| author | Brian Smith <brian@briansmith.org> |
| Sat, 13 Dec 2014 22:29:58 -0800 | |
| changeset 220767 | 5e53f5ad4e5de9619e9e2b2476998f1eb88601e2 |
| parent 220766 | 6820a4e8be01e9a2ebd944cb30c4cc9c9f5a9538 |
| child 220768 | 4ef8135861e45d8e50be3aa228f82c31c3119e41 |
| push id | 28000 |
| push user | cbook@mozilla.com |
| push date | Mon, 22 Dec 2014 12:13:57 +0000 |
| treeherder | mozilla-central@c82d5fcdc416 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | keeler |
| bugs | 1111398 |
| milestone | 37.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/pkix/lib/pkixnames.cpp +++ b/security/pkix/lib/pkixnames.cpp @@ -150,45 +150,44 @@ Result MatchPresentedIDWithReferenceID(G /*in/out*/ MatchResult& matchResult); Result CheckPresentedIDConformsToConstraints(GeneralNameType referenceIDType, Input presentedID, Input nameConstraints); uint8_t LocaleInsensitveToLower(uint8_t a); bool StartsWithIDNALabel(Input id); -MOZILLA_PKIX_ENUM_CLASS ValidDNSIDMatchType +MOZILLA_PKIX_ENUM_CLASS IDRole { ReferenceID = 0, PresentedID = 1, NameConstraint = 2, }; -bool IsValidDNSID(Input hostname, ValidDNSIDMatchType matchType); +bool IsValidDNSID(Input hostname, IDRole idRole); Result MatchPresentedDNSIDWithReferenceDNSID( - Input presentedDNSID, ValidDNSIDMatchType referenceDNSIDType, + Input presentedDNSID, IDRole referenceDNSIDRole, Input referenceDNSID, /*out*/ bool& matches); } // unnamed namespace bool IsValidReferenceDNSID(Input hostname); bool IsValidPresentedDNSID(Input hostname); bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]); bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]); // This is used by the pkixnames_tests.cpp tests. Result MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID, Input referenceDNSID, /*out*/ bool& matches) { return MatchPresentedDNSIDWithReferenceDNSID( - presentedDNSID, ValidDNSIDMatchType::ReferenceID, - referenceDNSID, matches); + presentedDNSID, IDRole::ReferenceID, referenceDNSID, matches); } // Verify that the given end-entity cert, which is assumed to have been already // validated with BuildCertChain, is valid for the given hostname. hostname is // assumed to be a string representation of an IPv4 address, an IPv6 addresss, // or a normalized ASCII (possibly punycode) DNS name. Result CheckCertHostname(Input endEntityCertDER, Input hostname) @@ -614,18 +613,17 @@ MatchPresentedIDWithReferenceID(GeneralN } Result rv; bool foundMatch; switch (referenceIDType) { case GeneralNameType::dNSName: rv = MatchPresentedDNSIDWithReferenceDNSID( - presentedID, ValidDNSIDMatchType::ReferenceID, - referenceID, foundMatch); + presentedID, IDRole::ReferenceID, referenceID, foundMatch); break; case GeneralNameType::iPAddress: foundMatch = InputsAreEqual(presentedID, referenceID); rv = Success; break; case GeneralNameType::rfc822Name: // fall through @@ -766,18 +764,17 @@ CheckPresentedIDConformsToNameConstraint } if (presentedIDType == nameConstraintType) { bool matches; switch (presentedIDType) { case GeneralNameType::dNSName: rv = MatchPresentedDNSIDWithReferenceDNSID( - presentedID, ValidDNSIDMatchType::NameConstraint, - base, matches); + presentedID, IDRole::NameConstraint, base, matches); if (rv != Success) { return rv; } break; case GeneralNameType::iPAddress: rv = MatchPresentedIPAddressWithConstraint(presentedID, base, matches); @@ -968,37 +965,37 @@ CheckPresentedIDConformsToNameConstraint // [3] Proposal to add such support to OpenSSL: // http://www.mail-archive.com/openssl-dev%40openssl.org/msg36204.html // https://rt.openssl.org/Ticket/Display.html?id=3562 // [4] Feedback on the lack of clarify in the definition that never got // incorporated into the spec: // https://www.ietf.org/mail-archive/web/pkix/current/msg21192.html Result MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID, - ValidDNSIDMatchType referenceDNSIDType, + IDRole referenceDNSIDRole, Input referenceDNSID, /*out*/ bool& matches) { if (!IsValidPresentedDNSID(presentedDNSID)) { return Result::ERROR_BAD_DER; } - if (!IsValidDNSID(referenceDNSID, referenceDNSIDType)) { + if (!IsValidDNSID(referenceDNSID, referenceDNSIDRole)) { return Result::ERROR_BAD_DER; } Reader presented(presentedDNSID); Reader reference(referenceDNSID); - switch (referenceDNSIDType) + switch (referenceDNSIDRole) { - case ValidDNSIDMatchType::ReferenceID: + case IDRole::ReferenceID: break; - case ValidDNSIDMatchType::NameConstraint: + case IDRole::NameConstraint: { if (presentedDNSID.GetLength() > referenceDNSID.GetLength()) { if (referenceDNSID.GetLength() == 0) { // An empty constraint matches everything. matches = true; return Success; } // If the reference ID starts with a dot then skip the prefix of @@ -1047,19 +1044,19 @@ MatchPresentedDNSIDWithReferenceDNSID(In matches = false; return Success; } } } break; } - case ValidDNSIDMatchType::PresentedID: // fall through + case IDRole::PresentedID: // fall through default: - return NotReached("invalid or unknown referenceDNSIDType", + return NotReached("invalid or unknown referenceDNSIDRole", Result::FATAL_ERROR_INVALID_ARGS); } // We only allow wildcard labels that consist only of '*'. if (presented.Peek('*')) { if (presented.Skip(1) != Success) { return NotReached("Skipping '*' failed", Result::FATAL_ERROR_LIBRARY_FAILURE); @@ -1096,17 +1093,17 @@ MatchPresentedDNSIDWithReferenceDNSID(In } break; } } // Allow a relative presented DNS ID to match an absolute reference DNS ID, // unless we're matching a name constraint. if (!reference.AtEnd()) { - if (referenceDNSIDType != ValidDNSIDMatchType::NameConstraint) { + if (referenceDNSIDRole != IDRole::NameConstraint) { uint8_t referenceByte; if (reference.Read(referenceByte) != Success) { return NotReached("read failed but not at end", Result::FATAL_ERROR_LIBRARY_FAILURE); } if (referenceByte != '.') { matches = false; return Success; @@ -1557,50 +1554,49 @@ ParseIPv6Address(Input hostname, /*out*/ } } } } bool IsValidReferenceDNSID(Input hostname) { - return IsValidDNSID(hostname, ValidDNSIDMatchType::ReferenceID); + return IsValidDNSID(hostname, IDRole::ReferenceID); } bool IsValidPresentedDNSID(Input hostname) { - return IsValidDNSID(hostname, ValidDNSIDMatchType::PresentedID); + return IsValidDNSID(hostname, IDRole::PresentedID); } namespace { bool -IsValidDNSID(Input hostname, ValidDNSIDMatchType matchType) +IsValidDNSID(Input hostname, IDRole idRole) { if (hostname.GetLength() > 253) { return false; } Reader input(hostname); - if (matchType == ValidDNSIDMatchType::NameConstraint && input.AtEnd()) { + if (idRole == IDRole::NameConstraint && input.AtEnd()) { return true; } size_t dotCount = 0; size_t labelLength = 0; bool labelIsAllNumeric = false; bool labelEndsWithHyphen = false; // Only presented IDs are allowed to have wildcard labels. And, like // Chromium, be stricter than RFC 6125 requires by insisting that a // wildcard label consist only of '*'. - bool isWildcard = matchType == ValidDNSIDMatchType::PresentedID && - input.Peek('*'); + bool isWildcard = idRole == IDRole::PresentedID && input.Peek('*'); bool isFirstByte = !isWildcard; if (isWildcard) { Result rv = input.Skip(1); if (rv != Success) { assert(false); return false; } @@ -1674,35 +1670,34 @@ IsValidDNSID(Input hostname, ValidDNSIDM if (labelLength > MAX_LABEL_LENGTH) { return false; } break; case '.': ++dotCount; if (labelLength == 0 && - (matchType != ValidDNSIDMatchType::NameConstraint || - !isFirstByte)) { + (idRole != IDRole::NameConstraint || !isFirstByte)) { return false; } if (labelEndsWithHyphen) { return false; // Labels must not end with a hyphen. } labelLength = 0; break; default: return false; // Invalid character. } isFirstByte = false; } while (!input.AtEnd()); // Only reference IDs, not presented IDs or name constraints, may be // absolute. - if (labelLength == 0 && matchType != ValidDNSIDMatchType::ReferenceID) { + if (labelLength == 0 && idRole != IDRole::ReferenceID) { return false; } if (labelEndsWithHyphen) { return false; // Labels must not end with a hyphen. } if (labelIsAllNumeric) {