Last Comment Bug 473365 - Incompatible argument in pkix_validate.c.
: Incompatible argument in pkix_validate.c.
Status: RESOLVED FIXED
PKIX
:
Product: NSS
Classification: Components
Component: Build (show other bugs)
: trunk
: All All
: -- normal (vote)
: 3.12.3
Assigned To: Alexei Volkov
:
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-13 04:29 PST by Slavomir Katuscak
Modified: 2009-01-29 10:28 PST (History)
0 users
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Fix the warning. (690 bytes, patch)
2009-01-13 13:27 PST, Alexei Volkov
no flags Details | Diff | Splinter Review
Patch v2 - fix the warning and properly propagate crl revocation check error codes (9.55 KB, patch)
2009-01-15 14:35 PST, Alexei Volkov
no flags Details | Diff | Splinter Review
Patch v3 - changes to use reason code to pass the acctual revocation reason of the cert (15.17 KB, patch)
2009-01-23 16:26 PST, Alexei Volkov
nelson: review+
Details | Diff | Splinter Review

Description Slavomir Katuscak 2009-01-13 04:29:25 PST
Warning from PKIX code building:

cc -o SunOS5.10_OPT.OBJ/pkix_validate.o -c -xO4 -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT -DSOLARIS2_10 -D_SVID_GETTOD -xarch=v8 -DXP_UNIX -UDEBUG -DNDEBUG -DNSS_ENABLE_ECC -DNSS_ECC_MORE_THAN_SUITE_B -DUSE_UTIL_DIRECTLY -I/usr/dt/include -I/usr/openwin/include -I../../../../../../dist/SunOS5.10_OPT.OBJ/include  -I../../../../../../dist/public/nss -I../../../../../../dist/private/nss -I../../../../../../dist/public/dbm  pkix_validate.c
"pkix_validate.c", line 802: warning: argument #8 is incompatible with prototype:
	prototype: pointer to unsigned int : "../../../../../../dist/private/nss/pkix_revchecker.h", line 236
	argument : pointer to enum  {SEC_ERROR_END_OF_LIST(-8022), SEC_ERROR_PKCS11_DEVICE_ERROR(-8023), SEC_ERROR_PKCS11_FUNCTION_FAILED(-8024), SEC_ERROR_PKCS11_GENERAL_ERROR(-8025), SEC_ERROR_LIBPKIX_INTERNAL(-8026), SEC_ERROR_BAD_INFO_ACCESS_LOCATION(-8027), SEC_ERROR_FAILED_TO_ENCODE_DATA(-8028), SEC_ERROR_BAD_LDAP_RESPONSE(-8029), SEC_ERROR_BAD_HTTP_RESPONSE(-8030), SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE(-8031), SEC_ERROR_POLICY_VALIDATION_FAILED(-8032), SEC_ERROR_INVALID_POLICY_MAPPING(-8033), SEC_ERROR_OUT_OF_SEARCH_LIMITS(-8034), SEC_ERROR_OCSP_BAD_SIGNATURE(-8035), SEC_ERROR_OCSP_RESPONDER_CERT_INVALID(-8036), SEC_ERROR_TOKEN_NOT_LOGGED_IN(-8037), SEC_ERROR_NOT_INITIALIZED(-8038), SEC_ERROR_CRL_ALREADY_EXISTS(-8039), SEC_ERROR_NO_EVENT(-8040), SEC_ERROR_INCOMPATIBLE_PKCS11(-8041), SEC_ERROR_UNKNOWN_OBJECT_TYPE(-8042), SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION(-8043), SEC_ERROR_CRL_V1_CRITICAL_EXTENSION(-8044), SEC_ERROR_CRL_INVALID_VERSION(-8045), SEC_ERROR_REVOKED_CERTIFICAT!
