Closed Bug 362404 Opened 19 years ago Closed 19 years ago

the browser's security component could not be initialized

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.11.4
Platform:
x86
Windows 95
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: benoit, Assigned: wtc)

Details

(Keywords: regression, Whiteboard: [cst: blocking-seamonkey1.1-])

Attachments

(6 files, 4 obsolete files)

Test program capi.exe
40.00 KB, application/octet-stream
Details
Test program source code capi.c
3.65 KB, text/plain
Details
New capi.c test program and its output
10.18 KB, text/plain
Details
Test program capi2.c and its output
5.27 KB, text/plain
Details
Incomplete patch
1.74 KB, patch
Details | Diff | Splinter Review
Response statement v3
3.75 KB, text/plain
Details
When starting up SeaMonkey, you get a "The browser's security component could not be initialized." error. Consequently, SSL connections can't be made, and installing extensions will crash the browser. Regression range: 2006112001 OK 2006112113 broken The regression range shows only one check-in for the NSS module, which is the branch patch for bug 357333. It's possible other Win9x flavours are affected as well.
Benoit says he has Win95 OSR2.5 People on winXP don't seem to have this problem.
Assignee: dveditz → wtchang
The fix for bug 355297 is the most likely culprit. In that fix, NSS initialization fails if we can't get any random bytes from the Windows system random number generator. We know some Win95 machines don't have the CryptoAPI and try to handle those, but it's possible that our code isn't working as expected. Benoît, I will write a test program for you to run on your Win95 computer. Dan, does Mozilla Corp. have any Win95 or Win98 computers?
Attached file Test program capi.exe
Benoît, please run this test program capi.exe in a Command Prompt on your Win95 computer and post the output of the program. I emailed you this test program earlier. I am also attaching it here just in case your mail server rejects .exe attachments.
If you have a compiler, you may want to compile the test program yourself.
Thanks, Wan-Teh, I received the attachment, and ran it in a command prompt window. The output follows: loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA failed: -2146893801 RNG_SystemRNG returned 0 loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA failed: -2146893801 RNG_SystemRNG returned 0
The error code -2146893801 (0x80090017) is "Provider type not defined." BOOL WINAPI CryptAcquireContext( HCRYPTPROV* phProv, LPCTSTR pszContainer, LPCTSTR pszProvider, DWORD dwProvType, DWORD dwFlags ); NTE_PROV_TYPE_NOT_DEF( 0x80090017L ) No entry exists for the provider type specified by dwProvType. Our test program passes PROV_RSA_FULL as the dwProvType to CryptAcquireContext. This failure is enough to cause NSS initialization to fail, so I confirm this is an NSS bug.
Status: NEW → ASSIGNED
Component: Security → Libraries
Product: Mozilla Application Suite → NSS
Target Milestone: seamonkey1.1final → 3.12
Version: 1.8 Branch → 3.11.4
This is what I get when I run "capi.exe" on a Win98 (4.10.1998) machine that is not attached to a network: loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA succeeded CryptGenRandom succeeded RNG_SystemRNG returned 1024 loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA succeeded CryptGenRandom succeeded RNG_SystemRNG returned 128
Attached patch Initial patch (obsolete) — Splinter Review
Benoît, can you confirm you're using Windows 95 OSR 2? What version of IE does that computer have? I applied this patch in the freebl3.dll and freebl3.chk that I emailed to you. Do they make SeaMonkey work on your Windows 95 computer?
Yes, I'm running Windows 95 OSR 2. OSR 2.5, to be exact, also known as Win95 C. I don't have any version of IE on this system. Yes, the patched freebl3.dll and freebl3.chk files allow the security component to be initialised. Posting from a tinderbox ZIP build with them right now. :)
According to Wan-Teh, I have no cryptography implementation. I did some research, and found that CryptAcquireContextA looks at the registry to get a value. Since I already had found out before that advapi32.dll ships with IE, I looked in ohare.inf on how to install cryptography. I copied the necessary files, made the necessary registry entries, but capi.exe still yields an error. I used Regmon, and it's querying some strange hexadecimal value that I don't understand the location of. I'm asking for help on this over at MSFN on this right now.
The strange hexadecimal value referred to the list of Known DLLs. It didn't have RSABASE. I still saw the same keys after that not being found, though. I should have looked better. Even if the DLL is not added to the list of Known DLLs, the capi test program gives one successful attempt at the top, where I did not notice it: Provider type = PROV_RSA_FULL loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA succeeded CryptGenRandom succeeded RNG_SystemRNG returned 1024 So, I cryptography installed successfully in the first place. I tested an older ZIP build I still had with the bug, and indeed, SeaMonkey loaded fine. I guess this bug is useful to older Windows 95 users regardless. :)
