Description: fix incorrect IDNA wildcard handling
Origin: upstream, https://hg.mozilla.org/projects/nss/rev/15ea62260c21
Origin: upstream, https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55
Origin: upstream, https://hg.mozilla.org/projects/nss/rev/709d4e597979
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=903885
Index: nss-3.15.4/nss/lib/certdb/certdb.c
===================================================================
--- nss-3.15.4.orig/nss/lib/certdb/certdb.c 2014-01-03 14:59:10.000000000 -0500
+++ nss-3.15.4/nss/lib/certdb/certdb.c 2014-04-02 10:13:42.488039726 -0400
@@ -1381,7 +1381,7 @@
 return rv;
 }
 } else {
- /* New approach conforms to RFC 2818. */
+ /* New approach conforms to RFC 6125. */
 char *wildcard = PORT_Strchr(cn, '*');
 char *firstcndot = PORT_Strchr(cn, '.');
 char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
@@ -1390,14 +1390,17 @@
 /* For a cn pattern to be considered valid, the wildcard character...
 * - may occur only in a DNS name with at least 3 components, and
 * - may occur only as last character in the first component, and
- * - may be preceded by additional characters
+ * - may be preceded by additional characters, and
+ * - must not be preceded by an IDNA ACE prefix (xn--)
 */
 if (wildcard && secondcndot && secondcndot[1] && firsthndot
- && firstcndot - wildcard == 1
- && secondcndot - firstcndot > 1
- && PORT_Strrchr(cn, '*') == wildcard
+ && firstcndot - wildcard == 1 /* wildcard is last char in first component */
+ && secondcndot - firstcndot > 1 /* second component is non-empty */
+ && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
 && !PORT_Strncasecmp(cn, hn, wildcard - cn)
- && !PORT_Strcasecmp(firstcndot, firsthndot)) {
+ && !PORT_Strcasecmp(firstcndot, firsthndot)
+ /* If hn starts with xn--, then cn must start with wildcard */
+ && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
 /* valid wildcard pattern match */
 return SECSuccess;
 }
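Review bot: The comment on the last added condition of the second hunk, `/* If hn starts with xn--, then cn must start with wildcard */`, states the mechanism but not why the test is made on hn rather than on cn, while the rule added to the header comment ("must not be preceded by an IDNA ACE prefix") reads as a statement about cn, so a later maintainer may be tempted to "simplify" it into a cn-side prefix check. The hn-side test is the stronger one: together with the preceding `!PORT_Strncasecmp(cn, hn, wildcard - cn)`, which has already forced cn's pre-wildcard characters to equal the start of hn's first label, it also rejects a pattern such as `x*.example.com` against `xn--foo.example.com`, a partial match inside an A-label that a check of cn alone would let through. I would extend the comment to say that hn's first label being an A-label requires cn to be a whole-label wildcard and that the prefix compare above is what makes this reject partial matches like `x*`. The bare length could be tied to the literal, `&& (PORT_Strncasecmp(hn, "xn--", sizeof("xn--") - 1) || wildcard == cn)) {`, so the two cannot drift apart. The enclosing function begins and ends outside the hunk.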