diff options
author | nelsonb%netscape.com <devnull@localhost> | 2003-11-19 00:56:59 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2003-11-19 00:56:59 +0000 |
commit | 8740ce6982e9efd09e7649022fbf9efd3bea0284 (patch) | |
tree | f18c8fd9e3de0b9eba896ab0ad83c5767a89a223 | |
parent | e2a6a1657bce59448c64d0ea3a7616fa42261282 (diff) | |
download | nss-hg-8740ce6982e9efd09e7649022fbf9efd3bea0284.tar.gz |
Fix bugs in the new implementation of URI name constraints.
Bugzilla Bug 221616.
-rw-r--r-- | security/nss/lib/certdb/genname.c | 56 |
1 files changed, 46 insertions, 10 deletions
diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c index f8eb668bd..05feaaaa9 100644 --- a/security/nss/lib/certdb/genname.c +++ b/security/nss/lib/certdb/genname.c @@ -1093,30 +1093,37 @@ loser: } /* Returns SECSuccess if name matches constraint per RFC 3280 rules for -** DNS name constraints. SECFailure otherwise. -** The constraint string must match the right most substring of the same -** length in the name. If the name string is longer, then the leftmost -** character of the constraint string cannot be in the middle of a domain -** name component. Examples: +** URI name constraints. SECFailure otherwise. +** If the constraint begins with a dot, it is a domain name, otherwise +** It is a host name. Examples: ** Constraint Name Result ** ------------ --------------- -------- ** foo.bar.com foo.bar.com matches ** foo.bar.com FoO.bAr.CoM matches -** foo.bar.com www.foo.bar.com matches +** foo.bar.com www.foo.bar.com no match ** foo.bar.com nofoo.bar.com no match ** .foo.bar.com www.foo.bar.com matches +** .foo.bar.com nofoo.bar.com no match ** .foo.bar.com foo.bar.com no match ** .foo.bar.com www..foo.bar.com no match */ static SECStatus -compareDNSN2C(const SECItem *name, const SECItem *constraint) +compareURIN2C(const SECItem *name, const SECItem *constraint) { int offset; /* The spec is silent on intepreting zero-length constraints. - ** We interpret them as matching all DNSnames. + ** We interpret them as matching no URI names. */ if (!constraint->len) - return SECSuccess; + return SECFailure; + if (constraint->data[0] != '.') { + /* constraint is a host name. */ + if (name->len != constraint->len || + PL_strncasecmp(name->data, constraint->data, constraint->len)) + return SECFailure; + return SECSuccess; + } + /* constraint is a domain name. */ if (name->len < constraint->len) return SECFailure; offset = name->len - constraint->len; @@ -1128,6 +1135,35 @@ compareDNSN2C(const SECItem *name, const SECItem *constraint) return SECFailure; } +/* for DNSnames, the constraint matches any string to which it matches the +** rightmost characters in that string. +** Constraint Name Result +** ------------ --------------- -------- +** foo.bar.com foo.bar.com matches +** foo.bar.com FoO.bAr.CoM matches +** foo.bar.com www.foo.bar.com matches +** foo.bar.com nofoo.bar.com MATCHES +** .foo.bar.com www.foo.bar.com matches +** .foo.bar.com foo.bar.com no match +** .foo.bar.com www..foo.bar.com matches +*/ +static SECStatus +compareDNSN2C(const SECItem *name, const SECItem *constraint) +{ + int offset; + /* The spec is silent on intepreting zero-length constraints. + ** We interpret them as matching all DNSnames. + */ + if (!constraint->len) + return SECSuccess; + if (name->len < constraint->len) + return SECFailure; + offset = name->len - constraint->len; + if (PL_strncasecmp(name->data + offset, constraint->data, constraint->len)) + return SECFailure; + return SECSuccess; +} + /* Returns SECSuccess if name matches constraint per RFC 3280 rules for ** internet email addresses. SECFailure otherwise. ** If constraint contains a '@' then the two strings much match exactly. @@ -1288,7 +1324,7 @@ cert_CompareNameWithConstraints(CERTGeneralName *name, rv = parseUriHostname(&uri); if (rv == SECSuccess) { /* does our hostname meet the constraint? */ - matched = compareDNSN2C(&uri, ¤t->name.name.other); + matched = compareURIN2C(&uri, ¤t->name.name.other); } } break; |