From f4a12fc67689a830e9da1c87fd11afe5bc09deb3 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 2 Jan 2020 21:06:40 +0100 Subject: Issue #1338 - Part 2: Update NSS to 3.48-RTM --- .../pkix/checker/pkix_nameconstraintschecker.c | 34 +++++++++++++++++++++- .../pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c | 5 ++-- .../nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c | 13 ++------- 3 files changed, 38 insertions(+), 14 deletions(-) (limited to 'security/nss/lib/libpkix') diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c index 7c9430d3c..28f21a6c2 100755 --- a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c @@ -168,6 +168,9 @@ pkix_NameConstraintsChecker_Check( PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL; PKIX_Boolean selfIssued = PKIX_FALSE; PKIX_Boolean lastCert = PKIX_FALSE; + PKIX_Boolean treatCommonNameAsDNSName = PKIX_FALSE; + PKIX_List *extKeyUsageList = NULL; + PKIX_PL_OID *serverAuthOID = NULL; PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check"); PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); @@ -185,11 +188,38 @@ pkix_NameConstraintsChecker_Check( PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext), PKIX_ISCERTSELFISSUEDFAILED); + if (lastCert) { + /* For the last cert, treat the CN as a DNS name for name + * constraint check. But only if EKU has id-kp-serverAuth + * or EKU is absent. It does not make sense to treat CN + * as a DNS name for an OCSP signing certificate, for example. + */ + PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage + (cert, &extKeyUsageList, plContext), + PKIX_CERTGETEXTENDEDKEYUSAGEFAILED); + if (extKeyUsageList == NULL) { + treatCommonNameAsDNSName = PKIX_TRUE; + } else { + PKIX_CHECK(PKIX_PL_OID_Create + (PKIX_KEY_USAGE_SERVER_AUTH_OID, + &serverAuthOID, + plContext), + PKIX_OIDCREATEFAILED); + + PKIX_CHECK(pkix_List_Contains + (extKeyUsageList, + (PKIX_PL_Object *) serverAuthOID, + &treatCommonNameAsDNSName, + plContext), + PKIX_LISTCONTAINSFAILED); + } + } + /* Check on non self-issued and if so only for last cert */ if (selfIssued == PKIX_FALSE || (selfIssued == PKIX_TRUE && lastCert)) { PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints - (cert, state->nameConstraints, lastCert, + (cert, state->nameConstraints, treatCommonNameAsDNSName, plContext), PKIX_CERTCHECKNAMECONSTRAINTSFAILED); } @@ -241,6 +271,8 @@ pkix_NameConstraintsChecker_Check( cleanup: PKIX_DECREF(state); + PKIX_DECREF(extKeyUsageList); + PKIX_DECREF(serverAuthOID); PKIX_RETURN(CERTCHAINCHECKER); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c index 3dc06be9a..9b6f8d688 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c @@ -352,7 +352,9 @@ pkix_pl_LdapDefaultClient_VerifyBindResponse( SECItem decode = {siBuffer, NULL, 0}; SECStatus rv = SECFailure; LDAPMessage msg; - LDAPBindResponse *ldapBindResponse = NULL; + LDAPBindResponse *ldapBindResponse = &msg.protocolOp.op.bindResponseMsg; + + ldapBindResponse->resultCode.data = NULL; PKIX_ENTER (LDAPDEFAULTCLIENT, @@ -367,7 +369,6 @@ pkix_pl_LdapDefaultClient_VerifyBindResponse( PKIX_LDAPDEFAULTCLIENTDECODEBINDRESPONSEFAILED); if (rv == SECSuccess) { - ldapBindResponse = &msg.protocolOp.op.bindResponseMsg; if (*(ldapBindResponse->resultCode.data) == SUCCESS) { client->connectStatus = BOUND; } else { diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c index 145dcff9a..25a1170a5 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c @@ -3002,17 +3002,8 @@ PKIX_PL_Cert_VerifyCertAndKeyType( if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) { PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED); } - if (certUsage != certUsageIPsec) { - if (!(certType & requiredCertType)) { - PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED); - } - } else { - PRBool isCritical; - PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical); - /* If the extension isn't critical, we allow any EKU value. */ - if (isCritical && !allowed) { - PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED); - } + if (!(certType & requiredCertType)) { + PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED); } cleanup: PKIX_DECREF(basicConstraints); -- cgit v1.2.3