sec_error_invalid_args with NSS_ENABLE_PKIX_VERIFY=1

RESOLVED FIXED in 3.12.3

Status

NSS
Libraries
P1
major
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: Rob Stradling, Assigned: Alexei Volkov)

Details

(Whiteboard: PKIX)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Build Identifier: trunk

As reported in bug #483168 comment #43, the current Firefox HEAD + NSS HEAD shows a sec_error_invalid_args error when attempting to navigate to various https sites.

Affected sites include:
https://www.verisign.com
https://secure.comodo.com
https://www.globalsign.com

Unaffected sites include:
https://www.entrust.net
https://www.startssl.com

This problem did not occur 1 month ago when I reported bug #479508 comment #2.

Reproducible: Always
The crucial detail for this bug is that it only occurs when 
NSS_ENABLE_PKIX_VERIFY=1 is set.

So, this bug will be "major" when that condition becomes the default,
but not until then.
Assignee: nobody → alexei.volkov.bugs
Priority: -- → P1
Whiteboard: PKIX
Target Milestone: --- → 3.12.4
(Assignee)

Comment 2

8 years ago
The problem was introduced in the patch for bug 444404. It happens when the pkix_VerifyNode_SetError function sets the "unknown issuer" error into verifyNode - the variable that is supposed to point to the validation error log.

  pkix_VerifyNode_SetError(verifyNode, verifyError,
                           plContext),

Only in this case it is incorrect to use verifyNode. state->verifyNode should have been used instead of it. pkix_VerifyNode_SetError returns an "invalid argument" error since verifyNode is NULL in the context.

  pkix_VerifyNode_SetError(state->verifyNode, verifyError,
                           plContext),
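
The mistake described in comment 2, as a reduced C model added here for illustration (it is not NSS source and not the attached patch). The types and the functions node_set_error, record_unknown_issuer_buggy and record_unknown_issuer_fixed are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins, not NSS types. */
typedef enum { ERR_NONE = 0, ERR_INVALID_ARGS, ERR_UNKNOWN_ISSUER } ModelErr;
typedef struct { ModelErr error; } VerifyNode;          /* validation error log */
typedef struct { VerifyNode *verifyNode; } BuildState;  /* owns the real log pointer */

/* Models the behaviour comment 2 attributes to pkix_VerifyNode_SetError:
 * a NULL node is rejected with "invalid argument". */
static ModelErr node_set_error(VerifyNode *node, ModelErr e)
{
    if (node == NULL)
        return ERR_INVALID_ARGS;
    node->error = e;
    return ERR_NONE;
}

/* Before: the local pointer is NULL on this path, so the real failure
 * is never logged and the caller gets "invalid argument" instead. */
ModelErr record_unknown_issuer_buggy(BuildState *state)
{
    VerifyNode *verifyNode = NULL;
    (void)state;
    return node_set_error(verifyNode, ERR_UNKNOWN_ISSUER);
}

/* After: write through the pointer held in the state. */
ModelErr record_unknown_issuer_fixed(BuildState *state)
{
    return node_set_error(state->verifyNode, ERR_UNKNOWN_ISSUER);
}

int main(void)
{
    VerifyNode log = { ERR_NONE };
    BuildState state = { &log };
    ModelErr rv = record_unknown_issuer_buggy(&state);
    printf("buggy: rv=%d logged=%d\n", rv, log.error);
    rv = record_unknown_issuer_fixed(&state);
    printf("fixed: rv=%d logged=%d\n", rv, log.error);
    return 0;
}
```

In the buggy variant the caller sees only the argument error and the log stays empty, which matches the symptom in the report: sec_error_invalid_args rather than the validation result.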
(Assignee)

Comment 3

8 years ago
Created attachment 368936
Patch v1 - use correct pointer to pkix error log structure
Attachment #368936 - Flags: review?(nelson)
Comment on attachment 368936
Patch v1 - use correct pointer to pkix error log structure

r=nelson
Attachment #368936 - Flags: review?(nelson) → review+
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Version: unspecified → trunk
(Assignee)

Comment 5

8 years ago
> (From update of attachment 368936)
committed.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Target Milestone: 3.12.4 → 3.12.3