disable optional TLS features with implementations that rely on RegExp

phoddie · mkellner · commit 691dcb38bf5e · 2017-12-14T11:30:09.000-08:00
diff --git a/modules/crypt/etc/ber.js b/modules/crypt/etc/ber.js
@@ -396,6 +396,7 @@ export default class BER {
 			res = String.fromArrayBuffer(b.getChunk(len));
 			break;
 		case 0x17:	// ITC time
+/*
 		case 0x18: {// generalized time
 			let s = String.fromArrayBuffer(b.getChunk(len));
 			let prefix = ""
@@ -417,6 +418,7 @@ export default class BER {
 			res = date;
 			}
 			break;
+*/
 		case 0x19:	// graphics string
 		case 0x1a:	// ISO64 string
 		case 0x1b:	// general string
diff --git a/modules/crypt/ssl/ssl_handshake.js b/modules/crypt/ssl/ssl_handshake.js
@@ -430,24 +430,24 @@ let handshakeProtocol = {
 	certificate: {
 		name: "certificate",
 		msgType: certificate,
-		matchName(re, name) {
-			re = re.replace(/\./g, "\\.").replace(/\*/g, "[^.]*");
-			var a = name.match(new RegExp("^" + re + "$", "i"));
-			return a && a.length == 1;
-		},
-		verifyHost(session, cert) {
-//@@ this fails because (a) session.socket.host doesn't exist and (b) RegExp isn't (usually) available
-			var altNames = X509.decodeExtension(cert, 'subjectAlternativeName');
-			var hostname = session.socket.host;
-			for (var i = 0; i < altNames.length; i++) {
-				var name = altNames[i];
-				if (typeof name == "string" && this.matchName(name, hostname))
-					return true;
-			}
-			// @@ not supporting the common name
-			// var arr = X509.decodeTBS(cert).subject.match(/CN=([^,]*)/);
-			// return arr && arr.length > 1 && this.matchName(arr[1], hostname);
-		},
+//		matchName(re, name) {
+//			re = re.replace(/\./g, "\\.").replace(/\*/g, "[^.]*");
+//			var a = name.match(new RegExp("^" + re + "$", "i"));
+//			return a && a.length == 1;
+//		},
+//		verifyHost(session, cert) {
+//			//@@ this fails because session.socket.host doesn't exist
+//			var altNames = X509.decodeExtension(cert, 'subjectAlternativeName');
+//			var hostname = session.socket.host;
+//			for (var i = 0; i < altNames.length; i++) {
+//				var name = altNames[i];
+//				if (typeof name == "string" && this.matchName(name, hostname))
+//					return true;
+//			}
+//			var arr = X509.decodeTBS(cert).subject.match(/CN=([^,]*)/);
+//			return arr && arr.length > 1 && this.matchName(arr[1], hostname);
+//		},
+
 		unpacketize(session, s) {
 			session.traceProtocol(this);
 			let certs = [];
@@ -461,11 +461,12 @@ let handshakeProtocol = {
 				if (!session.certificateManager.verify(certs, session.options))
 					throw new Error("SSL: certificate: auth err");
 			}
+/*
 			if (session.options.verifyHost) {
 				if (!this.verifyHost(session, certs[0]))
 					throw new Error("SSL: certificate: bad host");
 			}
-
+*/
 			session.peerCert = certs[0].slice(0).buffer;		// could we store only the key?
 			return session.certificateManager.register(session.peerCert);	// tail call optimization
 		},
