Closed Bug 349609 Opened 19 years ago Closed 19 years ago

C_SignUpdate does not work for DSA key

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.11.3

People

(Reporter: glenbeasley, Assigned: glenbeasley)

References

Details

Attachments

(1 file)

Fix the crash in sftk_MACUpdate
882 bytes, patch
glenbeasley
: review+
rrelyea
: superreview+
Details | Diff | Splinter Review
See bug 342582 test program pk11mode.c method PKM_PublicKey if you create a DSA key, C_SignInit and C_Sign works, but C_SignInit, C_SignUpdate, and C_SignFinal does not with the same DSA key and data. The code first crashes in sftk_MACUpdate on context->padDataLength = ulPartLen % context->blockSize; because context->blockSize is set to 0. Fixing blockSize does not fix the problem, the code will then crash in C_SignFinal. Code to reproduce in PKM_PublicKey /* Sign with DSA (works) crv = pFunctionList->C_SignInit(hRwSession, &dsaMech, hDsaPrivKey); if (crv != CKR_OK) { PKM_Error( "C_SignInit failed with 0x%08lX\n", crv); return crv; } dsaSigLen = sizeof(dsaSig); crv = pFunctionList->C_Sign(hRwSession, sha1Digest, sha1DigestLen, dsaSig, &dsaSigLen); if (crv != CKR_OK) { PKM_Error( "C_Sign failed with 0x%08lX\n", crv); return crv; } */ /* SignUpdate with DSA does not work */ crv = pFunctionList->C_SignInit(hRwSession, &dsaMech, hDsaPrivKey); if (crv != CKR_OK) { PKM_Error( "C_SignInit failed with 0x%08lX\n", crv); return crv; } dsaSigLen = sizeof(dsaSig); crv = pFunctionList->C_SignUpdate(hRwSession, sha1Digest, sha1DigestLen); if (crv != CKR_OK) { PKM_Error( "C_Sign failed with 0x%08lX\n", crv); return crv; } crv = pFunctionList->C_SignFinal(hRwSession, (CK_BYTE_PTR)dsaSig, &dsaSigLen); if (crv == CKR_OK) { PKM_LogIt("C_SignFinal succeeded\n"); } else { PKM_Error( "C_SignFinal failed with 0x%08lX\n", crv); return crv; }
Blocks: 349613
I found that CKM_DSA is single-part operations only. So C_SignUpdate shouldn't be used with CKM_DSA. The only thing we can do is to make C_SignUpdate return an error code rather than crash. It may be as simple as passing needMulti=PR_TRUE instead of PR_FALSE to sftk_GetContext in sftk_MACUpdate. I'm not sure if CKR_OPERATION_NOT_INITIALIZED is the right error code but I can't find a better error code. Glen, you can use CKM_DSA_SHA1 with C_SignUpdate + C_SignFinal. You can look at how I used CKM_DSA_SHA1 with C_VerifyUpdate + C_SignFinal.
The last paragraph in my previous comment should read: Glen, you can use CKM_DSA_SHA1 with C_SignUpdate + C_SignFinal. You can look at how I used CKM_DSA_SHA1 with C_VerifyUpdate + C_VerifyFinal.
Glen, does this patch fix the crash in sftk_MACUpdate?
Attachment #235013 - Flags: review?(glen.beasley)
Status: NEW → ASSIGNED
Comment on attachment 235013 [details] [diff] [review] Fix the crash in sftk_MACUpdate I verified that this patch allows C_SignUpdate and C_SignFinal with the CKM_DSA mechanism to fail with CKR_OPERATION_NOT_INITIALIZED rather than crashing. I found that C_SignFinal doesn't terminate an active CKM_DSA single-part operation. C_SignFinal fails with CKR_OPERATION_NOT_INITIALIZED, and the CKM_DSA operation is still active. Is this the correct behavior, Bob?
Attachment #235013 - Flags: superreview?(rrelyea)
Comment on attachment 235013 [details] [diff] [review] Fix the crash in sftk_MACUpdate verified C_SignUpdate and C_SignFinal with the CKM_DSA mechanism fails with CKR_OPERATION_NOT_INITIALIZED rather than crashing.
Attachment #235013 - Flags: review?(glen.beasley) → review+
Glen, you marked this bug "assigned". I think you meant to assign it to yourself. So I'm reassigning it to you.
Assignee: nobody → glen.beasley
Status: ASSIGNED → NEW
Comment on attachment 235013 [details] [diff] [review] Fix the crash in sftk_MACUpdate r=relyea
Attachment #235013 - Flags: superreview?(rrelyea) → superreview+
I checked in the fix on the NSS trunk (3.12) and NSS_3_11_BRANCH (3.11.3). Checking in pkcs11c.c; /cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v <-- pkcs11c.c new revision: 1.89; previous revision: 1.88 done Checking in pkcs11c.c; /cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v <-- pkcs11c.c new revision: 1.68.2.19; previous revision: 1.68.2.18 done
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.11.3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: