CERT_CompareRDN uses incorrect algorithm

RESOLVED FIXED in 3.12

Status

NSS
Libraries
P2
normal
RESOLVED FIXED
11 years ago
10 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail))

Attachments

(1 attachment)

A Distinguished Directory Name (DN) is a SEQUENCE of Relative Distinguished 
Names (RDNs).  Their order is important, and when comparing two DNs, one must 
compare the first RDN in both DNs, then the second RDN in both DNs, then the 
third, and so on.  The code in NSS function CERT_CompareName correctly 
compares two DNs' RDNs in the proper order.

An RDN is a SET of Attribute Value Assertions (AVAs, also known as Attribute
Type And Value, ATAV).  Being a SET, the order of the AVAs in the RDNs is 
NOT important.  Two RDNs are the same if they have the same number of AVAs
and for every AVA in the first RDN there is an exactly matching AVA in the 
second RDN.  It is not necessary for the AVAs to be in the same order in 
the two RDNs for those RDNs to be considered equal.  

NSS function CERT_CompareRDN compares two RDNs by comparing the first AVA
in each RDN, then the second AVA in each RDN, then the third, and so on.
That is wrong.  It will cause RDNs that are equal, but have their AVAs in
different order, to be considered not equal.  

Before tackling this, we should look and see how much (if at all) function
CERT_CompareName is ever used in NSS.  If it's effectively dead code, then
it may not be worth fixing.  Otherwise, we should fix it.

This bug is lower priority than bug 329067 or bug 372241.
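
The SET comparison described in the report above, next to the positional one, as an added example that is not NSS code and not the attached patch. The Ava and Rdn types, string-valued attributes, the MAX_AVAS bound and the sample RDNs are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical simplified AVA: attribute type and value as C strings.
 * NSS's own structures hold encoded items; this is illustration only. */
typedef struct { const char *type; const char *value; } Ava;
typedef struct { const Ava *avas; size_t count; } Rdn;

#define MAX_AVAS 16  /* assumption: small fixed bound for this sketch */

static bool ava_equal(const Ava *a, const Ava *b) {
    return strcmp(a->type, b->type) == 0 && strcmp(a->value, b->value) == 0;
}

/* Positional comparison: the behaviour the report describes as wrong. */
bool rdn_equal_ordered(const Rdn *a, const Rdn *b) {
    if (a->count != b->count) return false;
    for (size_t i = 0; i < a->count; i++)
        if (!ava_equal(&a->avas[i], &b->avas[i])) return false;
    return true;
}

/* SET comparison: same count, and every AVA in a pairs with a distinct,
 * not yet matched AVA in b, so the order of AVAs is irrelevant. */
bool rdn_equal_set(const Rdn *a, const Rdn *b) {
    bool used[MAX_AVAS] = { false };
    /* The sketch treats RDNs larger than its bound as not equal. */
    if (a->count != b->count || a->count > MAX_AVAS) return false;
    for (size_t i = 0; i < a->count; i++) {
        size_t j;
        for (j = 0; j < b->count; j++) {
            if (!used[j] && ava_equal(&a->avas[i], &b->avas[j])) {
                used[j] = true;  /* each AVA in b may be matched only once */
                break;
            }
        }
        if (j == b->count) return false;  /* no unmatched partner in b */
    }
    return true;
}

/* Constructed sample RDNs: same two AVAs in opposite order, plus a near miss. */
static const Ava R1[] = { {"CN", "Alice"}, {"UID", "1001"} };
static const Ava R2[] = { {"UID", "1001"}, {"CN", "Alice"} };
static const Ava R3[] = { {"CN", "Alice"}, {"UID", "1002"} };
const Rdn rdn1 = { R1, 2 }, rdn2 = { R2, 2 }, rdn3 = { R3, 2 };
```
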
(Assignee)

Updated

10 years ago
Priority: -- → P2
(Assignee)

Comment 1

10 years ago
Created attachment 274579 [details] [diff] [review]
patch v1 (untested)

I think this should do the job.
Assignee: neil.williams → nelson
Status: NEW → ASSIGNED
Attachment #274579 - Flags: review?(neil.williams)
(Assignee)

Comment 2

10 years ago
Comment on attachment 274579 [details] [diff] [review]
patch v1 (untested)

Two review requests, but only need one review
Attachment #274579 - Flags: review?(alexei.volkov.bugs)

Updated

10 years ago
Attachment #274579 - Flags: review?(alexei.volkov.bugs) → review+
(Assignee)

Updated

10 years ago
Attachment #274579 - Flags: review?(neil.williams)
(Assignee)

Comment 3

10 years ago
This was checked in to secname.c rev 1.21 on 08-27-2007
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Comment 4

10 years ago
This patch was flawed.  It introduced a regression.  See Bug 413010.