diff options
author | Wan-Teh Chang <wtc@google.com> | 2014-02-25 18:17:08 +0100 |
---|---|---|
committer | Wan-Teh Chang <wtc@google.com> | 2014-02-25 18:17:08 +0100 |
commit | c4af229807d76666a292d6a3878f09ea4edb8d97 (patch) | |
tree | 6151643f539d014d763c67dec8383d05bb384239 /lib/certdb | |
parent | 3a9fb0ed32fd822a705e7295d99cbb85560e7873 (diff) | |
download | nss-hg-c4af229807d76666a292d6a3878f09ea4edb8d97.tar.gz |
Bug 903885, fix IDNA wildcard handling v4, r=kaie
Diffstat (limited to 'lib/certdb')
-rw-r--r-- | lib/certdb/certdb.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/lib/certdb/certdb.c b/lib/certdb/certdb.c index 6b460d10a..229490ecd 100644 --- a/lib/certdb/certdb.c +++ b/lib/certdb/certdb.c @@ -1381,27 +1381,26 @@ cert_TestHostName(char * cn, const char * hn) return rv; } } else { - /* New approach conforms to RFC 2818. */ + /* New approach conforms to RFC 6125. */ char *wildcard = PORT_Strchr(cn, '*'); char *firstcndot = PORT_Strchr(cn, '.'); char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; char *firsthndot = PORT_Strchr(hn, '.'); - /* RFC 6125 IDN matching */ - int firstace = PORT_Strncasecmp('xn--', cn, 4); /* For a cn pattern to be considered valid, the wildcard character... * - may occur only in a DNS name with at least 3 components, and * - may occur only as last character in the first component, and * - may be preceded by additional characters, and - * - must not be preceded by an IDN ACE prefix (xn--) + * - must not be preceded by an IDNA ACE prefix (xn--) */ if (wildcard && secondcndot && secondcndot[1] && firsthndot - && firstcndot - wildcard == 1 - && secondcndot - firstcndot > 1 - && PORT_Strrchr(cn, '*') == wildcard + && firstcndot - wildcard == 1 /* no chars between * and . */ + && secondcndot - firstcndot > 1 /* not .. */ + && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ && !PORT_Strncasecmp(cn, hn, wildcard - cn) && !PORT_Strcasecmp(firstcndot, firsthndot) - && firstace != 0) { + /* If hn starts with xn--, then cn must start with wildcard */ + && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { /* valid wildcard pattern match */ return SECSuccess; } |