Nixyri/zig
1
0
Fork 0
mirror of https://github.com/ziglang/zig.git synced 2025-02-16 01:20:18 +00:00
Code Issues Packages Projects Releases Wiki Activity
c1e7eb7389
zig/lib
History
Igor Anić c1e7eb7389 crypto.Certificate: case insensitive host name check 
This makes comparing host name with dns name from certificate case
insensitive.

I found a few domains (from the
[cloudflare](https://radar.cloudflare.com/domains) list of top domains)
for which tls.Client fails to connect. Error is:

```zig
error: TlsInitializationFailed
Code/zig/lib/std/crypto/Certificate.zig:336:9: 0x1177b1f in verifyHostName (http_get_std)
        return error.CertificateHostMismatch;
Code/zig/lib/std/crypto/tls23/handshake_client.zig:461:25: 0x11752bd in parseServerCertificate (http_get_std)
                        try subject.verifyHostName(opt.host);
```
In its certificate this domains have host names which are not strictly
lower case. This is what checkHostName is comparing:

 |host_name            |  dns_name                |
 |------------------------------------------------|
 |ey.com               | EY.COM                   |
 |truist.com           | Truist.com               |
 |wscampanhas.bradesco | WSCAMPANHAS.BRADESCO     |
 |dell.com             | Dell.com                 |

From
[RFC2818](https://datatracker.ietf.org/doc/html/rfc2818#section-2.4):
>  Matching is performed using the matching rules specified by
   [RFC2459].
From [RFC2459](https://datatracker.ietf.org/doc/html/rfc2459#section-4.2.1.7):
> When comparing URIs, conforming implementations
> MUST compare the scheme and host without regard to case, but assume
> the remainder of the scheme-specific-part is case sensitive.

Testing with:

```
const std = @import("std");

pub fn main() !void {
    var gpa = std.heap.GeneralPurposeAllocator(.{}){};
    const allocator = gpa.allocator();

    const args = try std.process.argsAlloc(allocator);
    defer std.process.argsFree(allocator, args);

    if (args.len > 1) {
        const domain = args[1];

        var client: std.http.Client = .{ .allocator = allocator };
        defer client.deinit();

        // Add https:// prefix if needed
        const url = brk: {
            const scheme = "https://";
            if (domain.len >= scheme.len and std.mem.eql(u8, domain[0..scheme.len], scheme))
                break :brk domain;

            var url_buf: [128]u8 = undefined;
            break :brk try std.fmt.bufPrint(&url_buf, "https://{s}", .{domain});
        };

        const uri = try std.Uri.parse(url);
        var server_header_buffer: [16 * 1024]u8 = undefined;
        var req = try client.open(.GET, uri, .{ .server_header_buffer = &server_header_buffer });
        defer req.deinit();

        try req.send();
        try req.wait();
    }
}
```
`$ zig run example/main.zig -- truist.com `
2024-07-09 16:35:41 -04:00
..
compiler build_runner: fix oob access 2024-07-08 16:59:38 -04:00
compiler_rt stage2-wasm: bit_reverse 2024-06-16 11:53:33 +02:00
docs Autodoc: only group structs under "namespaces" 2024-07-09 15:58:03 -04:00
include update C language headers to LLVM 18 2024-05-08 19:37:28 -07:00
init seriously people, don't put "zig-" in your package names 2024-06-05 15:49:47 -07:00
libc glibc headers: arc4random* functions added in glibc 2.36 2024-07-03 02:57:24 -04:00
libcxx update libcxx and libcxxabi to llvm 18.1.6 2024-05-20 16:12:36 -04:00
libcxxabi update libcxx and libcxxabi to llvm 18.1.6 2024-05-20 16:12:36 -04:00
libunwind libunwind: update to LLVM 18 2024-05-08 19:37:29 -07:00
std crypto.Certificate: case insensitive host name check 2024-07-09 16:35:41 -04:00
tsan tsan: update rtl files to LLVM 17.0.6 2024-01-10 01:00:37 -07:00
c.zig std.builtin: make link mode fields lowercase 2024-03-11 07:09:10 -07:00
compiler_rt.zig stage2-wasm: bit_reverse 2024-06-16 11:53:33 +02:00
zig.h cbe: fix for export changes 2024-07-04 21:01:42 +01:00