nss: CVE-2014-1492

Upstream-Status: Backport

the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492
https://bugzilla.mozilla.org/show_bug.cgi?id=903885

changeset:   11063:709d4e597979
user:        Kai Engert <kaie@kuix.de>
date:        Wed Mar 05 18:38:55 2014 +0100
summary:     Bug 903885, address requests to clarify comments from wtc

changeset:   11046:2ffa40a3ff55
tag:         tip
user:        Wan-Teh Chang <wtc@google.com>
date:        Tue Feb 25 18:17:08 2014 +0100
summary:     Bug 903885, fix IDNA wildcard handling v4, r=kaie

changeset:   11045:15ea62260c21
user:        Christian Heimes <sites@cheimes.de>
date:        Mon Feb 24 17:50:25 2014 +0100
summary:     Bug 903885, fix IDNA wildcard handling, r=kaie

Signed-off-by: Li Wang <li.wang@windriver.com>
---
 nss/lib/certdb/certdb.c |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/nss/lib/certdb/certdb.c b/nss/lib/certdb/certdb.c
index b7d22bd..91877b7 100644
--- a/nss/lib/certdb/certdb.c
+++ b/nss/lib/certdb/certdb.c
@@ -1381,7 +1381,7 @@ cert_TestHostName(char * cn, const char * hn)
 	    return rv;
 	}
     } else {
-	/* New approach conforms to RFC 2818. */
+	/* New approach conforms to RFC 6125. */
 	char *wildcard    = PORT_Strchr(cn, '*');
 	char *firstcndot  = PORT_Strchr(cn, '.');
 	char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
@@ -1390,14 +1390,17 @@ cert_TestHostName(char * cn, const char * hn)
 	/* For a cn pattern to be considered valid, the wildcard character...
 	 * - may occur only in a DNS name with at least 3 components, and
 	 * - may occur only as last character in the first component, and
-	 * - may be preceded by additional characters
+         * - may be preceded by additional characters, and
+         * - must not be preceded by an IDNA ACE prefix (xn--)
 	 */
 	if (wildcard && secondcndot && secondcndot[1] && firsthndot 
-	    && firstcndot  - wildcard  == 1
-	    && secondcndot - firstcndot > 1
-	    && PORT_Strrchr(cn, '*') == wildcard
+            && firstcndot  - wildcard  == 1 /* wildcard is last char in first component */
+            && secondcndot - firstcndot > 1 /* second component is non-empty */
+            && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
 	    && !PORT_Strncasecmp(cn, hn, wildcard - cn)
-	    && !PORT_Strcasecmp(firstcndot, firsthndot)) {
+            && !PORT_Strcasecmp(firstcndot, firsthndot)
+               /* If hn starts with xn--, then cn must start with wildcard */
+            && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
 	    /* valid wildcard pattern match */
 	    return SECSuccess;
 	}
-- 
1.7.9.5