author | Brian Cunnie <brian.cunnie@gmail.com> | 2018-01-29 20:08:49 -0800 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2021-09-26 19:15:53 +0900 |
commit | fc04f4a8b95cfe353e7ed51f1b9279729b1b7401 (patch) | |
tree | 3569671f0c57fb4900ed18b19465fd0408f72839 /test/test_ssl.rb | |
parent | acc8079b4a6b88d3376a8ed941a18d3dfc556cc5 (diff) | |
download | ruby-openssl-fc04f4a8b95cfe353e7ed51f1b9279729b1b7401.tar.gz |

Correctly verify abbreviated IPv6 SANs

[ This is a backport to the 2.1 branch. ]

IPv6 SAN-verification accommodates
["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2).
It also accommodates non-compressed addresses.

Previously the verification of IPv6 addresses would fail unless the
address syntax matched a specific format (no zero-compression, no
leading zeroes).

As an example, the IPv6 loopback address, if represented as `::1`, would
not verify. Nor would it verify if represented as
`0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations
are valid, RFC-compliant representations. The library would only accept
a very specific representation (i.e. `0:0:0:0:0:0:0:1`).

This commit addresses that shortcoming, and ensures that any valid IPv6
representation will correctly verify.

(cherry picked from commit 9322a104d16b02c7a79f9ab589859c9d63fabf52)

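
An added illustration, not part of the commit or of ruby-openssl's code, of the behaviour the commit message describes: matching a SAN's 16 address bytes against one fixed text rendering rejects valid spellings of the same address, while comparing parsed bytes accepts them. The helper names and the sample SAN value are constructed for this example, and the text format in `match_by_text?` is an assumption based on the message's `0:0:0:0:0:0:0:1` example.

```ruby
require 'ipaddr'

# Constructed sample: the 16 raw bytes an iPAddress SAN carries for 13::17.
SAN_BYTES = IPAddr.new('13::17').hton

# Hypothetical "before" check: render the SAN bytes in one fixed text format
# (hex groups, no zero-compression, no leading zeroes) and compare strings.
def match_by_text?(san_bytes, hostname)
  san_bytes.unpack('n*').map { |group| format('%X', group) }.join(':') == hostname
end

# Hypothetical "after" check: parse the presented address and compare the
# network-order bytes, so every valid spelling of one address is equal.
def match_by_bytes?(san_bytes, hostname)
  # IPAddr also accepts "addr/prefix" notation, which is a network, not a host.
  return false if hostname.include?('/')
  san_bytes == IPAddr.new(hostname).hton
rescue IPAddr::Error
  false # not an IP literal at all (e.g. a DNS name): no iPAddress match
end

# Returns [hostname, text_result, bytes_result] for each candidate.
def compare(hostnames, san_bytes = SAN_BYTES)
  hostnames.map { |h| [h, match_by_text?(san_bytes, h), match_by_bytes?(san_bytes, h)] }
end

if __FILE__ == $PROGRAM_NAME
  candidates = [
    '13:0:0:0:0:0:0:17',                        # the one format the text check accepts
    '13::17',                                   # zero-compressed
    '0013:0000:0000:0000:0000:0000:0000:0017',  # leading zeroes
    '13::18',                                   # different address
    'www.example.com'                           # not an IP literal
  ]
  compare(candidates).each do |host, text, bytes|
    puts format('%-42s text=%-5s bytes=%s', host, text, bytes)
  end
end
```
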
Diffstat (limited to 'test/test_ssl.rb')
-rw-r--r-- | test/test_ssl.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/test/test_ssl.rb b/test/test_ssl.rb index ea98bec8..1ddc7913 100644 --- a/test/test_ssl.rb +++ b/test/test_ssl.rb @@ -526,8 +526,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, "www.example.com\0.evil.com")) assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255')) assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1')) - assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17')) + assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13::17')) + assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::18')) assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17')) + assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '44:0:0:0:0:0:0:17')) + assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '0013:0000:0000:0000:0000:0000:0000:0017')) + assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '1313:0000:0000:0000:0000:0000:0000:0017')) end end |
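
Review bot: The assertions added at the end of this hunk only pass well-formed IPv6 strings made of the digits 0-9, so hex letter case and malformed input are not covered. Since the change is about accepting every valid representation, a SAN whose groups contain a-f would let the test assert that both the upper-case and lower-case spellings verify. It would also help to add a syntactically invalid address (for example one with two `::` runs) and assert that `verify_certificate_identity` returns false for it rather than raising, and to add a negative IPv4 case next to the existing `'192.168.7.255'` line if the IPv4 path is affected by the same change. The flip of `'13::17'` from false to true is the core behavioural change, and pairing it with `'13::18'` as a negative is a good pattern to repeat for the new cases.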