Graham Leggett wrote, On 2008-09-02 14:59:

> I just added the bug here:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=453364

Thanks.

> Changing the encryption mode from MODE_ECB to MODE_CBC, causes the 
> PK11_CreateContextBySymKey function to succeed.

That's a big clue.  I can think of two issues:

1) Your code asks NSS to find a slot that supports CBC, then imports the
key into that slot, specifying that it is to be used with some crypto
mechanism that you didn't show (might have been CBC or ECB), but then
when you actually use the key, you use it with ECB, which is a different
mechanism than the one you specified when you asked for a slot.

2) Since ECB is never used in any of the standardized (IETF) protocols
implemented in NSS, I wouldn't be shocked to find that there's a problem
with 3DES ECB.  But before concluding that, I'd want to see the test be
sure to use the same mechanism in all calls, as mentioned above.

BTW, please add a comment to the bug specifying which mechanism your code
passed to PK11_ImportSymKey.  That will aid in reproducing what you saw.

> The next function PK11_CipherOp then fails, with the error code "-8192".
> 
> This error code isn't recognised by PR_ErrorToName(), and so again, no 
> action can be taken.

That's right, not with PR_ErrorToName.

> Should I log this as a separate bug, 

No, because it's not a bug.  NSS's shared libraries have never offered any
functions that translate error numbers into strings.  The reason is that
no two operating systems or applications use the same technique for
localizing strings.  Any method that NSS chose to use would be wrong for
all (or perhaps all but one) applications.  PR_ErrorToName is a great idea
IMO, but no Mozilla applications (not even Firefox) use it.  There is an
RFE, asking NSS to supply strings to PR_ErrorToName, but because of the
localization issue, it's not a high priority.

> or does this error code -8192 have some meaning to NSS?

You will find a web page describing the error strings for many error codes
at http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

There are 3 header files that contain macro invocations that can be used,
together with your own macro definitions, to put error strings into your
program.  Find those 3 header files at
<http://mxr.mozilla.org/security/find?text=&kind=text&string=nss%2Fcmd%2Flib%2F.*errs.h>

Find an example of a function that uses those header files with its own
macro at
<http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/cmd/lib/secerror.c&rev=1.3&mark=54-56#38>

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
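
As an added example (not code from the message above or from NSS): the macro technique the reply describes, with a short constructed list standing in for the errs.h headers so that it compiles on its own. `SAMPLE_ERRS`, `err_entry`, `err_lookup` and `err_describe` are hypothetical names, the error texts are abbreviated, and the numeric codes assume `SEC_ERROR_BASE` is -0x2000 as in NSS's secerr.h.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an NSS errs.h file: a list of
 * ER3(name, value, text) invocations. Codes follow secerr.h
 * (assumed SEC_ERROR_BASE of -0x2000); texts are abbreviated. */
#define SEC_ERROR_BASE (-0x2000)
#define SAMPLE_ERRS \
    ER3(SEC_ERROR_IO,              SEC_ERROR_BASE + 0, "I/O error during security operation") \
    ER3(SEC_ERROR_LIBRARY_FAILURE, SEC_ERROR_BASE + 1, "security library failure") \
    ER3(SEC_ERROR_BAD_DATA,        SEC_ERROR_BASE + 2, "security library received bad data") \
    ER3(SEC_ERROR_INVALID_ARGS,    SEC_ERROR_BASE + 5, "security library: invalid arguments")

struct err_entry { int code; const char *name; const char *text; };

/* Our own ER3 definition: each invocation becomes one table row, and the
 * symbolic name is captured by stringification. With the real headers the
 * table body would be an #include of the errs.h file instead. */
#define ER3(name, value, text) { (value), #name, (text) },
static const struct err_entry err_table[] = { SAMPLE_ERRS };
#undef ER3

/* Return the table row for code, or NULL when the code is not listed. */
const struct err_entry *err_lookup(int code)
{
    for (size_t i = 0; i < sizeof err_table / sizeof err_table[0]; i++)
        if (err_table[i].code == code)
            return &err_table[i];
    return NULL;
}

/* Format "NAME (code): text"; unknown codes still produce a usable line. */
const char *err_describe(int code, char *buf, size_t len)
{
    const struct err_entry *e = err_lookup(code);
    if (e)
        snprintf(buf, len, "%s (%d): %s", e->name, code, e->text);
    else
        snprintf(buf, len, "unknown error (%d)", code);
    return buf;
}

int main(void)
{
    char buf[128];
    puts(err_describe(-8192, buf, sizeof buf)); /* the code from the thread */
    puts(err_describe(-1, buf, sizeof buf));    /* not in the table */
    return 0;
}
```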
