Bug 1736763 - correctly delimit ipv6 hostnames for keying certificate overrides r=keeler

R. Martinho Fernandes · R. Martinho Fernandes · commit 9c6150db68a7 · 2022-01-24T13:07:15.000Z
Differential Revision: https://phabricator.services.mozilla.com/D136499
diff --git a/security/manager/ssl/nsCertOverrideService.cpp b/security/manager/ssl/nsCertOverrideService.cpp
@@ -324,12 +324,10 @@ nsresult nsCertOverrideService::Read(const MutexAutoLock& aProofOfLock) {
     Tokenizer parser(buffer);
     nsDependentCSubstring host;
     if (parser.CheckChar('[')) {  // this is a IPv6 address
-      parser.Record(Tokenizer::INCLUDE_LAST);
       if (!parser.ReadUntil(Tokenizer::Token::Char(']'), host) ||
           host.Length() == 0 || !parser.CheckChar(':')) {
         continue;
       }
-      parser.Claim(host);
     } else if (!parser.ReadUntil(Tokenizer::Token::Char(':'), host) ||
                host.Length() == 0) {
       continue;
@@ -818,7 +816,16 @@ nsCertOverrideService::GetOverrides(
 void nsCertOverrideService::GetHostWithPort(const nsACString& aHostName,
                                             int32_t aPort,
                                             nsACString& aRetval) {
-  nsAutoCString hostPort(aHostName);
+  nsAutoCString hostPort;
+  if (aHostName.Contains(':')) {
+    // if aHostName is an IPv6 address, add brackets to match the internal
+    // representation, which always stores IPv6 addresses with brackets
+    hostPort.Append('[');
+    hostPort.Append(aHostName);
+    hostPort.Append(']');
+  } else {
+    hostPort.Append(aHostName);
+  }
   if (aPort == -1) {
     aPort = 443;
   }
diff --git a/security/manager/ssl/tests/unit/test_cert_override_read.js b/security/manager/ssl/tests/unit/test_cert_override_read.js
@@ -134,7 +134,7 @@ function run_test() {
       attributes: {},
     },
     {
-      host: "[::1]",
+      host: "::1",
       port: 443,
       cert: cert2,
       bits: Ci.nsICertOverrideService.ERROR_MISMATCH,
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -566,6 +566,14 @@ function add_simple_tests() {
       expectedBits,
       false
     );
+    certOverrideService.rememberValidityOverride(
+      "::1",
+      80,
+      {},
+      cert,
+      expectedBits,
+      false
+    );
     Assert.ok(
       certOverrideService.hasMatchingOverride(
         "example.com",
@@ -596,6 +604,10 @@ function add_simple_tests() {
       ),
       "Should have added override for example.org:443"
     );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride("::1", 80, {}, cert, {}, {}),
+      "Should have added override for [::1]:80"
+    );
     Assert.ok(
       !certOverrideService.hasMatchingOverride(
         "example.org",

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ function run_test() {`
`134`	`134`	`attributes: {},`
`135`	`135`	`},`
`136`	`136`	`{`
`137`		`- host: "[::1]",`
	`137`	`+ host: "::1",`
`138`	`138`	`port: 443,`
`139`	`139`	`cert: cert2,`
`140`	`140`	`bits: Ci.nsICertOverrideService.ERROR_MISMATCH,`