
Commit 86d53ca

committed
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
1 parent 8833c3b commit 86d53ca


3 files changed

+22
-1
lines changed


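--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -108,9 +108,16 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment. A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.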
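Review bot: The new `max_wildcards` parameter on `_dnsname_to_pat` is undocumented, and the comment added next to the check misspells "survey" as `survery`. A short docstring would state that the function builds the hostname-matching pattern for one DNS name taken from a certificate, that any dot-separated fragment containing more than `max_wildcards` asterisks is refused, and that such a name raises `CertificateError` (a `ValueError` subclass, per the hunk header); the comment line should read `# than one wildcard per fragment. A survey of established`. The new check sits inside the loop ahead of the existing `if frag == '*'` branch, so a fragment over the limit is rejected before any pattern text is produced for it. The body of `_dnsname_to_pat` continues past the end of the hunk.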

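--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -326,6 +326,17 @@ def fail(cert, hostname):
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
 
+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
     def test_server_side(self):
         # server_hostname doesn't work for server sockets
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)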
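Review bot: The added cases exercise zero, one and two wildcards within a single fragment, but none covers several fragments that each carry one wildcard, which is precisely the shape the per-fragment limit is meant to keep accepting. Adding `cert = {'subject': ((('commonName', 'a*b.c*d.com'),),)}` followed by `ok(cert, 'axxb.cxxd.com')` (constructed values) would pin that boundary and catch a future change that counts wildcards across the whole name instead of per fragment. The enclosing test method starts outside the hunk, so `ok` and `fail` are assumed to be the helpers defined there.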

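--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.2.5?
 Library
 -------
 
+- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
+  service using certificates with many wildcards (CVE-2013-2099).
+
 - Issue #17192: Restore the patch for Issue #11729 and Issue #10309
   which were omitted in 3.2.4 when updating the bundled version of
   libffi used by ctypes.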