 E_OCSP(-8046), SEC_ERROR_REVOKED_CERTIFICATE_CRL(-8047), SEC_ERROR_OCSP_INVALID_SIGNING_CERT(-8048), SEC_ERROR_UNRECOGNIZED_OID(-8049), SEC_ERROR_UNSUPPORTED_EC_POINT_FORM(-8050), SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE(-8051), SEC_ERROR_EXTRA_INPUT(-8052), SEC_ERROR_BUSY(-8053), SEC_ERROR_REUSED_ISSUER_AND_SERIAL(-8054), SEC_ERROR_CRL_NOT_FOUND(-8055), SEC_ERROR_BAD_TEMPLATE(-8056), SEC_ERROR_MODULE_STUCK(-8057), SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE(-8058), SEC_ERROR_DIGEST_NOT_FOUND(-8059), SEC_ERROR_OCSP_OLD_RESPONSE(-8060), SEC_ERROR_OCSP_FUTURE_RESPONSE(-8061), SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE(-8062), SEC_ERROR_OCSP_MALFORMED_RESPONSE(-8063), SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER(-8064), SEC_ERROR_OCSP_NOT_ENABLED(-8065), SEC_ERROR_OCSP_UNKNOWN_CERT(-8066), SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS(-8067), SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST(-8068), SEC_ERROR_OCSP_REQUEST_NEEDS_SIG(-8069), SEC_ERROR_OCSP_TRY_SERVER_LATER(-8070), SEC_ERROR_OCSP_SERVER_ERROR(-8071), SEC_ERROR_!
 OCSP_MALFORMED_REQUEST(-8072), SEC_ERROR_OCSP_BAD_HTTP_RESPONS!
 E(-8073)
, SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE(-8074), SEC_ERROR_CERT_BAD_ACCESS_LOCATION(-8075), SEC_ERROR_UNKNOWN_SIGNER(-8076), SEC_ERROR_UNKNOWN_CERT(-8077), SEC_ERROR_CRL_NOT_YET_VALID(-8078), SEC_ERROR_KRL_NOT_YET_VALID(-8079), SEC_ERROR_CERT_NOT_IN_NAME_SPACE(-8080), SEC_ERROR_CKL_CONFLICT(-8081), SEC_ERROR_OLD_KRL(-8082), SEC_ERROR_JS_DEL_MOD_FAILURE(-8083), SEC_ERROR_JS_ADD_MOD_FAILURE(-8084), SEC_ERROR_JS_INVALID_DLL(-8085), SEC_ERROR_JS_INVALID_MODULE_NAME(-8086), SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY(-8087), SEC_ERROR_NOT_FORTEZZA_ISSUER(-8088), SEC_ERROR_BAD_NICKNAME(-8089), SEC_ERROR_RETRY_OLD_PASSWORD(-8090), SEC_ERROR_INVALID_PASSWORD(-8091), SEC_ERROR_KEYGEN_FAIL(-8092), SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED(-8093), SEC_ERROR_PKCS12_UNABLE_TO_READ(-8094), SEC_ERROR_PKCS12_UNABLE_TO_WRITE(-8095), SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY(-8096), SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME(-8097), SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN(-8098), SEC_ERROR_PKCS12_U!
 NABLE_TO_IMPORT_KEY(-8099), SEC_ERROR_CERT_ADDR_MISMATCH(-8100), SEC_ERROR_INADEQUATE_CERT_TYPE(-8101), SEC_ERROR_INADEQUATE_KEY_USAGE(-8102), SEC_ERROR_MESSAGE_SEND_ABORTED(-8103), SEC_ERROR_PKCS12_DUPLICATE_DATA(-8104), SEC_ERROR_USER_CANCELLED(-8105), SEC_ERROR_PKCS12_CERT_COLLISION(-8106), SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT(-8107), SEC_ERROR_PKCS12_UNSUPPORTED_VERSION(-8108), SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM(-8109), SