author | wtchang%redhat.com <devnull@localhost> | 2006-12-06 02:38:55 +0000 |
---|---|---|
committer | wtchang%redhat.com <devnull@localhost> | 2006-12-06 02:38:55 +0000 |
commit | 5ef256af7f389ea4f69ea548db60716fde76ee27 (patch) | |
tree | 9478338c15f2b98198a5a0e793e748c939dab2b1 | |
parent | 36060f6ab73d961440bb66d5f4335b674dbc1e25 (diff) | |
Bugzilla Bug 357197: when we compare hash algorithm identifiers, allow the
'parameters' to be either NULL or missing. r=nelsonb,relyea
Tag: NSS_3_11_BRANCH
-rw-r--r-- | security/nss/lib/certhigh/ocsp.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index fd7c6dce9..c74063bbe 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2682,8 +2682,7 @@ ocsp_CheckSignature(ocspSignature *signature, void *tbs,
 rv = VFY_VerifyDataWithAlgorithmID(encodedTBS->data, encodedTBS->len, signerKey, &rawSignature,
- &signature->signatureAlgorithm, NULL,
- pwArg);
+ &signature->signatureAlgorithm, NULL, pwArg);
 finish:
 if (signature->wasChecked)
@@ -2821,8 +2820,14 @@ ocsp_CertIDsMatch(CERTCertDBHandle *handle,
 goto done;
 }
- if (SECOID_CompareAlgorithmID(&certID1->hashAlgorithm,
- &certID2->hashAlgorithm) == SECEqual) {
+ /*
+ * For all the supported hash algorithms, 'parameters' is NULL (two
+ * bytes 0x05 0x00), but we allow it to be missing (zero length).
+ */
+ if ((SECITEM_CompareItem(&certID1->hashAlgorithm.algorithm,
+ &certID2->hashAlgorithm.algorithm) == SECEqual)
+ && (certID1->hashAlgorithm.parameters.len <= 2)
+ && (certID2->hashAlgorithm.parameters.len <= 2)) {
 /*
 * If the hash algorithms match then we can do a simple compare
 * of the hash values themselves. |
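Review bot: The new condition in ocsp_CertIDsMatch accepts any `parameters` of length 0, 1 or 2, while the comment directly above it says only an ASN.1 NULL (`0x05 0x00`) or a missing field is intended; a one-byte value or two arbitrary bytes would also be treated as equivalent. Because this comparison decides whether an OCSP response's CertID is taken to refer to the requested certificate, it would be tighter to test the content as well, for each side something like `len == 0 || (len == 2 && data[0] == 0x05 && data[1] == 0x00)`, ideally in one small static helper applied to both certID1 and certID2. Whether the ASN.1 decoder already rejects other encodings before this point is not visible here, so the stricter check may only be defence in depth. The function body begins and ends outside the hunk.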