From 2042ecfd242b35f3c60696e6a15c2abad15e70d6 Mon Sep 17 00:00:00 2001
From: "wchang0222%aol.com"
Date: Fri, 4 Jun 2004 14:51:11 +0000
Subject: Remove code that attempted to compare simple host names in URLs with FQDNs in certificate host names. This was insecure. Bug 234058. r=wtc. a=dveditz for Mozilla 1.7. Modified Files: Tag: MOZILLA_1_7_BRANCH lib/certdb/certdb.c tests/ssl/ecssl.sh tests/ssl/ssl.sh
---
 security/nss/lib/certdb/certdb.c | 22 +---------------------
 security/nss/tests/ssl/ecssl.sh | 16 ++++++++--------
 security/nss/tests/ssl/ssl.sh | 16 ++++++++--------
 3 files changed, 17 insertions(+), 37 deletions(-)
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 84039ea99..798a5ffe3 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1336,20 +1336,7 @@ CERT_AddOKDomainName(CERTCertificate *cert, const char *hn)
 static SECStatus
 cert_TestHostName(char * cn, const char * hn)
 {
- char * hndomain;
- int regvalid;
-
- if ((hndomain = PORT_Strchr(hn, '.')) == NULL) {
- /* No domain in URI host name */
- char * cndomain;
- if ((cndomain = PORT_Strchr(cn, '.')) != NULL &&
- (cndomain - cn) > 0) {
- /* there is a domain in the cn string, so chop it off */
- *cndomain = '\0';
- }
- }
-
- regvalid = PORT_RegExpValid(cn);
+ int regvalid = PORT_RegExpValid(cn);
 if (regvalid != NON_SXP) {
 SECStatus rv;
 /* cn is a regular expression, try to match the shexp */
@@ -1370,13 +1357,6 @@ cert_TestHostName(char * cn, const char * hn)
 return SECSuccess;
 }
- if ( hndomain ) {
- /* compare just domain name with cert name */
- if ( PORT_Strcasecmp(hndomain+1, cn) == 0 ) {
- return SECSuccess;
- }
- }
-
 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
 return SECFailure;
 }
diff --git a/security/nss/tests/ssl/ecssl.sh b/security/nss/tests/ssl/ecssl.sh
index 512ed3fbb..f6658d775 100644
--- a/security/nss/tests/ssl/ecssl.sh
+++ b/security/nss/tests/ssl/ecssl.sh
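Review bot: After this change cert_TestHostName still treats any certificate name that PORT_RegExpValid accepts as a shell expression (`if (regvalid != NON_SXP)`), and nothing visible in the hunk limits where a wildcard may sit or how many labels it may cover. The match call itself lies outside the hunk, so this is inferred, but if the shexp matcher lets `*` span a `.`, a broadly wildcarded name would be accepted for hosts the issuer never intended; consider confining wildcards to the left-most label before the shexp match. The function also lacks a header comment stating the rule that remains, for example `/* Match hn against cn as given: no short-name or parent-domain fallback (bug 234058). */`. Since `cn` is no longer truncated in place, the parameter could become `const char *cn` if the PORT_RegExpValid prototype allows it; the rest of the body is outside both hunks, so check that nothing else writes through it.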
@@ -131,15 +131,15 @@ is_selfserv_alive()
 ########################################################################
 wait_for_selfserv()
 {
- echo "tstclnt -p ${PORT} -h ${HOST} -q "
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q "
 echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \\"
 #echo "tstclnt -q started at `date`"
- tstclnt -p ${PORT} -h ${HOST} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+ tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
 if [ $? -ne 0 ]; then
 html_failed " Wait for Server "
- echo "RETRY: tstclnt -p ${PORT} -h ${HOST} -q \\"
+ echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
 echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
- tstclnt -p ${PORT} -h ${HOST} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+ tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
 elif [ sparam = "-c ABCDEFGHIJKLMNOPQRSTabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then
 html_passed " Wait for Server"
 fi
@@ -221,11 +221,11 @@ ssl_cov()
 fi
 is_selfserv_alive
- echo "tstclnt -p ${PORT} -h ${HOST} -c ${param} ${TLS_FLAG} \\"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\"
 echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- tstclnt -p ${PORT} -h ${HOST} -c ${param} ${TLS_FLAG} -f \
+ tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \
 -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
 >${TMP}/$HOST.tmp.$$ 2>&1
 ret=$?
@@ -252,10 +252,10 @@ ssl_auth()
 cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 start_selfserv
- echo "tstclnt -p ${PORT} -h ${HOST} -f -d ${P_R_CLIENTDIR} \\"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\"
 echo " ${cparam} < ${REQUEST_FILE}"
 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- tstclnt -p ${PORT} -h ${HOST} -f ${cparam} \
+ tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
 -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
 >${TMP}/$HOST.tmp.$$ 2>&1
 ret=$?
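Review bot: Neither test script gains a case that checks the behaviour this commit is meant to enforce; the hunks in wait_for_selfserv, ssl_cov and ssl_auth (here and the matching ones in ssl.sh) only switch `-h ${HOST}` to `-h ${HOSTADDR}` so the existing positive tests keep passing. Assuming `${HOST}` is the unqualified name and `${HOSTADDR}` the name carried in the server certificate (neither definition is visible in these hunks), a negative case that connects with `-h ${HOST}` and expects the connection to be refused with a certificate-name error would keep the short-name match from coming back unnoticed. The log files are still named `${TMP}/$HOST.tmp.$$`, which is harmless but worth a one-line comment such as `# log name keeps the short host name; only the connect target uses HOSTADDR`.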
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
index 5af782ac6..d921fb02f 100755
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -127,15 +127,15 @@ is_selfserv_alive()
 ########################################################################
 wait_for_selfserv()
 {
- echo "tstclnt -p ${PORT} -h ${HOST} -q "
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q "
 echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \\"
 #echo "tstclnt -q started at `date`"
- tstclnt -p ${PORT} -h ${HOST} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+ tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
 if [ $? -ne 0 ]; then
 html_failed " Wait for Server "
- echo "RETRY: tstclnt -p ${PORT} -h ${HOST} -q \\"
+ echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
 echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
- tstclnt -p ${PORT} -h ${HOST} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+ tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
 elif [ sparam = "-c ABCDEFabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then
 html_passed " Wait for Server"
 fi
@@ -214,11 +214,11 @@ ssl_cov()
 fi
 is_selfserv_alive
- echo "tstclnt -p ${PORT} -h ${HOST} -c ${param} ${TLS_FLAG} \\"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\"
 echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- tstclnt -p ${PORT} -h ${HOST} -c ${param} ${TLS_FLAG} -f \
+ tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \
 -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
 >${TMP}/$HOST.tmp.$$ 2>&1
 ret=$?
@@ -245,10 +245,10 @@ ssl_auth()
 cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 start_selfserv
- echo "tstclnt -p ${PORT} -h ${HOST} -f -d ${P_R_CLIENTDIR} \\"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\"
 echo " ${cparam} < ${REQUEST_FILE}"
 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- tstclnt -p ${PORT} -h ${HOST} -f ${cparam} \
+ tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
 -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
 >${TMP}/$HOST.tmp.$$ 2>&1
 ret=$?
-- 
cgit v1.2.1