Port Bug #234058 --> Certificate name matching for non-FQDNs is insecure AVIARY_1_0_20040515_BRANCH
authorscott%scott-macgregor.org
Mon, 07 Jun 2004 17:22:48 +0000
branchAVIARY_1_0_20040515_BRANCH
changeset 5224 70f165a26c81d849f1d2113f2e76736234a2eba9
parent 5200 7313c3510a25726b60d37d291d8fdfbf4729d8e8
child 5225 414c0a7abed3467347b47af148f500e5ab4b0c79
push idunknown
push userunknown
push dateunknown
bugs234058
Port Bug #234058 --> Certificate name matching for non-FQDNs is insecure
security/nss/lib/certdb/certdb.c
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1331,30 +1331,17 @@ CERT_AddOKDomainName(CERTCertificate *ce
 ** returns SECFailure with SSL_ERROR_BAD_CERT_DOMAIN if no match,
 ** returns SECFailure with some other error code if another error occurs.
 **
 ** may modify cn, so caller must pass a modifiable copy.
 */
 static SECStatus
 cert_TestHostName(char * cn, const char * hn)
 {
-    char * hndomain;
-    int    regvalid;
-
-    if ((hndomain = PORT_Strchr(hn, '.')) == NULL) {
-	/* No domain in URI host name */
-	char * cndomain;
-	if ((cndomain = PORT_Strchr(cn, '.')) != NULL &&
-	    (cndomain - cn) > 0) {
-	    /* there is a domain in the cn string, so chop it off */
-	    *cndomain = '\0';
-	}
-    }
-
-    regvalid = PORT_RegExpValid(cn);
+    int regvalid = PORT_RegExpValid(cn);
     if (regvalid != NON_SXP) {
 	SECStatus rv;
 	/* cn is a regular expression, try to match the shexp */
 	int match = PORT_RegExpCaseSearch(hn, cn);
 
 	if ( match == 0 ) {
 	    rv = SECSuccess;
 	} else {
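Review bot: The header comment `** may modify cn, so caller must pass a modifiable copy.` is now stale, because the only write to cn visible in the diff was the `*cndomain = '\0';` this hunk removes; it should read `** does not modify cn.` so callers stop making copies they no longer need. If PORT_RegExpValid and PORT_RegExpCaseSearch accept a `const char *` (their declarations are not visible here), the parameter could become `const char * cn` so the compiler enforces that contract. On the shexp path kept at `int match = PORT_RegExpCaseSearch(hn, cn);` it is worth confirming whether a `*` in cn can span a `.`; if it can, a name like `*.example.com` would also accept hosts with additional labels, and restricting a wildcard to the leftmost label would close that gap in the same change. cert_TestHostName's comment header begins before the hunk and its body continues into the next hunk.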
@@ -1365,23 +1352,16 @@ cert_TestHostName(char * cn, const char 
     } 
     /* cn is not a regular expression */
 
     /* compare entire hn with cert name */
     if (PORT_Strcasecmp(hn, cn) == 0) {
 	return SECSuccess;
     }
 	    
-    if ( hndomain ) {
-	/* compare just domain name with cert name */
-	if ( PORT_Strcasecmp(hndomain+1, cn) == 0 ) {
-	    return SECSuccess;
-	}
-    }
-
     PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
     return SECFailure;
 }
 
 
 SECStatus
 cert_VerifySubjectAltName(CERTCertificate *cert, const char *hn)
 {