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE(-8110), SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE(-8111), SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM(-8112), SEC_ERROR_PKCS12_INVALID_MAC(-8113), SEC_ERROR_PKCS12_DECODING_PFX(-8114), SEC_ERROR_IMPORTING_CERTIFICATES(-8115), SEC_ERROR_EXPORTING_CERTIFICATES(-8116), SEC_ERROR_BAD_EXPORT_ALGORITHM(-8117), XP_JAVA_CERT_NOT_EXISTS_ERROR(-8118), XP_JAVA_DELETE_PRIVILEGE_ERROR(-8119), XP_JAVA_REMOVE_PRINCIPAL_ERROR(-8120), SEC_ERROR_BAGGAGE_NOT_CREATED(-8121), SEC_ERROR_SAFE_NOT_CREATED(-8122), SEC_ERROR_!
 KEY_NICKNAME_COLLISION(-8123), SEC_ERROR_CERT_NICKNAME_COLLISI!
 ON(-8124
), SEC_ERROR_NO_SLOT_SELECTED(-8125), SEC_ERROR_READ_ONLY(-8126), SEC_ERROR_NO_TOKEN(-8127), SEC_ERROR_NO_MODULE(-8128), SEC_ERROR_NEED_RANDOM(-8129), SEC_ERROR_KRL_INVALID(-8130), SEC_ERROR_REVOKED_KEY(-8131), SEC_ERROR_KRL_BAD_SIGNATURE(-8132), SEC_ERROR_KRL_EXPIRED(-8133), SEC_ERROR_NO_KRL(-8134), XP_SEC_FORTEZZA_PERSON_ERROR(-8135), XP_SEC_FORTEZZA_BAD_PIN(-8136), XP_SEC_FORTEZZA_NO_MORE_INFO(-8137), XP_SEC_FORTEZZA_PERSON_NOT_FOUND(-8138), XP_SEC_FORTEZZA_MORE_INFO(-8139), XP_SEC_FORTEZZA_NONE_SELECTED(-8140), XP_SEC_FORTEZZA_NO_CARD(-8141), XP_SEC_FORTEZZA_BAD_CARD(-8142), SEC_ERROR_DECRYPTION_DISALLOWED(-8143), SEC_ERROR_UNSUPPORTED_KEYALG(-8144), SEC_ERROR_PKCS7_BAD_SIGNATURE(-8145), SEC_ERROR_PKCS7_KEYALG_MISMATCH(-8146), SEC_ERROR_NOT_A_RECIPIENT(-8147), SEC_ERROR_NO_RECIPIENT_CERTS_QUERY(-8148), SEC_ERROR_NO_EMAIL_CERT(-8149), SEC_ERROR_OLD_CRL(-8150), SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION(-8151), SEC_ERROR_INVALID_KEY(-8152), SEC_INTERNAL_ONLY(-8153), SEC_ERROR_CE!
 RT_USAGES_INVALID(-8154), SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID(-8155), SEC_ERROR_CA_CERT_INVALID(-8156), SEC_ERROR_EXTENSION_NOT_FOUND(-8157), SEC_ERROR_EXTENSION_VALUE_INVALID(-8158), SEC_ERROR_CRL_INVALID(-8159), SEC_ERROR_CRL_BAD_SIGNATURE(-8160), SEC_ERROR_CRL_EXPIRED(-8161), SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE(-8162), SEC_ERROR_CERT_NO_RESPONSE(-8163), SEC_ERROR_CERT_NOT_VALID(-8164), SEC_ERROR_CERT_VALID(-8165), SEC_ERROR_NO_KEY(-8166), SEC_ERROR_FILING_KEY(-8167), SEC_ERROR_ADDING_CERT(-8168), SEC_ERROR_DUPLICATE_CERT_NAME(-8169), SEC_ERROR_DUPLICATE_CERT(-8170), SEC_ERROR_UNTRUSTED_CERT(-8171), SEC_ERROR_UNTRUSTED_ISSUER(-8172), SEC_ERROR_NO_MEMORY(-8173), SEC_ERROR_BAD_DATABASE(-8174), SEC_ERROR_NO_NODELOCK(-8175), SEC_ERROR_RETRY_PASSWORD(-8176), SEC_ERROR_BAD_PASSWORD(-8177), SEC_ERROR_BAD_KEY(-8178), SEC_ERROR_UNKNOWN_ISSUER(-8179), SEC_ERROR_REVOKED_CERTIFICATE(-8180), SEC_ERROR_EXPIRED_CERTIFICATE(-8181), SEC_ERROR_BAD_SIGNATURE(-8182), SEC_ERROR_BAD_DER(-81!
 83), SEC_ERROR_INVALID_TIME(-8184),}

One problem is warning itself (something is wrong), second is that this error message contains FAIL substring, which I usually use for searching for failures in Tinderbox logs.
Comment 1 Alexei Volkov 2009-01-13 13:27:44 PST
Created attachment 356812 [details] [diff] [review]
Fix the warning.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2009-01-13 14:05:17 PST
Comment on attachment 356812 [details] [diff] [review]
Fix the warning.

I suppose this does silence the warning, (so would a cast), but changing
the type from SECErrorCodes to PKIX_UInt32 seems like going in the wrong
direction.  Maybe the type of the pointer argument that should change.
Comment 3 Nelson Bolyard (seldom reads bugmail) 2009-01-14 17:04:48 PST
Comment on attachment 356812 [details] [diff] [review]
Fix the warning.

Alexei and I discussed this yesterday, and I learned that the reason this
variable is a type PKIX_UInt32 and not a SECErrorCodes is that the values 
it contains may be either NSS error codes (which are all negative numbers)
or CRL revocation reason codes from the enum typedef named CERTCRLEntryReasonCodeEnum, which are small non-negative numbers.  

So, in effect, this value represents a number for a new space of numbers
which is a superset of the set of NSS/NSPR error codes.  I'm quite sure
that we do NOT want values in this new space to get out to callers of 
NSS.  We do NOT want this new number space to become part of the NSS 
public API for which binary compatibility must be preserved.  

The only question remaining, which I cannot answer, is: is there any 
public NSS API through which values in this new space could get output 
to an external caller of an NSS shared library?  If so, then I want to
expand the scope of this bug to including solving that problem.
Comment 4 Alexei Volkov 2009-01-15 14:35:45 PST
Created attachment 357236 [details] [diff] [review]
Patch v2 - fix the warning and properly propagate crl revocation check error codes
Comment 5 Alexei Volkov 2009-01-15 16:52:29 PST
(In reply to comment #3)
> (From update of attachment 356812 [details] [diff] [review])
> The only question remaining, which I cannot answer, is: is there any 
> public NSS API through which values in this new space could get output 
> to an external caller of an NSS shared library?  If so, then I want to
> expand the scope of this bug to including solving that problem.

No there is no API that can make this values available for outside caller. Never the less, I think merging values from two different spaces and providing a single variable to carry it was a mistake. 

The second patch fixes it by making sure that we return only SEC_ERRRORs(from ocsp or crl checkers) through reasonCode(Uint 32) variable. If we need a revocation reason code for a particular cert, then we will need to add another parameter to pkix revocation API.
Comment 6 Alexei Volkov 2009-01-23 16:26:47 PST
Created attachment 358512 [details] [diff] [review]
Patch v3 - changes to use reason code to pass the acctual revocation reason of the cert

Also fixes propagation of an error received from revocation checker.
Comment 7 Nelson Bolyard (seldom reads bugmail) 2009-01-27 14:51:48 PST
Comment on attachment 358512 [details] [diff] [review]
Patch v3 - changes to use reason code to pass the acctual revocation reason of the cert

r=nelson
Comment 8 Alexei Volkov 2009-01-29 10:28:40 PST
patch is committed.

Note You need to log in before you can comment on or make changes to this bug.