sslutil: synchronize hostname matching logic with CPython

sslutil contains its own hostname matching logic. CPython has code
for the same intent. However, it is only available to Python 2.7.9+
(or distributions that have backported 2.7.9's ssl module
improvements).

This patch effectively imports CPython's hostname matching code
from its ssl.py into sslutil.py. The hostname matching code itself
is pretty similar. However, the DNS name matching code is much more
robust and spec conformant.

As the test changes show, this changes some behavior around
wildcard handling and IDNA matching. The new behavior allows
wildcards in the middle of words (e.g. 'f*.com' matches 'foo.com').
This is spec compliant according to RFC 6125 Section 6.5.3 item 3.

There is one test where the matcher is more strict. Before,
'*.a.com' matched '.a.com'. Now it doesn't match. Strictly speaking
this is a security vulnerability.
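
The wildcard rules the commit message refers to, as an added illustration (not the code from this patch or from CPython's ssl.py): one wildcard, only in the left-most label, allowed inside the label, and never matching an empty label or an IDNA A-label. The function name `dnsname_match` and every sample name other than 'f*.com' and '*.a.com' are assumptions made for the example.

```python
# Added illustration of RFC 6125 section 6.5.3 style DNS name matching.
# Not the patch's code and not CPython's ssl.py; all names are hypothetical.

def dnsname_match(pattern, hostname):
    """Return True if certificate DNS name `pattern` matches `hostname`."""
    if not pattern or not hostname:
        return False
    p_labels = pattern.lower().split('.')
    h_labels = hostname.lower().split('.')
    leftmost, host_left = p_labels[0], h_labels[0]

    # At most one wildcard, and only in the left-most label.
    if leftmost.count('*') > 1:
        raise ValueError('too many wildcards in %r' % pattern)
    if any('*' in label for label in p_labels[1:]):
        return False

    # No wildcard: plain case-insensitive comparison.
    if '*' not in leftmost:
        return p_labels == h_labels

    # A wildcard covers part or all of exactly one label, so the label
    # counts must agree and everything to its right must be identical.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False

    if leftmost == '*':
        # A bare '*' needs a non-empty label: '*.a.com' must not match '.a.com'.
        return host_left != ''
    if leftmost.startswith('xn--') or host_left.startswith('xn--'):
        # IDNA A-labels are compared literally, never expanded.
        return leftmost == host_left

    # Wildcard inside the label: 'f*' matches 'foo'.
    prefix, suffix = leftmost.split('*', 1)
    return (len(host_left) >= len(prefix) + len(suffix)
            and host_left.startswith(prefix)
            and host_left.endswith(suffix))


if __name__ == '__main__':
    # Constructed sample pairs: (certificate name, requested host).
    for cert_name, host in [('f*.com', 'foo.com'), ('*.a.com', '.a.com'),
                            ('*.a.com', 'foo.a.com'),
                            ('*.a.com', 'bar.foo.a.com'),
                            ('x*.example.com', 'xn--caf-dma.example.com')]:
        print('%-16s %-26s %s' % (cert_name, host,
                                  dnsname_match(cert_name, host)))
```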
=== property cache ===
calllog: []
cached value (unfiltered): NOCACHE
= first access on unfiltered, should do a call
access: 0
calllog: [0]
cached value (unfiltered): 0
= second access on unfiltered, should not do call
access 0
calllog: [0]
cached value (unfiltered): 0
= first access on "visible" view, should do a call
cached value ("visible" view): NOCACHE
access: 7
calllog: [0, 7]
cached value (unfiltered): 0
cached value ("visible" view): 7
= second access on "visible view", should not do call
access: 7
calllog: [0, 7]
cached value (unfiltered): 0
cached value ("visible" view): 7
= no effect on other view
cached value ("immutable" view): NOCACHE
access: 9
calllog: [0, 7, 9]
cached value (unfiltered): 0
cached value ("visible" view): 7
cached value ("immutable" view): 9
=== unfiltered property cache ===
unficalllog: []
cached value (unfiltered): NOCACHE
cached value ("visible" view): NOCACHE
cached value ("immutable" view): NOCACHE
= first access on unfiltered, should do a call
access (unfiltered): 100
unficalllog: [100]
cached value (unfiltered): 100
= second access on unfiltered, should not do call
access (unfiltered): 100
unficalllog: [100]
cached value (unfiltered): 100
= access on view should use the unfiltered cache
access (unfiltered): 100
access ("visible" view): 100
access ("immutable" view): 100
unficalllog: [100]
cached value (unfiltered): 100
cached value ("visible" view): NOCACHE
cached value ("immutable" view): NOCACHE
= even if we clear the unfiltered cache
cached value (unfiltered): NOCACHE
cached value ("visible" view): NOCACHE
cached value ("immutable" view): NOCACHE
unficalllog: [100]
access ("visible" view): 100
unficalllog: [100, 100]
cached value (unfiltered): 100
cached value ("visible" view): NOCACHE
cached value ("immutable" view): NOCACHE
access ("immutable" view): 100
unficalllog: [100, 100]
cached value (unfiltered): 100
cached value ("visible" view): NOCACHE
cached value ("immutable" view): NOCACHE
access (unfiltered): 100
unficalllog: [100, 100]
cached value (unfiltered): 100
cached value ("visible" view): NOCACHE
cached value ("immutable" view): NOCACHE