Bug 1097622 - Return ERROR_INVALID_TIME when decoding invalid time values. r=dkeeler

Cykesiopka 2015-02-18 15:56:00 -05:00
parent 64a8ea21dd
commit 1d7d83f71b
4 changed files with 29 additions and 18 deletions


@ -146,16 +146,17 @@ ErrorIsOverridable(PRErrorCode code)
switch (code)
{
// Overridable errors.
case SEC_ERROR_UNKNOWN_ISSUER:
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
case SSL_ERROR_BAD_CERT_DOMAIN:
case SEC_ERROR_EXPIRED_CERTIFICATE:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
case SEC_ERROR_EXPIRED_CERTIFICATE:
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
case SEC_ERROR_INVALID_TIME:
case SEC_ERROR_UNKNOWN_ISSUER:
case SSL_ERROR_BAD_CERT_DOMAIN:
return true;
// Non-overridable errors.
default:
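Review bot: The new `case SEC_ERROR_INVALID_TIME:` label is the only functional change in this list, yet it sits inside an alphabetical re-sort of every other label, which makes it easy to overlook that a new error class has become user-overridable. It also differs in kind from its neighbours: going by the commit title, it reports a validity field that failed to decode rather than a certificate outside its validity window. A comment on the label such as `// Undecodable or inconsistent validity period; overridable like the expired/not-yet-valid cases.` would record that the choice is deliberate. Landing the re-sort separately would leave the security-relevant line on its own in the diff. The switch continues past the end of the hunk.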


@ -313,6 +313,7 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE: return 14;
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
return 15;
case SEC_ERROR_INVALID_TIME: return 16;
}
NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
"handle everything in DetermineCertOverrideErrors?");
@ -368,6 +369,7 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
break;
}
case SEC_ERROR_INVALID_TIME:
case SEC_ERROR_EXPIRED_CERTIFICATE:
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
collectedErrors = nsICertOverrideService::ERROR_TIME;
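Review bot: The new probe value in `case SEC_ERROR_INVALID_TIME: return 16;` is only useful if the telemetry histogram that receives it accepts 16. The histogram definition is not on this page, so confirm its bucket count already covers that value or is raised in the same change. In DetermineCertOverrideErrors the new label shares the `ERROR_TIME` branch with the expired and not-yet-valid cases, so the rest of that branch, which lies outside the hunk, should be checked for any assumption that notBefore and notAfter decoded successfully. Both functions start and end outside the hunks shown.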


@ -37,21 +37,31 @@ CheckValidity(Input encodedValidity, Time time)
Reader validity(encodedValidity);
Time notBefore(Time::uninitialized);
if (der::TimeChoice(validity, notBefore) != Success) {
return Result::ERROR_EXPIRED_CERTIFICATE;
}
if (time < notBefore) {
return Result::ERROR_NOT_YET_VALID_CERTIFICATE;
return Result::ERROR_INVALID_DER_TIME;
}
Time notAfter(Time::uninitialized);
if (der::TimeChoice(validity, notAfter) != Success) {
return Result::ERROR_EXPIRED_CERTIFICATE;
return Result::ERROR_INVALID_DER_TIME;
}
if (der::End(validity) != Success) {
return Result::ERROR_INVALID_DER_TIME;
}
if (notBefore > notAfter) {
return Result::ERROR_INVALID_DER_TIME;
}
if (time < notBefore) {
return Result::ERROR_NOT_YET_VALID_CERTIFICATE;
}
if (time > notAfter) {
return Result::ERROR_EXPIRED_CERTIFICATE;
}
return der::End(validity);
return Success;
}
// 4.1.2.7 Subject Public Key Info
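Review bot: The new `if (der::End(validity) != Success)` check reports leftover bytes after notAfter as `ERROR_INVALID_DER_TIME`, whereas the removed `return der::End(validity);` passed on whatever Result der::End produces. Leftover data is a structural encoding fault rather than a bad time value, and elsewhere in this commit the invalid-time error is added to the overridable list. This case may therefore have moved from a hard failure to one a user can click through; that depends on what der::End returns and how it is mapped, neither of which is visible here. Propagating the original result keeps the distinction: `Result rv = der::End(validity);` followed by `if (rv != Success) { return rv; }`. CheckValidity's signature appears only in the hunk header.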


@ -70,7 +70,7 @@ TEST_F(pkixcheck_CheckValidity, BothEmptyNull)
0x17/*UTCTime*/, 0/*length*/,
};
static const Input validity(DER);
ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, CheckValidity(validity, NOW));
}
TEST_F(pkixcheck_CheckValidity, NotBeforeEmptyNull)
@ -80,7 +80,7 @@ TEST_F(pkixcheck_CheckValidity, NotBeforeEmptyNull)
NEWER_UTCTIME
};
static const Input validity(DER);
ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, CheckValidity(validity, NOW));
}
TEST_F(pkixcheck_CheckValidity, NotAfterEmptyNull)
@ -90,8 +90,7 @@ TEST_F(pkixcheck_CheckValidity, NotAfterEmptyNull)
0x17/*UTCTime*/, 0x00/*length*/,
};
static const Input validity(DER);
ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE,
CheckValidity(validity, NOW));
ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, CheckValidity(validity, NOW));
}
static const uint8_t OLDER_UTCTIME_NEWER_UTCTIME_DATA[] = {
@ -155,6 +154,5 @@ TEST_F(pkixcheck_CheckValidity, InvalidNotAfterBeforeNotBefore)
OLDER_UTCTIME,
};
static const Input validity(DER);
ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE,
CheckValidity(validity, NOW));
ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, CheckValidity(validity, NOW));
}
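Review bot: None of the updated tests exercises the `der::End(validity)` branch that the CheckValidity change introduces; the visible hunks cover only empty time fields and notAfter preceding notBefore. A case with two well-formed times followed by an extra element would pin the result for trailing data, which matters because that result decides whether the error is overridable. The test file may already contain such a case outside these hunks, so check before adding one. The sketch below uses constructed trailing bytes and the expectation the new code produces.

```cpp
TEST_F(pkixcheck_CheckValidity, TrailingDataAfterNotAfter)
{
  static const uint8_t DER[] = {
    OLDER_UTCTIME,
    NEWER_UTCTIME,
    0x05/*NULL*/, 0x00/*length*/, // constructed trailing element
  };
  static const Input validity(DER);
  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, CheckValidity(validity, NOW));
}
```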