authorToni <matzeton@googlemail.com>2021-05-11 21:38:26 +0200
committerGitHub <noreply@github.com>2021-05-11 21:38:26 +0200
commit5918a6542d4640e702516fe92d7d23d5a969c73c (patch)
treecc71825ded612b21fdb3382e85c7f9d0b50b1917 /src/lib
parenta5ecdf9df8a2ac3edc7fafb4475c37452b681f20 (diff)
Improved SSL certificate name wildcard handling and risk. #1182 (#1183)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/protocols/tls.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 1fdaf5dee..cb8180166 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -497,8 +497,20 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(matched_name == 0) {
if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0')
matched_name = 1; /* No SNI */
- else if((dNSName[0] == '*') && strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]))
- matched_name = 1;
+ else if (dNSName[0] == '*')
+ {
+ char * label = strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]);
+
+ if (label != NULL)
+ {
+ char * first_dot = strchr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, '.');
+
+ if (first_dot == NULL || first_dot >= label)
+ {
+ matched_name = 1;
+ }
+ }
+ }
else if(strcmp(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, dNSName) == 0)
matched_name = 1;
}
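Review bot: The new wildcard branch is not anchored to the end of the SNI, because the `strstr()` call accepts the certificate suffix anywhere in `client_requested_server_name`, so a certificate for `*.example.com` still matches an SNI of `foo.example.com.attacker.net` (the first dot sits exactly at the match, so the `first_dot >= label` test passes). Since `matched_name` is what decides whether a name mismatch is flagged, this leaves the spoofing case the commit set out to tighten still open. Anchoring the suffix is a one-line change to the inner guard: `if (label != NULL && label[strlen(&dNSName[1])] == '\0')`. A bare `*` name (empty suffix after the star) likewise makes `strstr()` return the start of the SNI and match every name; requiring `dNSName[1] == '.'` alongside `dNSName[0] == '*'` in the branch condition would close that, in line with the usual single-label wildcard rule. processCertificateElements begins before this hunk and continues past it.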