changeset:   83827:c627638753e2
branch:      3.3
parent:      83824:9682241dc8fc
user:        Antoine Pitrou <solipsis@pitrou.net>
date:        Sat May 18 17:56:42 2013 +0200
files:       Lib/ssl.py Lib/test/test_ssl.py Misc/NEWS
description:
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).


diff -r 9682241dc8fc -r c627638753e2 Lib/ssl.py
--- a/Lib/ssl.py	Sat May 18 07:52:34 2013 -0700
+++ b/Lib/ssl.py	Sat May 18 17:56:42 2013 +0200
@@ -129,9 +129,16 @@
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
diff -r 9682241dc8fc -r c627638753e2 Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py	Sat May 18 07:52:34 2013 -0700
+++ b/Lib/test/test_ssl.py	Sat May 18 17:56:42 2013 +0200
@@ -349,6 +349,17 @@
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
 
+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
     def test_server_side(self):
         # server_hostname doesn't work for server sockets
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
diff -r 9682241dc8fc -r c627638753e2 Misc/NEWS
--- a/Misc/NEWS	Sat May 18 07:52:34 2013 -0700
+++ b/Misc/NEWS	Sat May 18 17:56:42 2013 +0200
@@ -24,6 +24,9 @@
 Library
 -------
 
+- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
+  service using certificates with many wildcards (CVE-2013-2099).
+
 - Issue #17981: Closed socket on error in SysLogHandler.
 
 - Fix typos in the multiprocessing module.