authorwolfbeast <mcwerewolf@gmail.com>2018-11-02 11:39:21 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-11-02 11:39:21 +0100
commitf42d6c39fea309aefe8a1646980b880516fe2562 (patch)
tree6d59ba9108f4837155a9ab46652001cd28605783 /security
parent617eb648307fd5bc8edb58605dde5d1e74b89d5a (diff)
Remove ancient workaround in client certificate code
Apparently a prehistoric server implementation would send a certificate_authorities field that didn't include the outer DER SEQUENCE tag, so PSM attempted to detect this and work around it. This prehistoric server implementation isn't in use anywhere anymore, so this 18-yo server bug workaround can be removed.
Diffstat (limited to 'security')
-rw-r--r--security/manager/ssl/nsNSSIOLayer.cpp58
1 files changed, 1 insertions, 57 deletions
diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
index 93fca396b1..d2549c52df 100644
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1916,59 +1916,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
}
SECItem* dername;
- SECStatus rv;
- int headerlen;
- uint32_t contentlen;
- SECItem newitem;
int n;
char* namestring;
for (n = 0; n < caNames->nnames; n++) {
- newitem.data = nullptr;
dername = &caNames->names[n];
- rv = DER_Lengths(dername, &headerlen, &contentlen);
-
- if (rv != SECSuccess) {
- goto loser;
- }
-
- if (headerlen + contentlen != dername->len) {
- // This must be from an enterprise 2.x server, which sent
- // incorrectly formatted der without the outer wrapper of type and
- // length. Fix it up by adding the top level header.
- if (dername->len <= 127) {
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 2);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) dername->len;
- (void) memcpy(&newitem.data[2], dername->data, dername->len);
- } else if (dername->len <= 255) {
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 3);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) 0x81;
- newitem.data[2] = (unsigned char) dername->len;
- (void) memcpy(&newitem.data[3], dername->data, dername->len);
- } else {
- // greater than 256, better be less than 64k
- newitem.data = (unsigned char*) PR_Malloc(dername->len + 4);
- if (!newitem.data) {
- goto loser;
- }
- newitem.data[0] = (unsigned char) 0x30;
- newitem.data[1] = (unsigned char) 0x82;
- newitem.data[2] = (unsigned char) ((dername->len >> 8) & 0xff);
- newitem.data[3] = (unsigned char) (dername->len & 0xff);
- memcpy(&newitem.data[4], dername->data, dername->len);
- }
- dername = &newitem;
- }
-
namestring = CERT_DerNameToAscii(dername);
if (!namestring) {
// XXX - keep going until we fail to convert the name
@@ -1977,21 +1930,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
caNameStrings[n] = PORT_ArenaStrdup(arena.get(), namestring);
PR_Free(namestring);
if (!caNameStrings[n]) {
- goto loser;
+ return SECFailure;
}
}
-
- if (newitem.data) {
- PR_Free(newitem.data);
- }
}
return SECSuccess;
-loser:
- if (newitem.data) {
- PR_Free(newitem.data);
- }
- return SECFailure;
}
// Possible behaviors for choosing a cert for client auth.
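Review bot: The only failure exit left in this function, `return SECFailure;` in the second hunk, covers arena allocation failure, so nothing in the new code says what happens to a CA name that is not well-formed DER now that the repair step is gone. These names come from the server's certificate_authorities field (per the commit message) and are passed unmodified to `CERT_DerNameToAscii(dername)`; the XXX comment in the first hunk suggests a failed conversion is tolerated rather than treated as an error, but that branch's body lies outside both hunks, so this should be confirmed. I would add a comment above the call, e.g. `// dername is server-supplied and passed through as-is; malformed DER is not repaired, conversion simply fails for that entry.` Separately, with the `loser` label removed, `dername`, `n` and `namestring` no longer need to be declared uninitialized ahead of the loop and could be scoped to it, e.g. `for (int n = 0; n < caNames->nnames; n++) {` with `SECItem* dername = &caNames->names[n];` inside. The function itself starts above the first hunk.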