crypto/x509: treat hostnames with colons as invalid

FiloSottile · FiloSottile · commit f81aa23cf04f · 2020-05-08T00:05:56.000Z
Colons are port separators, so it's risky to allow them in hostnames. Per the CL 231377 rule, if we at least consider them invalid we will not apply wildcard processing to them, making behavior a little more predictable. We were considering hostnames with colons valid (against spec) because that meant we'd not ignore them in Common Name. (There was at least one deployment that was putting colons in Common Name and expecting it to verify.) Now that Common Name is ignored by default, those clients will break again, so it's a good time to drop the exception. Hopefully they moved to SANs, where invalid hostnames are checked 1:1 (ignoring wildcards) but still work. (If they didn't, this change means they can't use GODEBUG=x509ignoreCN=0 to opt back in, but again you don't get to use a legacy deprecated field AND invalid hostnames.) Updates #24151 Change-Id: Id44b4fecb2d620480acdfc65fea1473f7abbca7f Reviewed-on: https://go-review.googlesource.com/c/go/+/231381 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
@@ -940,8 +940,8 @@ func validHostname(host string, isPattern bool) bool {
 			if c == '-' && j != 0 {
 				continue
 			}
-			if c == '_' || c == ':' {
-				// Not valid characters in hostnames, but commonly
+			if c == '_' {
+				// Not a valid character in hostnames, but commonly
 				// found in deployments outside the WebPKI.
 				continue
 			}
diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
@@ -2004,7 +2004,7 @@ func TestValidHostname(t *testing.T) {
 		{host: "foo.*.example.com"},
 		{host: "exa_mple.com", validInput: true, validPattern: true},
 		{host: "foo,bar"},
-		{host: "project-dev:us-central1:main", validInput: true, validPattern: true},
+		{host: "project-dev:us-central1:main"},
 	}
 	for _, tt := range tests {
 		if got := validHostnamePattern(tt.host); got != tt.validPattern {
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
@@ -376,7 +376,15 @@ var matchHostnamesTests = []matchHostnamesTest{
 	{"*.com", "example.com", true},
 	{"*.com", "example.com.", true},
 	{"foo:bar", "foo:bar", true},
-	{"*.foo:bar", "xxx.foo:bar", true},
+	{"*.foo:bar", "xxx.foo:bar", false},
+	{"*.2.3.4", "1.2.3.4", false},
+	{"*.2.3.4", "[1.2.3.4]", false},
+	{"*:4860:4860::8888", "2001:4860:4860::8888", false},
+	{"*:4860:4860::8888", "[2001:4860:4860::8888]", false},
+	{"2001:4860:4860::8888", "2001:4860:4860::8888", false},
+	{"2001:4860:4860::8888", "[2001:4860:4860::8888]", false},
+	{"[2001:4860:4860::8888]", "2001:4860:4860::8888", false},
+	{"[2001:4860:4860::8888]", "[2001:4860:4860::8888]", false},
 }
 
 func TestMatchHostnames(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -940,8 +940,8 @@ func validHostname(host string, isPattern bool) bool {`
`940`	`940`	`if c == '-' && j != 0 {`
`941`	`941`	`continue`
`942`	`942`	`}`
`943`		`- if c == '_' \|\| c == ':' {`
`944`		`- // Not valid characters in hostnames, but commonly`
	`943`	`+ if c == '_' {`
	`944`	`+ // Not a valid character in hostnames, but commonly`
`945`	`945`	`// found in deployments outside the WebPKI.`
`946`	`946`	`continue`
`947`	`947`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2004,7 +2004,7 @@ func TestValidHostname(t *testing.T) {`
`2004`	`2004`	`{host: "foo.*.example.com"},`
`2005`	`2005`	`{host: "exa_mple.com", validInput: true, validPattern: true},`
`2006`	`2006`	`{host: "foo,bar"},`
`2007`		`- {host: "project-dev:us-central1:main", validInput: true, validPattern: true},`
	`2007`	`+ {host: "project-dev:us-central1:main"},`
`2008`	`2008`	`}`
`2009`	`2009`	`for _, tt := range tests {`
`2010`	`2010`	`if got := validHostnamePattern(tt.host); got != tt.validPattern {`