authorwolfbeast <mcwerewolf@gmail.com>2018-11-02 11:39:21 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-11-02 11:39:21 +0100
commitf42d6c39fea309aefe8a1646980b880516fe2562 (patch)
tree6d59ba9108f4837155a9ab46652001cd28605783
parent617eb648307fd5bc8edb58605dde5d1e74b89d5a (diff)
Remove ancient workaround in client certificate code
Apparently a prehistoric server implementation would send a certificate_authorities field whose entries lacked the outer DER SEQUENCE tag, so PSM attempted to detect this and work around it by re-wrapping the name. That server implementation isn't in use anywhere anymore, so this 18-year-old server-bug workaround can be removed.
-rw-r--r--config/external/nss/nss.symbols1
-rw-r--r--security/manager/ssl/nsNSSIOLayer.cpp58
2 files changed, 1 insertions, 58 deletions
diff --git a/config/external/nss/nss.symbols b/config/external/nss/nss.symbols
index 3239d3119..7a968b6c8 100644
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@@ -165,7 +165,6 @@ DER_GeneralizedTimeToTime
DER_GeneralizedTimeToTime_Util
DER_GetInteger
DER_GetInteger_Util
-DER_Lengths
DER_SetUInteger
DER_UTCTimeToTime_Util
DSAU_DecodeDerSigToLen
diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
index 93fca396b..d2549c52d 100644
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1916,59 +1916,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
}
SECItem* dername;
- SECStatus rv;
- int headerlen;
- uint32_t contentlen;
- SECItem newitem;
int n;
char* namestring;
for (n = 0; n < caNames->nnames; n++) {
- newitem.data = nullptr;
dername = &caNames->names[n];
- rv = DER_Lengths(dername, &headerlen, &contentlen);
-
- if (rv != SECSuccess) {
- goto loser;
- }
-
- if (headerlen + contentlen != dername->len) {
- // This must be from an enterprise 2.x server, which sent
- // incorrectly formatted der without the outer wrapper of type and
- // length. Fix it up by adding the top level header.
- if (dername->len <= 127) {
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 2);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) dername->len;
- (void) memcpy(&newitem.data[2], dername->data, dername->len);
- } else if (dername->len <= 255) {
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 3);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) 0x81;
- newitem.data[2] = (unsigned char) dername->len;
- (void) memcpy(&newitem.data[3], dername->data, dername->len);
- } else {
- // greater than 256, better be less than 64k
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 4);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) 0x82;
- newitem.data[2] = (unsigned char) ((dername->len >> 8) & 0xff);
- newitem.data[3] = (unsigned char) (dername->len & 0xff);
- memcpy(&newitem.data[4], dername->data, dername->len);
- }
- dername = &newitem;
- }
-
namestring = CERT_DerNameToAscii(dername);
if (!namestring) {
// XXX - keep going until we fail to convert the name
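Review bot: With the DER_Lengths pre-check gone, `dername` at the `CERT_DerNameToAscii` call is handed straight from the server-supplied certificate_authorities list to the decoder with no local structural validation, so the decoder's own rejection of malformed or truncated input is now the only guard on this path. That is the right place for the check, but the removed `headerlen + contentlen != dername->len` test also happened to reject entries with trailing bytes, and whether CERT_DerNameToAscii does the same is not visible from this hunk, so it deserves an explicit comment rather than silence. I would add above the call: `// dername comes unvalidated from the server's certificate_authorities; CERT_DerNameToAscii is relied on to reject malformed DER (returns nullptr).` The `XXX - keep going` branch that handles that nullptr continues past the end of the hunk, and nsConvertCANamesToStrings itself begins before it.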
@@ -1977,21 +1930,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
caNameStrings[n] = PORT_ArenaStrdup(arena.get(), namestring);
PR_Free(namestring);
if (!caNameStrings[n]) {
- goto loser;
+ return SECFailure;
}
}
-
- if (newitem.data) {
- PR_Free(newitem.data);
- }
}
return SECSuccess;
-loser:
- if (newitem.data) {
- PR_Free(newitem.data);
- }
- return SECFailure;
}
// Possible behaviors for choosing a cert for client auth.