authorscott%scott-macgregor.org <devnull@localhost>2004-06-07 17:22:48 +0000
committerscott%scott-macgregor.org <devnull@localhost>2004-06-07 17:22:48 +0000
commit07a3c3fcc7fd303aa0eb039e203d0a99ddb6adb1 (patch)
treeb18605dce5afa8904d8657c992572c3c0bba8007
parent1fc1ef799756c25cd017839a95fb8126e74b4032 (diff)
downloadnss-hg-07a3c3fcc7fd303aa0eb039e203d0a99ddb6adb1.tar.gz
Port Bug #234058 --> Certificate name matching for non-FQDNs is insecure
-rw-r--r--security/nss/lib/certdb/certdb.c22
1 files changed, 1 insertions, 21 deletions
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 84039ea99..798a5ffe3 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1336,20 +1336,7 @@ CERT_AddOKDomainName(CERTCertificate *cert, const char *hn)
static SECStatus
cert_TestHostName(char * cn, const char * hn)
{
- char * hndomain;
- int regvalid;
-
- if ((hndomain = PORT_Strchr(hn, '.')) == NULL) {
- /* No domain in URI host name */
- char * cndomain;
- if ((cndomain = PORT_Strchr(cn, '.')) != NULL &&
- (cndomain - cn) > 0) {
- /* there is a domain in the cn string, so chop it off */
- *cndomain = '\0';
- }
- }
-
- regvalid = PORT_RegExpValid(cn);
+ int regvalid = PORT_RegExpValid(cn);
if (regvalid != NON_SXP) {
SECStatus rv;
/* cn is a regular expression, try to match the shexp */
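Review bot: With the in-place truncation removed, nothing in the visible lines of cert_TestHostName writes through `cn` any more, yet the parameter is still declared `char * cn`, so a later change could reintroduce mutation of the caller's certificate name without the compiler objecting. If PORT_RegExpValid and the shexp match call (which lies outside this hunk) accept const pointers, the signature could become `cert_TestHostName(const char * cn, const char * hn)`. A comment above the function such as `/* hn must match cn as a whole; never strip a domain from either side (bug 234058) */` would also record why the short-name fallback must not come back. Separately, the remaining branch treats any `cn` for which PORT_RegExpValid returns something other than NON_SXP as a shell expression, and `cn` presumably originates from the peer's certificate, so it is worth confirming that the accepted pattern syntax is no broader than the wildcard forms callers intend to honour. The function body continues beyond this hunk, so these points are limited to the lines shown.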
@@ -1370,13 +1357,6 @@ cert_TestHostName(char * cn, const char * hn)
return SECSuccess;
}
- if ( hndomain ) {
- /* compare just domain name with cert name */
- if ( PORT_Strcasecmp(hndomain+1, cn) == 0 ) {
- return SECSuccess;
- }
- }
-
PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
return SECFailure;
}