ALT Linux repos
Group :: System/Libraries
RPM: nss
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
Patch: nss-3.12.1-CVE-2009-2404.patch
Download
Download
Index: mozilla/security/nss/lib/certdb/certdb.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v
retrieving revision 1.96
diff -p -u -r1.96 certdb.c
--- mozilla/security/nss/lib/certdb/certdb.c 9 Feb 2009 07:51:30 -0000 1.96
+++ mozilla/security/nss/lib/certdb/certdb.c 11 Mar 2009 20:02:23 -0000
@@ -1446,32 +1446,61 @@ CERT_AddOKDomainName(CERTCertificate *ce
** returns SECFailure with SSL_ERROR_BAD_CERT_DOMAIN if no match,
** returns SECFailure with some other error code if another error occurs.
**
-** may modify cn, so caller must pass a modifiable copy.
+** This function may modify *cn, so caller must pass a modifiable copy.
*/
static SECStatus
cert_TestHostName(char * cn, const char * hn)
{
- int regvalid = PORT_RegExpValid(cn);
- if (regvalid != NON_SXP) {
- SECStatus rv;
- /* cn is a regular expression, try to match the shexp */
- int match = PORT_RegExpCaseSearch(hn, cn);
+ static int useShellExp = -1;
- if ( match == 0 ) {
- rv = SECSuccess;
- } else {
- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
- rv = SECFailure;
- }
- return rv;
- }
- /* cn is not a regular expression */
+ if (useShellExp < 0) {
+ useShellExp = (NULL != PR_GetEnv("NSS_USE_SHEXP_WILDCARDS"));
+ }
+ if (useShellExp) {
+ /* Backward compatible code, uses full Regular Expressions. */
+ int regvalid = PORT_RegExpValid(cn);
+ if (regvalid != NON_SXP) {
+ SECStatus rv;
+ /* cn is a regular expression, try to match the shexp */
+ int match = PORT_RegExpCaseSearch(hn, cn);
- /* compare entire hn with cert name */
+ if ( match == 0 ) {
+ rv = SECSuccess;
+ } else {
+ PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+ rv = SECFailure;
+ }
+ return rv;
+ }
+ } else {
+ /* New approach conforms to RFC 2818. */
+ char *wildcard = PORT_Strchr(cn, '*');
+ char *firstcndot = PORT_Strchr(cn, '.');
+ char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
+ char *firsthndot = PORT_Strchr(hn, '.');
+
+ /* For a cn pattern to be considered valid, the wildcard character...
+ * - may occur only in a DNS name with at least 3 components, and
+ * - may occur only as last character in the first component, and
+ * - may be preceded by additional characters
+ */
+ if (wildcard && secondcndot && secondcndot[1] && firsthndot
+ && firstcndot - wildcard == 1
+ && secondcndot - firstcndot > 1
+ && PORT_Strrchr(cn, '*') == wildcard
+ && !PORT_Strncasecmp(cn, hn, wildcard - cn)
+ && !PORT_Strcasecmp(firstcndot, firsthndot)) {
+ /* valid wildcard pattern match */
+ return SECSuccess;
+ }
+ }
+ /* CN has no wildcard or shell expression.
+ * Compare entire hn with cert name.
+ */
if (PORT_Strcasecmp(hn, cn) == 0) {
return SECSuccess;
}
-
+
PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
return SECFailure;
}