author | Christian Heimes <sites@cheimes.de> | 2014-02-24 17:50:25 +0100 |
---|---|---|
committer | Christian Heimes <sites@cheimes.de> | 2014-02-24 17:50:25 +0100 |
commit | 3a9fb0ed32fd822a705e7295d99cbb85560e7873 (patch) | |
tree | 8e71a394f62131ceb77c8d01b44214e3fd6f96c8 /lib/certdb | |
parent | f0b4f25f4927645911df36bf3063c7cdd5518728 (diff) | |
download | nss-hg-3a9fb0ed32fd822a705e7295d99cbb85560e7873.tar.gz |
Bug 903885, fix IDNA wildcard handling, r=kaie
Diffstat (limited to 'lib/certdb')
-rw-r--r-- | lib/certdb/certdb.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/certdb/certdb.c b/lib/certdb/certdb.c
index b7d22bd83..6b460d10a 100644
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -1386,18 +1386,22 @@ cert_TestHostName(char * cn, const char * hn)
     char *firstcndot = PORT_Strchr(cn, '.');
     char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
     char *firsthndot = PORT_Strchr(hn, '.');
+    /* RFC 6125 IDN matching */
+    int firstace = PORT_Strncasecmp('xn--', cn, 4);
     /* For a cn pattern to be considered valid, the wildcard character...
      * - may occur only in a DNS name with at least 3 components, and
      * - may occur only as last character in the first component, and
-     * - may be preceded by additional characters
+     * - may be preceded by additional characters, and
+     * - must not be preceded by an IDN ACE prefix (xn--)
      */
     if (wildcard && secondcndot && secondcndot[1] && firsthndot
         && firstcndot - wildcard == 1
         && secondcndot - firstcndot > 1
         && PORT_Strrchr(cn, '*') == wildcard
         && !PORT_Strncasecmp(cn, hn, wildcard - cn)
-        && !PORT_Strcasecmp(firstcndot, firsthndot)) {
+        && !PORT_Strcasecmp(firstcndot, firsthndot)
+        && firstace != 0) {
         /* valid wildcard pattern match */
         return SECSuccess;
     }
|
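Review bot: The added `int firstace = PORT_Strncasecmp('xn--', cn, 4);` passes a multi-character constant where the function expects a string: `'xn--'` is an `int`, not a `const char *`, so the first argument is a bogus pointer formed from that integer value, the compiler should warn about the incompatible type, and the comparison reads from an invalid address instead of testing the first label for the ACE prefix. The line should read `int firstace = PORT_Strncasecmp("xn--", cn, 4);`. Since `firstace != 0` is the only term in the condition that rejects an `xn--*` pattern, the new wildcard restriction is not effective until that is fixed. The `/* RFC 6125 IDN matching */` comment would help a reader more if it named the requirement it enforces, e.g. `/* RFC 6125 sec. 6.4.3: a wildcard must not appear inside an IDN A-label (xn--) */`. cert_TestHostName starts and ends outside the hunk.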