Closed Bug 74343 Opened 24 years ago Closed 23 years ago

PSM fails to handle very large CRLs

Categories

(Core Graveyard :: Security: UI, defect, P1)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Platform:
x86
Windows 2000
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.0

People

(Reporter: lord, Assigned: ddrinan0264)

References

(
URL
)

Details

(Whiteboard: PDT+; verified.)

Attachments

(2 files)

patch to mozilla/security/nss/lib/certdb/pcertdb.c
842 bytes, patch
Details | Diff | Splinter Review
Updated patch with wtc's comments.
944 bytes, patch
Details | Diff | Splinter Review
From a user: I found that two large CRLs (114 KB and 38 KB) would not load, while smaller ones (under 17 KB) loaded without a problem.
Target -> 2.0
Target Milestone: --- → 2.0
-> p1
Priority: -- → P1
version -> 2.0 Need to keep this on the radar. RTM bugs query we ran used version 2.0.
Version: 1.01 → 2.0
Adding relyea to cc-list. I've traced the problem into NSS. The import of the crl is successful, it's the retrieval that fails. Here is the stack trace: DecodeDBCrlEntry(_certDBEntryRevocation * 0x0012716c, SECItemStr * 0x00127194) line 876 CollectCrls(SECItemStr * 0x001271ec, SECItemStr * 0x001271d4, int 4, void * 0x0500e2f8) line 6677 + 13 bytes SEC_TraverseDBEntries(CERTCertDBHandleStr * 0x02c09c58, int 4, int (SECItemStr *, SECItemStr *, int, void *)* 0x0255e681 CollectCrls(SECItemStr *, SECItemStr *, int, void *), void * 0x0500e2f8) line 4546 + 19 bytes SEC_LookupCrls(CERTCertDBHandleStr * 0x02c09c58, CERTCrlHeadNodeStr * * 0x001274ec, int -1) line 6749 + 20 bytes In DecodeDBCrlEntry, there is a check on the db entry length that fails: /* is database entry correct length? */ entry->derCrl.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] ); nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] ); if ( ( entry->derCrl.len + nnlen + DB_CRL_ENTRY_HEADER_LEN ) != dbentry->len) {PORT_SetError(SEC_ERROR_BAD_DATABASE); goto loser; } When I try to retrieve the RSASecureServer.crl (size of 814K), entry->derCrl.len is 47682, nnlen is 42 and dbentry->len is 834160. The above length check fails and the crl cannot be retrieved.
Ah ha! Our current database format cannot handle any object greater then 64k-1 because it only has a 2 byte length! The good news is I can easily see what is broken. The bad news is it will require a database change to make this work. I may be able to hack something where we used the stored length to determine the real length of the CRL, but I'm not sure what the risk is if you move this database to an older application. bob
David, Try the above patch and see if the large CRL still fails now.... bob
That works. I'm able to view the 850K CRL!
r=ddrinan for the patch proposed by relyea. Javi, please review this patch also.
I don't understand Bob's patch but I did spot a typo. "64 M" should be "64 K". Ian, could you please review Bob's patch?
looks fine to me.
Ian, Please give it an r=mcgreer. Thanks.
r=mcgreer
David, remember to fix the "64 M" in the comments. :)
Adding blizzard to cc-list. Chris, Please super review. Thanks, David.
Blocks: 83989
a=dbaron for trunk (or whatever NSS branch that the mozilla trunk uses) checkin (on behalf of drivers)
PDT for PSM.
Whiteboard: PDT
sr=blizzard
PDT+ as per Steve Elmeer 6/20/2001
Whiteboard: PDT → PDT+
Whiteboard: PDT+ → PDT+; ready for checkin
Checked into the NSS 3.2 branch and updated the NSS_CLIENT_TAG. I will close this bug when I check into the NSS trunk.
Checked in to thge trunk of NSS. Marking FIXED.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
I'll need a testcase in order to verify this.
To get large crls go to crl.verisign.com. You will have to host the crl on a web server which has the mime type application/x-pkcs7-crl set for .crl files. I believe that all iPlanet/Netscape webservers have this mime type enabled by default. Then point your mozilla/N6.1 browser to the crl (or a link to it), click and the crl should be downloaded. To verify that is has downloaded successfully, go to edit|preferences|privacy and security|validation and click on "Manage CRLs..." button. A dialog will appear with a list of the crls in your database.
updated whiteboard: needs verification
Whiteboard: PDT+; ready for checkin → PDT+; checked in needs verification.
Verified with a 497K CRL at http://junruh.mcom.com/crl/497k.crl
URL: http://junruh.mcom.com/crl/497k.crl
Status: RESOLVED → VERIFIED
Whiteboard: PDT+; checked in needs verification. → PDT+
whiteboard->verified
Whiteboard: PDT+ → PDT+; verified.
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: