Open Bug 1342434 Opened 8 years ago Updated 3 years ago

PK11_Derive*() doesn't set the failure reason

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: andrew.cagney, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0 Build ID: 20170126153126 Steps to reproduce: Call PK11_Derive() with bad arguments. (I'm guessing that hg's "default" means "trunk") Actual results: As expected PK11_Derive() returns NULL. Unfortunately, PORT_GetError() returns 0 so there's no hint as to why the arguments are bad. Expected results: PK11_Derive() and co should be calling: PORT_SetError(PK11_MapError(crv)); so that the underlying error reason is saved.
PK11_Derive calls PORT_SetError (sometimes). Do you have an example that doesn't set the error?
Flags: needinfo?(andrew.cagney)
Anything that causes the underlying ->C_DeriveKey() call to fail should have this problem (the status isn't set after an error return). The case I encountered was: --- Subject: PK11_Derive CKM_CONCATENATE_BASE_AND_KEY fails when KEY is from from CKM_ECDH1_DERIVE I'm trying to understand why the PK11_Derive call: CK_OBJECT_HANDLE key_handle = PK11_GetSymKeyHandle(key); SECItem key_param = { .data = (unsigned char*)&key_handle, .len = sizeof(key_handle) }; CK_ATTRIBUTE_TYPE operation = CKA_DERIVE; int key_size = 0; PK11SymKey *result = PK11_Derive(base_key, CKM_CONCATENATE_BASE_AND_KEY, &key_param, CKM_MD5_KEY_DERIVATION, operation, key_size); works when "key" came from CKM_DH_PKCS_DERIVE but fails when the key came from (CKM_ECDH1_DERIVE,CKD_NULL). Debugging suggests that the operation is rejected in lib/softoken/pkcs11c.c by the code: att2 = sftk_FindAttribute(newKey, CKA_VALUE); if (att2 == NULL) { sftk_FreeObject(newKey); crv = CKR_KEY_HANDLE_INVALID; break; } I've found a work-around is to first CKM_EXTRACT_KEY_FROM_KEY and then use that :-/ Is this expected? And is there a clean way to detect a key like ECDH that will cause problems.
Flags: needinfo?(andrew.cagney)
Blocks: 1399364
Priority: -- → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.