lib: make tls.checkServerIdentity() more strict

Incorporates changes from commit e345253 ("tls: better error reporting at cert validation") to test/simple/test-tls-check-server-identity.js to make back-porting the patch easier. CVE-2016-7099 PR-URL: nodejs-private/node-private#62 Reviewed-By: Rod Vagg <rod@vagg.org>
nodejs · Sep 27, 2016 · 0d7e21e · 0d7e21e
1 parent 3614a17
commit 0d7e21e
Show file tree

Hide file tree

Showing 2 changed files with 248 additions and 138 deletions.
diff --git a/lib/tls.js b/lib/tls.js
@@ -96,115 +96,163 @@ function convertNPNProtocols(NPNProtocols, out) {
   }
 }
 
+function unfqdn(host) {
+  return host.replace(/[.]$/, '');
+}
 
-function checkServerIdentity(host, cert) {
-  // Create regexp to much hostnames
-  function regexpify(host, wildcards) {
-    // Add trailing dot (make hostnames uniform)
-    if (!/\.$/.test(host)) host += '.';
-
-    // The same applies to hostname with more than one wildcard,
-    // if hostname has wildcard when wildcards are not allowed,
-    // or if there are less than two dots after wildcard (i.e. *.com or *d.com)
-    //
-    // also
-    //
-    // "The client SHOULD NOT attempt to match a presented identifier in
-    // which the wildcard character comprises a label other than the
-    // left-most label (e.g., do not match bar.*.example.net)."
-    // RFC6125
-    if (!wildcards && /\*/.test(host) || /[\.\*].*\*/.test(host) ||
-        /\*/.test(host) && !/\*.*\..+\..+/.test(host)) {
-      return /$./;
-    }
+function splitHost(host) {
+  // String#toLowerCase() is locale-sensitive so we use
+  // a conservative version that only lowercases A-Z.
+  function replacer(c) {
+    return String.fromCharCode(32 + c.charCodeAt(0));
+  };
+  return unfqdn(host).replace(/[A-Z]/g, replacer).split('.');
+}
 
-    // Replace wildcard chars with regexp's wildcard and
-    // escape all characters that have special meaning in regexps
-    // (i.e. '.', '[', '{', '*', and others)
-    var re = host.replace(
-        /\*([a-z0-9\\-_\.])|[\.,\-\\\^\$+?*\[\]\(\):!\|{}]/g,
-        function(all, sub) {
-          if (sub) return '[a-z0-9\\-_]*' + (sub === '-' ? '\\-' : sub);
-          return '\\' + all;
-        });
-
-    return new RegExp('^' + re + '$', 'i');
+function check(hostParts, pattern, wildcards) {
+  // Empty strings, null, undefined, etc. never match.
+  if (!pattern)
+    return false;
+
+  var patternParts = splitHost(pattern);
+
+  if (hostParts.length !== patternParts.length)
+    return false;
+
+  // Pattern has empty components, e.g. "bad..example.com".
+  if (patternParts.indexOf('') !== -1)
+    return false;
+
+  // RFC 6125 allows IDNA U-labels (Unicode) in names but we have no
+  // good way to detect their encoding or normalize them so we simply
+  // reject them.  Control characters and blanks are rejected as well
+  // because nothing good can come from accepting them.
+  function isBad(s) {
+    return /[^\u0021-\u007F]/.test(s);
   }
 
-  var dnsNames = [],
-      uriNames = [],
-      ips = [],
-      matchCN = true,
-      valid = false;
+  if (patternParts.some(isBad))
+    return false;
 
-  // There're several names to perform check against:
-  // CN and altnames in certificate extension
-  // (DNS names, IP addresses, and URIs)
-  //
-  // Walk through altnames and generate lists of those names
-  if (cert.subjectaltname) {
-    cert.subjectaltname.split(/, /g).forEach(function(altname) {
-      if (/^DNS:/.test(altname)) {
-        dnsNames.push(altname.slice(4));
-      } else if (/^IP Address:/.test(altname)) {
-        ips.push(altname.slice(11));
-      } else if (/^URI:/.test(altname)) {
-        var uri = url.parse(altname.slice(4));
-        if (uri) uriNames.push(uri.hostname);
+  // Check host parts from right to left first.
+  for (var i = hostParts.length - 1; i > 0; i -= 1)
+    if (hostParts[i] !== patternParts[i])
+      return false;
+
+  var hostSubdomain = hostParts[0];
+  var patternSubdomain = patternParts[0];
+  var patternSubdomainParts = patternSubdomain.split('*');
+
+  // Short-circuit when the subdomain does not contain a wildcard.
+  // RFC 6125 does not allow wildcard substitution for components
+  // containing IDNA A-labels (Punycode) so match those verbatim.
+  if (patternSubdomainParts.length === 1 ||
+      patternSubdomain.indexOf('xn--') !== -1) {
+    return hostSubdomain === patternSubdomain;
+  }
+
+  if (!wildcards)
+    return false;
+
+  // More than one wildcard is always wrong.
+  if (patternSubdomainParts.length > 2)
+    return false;
+
+  // *.tld wildcards are not allowed.
+  if (patternParts.length <= 2)
+    return false;
+
+  var prefix = patternSubdomainParts[0];
+  var suffix = patternSubdomainParts[1];
+
+  if (prefix.length + suffix.length > hostSubdomain.length)
+    return false;
+
+  if (prefix.length > 0 && hostSubdomain.slice(0, prefix.length) !== prefix)
+    return false;
+
+  if (suffix.length > 0 && hostSubdomain.slice(-suffix.length) !== suffix)
+    return false;
+
+  return true;
+}
+
+function _checkServerIdentity(host, cert) {
+  var subject = cert.subject;
+  var altNames = cert.subjectaltname;
+  var dnsNames = [];
+  var uriNames = [];
+  var ips = [];
+
+  host = '' + host;
+
+  if (altNames) {
+    altNames.split(', ').forEach(function(name) {
+      if (/^DNS:/.test(name)) {
+        dnsNames.push(name.slice(4));
+      } else if (/^URI:/.test(name)) {
+        var uri = url.parse(name.slice(4));
+        uriNames.push(uri.hostname);  // TODO(bnoordhuis) Also use scheme.
+      } else if (/^IP Address:/.test(name)) {
+        ips.push(name.slice(11));
       }
     });
   }
 
-  // If hostname is an IP address, it should be present in the list of IP
-  // addresses.
+  var valid = false;
+  var reason = 'Unknown reason';
+
   if (net.isIP(host)) {
-    valid = ips.some(function(ip) {
-      return ip === host;
-    });
-  } else {
-    // Transform hostname to canonical form
-    if (!/\.$/.test(host)) host += '.';
+    valid = ips.indexOf(host) !== -1;
+    if (!valid)
+      reason = 'IP: ' + host + ' is not in the cert\'s list: ' + ips.join(', ');
+    // TODO(bnoordhuis) Also check URI SANs that are IP addresses.
+  } else if (subject) {
+    host = unfqdn(host);  // Remove trailing dot for error messages.
+    var hostParts = splitHost(host);
+
+    function wildcard(pattern) {
+      return check(hostParts, pattern, true);
+    }
 
-    // Otherwise check all DNS/URI records from certificate
-    // (with allowed wildcards)
-    dnsNames = dnsNames.map(function(name) {
-      return regexpify(name, true);
-    });
+    function noWildcard(pattern) {
+      return check(hostParts, pattern, false);
+    }
 
-    // Wildcards ain't allowed in URI names
-    uriNames = uriNames.map(function(name) {
-      return regexpify(name, false);
-    });
+    // Match against Common Name only if no supported identifiers are present.
+    if (dnsNames.length === 0 && ips.length === 0 && uriNames.length === 0) {
+      var cn = subject.CN;
 
-    dnsNames = dnsNames.concat(uriNames);
-
-    if (dnsNames.length > 0) matchCN = false;
-
-    // Match against Common Name (CN) only if no supported identifiers are
-    // present.
-    //
-    // "As noted, a client MUST NOT seek a match for a reference identifier
-    //  of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
-    //  URI-ID, or any application-specific identifier types supported by the
-    //  client."
-    // RFC6125
-    if (matchCN) {
-      var commonNames = cert.subject.CN;
-      if (Array.isArray(commonNames)) {
-        for (var i = 0, k = commonNames.length; i < k; ++i) {
-          dnsNames.push(regexpify(commonNames[i], true));
-        }
-      } else {
-        dnsNames.push(regexpify(commonNames, true));
+      if (Array.isArray(cn))
+        valid = cn.some(wildcard);
+      else if (cn)
+        valid = wildcard(cn);
+
+      if (!valid)
+        reason = 'Host: ' + host + '. is not cert\'s CN: ' + cn;
+    } else {
+      valid = dnsNames.some(wildcard) || uriNames.some(noWildcard);
+      if (!valid) {
+        reason =
+            'Host: ' + host + '. is not in the cert\'s altnames: ' + altNames;
       }
     }
+  } else {
+    reason = 'Cert is empty';
+  }
 
-    valid = dnsNames.some(function(re) {
-      return re.test(host);
-    });
+  if (!valid) {
+    var err = new Error('Hostname/IP doesn\'t match certificate\'s altnames');
+    err.reason = reason;
+    err.host = host;
+    err.cert = cert;
+    return err;
   }
+}
+exports._checkServerIdentity = _checkServerIdentity;
 
-  return valid;
+function checkServerIdentity(host, cert) {
+  return !!_checkServerIdentity(host, cert);
 }
 exports.checkServerIdentity = checkServerIdentity;
 
@@ -1384,12 +1432,8 @@ exports.connect = function(/* [port, host], options, cb */) {
 
     // Verify that server's identity matches it's certificate's names
     if (!verifyError) {
-      var validCert = checkServerIdentity(hostname,
-                                          pair.cleartext.getPeerCertificate());
-      if (!validCert) {
-        verifyError = new Error('Hostname/IP doesn\'t match certificate\'s ' +
-                                'altnames');
-      }
+      verifyError = _checkServerIdentity(hostname,
+                                         pair.cleartext.getPeerCertificate());
     }
 
     if (verifyError) {