Trim trailing dot from FQDN in SNI

rustls · Nov 22, 2020 · 20c4dab · 20c4dab
1 parent 931560d
commit 20c4dab
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -23,6 +23,8 @@ If you'd like to help out, please see [CONTRIBUTING.md](CONTRIBUTING.md).
 * Next release:
   - Ensured that `get_peer_certificates` is both better documented, and works
     uniformly for both full-handshake and resumed sessions.
+  - Fix bug: fully qualified hostnames should have had their trailing dot
+    stripped when quoted in the SNI extension.
   - Planned: removal of unused signature verification schemes at link-time.
   - Planned: removal of PEM parsing to a separate crate.
 * 0.18.1 (2020-08-16):

diff --git a/rustls/src/msgs/handshake.rs b/rustls/src/msgs/handshake.rs
@@ -697,12 +697,28 @@ impl Codec for ClientExtension {
     }
 }
 
+fn trim_hostname_trailing_dot_for_sni(dns_name: webpki::DNSNameRef) -> webpki::DNSName {
+    let dns_name_str: &str = dns_name.into();
+
+    // RFC6066: "The hostname is represented as a byte string using
+    // ASCII encoding without a trailing dot"
+    if dns_name_str.ends_with('.') {
+        let trimmed = &dns_name_str[0..dns_name_str.len()-1];
+        webpki::DNSNameRef::try_from_ascii_str(trimmed)
+            .unwrap()
+            .to_owned()
+    } else {
+        dns_name.to_owned()
+    }
+}
+
 impl ClientExtension {
     /// Make a basic SNI ServerNameRequest quoting `hostname`.
     pub fn make_sni(dns_name: webpki::DNSNameRef) -> ClientExtension {
         let name = ServerName {
             typ: ServerNameType::HostName,
-            payload: ServerNamePayload::HostName(dns_name.into()),
+            payload: ServerNamePayload::HostName(
+                trim_hostname_trailing_dot_for_sni(dns_name)),
         };
 
         ClientExtension::ServerName(vec![ name ])

diff --git a/rustls/tests/api.rs b/rustls/tests/api.rs
@@ -437,6 +437,25 @@ fn server_cert_resolve_with_alpn() {
     }
 }
 
+#[test]
+fn client_trims_terminating_dot() {
+    for kt in ALL_KEY_TYPES.iter() {
+        let client_config = make_client_config(*kt);
+        let mut server_config = make_server_config(*kt);
+
+        server_config.cert_resolver = Arc::new(ServerCheckCertResolve {
+            expected_sni: Some("some-host.com".into()),
+            ..Default::default()
+        });
+
+        let mut client = ClientSession::new(&Arc::new(client_config), dns_name("some-host.com."));
+        let mut server = ServerSession::new(&Arc::new(server_config));
+
+        let err = do_handshake_until_error(&mut client, &mut server);
+        assert_eq!(err.is_err(), true);
+    }
+}
+
 
 fn check_sigalgs_reduced_by_ciphersuite(kt: KeyType, suite: CipherSuite,
                                         expected_sigalgs: Vec<SignatureScheme>) {