From f42d6c39fea309aefe8a1646980b880516fe2562 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Fri, 2 Nov 2018 11:39:21 +0100 Subject: Remove ancient workaround in client certificate code Apparently a prehistoric server implementation would send a certificate_authorities field that didn't include the outer DER SEQUENCE tag, so PSM attempted to detect this and work around it. This prehistoric server implementation isn't in use anywhere anymore, so this 18-yo server bug workaround can be removed. --- security/manager/ssl/nsNSSIOLayer.cpp | 58 +---------------------------------- 1 file changed, 1 insertion(+), 57 deletions(-) (limited to 'security') diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp index 93fca396b..d2549c52d 100644 --- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -1916,59 +1916,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings, } SECItem* dername; - SECStatus rv; - int headerlen; - uint32_t contentlen; - SECItem newitem; int n; char* namestring; for (n = 0; n < caNames->nnames; n++) { - newitem.data = nullptr; dername = &caNames->names[n]; - rv = DER_Lengths(dername, &headerlen, &contentlen); - - if (rv != SECSuccess) { - goto loser; - } - - if (headerlen + contentlen != dername->len) { - // This must be from an enterprise 2.x server, which sent - // incorrectly formatted der without the outer wrapper of type and - // length. Fix it up by adding the top level header. - if (dername->len <= 127) { - newitem.data = (unsigned char*) PR_Malloc(dername->len + 2); - if (!newitem.data) { - goto loser; - } - newitem.data[0] = (unsigned char) 0x30; - newitem.data[1] = (unsigned char) dername->len; - (void) memcpy(&newitem.data[2], dername->data, dername->len); - } else if (dername->len <= 255) { - newitem.data = (unsigned char*) PR_Malloc(dername->len + 3); - if (!newitem.data) { - goto loser; - } - newitem.data[0] = (unsigned char) 0x30; - newitem.data[1] = (unsigned char) 0x81; - newitem.data[2] = (unsigned char) dername->len; - (void) memcpy(&newitem.data[3], dername->data, dername->len); - } else { - // greater than 256, better be less than 64k - newitem.data = (unsigned char*) PR_Malloc(dername->len + 4); - if (!newitem.data) { - goto loser; - } - newitem.data[0] = (unsigned char) 0x30; - newitem.data[1] = (unsigned char) 0x82; - newitem.data[2] = (unsigned char) ((dername->len >> 8) & 0xff); - newitem.data[3] = (unsigned char) (dername->len & 0xff); - memcpy(&newitem.data[4], dername->data, dername->len); - } - dername = &newitem; - } - namestring = CERT_DerNameToAscii(dername); if (!namestring) { // XXX - keep going until we fail to convert the name @@ -1977,21 +1930,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings, caNameStrings[n] = PORT_ArenaStrdup(arena.get(), namestring); PR_Free(namestring); if (!caNameStrings[n]) { - goto loser; + return SECFailure; } } - - if (newitem.data) { - PR_Free(newitem.data); - } } return SECSuccess; -loser: - if (newitem.data) { - PR_Free(newitem.data); - } - return SECFailure; } // Possible behaviors for choosing a cert for client auth. -- cgit v1.2.3