Closed
Bug 156770
Opened 23 years ago
Closed 21 years ago
When we do a file import and give a bad password we get wrong errors back
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.9
People
(Reporter: saileshd, Assigned: rrelyea)
References
Details
Attachments
(2 files, 1 obsolete file)
|
5.95 KB,
patch
|
julien.pierre
:
review+
wtc
:
superreview+
|
Details | Diff | Splinter Review |
|
6.36 KB,
patch
|
Details | Diff | Splinter Review |
When I import a .p12 file and give a bad file password, I get an error
SEC_ERROR_BAD_PASSWORD from the call to SEC_PKCS12DecoderVerify(). But when I do
the same for a .pfx file I get a different error code.
|
Reporter | |
Comment 1•23 years ago
|
||
I think the error numbers were -8177 for a .p12 file and -8190 for a .pfx file.
|
||
Comment 2•23 years ago
|
||
Bob, please take a look at this file. Note the
behavior depends on whether the file's extension
is .p12 or .pfx.
Priority: -- → P2
Target Milestone: --- → 3.6
|
Assignee | |
Updated•22 years ago
|
Target Milestone: 3.6 → 3.7
|
|
||
Comment 3•22 years ago
|
||
Moved to target milestone 3.8 because the original
NSS 3.7 release has been renamed 3.8.
Target Milestone: 3.7 → 3.8
|
||
Comment 4•22 years ago
|
||
Remove target milestone of 3.8, since these bugs didn't get into that release.
Target Milestone: 3.8 → ---
|
|
Assignee | |
Comment 6•21 years ago
|
||
This problem may require a rewrite of the pk12 subsystem. I took an initial look
at this before, and it's non-trivial. We can do it in NSS 3.9, I just want to
set the proper expectation about what the cost is.
bob
|
|
Assignee | |
Comment 7•21 years ago
|
||
So once we've tried failed to decode a ANS.1 stream, don't continue collecting
more data.
On microsoft.pfx files, we would wind up decoding to the end of the encrypted
stream, then fail in the padding in PKCS #7. This code bypasses this problem by
making sure we don't continue to try to decode data once we've hit a bad
password failure.
A smaller fix would be to check to see if the SEC_Error has already been set to
BAD_PASSWORD in SEC_PKCS7Decode() when we detect a bad padding, and not
resetting the PORT_Error(). This fix would not handle any cases where there are
only places where we may be failing the decode and resetting the error code.
|
|
Assignee | |
Updated•21 years ago
|
Attachment #133233 -
Flags: superreview?(jpierre)
Attachment #133233 -
Flags: review?(wchang0222)
|
||
Comment 8•21 years ago
|
||
Comment on attachment 133233 [details] [diff] [review]
When we fail to decode based on a bad password, don't continue.
This looks like an unrelated modutil patch.
Attachment #133233 -
Flags: superreview?(jpierre) → superreview-
|
|
Assignee | |
Comment 9•21 years ago
|
||
This should be the right one.
Attachment #133233 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•21 years ago
|
Attachment #133453 -
Flags: superreview?(wchang0222)
Attachment #133453 -
Flags: review?(jpierre)
|
|
Assignee | |
Updated•21 years ago
|
Attachment #133233 -
Flags: review?(wchang0222)
|
|
||
Comment 10•21 years ago
|
||
Comment on attachment 133453 [details] [diff] [review]
Attach the real patch, not a stall old patch
Looks good, except you should check for NULL context pointers in your abort
functions.
Attachment #133453 -
Flags: review?(jpierre) → review+
|
|
Assignee | |
Comment 11•21 years ago
|
||
|
|
Assignee | |
Comment 12•21 years ago
|
||
Checking in nss/nss.def;
/cvsroot/mozilla/security/nss/lib/nss/nss.def,v <-- nss.def
new revision: 1.115; previous revision: 1.114
done
Checking in pkcs12/p12d.c;
/cvsroot/mozilla/security/nss/lib/pkcs12/p12d.c,v <-- p12d.c
new revision: 1.20; previous revision: 1.19
done
Checking in pkcs7/p7decode.c;
/cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v <-- p7decode.c
new revision: 1.12; previous revision: 1.11
done
Checking in pkcs7/p7encode.c;
/cvsroot/mozilla/security/nss/lib/pkcs7/p7encode.c,v <-- p7encode.c
new revision: 1.7; previous revision: 1.6
done
Checking in pkcs7/secpkcs7.h;
/cvsroot/mozilla/security/nss/lib/pkcs7/secpkcs7.h,v <-- secpkcs7.h
new revision: 1.4; previous revision: 1.3
done
Checking in smime/smime.def;
/cvsroot/mozilla/security/nss/lib/smime/smime.def,v <-- smime.def
new revision: 1.29; previous revision: 1.28
done
Checking in util/secasn1.h;
/cvsroot/mozilla/security/nss/lib/util/secasn1.h,v <-- secasn1.h
new revision: 1.10; previous revision: 1.9
done
Checking in util/secasn1d.c;
/cvsroot/mozilla/security/nss/lib/util/secasn1d.c,v <-- secasn1d.c
new revision: 1.28; previous revision: 1.27
done
Checking in util/secasn1e.c;
/cvsroot/mozilla/security/nss/lib/util/secasn1e.c,v <-- secasn1e.c
new revision: 1.12; previous revision: 1.11
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
|
|
||
Comment 13•21 years ago
|
||
Comment on attachment 133453 [details] [diff] [review]
Attach the real patch, not a stall old patch
r=wtc.
This patch is basically good. It has some minor problems
that I'd like you to fix. I left my comments on a copy of
this patch (rather the next patch) in your cube.
Attachment #133453 -
Flags: superreview?(wchang0222) → superreview+
|
|
||
Comment 14•21 years ago
|
||
Bob, please reclose this bug after you have made
the changes I suggested. Thanks!
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 15•21 years ago
|
||
wtc changes have been checked in.
Julien, the check for ->cx == NULL isn't necessary since the underlying call was
doing the check. The whole thing is mute since wtc's changes was to remove the
null checks since they are really programming errors and should crash.
|
|
Assignee | |
Comment 16•21 years ago
|
||
marking fixed
Status: REOPENED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•