Benoît, glad to know you successfully installed a cryptographic service provider (CSP) on your Win95 computer. Could you write down what you did to install it? According to Microsoft documentation, one may need to install IE 3.02 to get the CSP: Requirements Client Requires Windows Vista, Windows XP, Windows 2000 Professional, Windows NT Workstation 4.0, Windows Me, Windows 98, or Windows 95 OSR2 and later. ... Redistributable Requires Internet Explorer 3.02 or later on Windows 95. I guess that "Redistributable" means the CSP. Does your computer have rsabase.dll or rsaenh.dll? Perhaps the easiest way to get the CSP is to install IE 3.02?
This is the source code of a new version of the capi.c test program and its output on Benoît's Win95 computer (before he changed the computer). The output showed that his computer didn't have any type of CSP.
This is the source code of the capi2.c test program and its output on Benoît's Win95 computer (before he changed the computer). I experimented with specifying the provider name (MS_DEF_PROV) and 0 as the dwFlags argument. Neither of these worked.
Comment on attachment 247226 [details] [diff] [review] Initial patch I should point out that the code in question is new code we wrote in NSS 3.11.4, and we did consider the lack of CSP on Windows 95. This is why the code loads advapi32.dll and looks up the CryptXXX functions dynamically. We thought that on old Windows 95 computers, the way the code will fail is that the CryptXXX functions don't exist (i.e., the GetProcAddress calls will fail). We didn't realize that the CryptXXX functions may exist but fail when called.
It's easy to install. This thread's opening post tells you what to do: http://www.msfn.org/board/index.php?showtopic=87940 I have rsabase.dll
Thanks. Those instructions are hard to understand for someone like me who's unfamiliar with Windows 95. What is ohare.inf? Where do I get these files? DIGSIG.DLL IMAGEHLP.DLL RSABASE.DLL SIGRES.EXE WINTRUST.DLL Based on my (limited) understanding of CAPI, rsabase.dll should be all we need, and the command regsrv32 rsabase.dll should create the necessary CAPI registry entries.
Whiteboard: [cst: blocking-seamonkey1.1-]
ohare.inf is the file containing the installation instructions to install IE 3.02. You can get those files by extracting them from the WIN95 .cab archives from the WIN95 directory on the CD-ROM. If "regsvr32 rsabase.dll" was all that was needed, I don't think ohare.inf would create registry entries for CAPI itself, that "regsvr32 rsabase.dll" adds to.
Since the patch works, can it get reviewed, please?
Attached patch Incomplete patchSplinter Review
This incomplete patch (intentionally broken) summarizes everything I know about this bug. The remaining work is to call GetVersionEx to determine if we are on Windows 95.
Attachment #247226 - Attachment is obsolete: true
Attached file Response statement (obsolete) —
Benoît, I'm sorry that I don't have time to move further on this bug. I would need to write and test the code that calls GetVersionEx, for little benefit to the majority of the NSS users. Someone else can still do this work, but the value of this work will decresse as the number of Windows 95 computers decreases. The "initial patch" isn't appropriate because we want to fail hard on the recent versions of Windows if CryptAcquireContext fails. This is why I proposed to only allow CryptAcquireContext to fail on Windows 95 the "incomplete patch". Because of the FIPS validation, I can't fix this bug in NSS 3.11.x (used by Firefox 2.0). I can only fix this bug in NSS 3.12, which will be used by Firefox 3.0. But I don't have time to work on the patch. I think our time is better spent on improving the "response statement", to help Windows 95 users install CryptoAPI on their computers. Thank you very much for your help with this bug.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
I guess it's sort of understandable, because it is quite weird to have a system that has CryptAcquireContextA, but no registered cryptography. A side effect of not having IE3 installed. M$ assumed there wouldn't be a problem getting advapi32.dll in the base install, since IE3 would normally be installed too anyway. The fellow Windows 95 user I talked about in my last e-mail rightly asked back why this NSS change was introducted so late in the game. Firefox 2.0 is already out, and SeaMonkey 1.1b is only allowing fixes, so why?
I will respond to that question in the statement. Could you ask that Windows 95 user to run capi.exe (either the old or the new one) on his Windows 95 computer and send me the output? I did some more research on CryptoAPI and Windows 95, and I am confused as to why your Windows 95 computer had CryptAcquireContextA but no registered cryptographic provider. Microsoft documentation says that CryptAcquireContext can be used on "Windows 95 OSR2" or "Windows 95 with IE 3.02 or later". Since your computer is Windows 95 OSR2.5, it seems that CryptAcquireContext should work without IE installed. Or is IE part of Windows 95 OSR2? Did you uninstall IE after a standard install, or was IE never installed?
