Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-24 21:31:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bug 1301547 - remove ancient workaround in client certificate code r=franziskus

Browse Source 
Apparently a prehistoric server implementation would send a
certificate_authorities field that didn't include the outer DER SEQUENCE tag, so
PSM attempted to detect this and work around it. Telemetry indicates this is
unnecessary now: https://mzl.la/2Lbi1Lz

--HG--
extra : rebase_source : 6669586d657efb243070a4ceb231583b40823543
extra : amend_source : e87f7c84c6c1a51637914bde5950268409b70571
This commit is contained in:
David Keeler 2018-07-16 16:30:15 -07:00
parent eb8aaacd2d
commit bb80df018c
2 changed files with 1 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
security/manager/ssl/nsNSSIOLayer.cpp
View File

@ -1967,61 +1967,11 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
}
SECItem* dername;
SECStatus rv;
int headerlen;
uint32_t contentlen;
SECItem newitem;
int n;
char* namestring;
for (n = 0; n < caNames->nnames; n++) {
newitem.data = nullptr;
dername = &caNames->names[n];
rv = DER_Lengths(dername, &headerlen, &contentlen);
if (rv != SECSuccess) {
goto loser;
}
if (headerlen + contentlen != dername->len) {
Telemetry::ScalarAdd(Telemetry::ScalarID::SECURITY_CLIENT_CERT,
NS_LITERAL_STRING("compat"), 1);
// This must be from an enterprise 2.x server, which sent
// incorrectly formatted der without the outer wrapper of type and
// length. Fix it up by adding the top level header.
if (dername->len <= 127) {
newitem.data = (unsigned char*) malloc(dername->len + 2);
if (!newitem.data) {
goto loser;
}
newitem.data[0] = (unsigned char) 0x30;
newitem.data[1] = (unsigned char) dername->len;
(void) memcpy(&newitem.data[2], dername->data, dername->len);
} else if (dername->len <= 255) {
newitem.data = (unsigned char*) malloc(dername->len + 3);
if (!newitem.data) {
goto loser;
}
newitem.data[0] = (unsigned char) 0x30;
newitem.data[1] = (unsigned char) 0x81;
newitem.data[2] = (unsigned char) dername->len;
(void) memcpy(&newitem.data[3], dername->data, dername->len);
} else {
// greater than 256, better be less than 64k
newitem.data = (unsigned char*) malloc(dername->len + 4);
if (!newitem.data) {
goto loser;
}
newitem.data[0] = (unsigned char) 0x30;
newitem.data[1] = (unsigned char) 0x82;
newitem.data[2] = (unsigned char) ((dername->len >> 8) & 0xff);
newitem.data[3] = (unsigned char) (dername->len & 0xff);
memcpy(&newitem.data[4], dername->data, dername->len);
}
dername = &newitem;
}
namestring = CERT_DerNameToAscii(dername);
if (!namestring) {
// XXX - keep going until we fail to convert the name
@ -2030,21 +1980,12 @@ nsConvertCANamesToStrings(const UniquePLArenaPool& arena, char** caNameStrings,
caNameStrings[n] = PORT_ArenaStrdup(arena.get(), namestring);
PR_Free(namestring); // CERT_DerNameToAscii() uses PR_Malloc().
if (!caNameStrings[n]) {
goto loser;
return SECFailure;
}
}
if (newitem.data) {
free(newitem.data);
}
}
return SECSuccess;
loser:
if (newitem.data) {
free(newitem.data);
}
return SECFailure;
}
// Possible behaviors for choosing a cert for client auth.

1
security/nss.symbols
View File

@ -163,7 +163,6 @@ DER_GeneralizedTimeToTime
DER_GeneralizedTimeToTime_Util
DER_GetInteger
DER_GetInteger_Util
DER_Lengths
DER_SetUInteger
DER_UTCTimeToTime_Util
DSAU_DecodeDerSigToLen