Closed
Bug 417664
Opened 17 years ago
Closed 17 years ago
false positive crl revocation test on ppc/ppc64 NSS_ENABLE_PKIX_VERIFY=1
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12
People
(Reporter: KaiE, Assigned: nelson)
References
Details
(Whiteboard: PKIX NSS312B2)
Attachments
(1 file, 3 obsolete files)
3.14 KB,
patch
|
KaiE
:
review+
|
Details | Diff | Splinter Review |
This bug is seen with both NSS 3.12 beta 1
and a snapshot of the tip that is about 2-3 days old.
For the very first time I ran the NSS test suite on Linux machines with ppc and pcc64 processors. Fedora ships for those. Example hardware is Mac or PS3.
With both ppc and ppc64 I ran into the same test failures, CRL revocation tests as part of a SSL client auth handshake.
Number of failures: 130
All failures say: "produced a returncode of 0, expected is {1 or 254}"
All failures were during CRL tests.
Tests failures during all stages of tests, with cache or without, etc.
Sample lines:
ssl.sh: #1195: TLS Request don't require client auth (client auth) (cert TestUser40 - revoked) produced a returncode of 0, expected is 254 - FAILED
ssl.sh: #1197: TLS Request don't require client auth (client auth) (cert TestUser42 - revoked) produced a returncode of 0, expected is 254 - FAILED
ssl.sh: #1204: TLS Require client auth (client auth) (cert TestUser40 - revoked) produced a returncode of 0, expected is 254 - FAILED
ssl.sh: #1206: TLS Require client auth (client auth) (cert TestUser42 - revoked) produced a returncode of 0, expected is 254 - FAILED
ssl.sh: #1213: SSL3 Request don't require client auth (client auth) (cert TestUser40 - revoked) produced a returncode of 0, expected is 254 - FAILED
...
ssl.sh: #1502: SSL3 Require client auth on 2nd hs (client auth)(cert TestUser48 - revoked) produced a returncode of 0, expected is 1 - FAILED
ssl.sh: #1503: SSL3 Require client auth on 2nd hs (client auth)(cert TestUser49 - revoked) produced a returncode of 0, expected is 1 - FAILED
ssl.sh: #1504: SSL3 Require client auth on 2nd hs (client auth)(cert TestUser50 - revoked) produced a returncode of 0, expected is 1 - FAILED
ssl.sh: #1506: SSL3 Require client auth on 2nd hs (client auth)(cert TestUser52 - revoked) produced a returncode of 0, expected is 1 - FAILED
I found that all.sh is executing the tests in 4 "rounds".
All failures happen in the 2nd round which enables NSS_ENABLE_PKIX_VERIFY=1
After the test suite completed, I was able to run the following commands to reproduce the false positive:
mkdir test
cd test
NSS_ENABLE_PKIX_VERIFY="1" selfserv -D -p 8555 -d ../pkix/server -n localhost.localdomain -w nss -r -i ./spid &
tstclnt -p 8555 -h localhost.localdomain -f -d ../pkix/client -w nss -n TestUser40 < /home/kaie/nss/head/mozilla/security/nss/tests/ssl/sslreq.dat
echo $?
this returns 0 instead of the expected 254.
It does not matter whether I specify env variable for tstclnt.
When I start selfserv without NSS_ENABLE_PKIX_VERIFY="1",
then the above sequence gives the expected return code 0.
Reporter | ||
Comment 1•17 years ago
|
||
I have an isolated test case that can be used without running the test suite.
I made use of the test suite files.
I copied the "client" database directory.
I imported the CRL from the server directory that revokes TestUser40.
On PS3 / ppc64:
# correct:
[kaie@kaieps3 cc2]$ certutil -d . -V -n TestUser40 -u C
certutil: certificate is invalid: Peer's Certificate has been revoked.
# false positive:
[kaie@kaieps3 cc2]$ NSS_ENABLE_PKIX_VERIFY="1" certutil -d . -V -n TestUser40 -u C
certutil: certificate is valid
I compiled the same NSS snapshot on a i386 machine.
I copied the very same db directory to the i386 machine, and I'm excuting the same commands. Here are the results:
# i386
# correct
[kaie@r61fast:~/moz/nss/head/cc2]$ certutil -d . -V -n TestUser40 -u C
certutil: certificate is invalid: Peer's Certificate has been revoked.
# different wording, but at least it indicates the verification failure
[kaie@r61fast:~/moz/nss/head/cc2]$ NSS_ENABLE_PKIX_VERIFY="1" certutil -d . -V -n TestUser40 -u C
certutil: certificate is invalid: This certificate is not valid.
I hope this reduced test case allows us to debug the failure more easily.
Alexei, Julien, do you have ideas where I could set breakpoints to find the difference in behavior?
Reporter | ||
Comment 2•17 years ago
|
||
Or is there any logging functionality in libpkix that I could switch on and that would actually provide us with some helpful output?
Reporter | ||
Comment 3•17 years ago
|
||
I just tested this on a Mac OS X 10.4 machine with a ppc processor.
I tested the reduced test case (not the full test suite).
It shows the same false positive.
Linux PS3 PPC64 and Mac OS X PPC behave the same.
