Bug 372242 - CERT_CompareRDN uses incorrect algorithm
Product: NSS
Classification: Components
Component: Libraries
Version: 3.0
Platform: All All
Importance: P2 normal
Target Milestone: 3.12
Assigned To: Nelson Bolyard (seldom reads bugmail)
Reported: 2007-03-01 03:28 PST by Nelson Bolyard (seldom reads bugmail)
Modified: 2008-01-18 14:57 PST

patch v1 (untested) (1.03 KB, patch)
2007-07-30 23:04 PDT, Nelson Bolyard (seldom reads bugmail)
alvolkov.bgs: review+

Description Nelson Bolyard (seldom reads bugmail) 2007-03-01 03:28:41 PST
A Distinguished Directory Name (DN) is a SEQUENCE of Relative Distinguished 
Names (RDNs).  Their order is important, and when comparing two DNs, one must 
compare the first RDN in both DNs, then the second RDN in both DNs, then the 
third, and so on.  The code in NSS function CERT_CompareName correctly 
compares two DNs' RDNs in the proper order.

An RDN is a SET of Attribute Value Assertions (AVAs, also known as Attribute
Type And Value, ATAV).  Being a SET, the order of the AVAs in the RDNs is 
NOT important.  Two RDNs are the same if they have the same number of AVAs
and for every AVA in the first RDN there is an exactly matching AVA in the 
second RDN.  It is not necessary for the AVAs to be in the same order in 
the two RDNs for those RDNs to be considered equal.  

NSS function CERT_CompareRDN compares two RDNs by comparing the first AVA
in each RDN, then the second AVA in each RDN, then the third, and so on.
That is wrong.  It will cause RDNs that are equal, but have their AVAs in
different order, to be considered not equal.  

Before tackling this, we should look and see how much (if at all) function
CERT_CompareName is ever used in NSS.  If it's effectively dead code, then
it may not be worth fixing.  Otherwise, we should fix it.

This bug is lower priority than bug 329067 or bug 372241.
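
The positional and SET comparisons described in this report, side by side, as an added C example that is not part of the bug report, the attached patch, or NSS's code. The `Ava` and `Rdn` types, the function names and the sample RDNs are constructed for illustration, and AVAs are compared as plain strings rather than as OIDs and DER-encoded values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_AVAS 8 /* illustrative bound for this example, not an NSS limit */

/* Simplified AVA: type and value as C strings (assumption; a real AVA
 * carries an OID and a DER-encoded value). */
typedef struct { const char *type; const char *value; } Ava;
typedef struct { const Ava *avas; size_t count; } Rdn;

static bool ava_equal(const Ava *a, const Ava *b) {
    return strcmp(a->type, b->type) == 0 && strcmp(a->value, b->value) == 0;
}

/* Positional comparison as the report describes it: first AVA against
 * first AVA, second against second. Order-sensitive, so wrong for a SET. */
bool rdn_equal_positional(const Rdn *a, const Rdn *b) {
    if (a->count != b->count) return false;
    for (size_t i = 0; i < a->count; i++)
        if (!ava_equal(&a->avas[i], &b->avas[i])) return false;
    return true;
}

/* SET comparison: same number of AVAs, and every AVA in a matches a
 * distinct AVA in b. used[] stops one AVA in b from satisfying two AVAs
 * in a when an input wrongly repeats an AVA. Oversized RDNs are treated
 * as not equal, which is the safe answer for a name check. */
bool rdn_equal_set(const Rdn *a, const Rdn *b) {
    bool used[MAX_AVAS] = { false };
    if (a->count != b->count || a->count > MAX_AVAS) return false;
    for (size_t i = 0; i < a->count; i++) {
        bool found = false;
        for (size_t j = 0; j < b->count && !found; j++)
            if (!used[j] && ava_equal(&a->avas[i], &b->avas[j]))
                used[j] = found = true;
        if (!found) return false;
    }
    return true;
}

/* Constructed samples: the same two AVAs in both orders, and a repeated AVA. */
static const Ava cn_uid[] = { {"CN", "Alice"}, {"UID", "a1"} };
static const Ava uid_cn[] = { {"UID", "a1"}, {"CN", "Alice"} };
static const Ava cn_cn[]  = { {"CN", "Alice"}, {"CN", "Alice"} };
const Rdn rdn_a = { cn_uid, 2 }, rdn_b = { uid_cn, 2 }, rdn_c = { cn_cn, 2 };

int main(void) { /* exit status 0 when both comparisons behave as described */
    return (rdn_equal_set(&rdn_a, &rdn_b) && !rdn_equal_positional(&rdn_a, &rdn_b)) ? 0 : 1;
}
```

`rdn_c` exercises the duplicate case: without the `used[]` flags, comparing it against `rdn_a` would report a match because both of its AVAs find `CN=Alice`.
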
Comment 1 Nelson Bolyard (seldom reads bugmail) 2007-07-30 23:04:51 PDT
Created attachment 274579
patch v1 (untested)

I think this should do the job.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2007-08-03 15:48:01 PDT
Comment on attachment 274579
patch v1 (untested)

Two review requests, but only need one review
Comment 3 Nelson Bolyard (seldom reads bugmail) 2007-08-31 16:38:07 PDT
This was checked in to secname.c rev 1.21 on 08-27-2007
Comment 4 Nelson Bolyard (seldom reads bugmail) 2008-01-18 14:57:14 PST
This patch was flawed.  It introduced a regression.  See Bug 413010.
