Closed
Bug 53126
Opened 24 years ago
Closed 23 years ago
CRL v2 should not crash NSS.
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.3
People
(Reporter: wtc, Assigned: rrelyea)
References
Details
Attachments
(2 files)
461 bytes,
application/x-pkcs7-crl
|
Details | |
880 bytes,
patch
|
Details | Diff | Splinter Review |
Right now if we receive CRL v2, NSS crashes. NSS should not crash when CRL v2 is received.
Reporter | ||
Updated•24 years ago
|
Target Milestone: --- → 3.3
Reporter | ||
Comment 2•24 years ago
|
||
Here is javi's description of this bug: DoD has requested that PSM be able to parse v2 CRLs. The client does not have to know how to process the advanced features of v2 CRLs, but the client should not crash. Currently PSM crashes because NSS can't parse v2 CRLs.
Reporter | ||
Comment 3•23 years ago
|
||
I am raising the priority of this bug to P1. We need to get this fixed on the version of NSS in PSM 1.4, as well as the NSS 3.2 branch and the trunk. Bob, is this easy to fix? We just need to make NSS not to crash when a v2 CRL is received.
Priority: P3 → P1
Assignee | ||
Comment 4•23 years ago
|
||
It should be relatively easy if we have a V2 CRL with its associated CA we can test with. bob
Assignee | ||
Comment 5•23 years ago
|
||
OK, I got a CRL from Michael Brown. and PSM 2.0 has no problem parsing it. I went back and looked at the code, and the v2 parsing support for NSS seems to be in since March 2000, maybe even earlier. So I guess what I need is a sample of a V2 CRL that does crash PSM2.0. I'll attach the CRL that seems to be working. bob
Assignee | ||
Comment 6•23 years ago
|
||
Assignee | ||
Comment 7•23 years ago
|
||
OK, I spoke too soon. The v2 CRL does indeed crash PSM 2.0 on load. I had my helper apps messed up and IE was parsing the V2 CRL (sigh). If you click on the attachment under Communicator, the V2 CRL won't load. If you click under PSM 2.0, it crashes. I can run pp -i crl v22.crl just fine from the latest version of NSS. I'll try running some of the other tools on this as well. bob
Status: NEW → ASSIGNED
Reporter | ||
Comment 8•23 years ago
|
||
Bob, is this fixed?
Reporter | ||
Updated•23 years ago
|
Severity: normal → major
Target Milestone: 3.3 → 3.2.2
Assignee | ||
Comment 9•23 years ago
|
||
Hmmm... Well the mysterious crash has now disappeared. My guess is it was crashing in some higher level code in mozilla. NOTE: just like communicator, the CRL does not load because it has extensions we don't understand, which is currently expected behaviour. bob
Comment 10•23 years ago
|
||
When you click on the CRL url, Mozilla will download the CRL. Questions: What happens with the most recent builds during this download? What happens when the client tries to reference this CRL (e.g. when visiting an SSL site)? and most importantly... Does that differ from the customer's expected behavior? If so, how?
Assignee | ||
Comment 11•23 years ago
|
||
In Communicator: the load fails with an error. In Netscape 6: the load silently fails. The CRL is never loaded, so there is no viewing issues. The bug is that attempting to load the CRL actually crashed mozilla. If we want the load to succeed then that's a separate bug, which I can start working on if we think the client will pick up the change and it's higher priority then my 3.4 work (both of these seems probably but not given). The biggest difference here is the silent failure. We verified that NSS is returning an error, and it looks like PSM is returning an error to the next level up, but no one puts up an error dialog.
Assignee | ||
Comment 12•23 years ago
|
||
OK, I do have a fix for actually loading this v2 CRL. This v2 CRL claims to be V2 but has not critical extensions. Unfortunately we check to see if the CRL is a v2 CRL, and if it is, we try to enforce the rule that v2 CRL's must have at least one critical extension. This rule is a source of heavy debate in the standards committe, and I don't think we should be enforcing it on accepting CRL's.... especially since we don't understand any critical extentions. I have a fix checked into the NSS tip, mozilla/security/nss/lib/certdb/crl.c rev 1.3. Should we try to get this into the PSM branch? bob
Reporter | ||
Comment 13•23 years ago
|
||
Bob, could you attach your v2 CRL loading patch to this bug report? This is required for code review, for both Mozilla and NSS 3.3. This fix needs to go into Mozilla.
Assignee | ||
Comment 14•23 years ago
|
||
Assignee | ||
Comment 15•23 years ago
|
||
PSM no longer crashes with V2 certificates.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 16•23 years ago
|
||
This fix is not in 3.2.2. It is in 3.3 and on the 3.2 branch. Since we are not planning to make any new 3.2.x releases, I am setting the target milestone to 3.3.
Target Milestone: 3.2.2 → 3.3
You need to log in
before you can comment on or make changes to this bug.
Description
•