author | wolfbeast <mcwerewolf@gmail.com> | 2018-11-02 11:39:21 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-11-02 11:39:21 +0100 |
commit | f42d6c39fea309aefe8a1646980b880516fe2562 (patch) | |
tree | 6d59ba9108f4837155a9ab46652001cd28605783 /security | |
parent | 617eb648307fd5bc8edb58605dde5d1e74b89d5a (diff) | |
Remove ancient workaround in client certificate code
Apparently a prehistoric server implementation would send a certificate_authorities field
that didn't include the outer DER SEQUENCE tag, so PSM attempted to detect this and
work around it.
This prehistoric server implementation isn't in use anywhere anymore, so this 18-yo
server bug workaround can be removed.
Diffstat (limited to 'security')
-rw-r--r-- | security/manager/ssl/nsNSSIOLayer.cpp | 58 |
1 files changed, 1 insertions, 57 deletions
diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
index 93fca396b..d2549c52d 100644
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1916,59 +1916,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
 }
 SECItem* dername;
- SECStatus rv;
- int headerlen;
- uint32_t contentlen;
- SECItem newitem;
 int n;
 char* namestring;
 for (n = 0; n < caNames->nnames; n++) {
- newitem.data = nullptr;
 dername = &caNames->names[n];
- rv = DER_Lengths(dername, &headerlen, &contentlen);
-
- if (rv != SECSuccess) {
- goto loser;
- }
-
- if (headerlen + contentlen != dername->len) {
- // This must be from an enterprise 2.x server, which sent
- // incorrectly formatted der without the outer wrapper of type and
- // length. Fix it up by adding the top level header.
- if (dername->len <= 127) {
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 2);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) dername->len;
- (void) memcpy(&newitem.data[2], dername->data, dername->len);
- } else if (dername->len <= 255) {
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 3);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) 0x81;
- newitem.data[2] = (unsigned char) dername->len;
- (void) memcpy(&newitem.data[3], dername->data, dername->len);
- } else {
- // greater than 256, better be less than 64k
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 4);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) 0x82;
- newitem.data[2] = (unsigned char) ((dername->len >> 8) & 0xff);
- newitem.data[3] = (unsigned char) (dername->len & 0xff);
- memcpy(&newitem.data[4], dername->data, dername->len);
- }
- dername = &newitem;
- }
-
 namestring = CERT_DerNameToAscii(dername);
 if (!namestring) {
 // XXX - keep going until we fail to convert the name
@@ -1977,21 +1930,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
 caNameStrings[n] = PORT_ArenaStrdup(arena.get(), namestring);
 PR_Free(namestring);
 if (!caNameStrings[n]) {
- goto loser;
+ return SECFailure;
 }
 }
-
- if (newitem.data) {
- PR_Free(newitem.data);
- }
 }
 return SECSuccess;
-loser:
- if (newitem.data) {
- PR_Free(newitem.data);
- }
- return SECFailure;
 }
 // Possible behaviors for choosing a cert for client auth. |
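Review bot: The new early `return SECFailure;` exits with the entries before index `n` already written into `caNameStrings` and the remaining ones untouched, and nothing in the hunk records why no cleanup is needed now that the `loser:` label is gone. The stored strings come from `PORT_ArenaStrdup(arena.get(), namestring)`, so they appear to be owned by the caller's arena; a comment such as `// Earlier entries are arena-owned; the caller must not use caNameStrings after a failure.` would make that contract explicit. As a smaller style point, `namestring` is released with `PR_Free` although it is returned by an NSS call; `PORT_Free(namestring);` would match the allocator family, assuming `CERT_DerNameToAscii` allocates through the PORT_* wrappers. The function begins before this hunk, so how the caller reacts to the failure return cannot be checked from here.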