Closed Bug 51436 Opened 24 years ago Closed 24 years ago

SSL Server code failing on tip PK11_ImportSymKey fails

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: rrelyea)

References

Details

In correspondence about bugzilla bug 48657, John Myers reported
that he couldn't get SSL Server code to work on the tip.
So I tried it and found numerous strange phenomena.  John was
right, SSL server code wasn't able to complete a handshake.

One of the sequences I saw was this:

pk11_CopyToSlot calls PK11_ExtractKeyValue() which succeeds,
then calls  PK11_ImportSymKey(), which calls 
pk11_ImportSymKeyWithTempl(), which calls PK11_CreateNewObject(),
which calls NSC_CreateObject(), which calls pk11_SessionFromHandle()
which returns null.

So, then pk11_CopyToSlot calls pk11_KeyExchange(), which is VERY 
costly.  

(As an aside, I think that there ought to be some way for 
pk11_CopyToSlot to distinguish among the different types of 
failures from PK11_ImportSymKey().  Some of those failures
are because the key cannot be copied in an unwrapped fashion.
Other failures are just failures, and wrapping won't help.
IMO pk11_CopyToSlot should not call pk11_KeyExchange() after
the latter type of failure.  Today it always does. :-(
Blocks: 48657, 51425
Up the priority to P1
Priority: P3 → P1
target == NSS 3.0
Target Milestone: --- → 3.0
OK, This bug *IS* present in both 3.0 and 3.1. To trigger the bug you need to do 
several full SSL handshakes on the server. PSM would also have the problem in 
some cases where it was using keys other than SSL keys (SDR may start failing 
after several SSL handshakes).

The test suites succeed because none of the test suites do more than one full 
SSL handshake (including the stress test suites).
Status: NEW → ASSIGNED
Changing target fix version to 3.0.1

Bob, I confirm that your recent checkin fixed this.
Target Milestone: 3.0 → 3.0.1
I'm taking the liberty of marking this bug fixed.
I have confirmed that SSL is working in NSS 3.0.1.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.