[release-branch.go1.22] crypto/x509: properly check for IPv6 hosts in URIs

rolandshoemaker · gopherbot · commit 19d21034157b · 2025-01-16T11:07:05.000-08:00
When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints. Thanks to Juho Forsén of Mattermost for reporting this issue. For golang#71156 Fixes golang#71207 Fixes CVE-2024-45341 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> Change-Id: I1d97723e0f29fcf1404fb868ba0495282da70f6e Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1780 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/643105 TryBot-Bypass: Michael Knyszek <mknyszek@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com>
diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
@@ -1599,6 +1599,24 @@ var nameConstraintsTests = []nameConstraintsTest{
 			cn:   "foo.bar",
 		},
 	},
+
+	// #86: URIs with IPv6 addresses with zones and ports are rejected
+	{
+		roots: []constraintsSpec{
+			{
+				ok: []string{"uri:example.com"},
+			},
+		},
+		intermediates: [][]constraintsSpec{
+			{
+				{},
+			},
+		},
+		leaf: leafSpec{
+			sans: []string{"uri:http://[2006:abcd::1%25.example.com]:16/"},
+		},
+		expectedError: "URI with IP",
+	},
 }
 
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"net/url"
 	"reflect"
 	"runtime"
@@ -429,8 +430,10 @@ func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
 		}
 	}
 
-	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") ||
-		net.ParseIP(host) != nil {
+	// netip.ParseAddr will reject the URI IPv6 literal form "[...]", so we
+	// check if _either_ the string parses as an IP, or if it is enclosed in
+	// square brackets.
+	if _, err := netip.ParseAddr(host); err == nil || (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]")) {
 		return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import (`
`11`	`11`	`"errors"`
`12`	`12`	`"fmt"`
`13`	`13`	`"net"`
	`14`	`+ "net/netip"`
`14`	`15`	`"net/url"`
`15`	`16`	`"reflect"`
`16`	`17`	`"runtime"`
`@@ -429,8 +430,10 @@ func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {`
`429`	`430`	`}`
`430`	`431`	`}`
`431`	`432`
`432`		`- if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") \|\|`
`433`		`- net.ParseIP(host) != nil {`
	`433`	`+ // netip.ParseAddr will reject the URI IPv6 literal form "[...]", so we`
	`434`	`+ // check if _either_ the string parses as an IP, or if it is enclosed in`
	`435`	`+ // square brackets.`
	`436`	`+ if _, err := netip.ParseAddr(host); err == nil \|\| (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]")) {`
`434`	`437`	`return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())`
`435`	`438`	`}`
`436`	`439`