Closed Bug 1001188 Opened 9 years ago Closed 9 years ago

mozilla::pkix's BuildForward function returns RecoverableError without calling PR_SetError

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla32
Tracking Flags:
Tracking Status
firefox31 --- fixed
firefox32 --- fixed

People

(Reporter: briansmith, Assigned: briansmith)

References

Details

Attachments

(2 files)

max-cert-chain-length-fix.patch
1.23 KB, patch
cviecco
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review
max-cert-chain-length-tests.patch
15.81 KB, patch
cviecco
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
if (subCACount >= MAX_DEPTH - 1) {
-    return RecoverableError;
+    return Fail(Result::RecoverableError, SEC_ERROR_UNKNOWN_ISSUER);
  }
WHen I run this test without the fix, I get a test failure indicating that the error code was not set. With the fix applied, the tests pass.
Attachment #8432151 - Flags: review?(cviecco)
Attachment #8432149 - Flags: review?(cviecco) → review+
Comment on attachment 8432151 [details] [diff] [review]
max-cert-chain-length-tests.patch

Review of attachment 8432151 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me. The only reason why I am giving the r- instead of an r+ is that I dont know how these tests are plugged into our automation suite. Please give me a link or document that they are not run automatically for the r+.
Attachment #8432151 - Flags: review?(cviecco) → review-
Comment on attachment 8432151 [details] [diff] [review]
max-cert-chain-length-tests.patch

Review of attachment 8432151 [details] [diff] [review]:
-----------------------------------------------------------------

Does `./mach gtest` not run this?
Comment on attachment 8432151 [details] [diff] [review]
max-cert-chain-length-tests.patch

Review of attachment 8432151 [details] [diff] [review]:
-----------------------------------------------------------------

From https://developer.mozilla.org/en-US/docs/GTest
"... Gtests currently run as part of 'make -C testing/gtest check' in the B section of tbpl ..."
Attachment #8432151 - Flags: review- → review+
Folded both patches together and checked in. Thanks for the quick reviews!

https://hg.mozilla.org/integration/mozilla-inbound/rev/a24472ea29d4
Status: NEW → ASSIGNED
Target Milestone: mozilla31 → mozilla32
Comment on attachment 8432149 [details] [diff] [review]
max-cert-chain-length-fix.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 915930 (one of the bugs it depends on)
User impact if declined: The error message reported for a certificate check failure may not match the actual error and/or the user may not be able to override an error that is supposed to be overridable.
Testing completed (on m-c, etc.): Just landed. There are automated tests.
Risk to taking this patch (and alternatives if risky): Very low. This is a one line patch to call the PR_SetError function, plus a few hundred lines of testing.

String or IDL/UUID changes made by this patch: Never!
Attachment #8432149 - Flags: approval-mozilla-aurora?
Comment on attachment 8432151 [details] [diff] [review]
max-cert-chain-length-tests.patch

Review of attachment 8432151 [details] [diff] [review]:
-----------------------------------------------------------------

See the approval request for the previous patch.
Attachment #8432151 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/a24472ea29d4
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Attachment #8432149 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #8432151 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Needs a branch patch for Fx31. Note that the uplift is on Monday, so this needs to be landed on Aurora ASAP.
status-firefox32: affectedfixed
Flags: needinfo?(cviecco)
Flags: needinfo?(brian)
Keywords: branch-patch-needed
The fix for the issue I have a patch, for the tests, the storty is different I need to collapse and remove several changesets. so far I know I need:
1 A 2a5624d51bd3
2 A 7a515c1d5a21
3 A 7176ac3db029
4 A 64ce640f432e
5 A dfc04fd0a41f
6 A 69d7eaad0a50
7 A d03cc4b6832c

as soon as I have a miminal change I will ask you for aproval of the tests. I this seems too much change now we can leave the tests out, but lets be hpefull and see what we really need.
(In reply to Camilo Viecco (:cviecco) from comment #11)
> The fix for the issue I have a patch, for the tests, the storty is different
> I need to collapse and remove several changesets. so far I know I need:
> 
> As soon as I have a miminal change I will ask you for aproval of the tests.
> I this seems too much change now we can leave the tests out, but lets be
> hpefull and see what we really need.

It looks like Camilo is taking care of it. Thanks Camilo! (FWIW, I think it is OK to uplift the fix without the test, since the fix is trivial.)
Flags: needinfo?(brian)
The test patch is big and messy. Lets land the fix only.
 https://tbpl.mozilla.org/?tree=Try&rev=99a4dc45cea9
Flags: needinfo?(cviecco)
try build looks green(of the patch wihout tests) I will push to aurora as soon as the final xpchell tests on windows finish unless you ping me not to.
Flags: needinfo?(ryanvm)
Aurora's green, go for it. Please do set status-firefox31 to fixed when you do, though :)
Flags: needinfo?(ryanvm)
Keywords: branch-patch-needed
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.