Closed Bug 230951 Opened 21 years ago Closed 21 years ago

incorrect template renders some valid cert extensions invalid

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: nelson)

Details

Attachments

(3 files)

patch v1
718 bytes, patch
julien.pierre
: review+
Details | Diff | Splinter Review
patch part 2 - v1
1.13 KB, patch
kinmoz
: review+
Details | Diff | Splinter Review
patch part 3 - v1
643 bytes, patch
nelson
: review+
Details | Diff | Splinter Review
According to RFC 3280, page 32, the policyQualifiers sequence in a PolicyInformation is OPTIONAL, but in NSS's template for this CERT_PolicyInfoTemplate[] in nss/lib/certdb/polcyxtn.c this component is not optional. Consequently, policy extensions that are properly constructed without this sequence are reported as having invalid policy extensions. Patch is forthcoming.
Attached patch patch v1Splinter Review
Comment on attachment 139084 [details] [diff] [review] patch v1 Julien, is there any reason to believe that SEQUENCE_OF is mutually exclusive with OPTIONAL ?
Attachment #139084 - Flags: review?(jpierre)
No, there is no reason why that should not work.
Julien, May I interpret your last comment as r=jpierre?
Attachment #139084 - Flags: review?(jpierre) → review+
/cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v <-- polcyxtn.c new revision: 1.4; previous revision: 1.3
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Priority: -- → P1
Target Milestone: --- → 3.9.1
Kin Blas reports: When I tried linking to a debug build of the NSS trunk, the decode call would crash instead of just returning NULL, because it was dereferencing policyQualifiers without checking if it was NULL:: while ( *policyQualifiers != NULL ) The following NSS patch to polcytxn.c fixes things for me: Index: security/nss/lib/certdb/polcyxtn.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v retrieving revision 1.4 diff -u -r1.4 polcyxtn.c --- security/nss/lib/certdb/polcyxtn.c 16 Jan 2004 05:36:08 -0000 1.4 +++ security/nss/lib/certdb/polcyxtn.c 23 Jan 2004 19:30:07 -0000 @@ -178,7 +178,7 @@ policyInfo = *policyInfos; policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID); policyQualifiers = policyInfo->policyQualifiers; - while ( *policyQualifiers != NULL ) { + while ( policyQualifiers && *policyQualifiers != NULL ) { policyQualifier = *policyQualifiers; policyQualifier->oid = SECOID_FindOIDTag(&policyQualifier->qualifierID); I will also look for other places that might be affected.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I found two places that had this same error. Patch forthcoming.
Status: REOPENED → ASSIGNED
This is Kin's patch applied in two places.
Comment on attachment 139750 [details] [diff] [review] patch part 2 - v1 Kin, please review. :)
Attachment #139750 - Flags: review?(kinmoz)
Comment on attachment 139750 [details] [diff] [review] patch part 2 - v1 r=kinmoz@netscape.net
Attachment #139750 - Flags: review?(kinmoz) → review+
/cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v <-- polcyxtn.c new revision: 1.4.2.1; previous revision: 1.4 Fixed (again)
Status: ASSIGNED → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → FIXED
Also fixed on trunk. /cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v <-- polcyxtn.c new revision: 1.5; previous revision: 1.4
Comment on attachment 139750 [details] [diff] [review] patch part 2 - v1 By searching for CERT_DecodeCertificatePoliciesExtension in the NSS source tree, I found that the secu_PrintPolicyInfo function in cmd/lib/secutil.c has the same problem. I guess we (the reviewers) need guidance on how to look for similar bugs. I am searching for CERT_DecodeCertificatePoliciesExtension and checking how its return value is used. Is that the right way? What about code outside NSS? If they copied our code they will crash when they upgrade to NSS 3.9.1. Is there a way to avoid that?
My patch to bug 132942 fixes this problem, which is why I didn't see the problem in secutil.c in my own search. Perhaps we should take that patch for NSS 3.9.1 as I had originally intended. To find all vulnerabile places, it suffices to search all code for the string policyQualifiers
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
To clarify: My patch named "patch part 1 = v1" to bug to bug 132942, which I had originally intended for NSS 3.9.1, fixes the vulnerabilities (there was more than 1) to absent optional policy extension pieces in nss/cmd/lib/secutil.c. That patch is awaiting review.
Fixes the same problem in cmd/lib/secutil.c. Nelson, your patch (attachment 139547 [details] [diff] [review]) is huge. Do we really need all of that to fix this bug?
That patch implements a substantian enhancement. Clearly not all of it is necessary to fix this bug. However, that patch does rewrite the code that parses and displays policy extensions (the area that is having these crashes), and I would suggest taking the entire portion of the patch that accomplishes that.
Comment on attachment 139770 [details] [diff] [review] patch part 3 - v1 Nelson, taking that portion of your patch is not that simple because the patch moves the relevant functions to the new file pppolicy.c. Can we just take this patch and be done with this bug?
Comment on attachment 139770 [details] [diff] [review] patch part 3 - v1 done. Checked in on 3.9 branch. /cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v <-- secutil.c new revision: 1.60.2.1; previous revision: 1.60 On the trunk, I plan to fix it with my other patch... :)
Attachment #139770 - Flags: review+
Fixed, yet another time.
Status: REOPENED → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: