372242 - CERT_CompareRDN uses incorrect algorithm

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P2)

Description

[Nelson Bolyard (seldom reads bugmail)]

A Distinguished Directory Name (DN) is a SEQUENCE of Relative Distinguished 
Names (RDNs).  Their order is important, and when comparing two DNs, one must 
compare the first RDN in both DNs, then the second RDN in both DNs, then the 
third, and so on.  The code in NSS function CERT_CompareName correctly 
compares two DNs' RDNs in the proper order.

An RDN is a SET of Attribute Value Assertions (AVAs, also known as Attribute
Type And Value, ATAV).  Being a SET, the order of the AVAs in the RDNs is 
NOT important.  Two RDNs are the same if they have the same number of AVAs
and for every AVA in the first RDN there is an exactly matching AVA in the 
second RDN.  It is not necessary for the AVAs to be in the same order in 
the two RDNs for those RDNs to be considered equal.  

NSS function CERT_CompareRDN compares two RDNs by comparing the first AVA
in each RDN, then the second AVA in each RDN, then the third, and so on.
That is wrong.  It will cause RDNs that are equal, but have their AVAs in
different order, to be considered not equal.  

Before tackling this, we should look and see how much (if at all) function
CERT_CompareName is ever used in NSS.  If it's effectively dead code, then
it may not be worth fixing.  Otherwise, we should fix it.

This bug is lower priority than bug 329067 or bug 372241.

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

Attachment: patch v1 (untested)

I think this should do the job.

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 274579 [details] [diff] [review]
patch v1 (untested)

Two review requests, but only need one review

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

This was checked in to secname.c rev 1.21 on 08-27-2007

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

This patch was flawed.  It introduced a regression.  See Bug 413010.