On 08/13/2010 05:37 AM, Konstantin Andreev wrote:
> On 08/13/10 04:44, Robert Relyea wrote:
>>> On Wed, Aug 11, 2010 at 1:18 PM, Matej Kurpel<mkur...@gmail.com>
>>> wrote:
>>>
>>>> [ ... skip ... ] Later, thunderbird asks for its attributes
>>>> CKA_TOKEN and CKA_LABEL but gives zero-sized buffers for both
>>>> values. ... According to the specification (if I understood
>>>> correctly), I should return CKR_BUFFER_TOO_SMALL and fill the
>>>> ulValueLen properties to the length of the two attribute values,
>>>> which makes perfect sense.
>>>>
>>>
>> No, you need to return CKR_OK. You only return CKR_BUFFER_TOO_SMALL
>> if a buffer was supplied and it didn't fit (in which case you set the
>> offending attribute length to -1). See the PKCS #11 spec for
>> C_GetAttributeValue.
>>
>> By returning CKR_BUFFER_TOO_SMALL to NSS, you are telling it that the
>> requested operation failed (That operation was to get the lengths of
>> the attributes it wanted to read).
>>
>
> Hello, Robert.
>
> Matej told us that buffers were supplied, but zero-size. He didn't
> tell that buffers were NULL.

Ah, in that case CKR_BUFFER_TOO_SMALL would be appropriate. I'm pretty sure that that was not the case. I suspect he didn't check for NULL since I know of nowhere in NSS that would do such a thing, but I know exactly where we are asking for CKA_TOKEN and CKA_LABEL with a NULL buffer.

>
>> see
>> http://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11obj.c#210
>>
>>
>
> I am not sure, whether this applies to Matej issue, but
> PK11_GetAttributes is defective. It doesn't care about nullifying
> CK_ATTRIBUTE::pValue before 1st call to C_GetAttributeValue. The
> caller of PK11_GetAttributes should care about.

Yes, it does require the caller to set things to NULL first.

bob

>
> --
> Konstantin.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
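The return-code rule argued over in this thread, as an added example that is not part of the original messages and is not NSS or any token's code: a NULL `pValue` is a length query answered with CKR_OK, while a supplied buffer that is too short gets a length of -1 and CKR_BUFFER_TOO_SMALL. The names `demo_get_attribute_value` and `demo_object` are hypothetical, and the typedefs and constants are minimal stand-ins for the PKCS #11 header definitions.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-ins for the pkcs11t.h definitions, so the block compiles alone. */
typedef unsigned long CK_ULONG, CK_RV, CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK                     0x00000000UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012UL
#define CKR_BUFFER_TOO_SMALL       0x00000150UL
#define CKA_TOKEN                  0x00000001UL
#define CKA_LABEL                  0x00000003UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)   /* the "-1" length from the thread */

/* Constructed sample object: CKA_TOKEN = CK_TRUE, CKA_LABEL = "demo". */
static const unsigned char tok_true = 1;
static const CK_ATTRIBUTE demo_object[] = {
    { CKA_TOKEN, (void *)&tok_true, 1 },
    { CKA_LABEL, (void *)"demo", 4 },
};

/* Hypothetical token-side helper behind C_GetAttributeValue (session and
 * object-handle lookup and sensitive attributes are left out). */
CK_RV demo_get_attribute_value(const CK_ATTRIBUTE *obj, size_t n_obj,
                               CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < count; i++) {
        const CK_ATTRIBUTE *src = NULL;
        for (size_t j = 0; j < n_obj; j++)
            if (obj[j].type == tmpl[i].type) src = &obj[j];
        if (src == NULL) {                        /* object has no such attribute */
            tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_ATTRIBUTE_TYPE_INVALID;
        } else if (tmpl[i].pValue == NULL) {      /* length query: not an error */
            tmpl[i].ulValueLen = src->ulValueLen;
        } else if (tmpl[i].ulValueLen >= src->ulValueLen) {
            memcpy(tmpl[i].pValue, src->pValue, src->ulValueLen);
            tmpl[i].ulValueLen = src->ulValueLen;
        } else {                                  /* buffer supplied but too short */
            tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            if (rv == CKR_OK) rv = CKR_BUFFER_TOO_SMALL;
        }
    }
    return rv;
}
```

A caller that leaves a stale non-NULL `pValue` in the template on the first call lands in the copy or too-short branch instead of the length query, which is why the template has to be set to NULL first.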