Issue #1338 - Part 2: Update NSS to 3.48-RTM

3 files changed, 38 insertions, 14 deletions

diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
index 7c9430d3c..28f21a6c2 100755
--- a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
@@ -168,6 +168,9 @@ pkix_NameConstraintsChecker_Check(
         PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
         PKIX_Boolean selfIssued = PKIX_FALSE;
         PKIX_Boolean lastCert = PKIX_FALSE;
+        PKIX_Boolean treatCommonNameAsDNSName = PKIX_FALSE;
+        PKIX_List *extKeyUsageList = NULL;
+        PKIX_PL_OID *serverAuthOID = NULL;
 
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
         PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
@@ -185,11 +188,38 @@ pkix_NameConstraintsChecker_Check(
         PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
                     PKIX_ISCERTSELFISSUEDFAILED);
 
+        if (lastCert) {
+            /* For the last cert, treat the CN as a DNS name for name
+             * constraint check.  But only if EKU has id-kp-serverAuth
+             * or EKU is absent.  It does not make sense to treat CN
+             * as a DNS name for an OCSP signing certificate, for example.
+             */
+            PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
+                       (cert, &extKeyUsageList, plContext),
+                       PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
+            if (extKeyUsageList == NULL) {
+                treatCommonNameAsDNSName = PKIX_TRUE;
+            } else {
+                PKIX_CHECK(PKIX_PL_OID_Create
+                        (PKIX_KEY_USAGE_SERVER_AUTH_OID,
+                        &serverAuthOID,
+                        plContext),
+                        PKIX_OIDCREATEFAILED);
+
+                PKIX_CHECK(pkix_List_Contains
+                           (extKeyUsageList,
+                            (PKIX_PL_Object *) serverAuthOID,
+                            &treatCommonNameAsDNSName,
+                            plContext),
+                           PKIX_LISTCONTAINSFAILED);
+            }
+        }
+
         /* Check on non self-issued and if so only for last cert */
         if (selfIssued == PKIX_FALSE ||
             (selfIssued == PKIX_TRUE && lastCert)) {
                 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
-                    (cert, state->nameConstraints, lastCert,
+                    (cert, state->nameConstraints, treatCommonNameAsDNSName,
                       plContext),
                     PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
         }
@@ -241,6 +271,8 @@ pkix_NameConstraintsChecker_Check(
 cleanup:
 
         PKIX_DECREF(state);
+        PKIX_DECREF(extKeyUsageList);
+        PKIX_DECREF(serverAuthOID);
 
         PKIX_RETURN(CERTCHAINCHECKER);
 }
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c
index 3dc06be9a..9b6f8d688 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c
@@ -352,7 +352,9 @@ pkix_pl_LdapDefaultClient_VerifyBindResponse(
         SECItem decode = {siBuffer, NULL, 0};
         SECStatus rv = SECFailure;
         LDAPMessage msg;
-        LDAPBindResponse *ldapBindResponse = NULL;
+        LDAPBindResponse *ldapBindResponse = &msg.protocolOp.op.bindResponseMsg;
+
+        ldapBindResponse->resultCode.data = NULL;
 
         PKIX_ENTER
                 (LDAPDEFAULTCLIENT,
@@ -367,7 +369,6 @@ pkix_pl_LdapDefaultClient_VerifyBindResponse(
                 PKIX_LDAPDEFAULTCLIENTDECODEBINDRESPONSEFAILED);
 
         if (rv == SECSuccess) {
-                ldapBindResponse = &msg.protocolOp.op.bindResponseMsg;
                 if (*(ldapBindResponse->resultCode.data) == SUCCESS) {
                         client->connectStatus = BOUND;
                 } else {
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index 145dcff9a..25a1170a5 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3002,17 +3002,8 @@ PKIX_PL_Cert_VerifyCertAndKeyType(
     if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
         PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
     }
-    if (certUsage != certUsageIPsec) {
-        if (!(certType & requiredCertType)) {
-            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
-        }
-    } else {
-        PRBool isCritical;
-        PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);
-        /* If the extension isn't critical, we allow any EKU value. */
-        if (isCritical && !allowed) {
-            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
-        }
+    if (!(certType & requiredCertType)) {
+        PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
     }
 cleanup:
     PKIX_DECREF(basicConstraints);