Bug 382078 - pkix default http client returns error when try to get an ocsp response.
Status: RESOLVED FIXED
Whiteboard: PKIX
Product: NSS
Classification: Components
Component: Libraries
Version: 3.12
Platform: All All
Importance: P1 normal
Target Milestone: 3.12
Assigned To: Alexei Volkov
Reported: 2007-05-25 17:47 PDT by Alexei Volkov
Modified: 2007-06-07 11:19 PDT


Attachments
switch off pkix default http client registration (1.34 KB, patch)
2007-05-25 17:58 PDT, Alexei Volkov
nelson: review+
fix parameter value disagreement (6.17 KB, patch)
2007-06-04 18:27 PDT, Alexei Volkov
nelson: review+

Description Alexei Volkov 2007-05-25 17:47:55 PDT
NSS (in ocsp.c:fetchOcspHttpClientV1) calls the registered http client to get an OCSP server response. The LibPKIX default http client started registering itself with NSS after the final libpkix integration patch landed on the trunk.

The reason for the OCSP failure, reported as
           "The OCSP server experienced an internal error."
was a disagreement in the allowed http client interface function parameter values.

The LibPKIX http client requires the caller to pass a non-NULL pointer as pPollDesc (PRPollDesc **), which is intended to be used to return a blocked io descriptor. The OCSP code in NSS, on the other hand, expects that the registered http client will handle blocked io by itself in case the interface function is called with pPollDesc == NULL.
Comment 1 Alexei Volkov 2007-05-25 17:58:14 PDT
Created attachment 266154
switch off pkix default http client registration

temporary patch to make nss tinderbox green again.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2007-05-25 18:17:47 PDT
Comment on attachment 266154
switch off pkix default http client registration

I approve this patch as a temporary workaround until we can fix the larger underlying problem described in this bug.
r=nelson
Comment 3 Alexei Volkov 2007-05-25 18:32:21 PDT
Attachment 266154 integrated on the trunk:
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c,v  <--  pkix_pl_lifecycle.c
new revision: 1.3; previous revision: 1.2
Comment 4 Nelson Bolyard (seldom reads bugmail) 2007-05-25 20:35:38 PDT
Alexei, was this disagreement about the API present on the PKIX branch?
Comment 5 Alexei Volkov 2007-06-04 18:27:31 PDT
Created attachment 267231
fix parameter value disagreement

pkix_pl_HttpDefaultClient_TrySendAndReceive requires the pPollDesc parameter value to be non-NULL for blocking and non-blocking io. This is too strict. Function fetchOcspHttpClientV1 from ocsp.c creates a socket with a non-zero timeout, expecting the socket to be blocked on io, and therefore making a non-NULL poll descriptor an unnecessary requirement.
Patch fixes the problem. All ocsp interoperability tests pass with this fix.
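The parameter contract discussed in the description and in Comment 5, as an added example that is not NSS or libpkix code: a simplified C model in which a caller with a blocking socket passes NULL for pPollDesc, run against the strict check and the relaxed one. All type and function names here are hypothetical stand-ins, and `io_pending` is a constructed flag.

```c
#include <stddef.h>

/* Simplified model, not NSS code: only the fields the check needs. */
typedef struct { int fd; } poll_desc_t;      /* stands in for PRPollDesc */
typedef struct {
    unsigned timeout;    /* 0 means non-blocking socket, as stated in the thread */
    int io_pending;      /* constructed flag: the I/O cannot complete right now */
    poll_desc_t pd;
} http_client_t;

enum { HC_OK = 0, HC_WOULD_BLOCK = 1, HC_NULL_ARGUMENT = -1 };

/* Relaxed check (after the fix): NULL is rejected only for a non-blocking client. */
int try_send_relaxed(http_client_t *c, poll_desc_t **pPollDesc)
{
    if (c == NULL)
        return HC_NULL_ARGUMENT;
    if (pPollDesc == NULL && c->timeout == 0)
        return HC_NULL_ARGUMENT;
    if (c->timeout == 0 && c->io_pending) {
        *pPollDesc = &c->pd;      /* caller has to poll this and retry */
        return HC_WOULD_BLOCK;
    }
    if (pPollDesc != NULL)
        *pPollDesc = NULL;        /* nothing left to wait on */
    return HC_OK;                 /* blocking client waited internally */
}

/* Strict check (before the fix): pPollDesc must be non-NULL in every mode. */
int try_send_strict(http_client_t *c, poll_desc_t **pPollDesc)
{
    if (pPollDesc == NULL)
        return HC_NULL_ARGUMENT;
    return try_send_relaxed(c, pPollDesc);
}

typedef int (*try_send_fn)(http_client_t *, poll_desc_t **);

/* Caller in the style the thread attributes to ocsp.c: it passes NULL and
 * expects the client to handle blocked I/O itself. */
int null_polldesc_caller(try_send_fn send, unsigned timeout)
{
    http_client_t c = { timeout, 1, { 3 } };
    return send(&c, NULL);
}

int main(void)
{
    /* Strict check fails the blocking caller; relaxed check lets it through. */
    return (null_polldesc_caller(try_send_strict, 60) == HC_NULL_ARGUMENT &&
            null_polldesc_caller(try_send_relaxed, 60) == HC_OK) ? 0 : 1;
}
```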
Comment 6 Nelson Bolyard (seldom reads bugmail) 2007-06-05 00:35:26 PDT
Comment on attachment 267231
fix parameter value disagreement

>+        if (!pPollDesc && client->timeout == 0) {
>+            PKIX_ERROR_FATAL(PKIX_NULLARGUMENT);
>+        }
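Review bot: the `client->timeout == 0` half of this condition stands in for "the socket is non-blocking" without saying so, which makes the check hard to read on its own. A one-line comment above the `if`, or a small named predicate for the test, would document that a NULL pPollDesc is rejected only for a non-blocking client and is accepted when the timeout is non-zero.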

Alexei,
Is client->timeout == 0 being used to mean "is a non-blocking socket" ?? (oy!)
Is there any other code in libpkix that uses that test for that purpose?
Comment 7 Alexei Volkov 2007-06-06 17:09:01 PDT
Yes, pkix creates a non-blocking socket if the timeout specified by the user is equal to 0. See pkix_pl_socket.c:pkix_pl_Socket_CreateClient.
Comment 8 Nelson Bolyard (seldom reads bugmail) 2007-06-07 02:15:20 PDT
Comment on attachment 267231
fix parameter value disagreement

I'm giving this r+.
If we need to revisit that particular aspect of this API, we can do that later.
Comment 9 Alexei Volkov 2007-06-07 11:19:09 PDT
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c,v  <--  pkix_pl_httpdefaultclient.c
new revision: 1.3; previous revision: 1.2
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c,v  <--  pkix_pl_lifecycle.c
new revision: 1.4; previous revision: 1.3
