Closed Bug 314115 Opened 19 years ago Closed 19 years ago

SEC_QuickDERDecodeItem modifies SECItem.type field during decoding process

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Version:
3.11
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: alvolkov.bgs, Assigned: julien.pierre)

References

Details

Attachments

(1 file)

fix
701 bytes, patch
alvolkov.bgs
: review+
wtc
: superreview+
Details | Diff | Splinter Review 
Found a regression with SEC_ASN1DecodeItem function. SECItem.type field get reset to siBuffer during decoding. 

Adding line fixes the problem for siUsignInteger case.

--- quickder.c  2 Apr 2005 05:33:41 -0000       1.22
+++ quickder.c  28 Oct 2005 00:02:12 -0000
@@ -860,6 +860,7 @@
     if ((SECSuccess == rv) && (PR_TRUE == save))
     {
         SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset);
+        temp.type = destItem->type;
         if (destItem)
         {
             *(destItem) = temp;
Please also try this fix, which is more generic than the other one as it causes the type field in the destination to always be left untouched, rather than just for SEC_ASN1_INTEGER .

Index: quickder.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/quickder.c,v
retrieving revision 1.22
diff -r1.22 quickder.c
865c865,866
<             *(destItem) = temp;
---
>             destItem->data = temp.data;
>             destItem->len = temp.len;
Assignee: wtchang → julien.pierre.bugs
OS: Linux → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → 3.11
Julien, last two lines fix regression as well.
OS: All → Linux
Priority: P2 → --
Hardware: All → PC
Target Milestone: 3.11 → ---
Is this a regression because something worked in an old
NSS release no longer works, or because something that
works in SEC_ASN1DecodeItem doesn't work in SEC_QuickDERDecodeItem?

Should the caller set destItem->type before calling
SEC_QuickDERDecodeItem?

Wan-Teh,

This is a bug in the QuickDER decoder, and a difference in behavior with the classic decoder, not technically a regression, but something we need to fix.
The only time dest->type needs to be set prior to calling the decoder is for the SEC_ASN1_INTEGER case. The decoder removes leading zeroes if the value is siUnsignedInteger . Otherwise, the type field should be ignored. In all cases, the value of type should be left alone accross the call to either decoder, because the type field is only treated as an input parameter (even though it is a subfield in the output argument ...). This is a hack that was introduced in NSS a long-time ago, and unfortunately one that we have to continue to support.
Blocks: 279085
OS: Linux → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → 3.11
Julien,

Thanks for the explanation.  I hope you can add some comments
that explain:
1. When does the caller need to set the SECItem's type field
before calling SEC_ASN1DecodeItem or SEC_QuickDERDecodeItem?

2. Does SEC_ASN1DecodeItem or SEC_QuickDERDecodeItem set the
SECItem's type field?
Wan-Teh,

1) There is already a comment in the QuickDER code about siUnsignedInteger :

            case SEC_ASN1_INTEGER:
                {
                    /* remove leading zeroes if the caller requested siUnsignedInteger
                       This is to allow RSA key operations to work */
                    SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset);
                    if (destItem && (siUnsignedInteger == destItem->type))

The only other place where I think more comments are warranted is in the tech note 1 about the decoders .

2) QuickDER sets the type to 0 (siBuffer) as a result of PORT_ArenaZAlloc . But this only applies to SECItems that QuickDER itself allocated, for POINTER, SET OF and SEQUENCE OF, or subcomponents of these  .
A quick look at secasn1d.c shows the same is true for the classic decoder .
Attached patch fixSplinter Review 

        Attachment #201223 -
        Flags: superreview?(wtchang)

        Attachment #201223 -
        Flags: review?(alexei.volkov.bugs)

    
    

    
  
Comment on attachment 201223 [details] [diff] [review]
fix

r=wtc.  Please generate unified context diffs
(cvs diff -u) in the future.

        Attachment #201223 -
        Flags: superreview?(wtchang) → superreview+

    
    

    
  
Julien:

The comments I requested need to be added to the public
header secasn1.h.  We use comments in our public headers
as a replacement for real documentation.  Most of the NSS
users won't read the .c files in our source tree. 

    
  

        Attachment #201223 -
        Flags: review?(alexei.volkov.bugs) → review+

    
    

    
  
Checking in quickder.c;
/cvsroot/mozilla/security/nss/lib/util/quickder.c,v  <--  quickder.c
new revision: 1.23; previous revision: 1.22
done

Checking in secasn1.h;
/cvsroot/mozilla/security/nss/lib/util/secasn1.h,v  <--  secasn1.h
new revision: 1.14; previous revision: 1.13
done

I added the following to secasn1.h :

/* Both classic ASN.1 and QuickDER have a feature that removes leading zeroes
   out of SEC_ASN1_INTEGER if the caller sets siUnsignedInteger in the type
   field of the target SECItem prior to calling the decoder. Otherwise, the
   type field is ignored and untouched. For SECItem that are dynamically
   allocated (from POINTER, SET OF, SEQUENCE OF) the decoder sets the type
   field to siBuffer. */

Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: