Bug 165835

Summary:

Handle key generation with empty challenge string

Product:

WebKit

Reporter:

John Wilander <wilander>

Component:

WebCore Misc.

Assignee:

John Wilander <wilander>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

andersca, conrad_shultz, webkit-bug-importer, wilander

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	andersca: review+

John Wilander

Reported 2016-12-13 18:48:24 PST

https://bugs.webkit.org/show_bug.cgi?id=160945 introduced an ASSERT(challenge.data()) that didn't catch empty challenge strings. Also, empty challenge strings are allowed: "If the element has a challenge attribute, then let challenge be that attribute's value. Otherwise, let challenge be the empty string." https://www.w3.org/TR/html5/forms.html#the-keygen-element Email certificate generation at https://www.comodo.com/home/email-security/free-email-certificate.php broke because of https://bugs.webkit.org/show_bug.cgi?id=160945.

Attachments
Patch (3.32 KB, patch) 2016-12-13 18:57 PST, John Wilander	no flags	Details Formatted Diff Diff
Patch (2.86 KB, patch) 2016-12-14 11:20 PST, John Wilander	no flags	Details Formatted Diff Diff
Patch (2.67 KB, patch) 2016-12-14 12:18 PST, John Wilander	andersca: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

John Wilander

Comment 1 2016-12-13 18:49:21 PST

rdar://problem/29128710

John Wilander

Comment 2 2016-12-13 18:57:28 PST

Created attachment 297057 [details] Patch

Conrad Shultz

Comment 3 2016-12-14 09:29:26 PST

Comment on attachment 297057 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=297057&action=review > Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:180 > + signedPublicKeyAndChallenge.publicKeyAndChallenge.challenge.Data = (uint8 *)strdup("\0"); Does this need to be freed at some point?

John Wilander

Comment 4 2016-12-14 11:20:47 PST

Created attachment 297104 [details] Patch

John Wilander

Comment 5 2016-12-14 11:23:09 PST

(In reply to comment #3) > Comment on attachment 297057 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=297057&action=review > > > Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:180 > > + signedPublicKeyAndChallenge.publicKeyAndChallenge.challenge.Data = (uint8 *)strdup("\0"); > > Does this need to be freed at some point? Thanks! You're right. The old deallocation strategy was very different and covered this part too. But after a conversation with Anders Carlsson I found a simpler fix that doesn't require string duplication. See new patch.

Anders Carlsson

Comment 6 2016-12-14 12:03:59 PST

Comment on attachment 297104 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=297104&action=review > Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:184 > + if (!challenge.length()) { > + // Needed to account for the null terminator > + signedPublicKeyAndChallenge.publicKeyAndChallenge.challenge.Length = 1; > + } else > + signedPublicKeyAndChallenge.publicKeyAndChallenge.challenge.Length = challenge.length(); I'm wondering whether this can just be signedPublicKeyAndChallenge.publicKeyAndChallenge.challenge.Length = challenge.length() + 1; always?

John Wilander

Comment 7 2016-12-14 12:18:33 PST

Created attachment 297109 [details] Patch

John Wilander

Comment 8 2016-12-14 12:21:38 PST

(In reply to comment #6) > Comment on attachment 297104 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=297104&action=review > > > Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:184 > > + if (!challenge.length()) { > > + // Needed to account for the null terminator > > + signedPublicKeyAndChallenge.publicKeyAndChallenge.challenge.Length = 1; > > + } else > > + signedPublicKeyAndChallenge.publicKeyAndChallenge.challenge.Length = challenge.length(); > > I'm wondering whether this can just be > > signedPublicKeyAndChallenge.publicKeyAndChallenge.challenge.Length = > challenge.length() + 1; > > always? Seems to work. And it is aligned with the other place where we set the Length in a CSSM_DATA struct: uint8 encodeNull[2] { SEC_ASN1_NULL, 0 }; ... signedPublicKeyAndChallenge.algorithmIdentifier.parameters.Data = (uint8 *)encodeNull; signedPublicKeyAndChallenge.algorithmIdentifier.parameters.Length = 2; See new patch.

Anders Carlsson

Comment 9 2016-12-14 12:26:12 PST

Comment on attachment 297109 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=297109&action=review > Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:180 > + // Length needs to account for the null terminator Add a period to make this a proper sentence.

John Wilander

Comment 10 2016-12-14 12:31:26 PST

Committed r209822: <http://trac.webkit.org/changeset/209822>

Note You need to log in before you can comment on or make changes to this bug.