Graham Leggett wrote, On 2008-09-02 12:49:
> Graham Leggett wrote:
>
>> I am trying to call PK11_CreateContextBySymKey and it is returning NULL.
>
> Using PORT_GetError, the error code returned is zero.
Please file a bug in bugzilla.mozilla.org about that.
Product: NSS
Component: Libraries
Version: whatever version you're using
> Reverse engineering the PK11_CreateContextBySymKey function, I have
> found that the function returns NULL in a number of locations, many
> without any attempt to set an error code, which effectively means it is
> impossible to distinguish one error from another.
Well, NSS's rule is that the lowest level function (the first function)
called that finds a problem and returns a failure result (NULL, or
SECFailure) MUST set the error code. Higher level functions (callers of
the function that first finds the problem) may leave the error code alone
(leave it set to the value set by the first function to find the problem).
So, if you see code in an NSS function that calls another ("inner") NSS
function, and detects that that inner function has returned a failure
indicator, and then returns without setting an error code, that's expected.
For example, NSS's "PORT" allocation functions all set error codes on
failure so callers of those PORT allocation functions seldom set error
codes when they detect an allocation failure.
On the other hand, if you see code that detects a problem itself, e.g.
by finding a null argument, or finding a null pointer in a structure,
and returns a failure result without setting an error code, that's a bug.
I take all those bugs seriously and make fixing them a pretty high priority.
As a reviewer, I try not to allow a patch to be committed that makes that
mistake. But I'm not the only NSS reviewer, and mistakes happen.
> From the debugger trace below, is there any obvious reason why the
> above function should return null?
Not immediately obvious.
Here are some questions that may help identify the cause.
What was the value of keyItem.len ?
Are you using any PKCS#11 modules besides NSS's own modules?
Do you possibly have a module marked as preferred ("default") for 3DES
that doesn't actually do 3DES?
If you were using only NSS's PKCS#11 modules, did you have the Softoken
module in "FIPS mode" ?
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
