Fix bugs in the new implementation of URI name constraints.
Bugzilla Bug 221616.
Родитель
f2fe58e2e0
Коммит
069f394fa8
|
@ -1093,20 +1093,59 @@ loser:
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Returns SECSuccess if name matches constraint per RFC 3280 rules for
|
/* Returns SECSuccess if name matches constraint per RFC 3280 rules for
|
||||||
** DNS name constraints. SECFailure otherwise.
|
** URI name constraints. SECFailure otherwise.
|
||||||
** The constraint string must match the right most substring of the same
|
** If the constraint begins with a dot, it is a domain name, otherwise
|
||||||
** length in the name. If the name string is longer, then the leftmost
|
** It is a host name. Examples:
|
||||||
** character of the constraint string cannot be in the middle of a domain
|
** Constraint Name Result
|
||||||
** name component. Examples:
|
** ------------ --------------- --------
|
||||||
|
** foo.bar.com foo.bar.com matches
|
||||||
|
** foo.bar.com FoO.bAr.CoM matches
|
||||||
|
** foo.bar.com www.foo.bar.com no match
|
||||||
|
** foo.bar.com nofoo.bar.com no match
|
||||||
|
** .foo.bar.com www.foo.bar.com matches
|
||||||
|
** .foo.bar.com nofoo.bar.com no match
|
||||||
|
** .foo.bar.com foo.bar.com no match
|
||||||
|
** .foo.bar.com www..foo.bar.com no match
|
||||||
|
*/
|
||||||
|
static SECStatus
|
||||||
|
compareURIN2C(const SECItem *name, const SECItem *constraint)
|
||||||
|
{
|
||||||
|
int offset;
|
||||||
|
/* The spec is silent on intepreting zero-length constraints.
|
||||||
|
** We interpret them as matching no URI names.
|
||||||
|
*/
|
||||||
|
if (!constraint->len)
|
||||||
|
return SECFailure;
|
||||||
|
if (constraint->data[0] != '.') {
|
||||||
|
/* constraint is a host name. */
|
||||||
|
if (name->len != constraint->len ||
|
||||||
|
PL_strncasecmp(name->data, constraint->data, constraint->len))
|
||||||
|
return SECFailure;
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
/* constraint is a domain name. */
|
||||||
|
if (name->len < constraint->len)
|
||||||
|
return SECFailure;
|
||||||
|
offset = name->len - constraint->len;
|
||||||
|
if (PL_strncasecmp(name->data + offset, constraint->data, constraint->len))
|
||||||
|
return SECFailure;
|
||||||
|
if (!offset ||
|
||||||
|
(name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
|
||||||
|
return SECSuccess;
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* for DNSnames, the constraint matches any string to which it matches the
|
||||||
|
** rightmost characters in that string.
|
||||||
** Constraint Name Result
|
** Constraint Name Result
|
||||||
** ------------ --------------- --------
|
** ------------ --------------- --------
|
||||||
** foo.bar.com foo.bar.com matches
|
** foo.bar.com foo.bar.com matches
|
||||||
** foo.bar.com FoO.bAr.CoM matches
|
** foo.bar.com FoO.bAr.CoM matches
|
||||||
** foo.bar.com www.foo.bar.com matches
|
** foo.bar.com www.foo.bar.com matches
|
||||||
** foo.bar.com nofoo.bar.com no match
|
** foo.bar.com nofoo.bar.com MATCHES
|
||||||
** .foo.bar.com www.foo.bar.com matches
|
** .foo.bar.com www.foo.bar.com matches
|
||||||
** .foo.bar.com foo.bar.com no match
|
** .foo.bar.com foo.bar.com no match
|
||||||
** .foo.bar.com www..foo.bar.com no match
|
** .foo.bar.com www..foo.bar.com matches
|
||||||
*/
|
*/
|
||||||
static SECStatus
|
static SECStatus
|
||||||
compareDNSN2C(const SECItem *name, const SECItem *constraint)
|
compareDNSN2C(const SECItem *name, const SECItem *constraint)
|
||||||
|
@ -1122,10 +1161,7 @@ compareDNSN2C(const SECItem *name, const SECItem *constraint)
|
||||||
offset = name->len - constraint->len;
|
offset = name->len - constraint->len;
|
||||||
if (PL_strncasecmp(name->data + offset, constraint->data, constraint->len))
|
if (PL_strncasecmp(name->data + offset, constraint->data, constraint->len))
|
||||||
return SECFailure;
|
return SECFailure;
|
||||||
if (!offset ||
|
return SECSuccess;
|
||||||
(name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
|
|
||||||
return SECSuccess;
|
|
||||||
return SECFailure;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Returns SECSuccess if name matches constraint per RFC 3280 rules for
|
/* Returns SECSuccess if name matches constraint per RFC 3280 rules for
|
||||||
|
@ -1288,7 +1324,7 @@ cert_CompareNameWithConstraints(CERTGeneralName *name,
|
||||||
rv = parseUriHostname(&uri);
|
rv = parseUriHostname(&uri);
|
||||||
if (rv == SECSuccess) {
|
if (rv == SECSuccess) {
|
||||||
/* does our hostname meet the constraint? */
|
/* does our hostname meet the constraint? */
|
||||||
matched = compareDNSN2C(&uri, ¤t->name.name.other);
|
matched = compareURIN2C(&uri, ¤t->name.name.other);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|