oss-sec mailing list archives

Re: CVE Request: libesmtp does not check NULL bytes in commonName


From: Brian Stafford <brian () stafford uklinux net>
Date: Mon, 15 Mar 2010 22:08:33 +0000

Hello all

I think the best approach is to apply Pawel's patch as this is the simplest in terms of changes to the existing code base, and perhaps move to Ludwig's for a later release of libESMTP. In the slightly longer term, I think the internet draft at http://tools.ietf.org/html/draft-saintandre-tls-server-id-check is the one to follow but this might change substantially or even fall off the rails entirely.

For the next libESMTP release I'm considering changing match_domain() as follows: for each hostname component accept either a string or a single wildcard character '*' as the pattern. In either case only characters from the set [A-Za-z0-9-] in the hostname shall be accepted, otherwise the match shall fail. If the top level domain has only two characters then wildcards are barred from the 3 topmost components, otherwise from the topmost 2 components, e.g. *.example.com is acceptable but not *.co.uk. f*.bar.com would not be acceptable. The I-D says only the leftmost component may contain a wildcard but this would rule out *.*.google.com. The algorithm I've outlined is really a halfway house between RFC2818, which I think is too flexible, and the I-D; limit the positions of wildcards in the hostname and don't allow elaborate matches within a hostname component. Any ideas or opinions on this would be useful.

Regards
Brian
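An added example, not code from libESMTP or from Brian's post: a C match_domain() that implements the wildcard policy sketched in the message above (hostname labels restricted to [A-Za-z0-9-], a pattern label is either a literal or exactly '*', and wildcards are barred from the top 3 labels when the TLD has two characters, otherwise from the top 2). Case-insensitive label comparison via strncasecmp is my assumption, not something the post specifies.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>
/* Hostname labels may only contain [A-Za-z0-9-]; empty labels fail. */
static int valid_label(const char *s, size_t n)
{
    size_t i;
    if (n == 0)
        return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char) s[i]) && s[i] != '-')
            return 0;
    return 1;
}
/* Number of dot-separated labels in s. */
static int count_labels(const char *s)
{
    int n = 1;
    for (; *s; s++)
        n += (*s == '.');
    return n;
}
/* Returns 1 if host matches pattern under the proposed rules, else 0. */
int match_domain(const char *host, const char *pattern)
{
    int nh = count_labels(host), idx, barred;
    const char *tld = strrchr(host, '.');
    if (nh != count_labels(pattern))
        return 0;
    /* Wildcards are barred from the top 3 labels when the TLD has two
     * characters (e.g. .co.uk), otherwise from the top 2. */
    barred = strlen(tld ? tld + 1 : host) == 2 ? 3 : 2;
    for (idx = nh; idx >= 1; idx--) { /* idx == 1 is the rightmost label */
        const char *hd = strchr(host, '.'), *pd = strchr(pattern, '.');
        size_t hl = hd ? (size_t) (hd - host) : strlen(host);
        size_t pl = pd ? (size_t) (pd - pattern) : strlen(pattern);
        if (!valid_label(host, hl))
            return 0;                      /* bad character in hostname */
        if (pl == 1 && *pattern == '*') {
            if (idx <= barred)
                return 0;                  /* wildcard too close to the TLD */
        } else if (memchr(pattern, '*', pl) || pl != hl
                   || strncasecmp(host, pattern, hl) != 0) {
            return 0;  /* partial wildcard (f*.bar.com) or literal mismatch */
        }
        host += hl + (hd != NULL);         /* advance past the label and dot */
        pattern += pl + (pd != NULL);
    }
    return 1;
}
```

Because this works on NUL-terminated strings, the caller must still reject a commonName whose ASN.1 length exceeds strlen() of its contents, which is the defect named in the subject line.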