Bug 1125261 - mozilla::pkix: handle comparing single, relative labels with wildcards. r=briansmith, a=lmandel
authorDavid Keeler <dkeeler@mozilla.com>
Fri, 23 Jan 2015 15:56:53 -0800
changeset 249530 fe89439f5acc82bc2bf9c6ba6af34e183c1331f6
parent 249529 e243e73347fd7930ad1a54f241ba91cb1ac73faf
child 249531 f10650c04229504a8dc3e3c2efe525043fd0c3af
push id4489
push userraliiev@mozilla.com
push dateMon, 23 Feb 2015 15:17:55 +0000
reviewersbriansmith, lmandel
bugs1125261
milestone37.0a2
Bug 1125261 - mozilla::pkix: handle comparing single, relative labels with wildcards. r=briansmith, a=lmandel e.g. handle comparing "localhost" with "*.example.com"
security/pkix/lib/pkixnames.cpp
security/pkix/test/gtest/pkixnames_tests.cpp
--- a/security/pkix/lib/pkixnames.cpp
+++ b/security/pkix/lib/pkixnames.cpp
@@ -1149,16 +1149,21 @@ MatchPresentedDNSIDWithReferenceDNSID(
 
   // We only allow wildcard labels that consist only of '*'.
   if (presented.Peek('*')) {
     if (presented.Skip(1) != Success) {
       return NotReached("Skipping '*' failed",
                         Result::FATAL_ERROR_LIBRARY_FAILURE);
     }
     do {
+      // This will happen if reference is a single, relative label
+      if (reference.AtEnd()) {
+        matches = false;
+        return Success;
+      }
       uint8_t referenceByte;
       if (reference.Read(referenceByte) != Success) {
         return NotReached("invalid reference ID",
                           Result::FATAL_ERROR_INVALID_ARGS);
       }
     } while (!reference.Peek('.'));
   }
 
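Review bot: The new `reference.AtEnd()` guard sits before the first `reference.Read` in the do/while, so it also fires when the reference is already empty on entry to the wildcard branch, turning what was presumably a NotReached(FATAL_ERROR_INVALID_ARGS) into a plain mismatch; if an empty reference ID is rejected earlier in MatchPresentedDNSIDWithReferenceDNSID that is harmless, but the comment should say so rather than leave the reader to check. The added comment describes when the branch is taken, not why a mismatch is the right answer; I'd write `// A reference ID with no '.' (a single, relative label such as "localhost") has no label left to stand in for the "*.", so it can never match a wildcard presented ID; report a mismatch, not invalid input.` MatchPresentedDNSIDWithReferenceDNSID starts and ends outside this hunk.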
--- a/security/pkix/test/gtest/pkixnames_tests.cpp
+++ b/security/pkix/test/gtest/pkixnames_tests.cpp
@@ -281,16 +281,20 @@ static const PresentedMatchesReference D
   DNS_ID_BAD_DER("*.", "foo"),
 
   // The result is different than Chromium because we don't know that co.uk is
   // a TLD.
   DNS_ID_MATCH("*.co.uk", "foo.co.uk"),
   DNS_ID_MATCH("*.co.uk", "foo.co.uk."),
   DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk"),
   DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk."),
+
+  DNS_ID_MISMATCH("*.example.com", "localhost"),
+  DNS_ID_MISMATCH("*.example.com", "localhost."),
+  // Note that we already have the testcase DNS_ID_BAD_DER("*", "foo") above
 };
 
 struct InputValidity
 {
   ByteString input;
   bool isValidReferenceID;
   bool isValidPresentedID;
 };
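Review bot: The two new DNS_ID_MISMATCH entries carry no comment saying what they exercise; the trailing note only points at an unrelated earlier case. I'd precede them with `// A reference ID that is a single, relative label (with or without a trailing dot) never matches a wildcard presented ID, and is reported as a mismatch rather than as malformed input.` A case with the shortest wildcard form, e.g. `DNS_ID_MISMATCH("*.com", "localhost")`, would additionally pin the behaviour when only one label follows the wildcard, assuming the table's other entries show the harness accepts such a presented ID.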