Reporter | ||
Comment 4•17 years ago
|
||
kai-engerts-mac-mini:~/nss/head/cc2 kengert$ certutil -d . -V -n TestUser40 -u C
certutil: certificate is invalid: Peer's Certificate has been revoked.
kai-engerts-mac-mini:~/nss/head/cc2 kengert$ NSS_ENABLE_PKIX_VERIFY="1" certutil -d . -V -n TestUser40 -u C
certutil: certificate is valid
Assignee | ||
Comment 5•17 years ago
|
||
I'm assigning to Alexei, who is out today. Kai, your continued help is
appreciated.
Assignee: nobody → alexei.volkov.bugs
Severity: normal → critical
Priority: -- → P1
Whiteboard: PKIX NSS312B2
Target Milestone: --- → 3.12
Reporter | ||
Comment 6•17 years ago
|
||
I uploaded a tar.gz archive containing that database directory: http://kuix.de/mozilla/bug417664/cc2.tar.gz
Reporter | ||
Comment 7•17 years ago
|
||
The bug is due to some broken code in libpkix.
Nelson is currently looking into the right fix.
FYI, the following minimal code behaves differently on i386 and pcc.
On i386 it prints 2147483648.
On ppc it prints 0.
#include <stdio.h>
int main(int argc, char *argv[])
{
int shifter = 0;
unsigned int target = 0;
target |= (1 << (shifter -1));
printf("%u\n", target);
}
Assignee | ||
Comment 8•17 years ago
|
||
This fixes line 732 to match line 439.
Assignee: alexei.volkov.bugs → nelson
Status: NEW → ASSIGNED
Attachment #303585 -
Flags: review?(kengert)
Assignee | ||
Comment 9•17 years ago
|
||
By stepping through the code on two systems, Kai found that the behavior
of line 732 was different on the two systems.
732 allReasonCodes |= (1 << (reasonCode - 1));
with both variables initially zero, the PPC system set allReasonCodes to zero,
the X86 set it to 0x8000000. The X86 treated the negative value as a circular
right shift, and the PPC apparently treated it as an end-off (non-circular)
right shift. Then the code stores this value in another variable
743 state->reasonCodeMask |= allReasonCodes;
Examining the code, I found that on line 439, the code computes it as
439 state->reasonCodeMask |= 1 << reasonCode;
So, I believe the fix is to change line 732 to match line 439 in this shift
computation.
Assignee | ||
Comment 10•17 years ago
|
||
Attachment #303590 -
Flags: review?
Assignee | ||
Comment 11•17 years ago
|
||
This patch also fixes some other egregious errors in that source file.
Attachment #303585 -
Attachment is obsolete: true
Attachment #303591 -
Flags: review?(kengert)
Attachment #303585 -
Flags: review?(kengert)
Assignee | ||
Comment 12•17 years ago
|
||
Comment on attachment 303590 [details] [diff] [review]
patch v2 - also fix other bugs found by inspection
Don't know how this got submitted twice. I got an error first time, but it looks like the patch was attached anyway.
Attachment #303590 -
Attachment is obsolete: true
Attachment #303590 -
Flags: review?
Reporter | ||
Comment 13•17 years ago
|
||
Nelson, what should happen if PKIX_PL_CRLEntry_GetCRLEntryReasonCode returns a value greater than the number of defined strings? In other words if reasonCode >= numReasonCodes?
With this patch, unknown codes will cause allReasonCodes to remain unchanged (at 0). If allReasonCodes remains at zero, no revocation will be reported.
Would it be wise to fail on any reasonCode >= 0 ?
(Because of the buggy old code, the upper limit for codes treated as "revoked" was much higher.)
Assignee | ||
Comment 14•17 years ago
|
||
Yes. Perhaps this code should say something like this:
if (reasonCode >= 0) {
if (reasonCode >= numReasonCodes)
reasonCode = 0; /* use "unknown" */
...
Assignee | ||
Comment 15•17 years ago
|
||
Kai observes that if we have a reason code, the cert should be considered
revoked, even if that reason code number is out of range.
Attachment #303591 -
Attachment is obsolete: true
Attachment #303613 -
Flags: review?(kengert)
Attachment #303591 -
Flags: review?(kengert)
Assignee | ||
Updated•17 years ago
|
Attachment #303613 -
Flags: review?(alexei.volkov.bugs)
Comment 16•17 years ago
|
||
I think this may be a dupe of bug 400676 , which is about CRL problems on AIX - an OS that's also PPC-based. The bug has been on my plate for a while but I hadn't been able to investigate yet for various reasons. I will try the patch and see if it resolves the issue there too.
Reporter | ||
Comment 17•17 years ago
|
||
Comment on attachment 303591 [details] [diff] [review]
patch v2 - also fix other bugs found by inspection
I ran the test suite on both i386 and ppc64 with this patch and it succeeded!
Reporter | ||
Comment 18•17 years ago
|
||
Comment on attachment 303613 [details] [diff] [review]
patch v3 - address an issue identified by Kai (checked in)
r=kengert
This is an improvement over v2, thanks for addressing my concern.
Attachment #303613 -
Flags: review?(kengert) → review+
Assignee | ||
Comment 19•17 years ago
|
||
Comment on attachment 303613 [details] [diff] [review]
patch v3 - address an issue identified by Kai (checked in)
Checking in pkix/top/pkix_defaultcrlchecker.c;
new revision: 1.7; previous revision: 1.6
Attachment #303613 -
Attachment description: patch v3 - address an issue identified by Kai → patch v3 - address an issue identified by Kai (checked in)
Attachment #303613 -
Flags: review?(alexei.volkov.bugs)
Assignee | ||
Updated•17 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•