From cb712ff37d3c20a21695e00c52fff213a6fd40b4 Mon Sep 17 00:00:00 2001 From: Wim Date: Sun, 16 Jun 2019 23:33:25 +0200 Subject: Update vendor (#852) --- .../golang.org/x/crypto/acme/autocert/autocert.go | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) (limited to 'vendor/golang.org/x/crypto/acme') diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/vendor/golang.org/x/crypto/acme/autocert/autocert.go index a50d9bfc..e562609c 100644 --- a/vendor/golang.org/x/crypto/acme/autocert/autocert.go +++ b/vendor/golang.org/x/crypto/acme/autocert/autocert.go @@ -32,6 +32,7 @@ import ( "time" "golang.org/x/crypto/acme" + "golang.org/x/net/idna" ) // createCertRetryAfter is how much time to wait before removing a failed state @@ -62,10 +63,16 @@ type HostPolicy func(ctx context.Context, host string) error // HostWhitelist returns a policy where only the specified host names are allowed. // Only exact matches are currently supported. Subdomains, regexp or wildcard // will not match. +// +// Note that all hosts will be converted to Punycode via idna.Lookup.ToASCII so that +// Manager.GetCertificate can handle the Unicode IDN and mixedcase hosts correctly. +// Invalid hosts will be silently ignored. func HostWhitelist(hosts ...string) HostPolicy { whitelist := make(map[string]bool, len(hosts)) for _, h := range hosts { - whitelist[h] = true + if h, err := idna.Lookup.ToASCII(h); err == nil { + whitelist[h] = true + } } return func(_ context.Context, host string) error { if !whitelist[host] { @@ -243,7 +250,17 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, if !strings.Contains(strings.Trim(name, "."), ".") { return nil, errors.New("acme/autocert: server name component count invalid") } - if strings.ContainsAny(name, `+/\`) { + + // Note that this conversion is necessary because some server names in the handshakes + // started by some clients (such as cURL) are not converted to Punycode, which will + // prevent us from obtaining certificates for them. In addition, we should also treat + // example.com and EXAMPLE.COM as equivalent and return the same certificate for them. + // Fortunately, this conversion also helped us deal with this kind of mixedcase problems. + // + // Due to the "σςΣ" problem (see https://unicode.org/faq/idn.html#22), we can't use + // idna.Punycode.ToASCII (or just idna.ToASCII) here. + name, err := idna.Lookup.ToASCII(name) + if err != nil { return nil, errors.New("acme/autocert: server name contains invalid character") } -- cgit v1.2.3