author | wolfbeast <mcwerewolf@gmail.com> | 2018-11-02 11:39:21 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-11-02 11:39:21 +0100 |
commit | f42d6c39fea309aefe8a1646980b880516fe2562 (patch) | |
tree | 6d59ba9108f4837155a9ab46652001cd28605783 | |
parent | 617eb648307fd5bc8edb58605dde5d1e74b89d5a (diff) | |
Remove ancient workaround in client certificate code
Apparently a prehistoric server implementation would send a certificate_authorities field
that didn't include the outer DER SEQUENCE tag, so PSM attempted to detect this and
work around it.
This prehistoric server implementation isn't in use anywhere anymore, so this 18-year-old
workaround for a server bug can be removed.
-rw-r--r-- | config/external/nss/nss.symbols | 1 | ||||
-rw-r--r-- | security/manager/ssl/nsNSSIOLayer.cpp | 58 |
2 files changed, 1 insertions, 58 deletions
diff --git a/config/external/nss/nss.symbols b/config/external/nss/nss.symbols
index 3239d3119..7a968b6c8 100644
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@@ -165,7 +165,6 @@ DER_GeneralizedTimeToTime
 DER_GeneralizedTimeToTime_Util
 DER_GetInteger
 DER_GetInteger_Util
-DER_Lengths
 DER_SetUInteger
 DER_UTCTimeToTime_Util
 DSAU_DecodeDerSigToLen
diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
index 93fca396b..d2549c52d 100644
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1916,59 +1916,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
   }
 
   SECItem* dername;
-  SECStatus rv;
-  int headerlen;
-  uint32_t contentlen;
-  SECItem newitem;
   int n;
   char* namestring;
 
   for (n = 0; n < caNames->nnames; n++) {
-    newitem.data = nullptr;
     dername = &caNames->names[n];
 
-    rv = DER_Lengths(dername, &headerlen, &contentlen);
-
-    if (rv != SECSuccess) {
-      goto loser;
-    }
-
-    if (headerlen + contentlen != dername->len) {
-      // This must be from an enterprise 2.x server, which sent
-      // incorrectly formatted der without the outer wrapper of type and
-      // length. Fix it up by adding the top level header.
-      if (dername->len <= 127) {
-        newitem.data = (unsigned char*) PR_Malloc(dername->len + 2);
-        if (!newitem.data) {
-          goto loser;
-        }
-        newitem.data[0] = (unsigned char) 0x30;
-        newitem.data[1] = (unsigned char) dername->len;
-        (void) memcpy(&newitem.data[2], dername->data, dername->len);
-      } else if (dername->len <= 255) {
-        newitem.data = (unsigned char*) PR_Malloc(dername->len + 3);
-        if (!newitem.data) {
-          goto loser;
-        }
-        newitem.data[0] = (unsigned char) 0x30;
-        newitem.data[1] = (unsigned char) 0x81;
-        newitem.data[2] = (unsigned char) dername->len;
-        (void) memcpy(&newitem.data[3], dername->data, dername->len);
-      } else {
-        // greater than 256, better be less than 64k
-        newitem.data = (unsigned char*) PR_Malloc(dername->len + 4);
-        if (!newitem.data) {
-          goto loser;
-        }
-        newitem.data[0] = (unsigned char) 0x30;
-        newitem.data[1] = (unsigned char) 0x82;
-        newitem.data[2] = (unsigned char) ((dername->len >> 8) & 0xff);
-        newitem.data[3] = (unsigned char) (dername->len & 0xff);
-        memcpy(&newitem.data[4], dername->data, dername->len);
-      }
-      dername = &newitem;
-    }
-
     namestring = CERT_DerNameToAscii(dername);
     if (!namestring) {
       // XXX - keep going until we fail to convert the name
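Review bot: The deleted block was the only text saying what happens to a certificate_authorities entry that is not a well-formed DER Name, and since those bytes arrive in the peer's CertificateRequest they are untrusted input; a comment above the surviving call, such as `// Entries come from the server's certificate_authorities list and are untrusted; a malformed one makes CERT_DerNameToAscii return null and is handled below rather than re-wrapped.`, would keep that intent visible now that decoding failure is the only defence. With the workaround gone, `dername` is assigned once and used once, so the remaining `SECItem* dername;` / `int n;` / `char* namestring;` declarations could collapse into `for (int n = 0; n < caNames->nnames; n++) { char* namestring = CERT_DerNameToAscii(&caNames->names[n]);` — the file is C++ (it used `nullptr` on a removed line), so loop-scoped declarations fit. The function's head and the rest of the `if (!namestring)` branch are outside this hunk, so whether a null result is really skipped rather than aborting the loop cannot be confirmed from here.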
@@ -1977,21 +1930,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
       caNameStrings[n] = PORT_ArenaStrdup(arena.get(), namestring);
       PR_Free(namestring);
       if (!caNameStrings[n]) {
-        goto loser;
+        return SECFailure;
       }
     }
-
-    if (newitem.data) {
-      PR_Free(newitem.data);
-    }
   }
 
   return SECSuccess;
-loser:
-  if (newitem.data) {
-    PR_Free(newitem.data);
-  }
-  return SECFailure;
 }
 
 // Possible behaviors for choosing a cert for client auth.
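Review bot: The `return SECFailure` that replaces `goto loser` now exits from inside the loop with `caNameStrings[0..n-1]` filled and the slots from `n` onward untouched, and nothing in the hunk records that a caller must not read the array after a failure. A one-line contract comment on the function (its signature sits above this hunk), e.g. `// On SECFailure caNameStrings may be only partially filled; callers must discard it.`, or zero-filling the array before the loop, would make the early exit safe to reason about; the per-entry strings are arena-owned, so no cleanup is lost by dropping the label. PORT_ArenaStrdup presumably sets an NSS error code on allocation failure, so the early return should not need its own PR_SetError, but that is not visible in this hunk.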