.co.nz-20150501064348-\ # 3svy5evchveoygik # # Begin patch === modified file 'src/acl/ServerName.cc' --- src/acl/ServerName.cc 2015-04-13 05:59:05 +0000 +++ src/acl/ServerName.cc 2015-05-01 06:53:07 +0000 @@ -71,7 +71,13 @@ if (cn_data->length > (int)sizeof(cn) - 1) return 1; // ignore data that does not fit our buffer - memcpy(cn, cn_data->data, cn_data->length); + char *s = reinterpret_cast(cn_data->data); + char *d = cn; + for (int i = 0; i < cn_data->length; ++i, ++d, ++s) { + if (*s == '\0') + return 1; // always a domain mismatch. contains 0x00 + *d = *s; + } cn[cn_data->length] = '\0'; debugs(28, 4, "Verifying certificate name/subjectAltName " << cn); if (data->match(cn)) === modified file 'src/ssl/support.cc' --- src/ssl/support.cc 2015-04-26 16:44:23 +0000 +++ src/ssl/support.cc 2015-05-01 06:53:07 +0000 @@ -200,7 +200,13 @@ if (cn_data->length > (int)sizeof(cn) - 1) { return 1; //if does not fit our buffer just ignore } - memcpy(cn, cn_data->data, cn_data->length); + char *s = reinterpret_cast(cn_data->data); + char *d = cn; + for (int i = 0; i < cn_data->length; ++i, ++d, ++s) { + if (*s == '\0') + return 1; // always a domain mismatch. contains 0x00 + *d = *s; + } cn[cn_data->length] = '\0'; debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn); return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);