Closed Bug 417024 Opened 17 years ago Closed 17 years ago

Convert libpkix error code into nss error code

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)

Details

(Whiteboard: PKIX NSS312B2)

Attachments

(4 files, 1 obsolete file)

Patch v2(files with interdependent changes)
215.79 KB, patch
nelson
: review+
Details | Diff | Splinter Review
Patch v3(files that required one more review)
7.35 KB, patch
nelson
: review+
Details | Diff | Splinter Review
fix HPUX builds
1.28 KB, patch
alvolkov.bgs
: review+
Details | Diff | Splinter Review
Fix build issue on hp
1.32 KB, patch
nelson
: review+
Details | Diff | Splinter Review
I've not found the bug related to the problem. Creating a new one... Need to have a way to convert libpkix error codes into nss error codes to provide returned code consistency in the future NSS releases. Nss-libpkix wrapper functions(CERT_PKIXVerifyCert and cert_VerifyCertChainPkix) currently return static error codes that does not corresponds to an actual cert chain validation problem.
Whiteboard: PKIX NSS312B2
Version: 3.12 → trunk
Attached patch Patch v1 (obsolete) — Splinter Review
Patch adds a third column into a table of pkix error codes(file pkix_errorstring.h). The third column make association between libpkix and pr error codes. Patch adds additional member (prCode) into PKIX_Error structure. PKIX_Error_Create sets an pr error code associated with pkix error when the function creates a bug. pkix_Throw function can overwrite undefined prCode value(if prCode is eq 0) for the leaf error(when "cause" eq NULL) by using a a value returned by PORT_GetError. cert_PkixErrorToNssCode asserts that every list of errors has at least one element with defined error(undefined nss error is set to SEC_ERROR_LIBPKIX_INTERNAL in optimized build).
Attachment #303430 - Flags: review?(nelson)
Comment on attachment 303430 [details] [diff] [review] Patch v1 Some parts of this patch can be committed now, others cannot. We believe that the changes to the following files are independent of the changes to the other files, and that committing these changes by themselves will not break anything. A test build will prove or disprove that hypothesis. Assuming it is true, then r+ for changes to these files: 1) Adding new NSS error codes cmd/lib/SECerrs.h lib/util/secerr.h 2) Files where the ONLY change is to change some old libPKIX error code to use some other old (already existing) PKIX error, such as PKIX_OUTOFMEMORY instead. lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c lib/libpkix/pkix_pl_nss/pki/pkix_pl_crlentry.c lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.c lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.c lib/libpkix/pkix_pl_nss/system/pkix_pl_bytearray.c 3) Others lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c lib/libpkix/pkix_pl_nss/system/pkix_pl_monitorlock.c lib/libpkix/pkix_pl_nss/system/pkix_pl_primhash.c We found some definite problems. R- for the following files: a) lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c Don't delete that default case in function pkix_pl_LdapDefaultClient_Destroy( b) lib/libpkix/pkix_pl_nss/system/pkix_pl_common.c Don't report false out of memory errors. c) Don't remove PKIX_ERROR calls in lib/libpkix/pkix_pl_nss/system/pkix_pl_rwlock.c d) lib/libpkix/pkix/certsel/pkix_certselector.c new PKIX_ERROR in the middle of a basic block code, can't be right because PKIX_ERROR is a goto. e) lib/libpkix/pkix/top/pkix_validate.c cert can be NULL The rest are all interdependent, and need to be reviewed together. Hopefully the next patch will be about half the size of this one.
Attachment #303430 - Flags: review?(nelson) → review-
Attachment #303430 - Attachment is obsolete: true
Attachment #304598 - Flags: review?(nelson)
Attachment #304601 - Flags: review?(nelson)
Comment on attachment 304601 [details] [diff] [review] Patch v3(files that required one more review) this looks good
Attachment #304601 - Flags: review?(nelson) → review+
Comment on attachment 304598 [details] [diff] [review] Patch v2(files with interdependent changes) r+ = nelson, with two changes: 1. This patch makes the following change in 6 places: >- PORT_SetError(SEC_ERROR_IO); /* need pkix->nss error map */ >+ cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); >+ PORT_SetError(nssErrorCode); > goto cleanup; It could factor that into one place with one label that does those two lines. 2. in Index: lib/libpkix/pkix/top/pkix_build.c after the label cleanup, we see: > } >+ if (!*pValResult && !verifyError) { >+ if (finalError) { >+ pkixErrorResult = finalError; >+ pkixErrorCode = finalError->errCode; >+ finalError = NULL; >+ goto cleanup; >+ } That goto creates an unintended loop. Please fix it.
Attachment #304598 - Flags: review?(nelson) → review+
both patched have been submitted. Patch v2 was also submitted with additional change(reverse to prior patch to pkix_pl_primhash.c): the function that adds key/value into hash continues to throw errors in case of the collisions. Fix requires more changes that will be made in a patch to bug 417645.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
This checkin caused the builds to fail on HPUX. I see why. There are two lines that are incorrect. Most compiler overlook this error, but not HPUX. I missed them in review. The lines are: pkix_error.c, line 55 -- extern const int const PKIX_PLErrorIndex[]; pkix_pl_error.c, line 50 -- const SECErrorCodes const PKIX_PLErrorIndex[] = There are three problems. 1) These two declarations disagree on the type of the array elements. They must agree. 2) The "extern" declaration in pkix_error.c needs to be in a header file that is included by both pkix_error.c and pkix_pl_error.c. This will detect any future inconsistencies. In fact, all such "extern" declarations that are found in .c files need to be moved into header files for this reason. 3) The double const on those lines is incorrect. remove the second one. Note that nearby is another similar declaration, which reads: const char * const PKIX_ErrorText[] = That declaration is correct. It is the presence of the '*' that makes it correct. That declaration says that the contents of the array are all constant, and that the chars to which they point are also constant. But since the declaration of PKIX_PLErrorIndex doesn't include any '*', both const words apply to the same values, the array members.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch fix HPUX buildsSplinter Review
This patch doesn't address all the issues I raised, but it should get HPUX building again.
Attachment #306205 - Flags: review?(alexei.volkov.bugs)
Priority: -- → P1
Attachment #306205 - Flags: review?(alexei.volkov.bugs) → review+
Comment on attachment 306205 [details] [diff] [review] fix HPUX builds pkix/util/pkix_error.c; new 1.11; previous 1.10 pkix_pl_nss/system/pkix_pl_error.c; new 1.2; previous 1.1 If the HPUX nightly builds succeed again tonight, this bug can be marked fixed, again.
Attachment #306626 - Flags: review?(nelson)
Comment on attachment 306626 [details] [diff] [review] Fix build issue on hp This will also fix it. Going forward, we will only add new members to the end of structures.
Attachment #306626 - Flags: review?(nelson) → review+
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c,v <-- pkix_pl_lifecycle.c new revision: 1.18; previous revision: 1.17
Build succeeded on HPUX. closing the bug.
Status: REOPENED → RESOLVED
Closed: 17 years ago17 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: