

transport: use reverse lookup to match wildcard DNS SAN
Anthony Romano committed Jul 19, 2017
1 parent 608df0f commit 9aed03f
Showing 1 changed file with 49 additions and 10 deletions.
59 changes: 49 additions & 10 deletions pkg/transport/listener_tls.go
Expand Up @@ -21,6 +21,7 @@ import (
"fmt"
"io/ioutil"
"net"
"strings"
"sync"
)

Expand Down Expand Up @@ -206,20 +207,58 @@ func checkCertSAN(ctx context.Context, cert *x509.Certificate, remoteAddr string
}
}
if len(cert.DNSNames) > 0 {
for _, dns := range cert.DNSNames {
addrs, lerr := net.DefaultResolver.LookupHost(ctx, dns)
if lerr != nil {
continue
ok, err := isHostInDNS(ctx, h, cert.DNSNames)
if ok {
return nil
}
errStr := ""
if err != nil {
errStr = " (" + err.Error() + ")"
}
return fmt.Errorf("tls: %q does not match any of DNSNames %q"+errStr, h, cert.DNSNames)
}
return nil
}

func isHostInDNS(ctx context.Context, host string, dnsNames []string) (ok bool, err error) {
// reverse lookup
wildcards, names := []string{}, []string{}
for _, dns := range dnsNames {
if strings.HasPrefix(dns, "*.") {
wildcards = append(wildcards, dns[1:])
} else {
names = append(names, dns)
}
}
lnames, lerr := net.DefaultResolver.LookupAddr(ctx, host)
for _, name := range lnames {
for _, wc := range wildcards {
if strings.HasSuffix(name, wc) {
return true, nil
}
for _, addr := range addrs {
if addr == h {
return nil
}
}
for _, n := range names {
if n == name {
return true, nil
}
}
return fmt.Errorf("tls: %q does not match any of DNSNames %q", h, cert.DNSNames)
}
return nil
err = lerr

// forward lookup
for _, dns := range names {
addrs, lerr := net.DefaultResolver.LookupHost(ctx, dns)
if lerr != nil {
err = lerr
continue
}
for _, addr := range addrs {
if addr == host {
return true, nil
}
}
}
return false, err
}

func (l *tlsListener) Close() error {
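Review bot: The reverse-lookup loop in isHostInDNS (`for _, name := range lnames`) accepts a PTR name that matches a wildcard or exact SAN without checking that the name resolves back to `host`, so whoever controls the PTR record for the peer's address, or can spoof that answer, can satisfy a `*.example.com` SAN with a certificate never issued for that address; a reverse match should only be a candidate, confirmed by a forward lookup of the PTR name whose addresses must contain `host` (the exact-name case is then already covered by the forward loop below, so only wildcards need the reverse path). The wildcard test `strings.HasSuffix(name, wc)` also matches any number of labels before the suffix (`a.b.example.com` against `*.example.com`), which is broader than the single-label wildcard of RFC 6125; comparing the text after the first dot, `i := strings.IndexByte(name, '.'); i > 0 && name[i:] == wc`, keeps it to one label. Depending on the resolver in use, names returned by LookupAddr may carry a trailing dot, which would defeat both comparisons, so trimming it before matching is worth confirming. Separately, in checkCertSAN the format string is built by concatenating `errStr`, so a `%` inside the resolver error text would be parsed as a verb; pass it as an argument instead: `return fmt.Errorf("tls: %q does not match any of DNSNames %q%s", h, cert.DNSNames, errStr)`. checkCertSAN begins outside the hunk, so how `h` is derived from remoteAddr is not visible here.
```go
	lnames, lerr := net.DefaultResolver.LookupAddr(ctx, host)
	err = lerr
	for _, name := range lnames {
		name = strings.TrimSuffix(name, ".")
		// Single-label wildcard match only: "*.example.com" must not cover "a.b.example.com".
		matched := false
		for _, wc := range wildcards {
			if i := strings.IndexByte(name, '.'); i > 0 && name[i:] == wc {
				matched = true
				break
			}
		}
		if !matched {
			continue
		}
		// Forward-confirm the PTR name: a reverse match counts only if the name resolves back to host.
		addrs, ferr := net.DefaultResolver.LookupHost(ctx, name)
		if ferr != nil {
			err = ferr
			continue
		}
		for _, addr := range addrs {
			if addr == host {
				return true, nil
			}
		}
	}

	// … unchanged: forward lookup over names …
```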

0 comments on commit 9aed03f
