File 0958-public_key-Fix-hotsname-comparison-bug.patch of Package erlang
From 1cb18a9fa3a9eb7d66235c802b4367dba212dd64 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 16 Jan 2024 12:10:45 +0100
Subject: [PATCH] public_key: Fix hotsname comparison bug
When a certificate CN (common name) contained several dots in a row, prefix matches with fewer dots would wrongly match.
Closes #8021
---
lib/public_key/src/public_key.erl | 4 ++--
lib/public_key/test/public_key_SUITE.erl | 9 +++++++--
.../public_key_SUITE_data/prefix-dots.pem | 20 +++++++++++++++++++
3 files changed, 29 insertions(+), 4 deletions(-)
create mode 100644 lib/public_key/test/public_key_SUITE_data/prefix-dots.pem
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 858860e29c..8ad43c977f 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -2023,8 +2023,8 @@ verify_hostname_match_default0(_, _) ->
verify_hostname_match_wildcard(FQDN, Name) ->
- [F1|Fs] = string:tokens(to_lower_ascii(FQDN), "."),
- [N1|Ns] = string:tokens(to_lower_ascii(Name), "."),
+ [F1|Fs] = string:split(to_lower_ascii(FQDN), "."),
+ [N1|Ns] = string:split(to_lower_ascii(Name), "."),
match_wild(F1,N1) andalso Fs==Ns.
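Review bot: `string:split/2` splits at the first "." only (it is `string:split/3` with `leading`), so on the two added lines `Fs` and `Ns` are each a one-element list holding the whole unsplit remainder, not the per-label list that the plural names and the replaced `string:tokens` call suggest. The fix is still correct, because `Fs==Ns` then compares the two remainders exactly and that is what rejects `.a` against `..a`, but a later reader adding per-label logic here would be misled. Either pass `all` so consecutive dots become empty labels and the comparison stays label-wise, `[F1|Fs] = string:split(to_lower_ascii(FQDN), ".", all),` and `[N1|Ns] = string:split(to_lower_ascii(Name), ".", all),`, or rename the bindings to `Rest`/`NameRest`. Whichever form is kept, a comment such as `%% string:split keeps empty components (string:tokens dropped them), so "..a" and ".a" no longer compare equal` records why `tokens` must not come back.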
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 0c8cf07fb5..21cccaa889 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -1132,8 +1132,13 @@ pkix_verify_hostname_options(Config) ->
true = public_key:pkix_verify_hostname(Cert, [{dns_id,"abb.bar.example.com"}]),
false = public_key:pkix_verify_hostname(Cert, [{dns_id,"example.com"},
{dns_id,"abb.bar.example.com"}],
- [{fqdn_fun,fun(_)->undefined end}]).
-
+ [{fqdn_fun,fun(_)->undefined end}]),
+ %% Test that a common name is matched fully, that is do not allow prefix matches
+ %% with less dots (".")
+ {ok, PrefixBin} = file:read_file(filename:join(DataDir,"prefix-dots.pem")),
+ PrefixCert = public_key:pkix_decode_cert(element(2,hd(public_key:pem_decode(PrefixBin))), otp),
+ true = public_key:pkix_verify_hostname(PrefixCert, [{dns_id,"..a"}]),
+ false = public_key:pkix_verify_hostname(PrefixCert, [{dns_id,".a"}]).
%%--------------------------------------------------------------------
%% To generate the PEM file contents:
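Review bot: The new `prefix-dots.pem` fixture is not described in the suite, while the `%% To generate the PEM file contents:` block that follows the hunk documents how the other data files were produced; the comment above the new assertions should say what the certificate carries and how it was made, e.g. `%% prefix-dots.pem: certificate whose subject name contains consecutive dots, used to check that ".a" is not accepted for "..a"` (I cannot see the certificate's subject from here, so adjust the wording to match it). `DataDir` is bound outside the hunk, since `pkix_verify_hostname_options` begins above it, so the `file:read_file` call relies on that earlier binding. Minor wording in the added comment: `with fewer dots` rather than `with less dots`.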
diff --git a/lib/public_key/test/public_key_SUITE_data/prefix-dots.pem b/lib/public_key/test/public_key_SUITE_data/prefix-dots.pem
new file mode 100644
index 0000000000..c72ba84455
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/prefix-dots.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
--
2.35.3