> Mozilla/5.0 (Windows; U; WinNT3.51; en-US; rv:1.8.1.1pre) Gecko/20061209 SeaMonkey/1.1 C:\users\default>capi loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 failed to look up CryptAcquireContextA: 127 RNG_SystemRNG returned 0 loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 failed to look up CryptAcquireContextA: 127 RNG_SystemRNG returned 0
> Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.1pre) Gecko/20061208 SeaMonkey/1.1 D:\TEMP>capi loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA succeeded CryptGenRandom succeeded RNG_SystemRNG returned 1024 loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA succeeded CryptGenRandom succeeded RNG_SystemRNG returned 128
Sure, I'll ask him. Um, didn't I explain everything in my last comment? M$ put advapi32.dll in the base install, and CAPI in the IE3 install. When you install Windows 95 OSR2, it installs IE3 along with everything else. You don't have a choice. This is one example of M$ bundling OS updates with its browser, so that you were forced to become a user of it. IE3 installs advapi32.dll too, so installing IE3 would install the necessary components on an Win95 install too. This other Windows 95 user I'm talking about is Nathan Lineback, whose website has instructions for install Windows 95 without IE3 "Just like Bill says you can't": http://toastytech.com/evil/lab.html#rem95 So yes, IE3 was never installed.
Nathan Lineback says: loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA failed: -2146893801 RNG_SystemRNG returned 0 loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA failed: -2146893801 RNG_SystemRNG returned 0 BTW, this is Windows 95 OSR2 but installed with a slight modification that prevented the installation of IE 3 so no IE is present at all. (See my old mad deintegration lab page on how I did that)
Attached file Response statement v2 (obsolete) —
Answered the question in comment 23. Incorporated new information on the Windows 95 computers on which NSS fails to initialize. Neil emailed me the output of the original capi.exe test program on Windows 95 with IE 3.02: C:\WINDOWS\TEMP>capi.exe loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA succeeded CryptGenRandom succeeded RNG_SystemRNG returned 1024 loaded advapi32.dll successfully failed to look up RtlGenRandom: 127 looked up CryptAcquireContextA successfully looked up CryptReleaseContext successfully looked up CryptGenRandom successfully CryptAcquireContextA succeeded CryptGenRandom succeeded RNG_SystemRNG returned 128
Attachment #248000 - Attachment is obsolete: true
Attached file Response statement v2 (correct date) (obsolete) —
Fixed the date last updated.
Attachment #248301 - Attachment is obsolete: true
Benoît, I have good news to report. I studied this issue in my spare time and successfully reproduced your environment by following Nathan Lineback's and similar instructions I found on the Web: 2.3. How do I install Windows 95 from... 2.3.5. How do I make Setup NOT install things like MSIE, MSN, etc? http://www.faqs.org/faqs/windows/win95/faq/part02/section-3.html Optimizing Windows for Games, Graphics and Multimedia: Chapter 10 Clean Windows Installation OSR2.x's Excess Baggage http://www.oreilly.com/catalog/win9x/chapter/ch10.html I also studied ohare.inf and figured out only rsabase.dll and sigres.exe are required to fix this problem. rsabase.dll and sigres.exe are in one group -- sigres.exe is required by "regsvr32 rsabase.dll" to open the signature file. "regsvr32 rsabase.dll" creates the three registry entries specified in ohare.inf related to CSP, so we don't need to create those three registry entries manually. digsig.dll, imagehlp.dll, and wintrust.dll are another group -- digsig.dll and imagehlp.dll are required by wintrust.dll. However, "regsvr32 wintrust.dll" does not create the one WinTrust registry key specified in ohare.inf. But to use CryptAcquireContext and CryptGenRandom, we don't need wintrust.dll and its WinTrust registry entry. I will update the response statement with the latest information. As long as you still have the Windows 95 CD, it's quite simple to install and register the Microsoft Base Cryptographic Provider (rsabase.dll) to resolve this issue. If Nathan Lineback is running SeaMonkey or Firefox on his Windows 95 computer, please ask him to try this: rem cd to the directory with the *.cab files extract /A /L C:\WINDOWS\SYSTEM WIN95_02.CAB regsvr32.exe rsabase.dll sigres.exe C: cd \WINDOWS\SYSTEM regsvr32 rsabase.dll
Attached file Response statement v3
Added web pages I found that explain how to install Windows 95 OSR2.x without installing IE. Added instructions for installing only the Microsoft Base Cryptographic Provider.
Attachment #248302 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: