Bug 1001188: Set the error code when the max cert chain length limit is exceeded, r=cviecco a=sledru
author Brian Smith <brian@briansmith.org>
Sat, 31 May 2014 16:03:08 -0700
changeset 199432 2415441c3620198a198775997e312e4f2f53c79f
parent 199431 d9edba5338ffcbdc114fddf2f5be479e03960315
child 199433 a5967705754e1441060acd7b7d73de1ee4f1e9d2
push id 3624
push user asasaki@mozilla.com
push date Mon, 09 Jun 2014 21:49:01 +0000
reviewers cviecco, sledru
bugs 1001188
milestone 31.0a2
security/pkix/lib/pkixbuild.cpp
--- a/security/pkix/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@@ -195,17 +195,17 @@ BuildForward(TrustDomain& trustDomain,
              /*optional*/ const SECItem* stapledOCSPResponse,
              unsigned int subCACount,
              /*out*/ ScopedCERTCertList& results)
 {
   // Avoid stack overflows and poor performance by limiting cert length.
   // XXX: 6 is not enough for chains.sh anypolicywithlevel.cfg tests
   static const size_t MAX_DEPTH = 8;
   if (subCACount >= MAX_DEPTH - 1) {
-    return RecoverableError;
+    return Fail(RecoverableError, SEC_ERROR_UNKNOWN_ISSUER);
   }
 
   Result rv;
 
   TrustDomain::TrustLevel trustLevel;
   // If this is an end-entity and not a trust anchor, we defer reporting
   // any error found here until after attempting to find a valid chain.
   // See the explanation of error prioritization in pkix.h.
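Review bot: At the changed return inside the `subCACount >= MAX_DEPTH - 1` check, SEC_ERROR_UNKNOWN_ISSUER carries no indication that the depth limit was the cause, so a chain rejected for being too long is reported the same way as one whose issuer could not be found. Suggest a short comment on that line explaining why this code was chosen, and a test that builds a chain reaching MAX_DEPTH and asserts the error code, since this hunk shows none. The context comment above the check says "limiting cert length" where the chain length is meant, which is worth correcting while this block is being touched.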