Closed
Bug 1117022
Opened 9 years ago
Closed 9 years ago
Implement draft-ietf-tls-session-hash
Categories
(NSS :: Libraries, enhancement, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.21
People
(Reporter: ekr, Assigned: ekr)
References
Details
Attachments
(5 files, 7 obsolete files)
1.74 KB,
application/x-gzip
|
Details | |
14.30 KB,
patch
|
rbarnes
:
review+
|
Details | Diff | Splinter Review |
848 bytes,
patch
|
rbarnes
:
review+
mt
:
review+
wtc
:
checked-in+
|
Details | Diff | Splinter Review |
4.73 KB,
patch
|
rbarnes
:
review+
mt
:
review+
wtc
:
checked-in+
|
Details | Diff | Splinter Review |
1.60 KB,
patch
|
ekr
:
review+
mt
:
superreview+
wtc
:
checked-in+
|
Details | Diff | Splinter Review |
We should implement: https://tools.ietf.org/html/draft-ietf-tls-session-hash-03
Assignee | ||
Comment 1•9 years ago
|
||
I'm starting to look at this. Wan-Teh, I don't see an implementation of this in the Chrome patches, but I wanted to double check and see if this is something anyone at Google had done before I started the work
Flags: needinfo?(wtc)
Comment 2•9 years ago
|
||
Eric, Nobody at Google has implemented the TLS Session Hash Extension in NSS. What has been implemented in Chromium is a fix specific to TLS Channel ID, not the more general Session Hash. The TLS Channel ID-specific fix is in src/net/third_party/nss/patches/channelid.patch in the Chromium source tree. Search for "originalHandshakeHash" in that patch.
Flags: needinfo?(wtc)
Assignee | ||
Comment 3•9 years ago
|
||
Wan-Teh, I have started implementing this and am trying to decide how much to expose to the programmer. 1. Do you think we should expose the ability to require session hash? 2. Do you think we should expose whether session hash was used?
Flags: needinfo?(wtc)
Comment 4•9 years ago
|
||
The latter seems essential if Mozilla is going to gather metrics on its adoption, particularly if they hope to adopt the former.
Comment 5•9 years ago
|
||
This patch implements a general mechanism to derive a TLS master secret using the TLS PRF. This mechanism still assumes that it is deriving a TLS master secret, but it allows the caller to directly specify the non-secret inputs to the PRF (label and seed), rather than relying on the PKCS#11 implementation to fill them in based on the mechanism chosen. This should let the session-hash implementation pass in the new label ("extended master secret") and the session hash as the seed value. The implementation is pretty brute force, copying code from the older uses of the PRF below and making simplifications based on the fact that it's TLS-only.
Attachment #8551475 -
Flags: review?(rrelyea)
Assignee | ||
Comment 6•9 years ago
|
||
Thanks Richard. I note that this doesn't necessarily cover the "bypass" case. Bob, Wan-Teh, how important is it to retain that in the face of session hash or can we just use the non-bypass code path?
Flags: needinfo?(rrelyea)
Assignee | ||
Comment 7•9 years ago
|
||
Richard, unfortunately I mislead you: you need to do hashes other than SHA-256 to support TLS 1.0 and 1.1.
Comment 8•9 years ago
|
||
I don't compile with bypass on, so I don't think it's a problem. Richard, PKCS #11 2.40 is (almost) out, It's an approved committee spec and in it's final 60 day review. Ideally we should implement the new TLS mechanisms specified by 2.40: http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html specifically: http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408227088
Flags: needinfo?(rrelyea)
Comment 9•9 years ago
|
||
Bob, thanks for the pointers to PCKS#11. It looks like CKM_TLS_KDF is roughly what we want, but there's a fairly major ambiguity in the spec. The parameter struct for CKM_TLS_KDF is as follows: > typedef struct CK_TLS_KDF_PARAMS { > CK_MECHANISM_TYPE prfMechanism; > CK_BYTE_PTR pLabel; > CK_ULONG ulLabelLength; > CK_SSL3_RANDOM_DATA RandomInfo; > CK_BYTE_PTR pContextData; > CK_ULONG ulContextDataLength; > } CK_TLS_KDF_PARAMS; The prfMechanism, label, and randomInfo parts seem self-explanatory. However, it's not clear at all what the "context data" elements are supposed to contain. There does not appear to be a definition in the PKCS#11 spec or any of the relevant RFCs (5246, 4346, 2246, or 6101) In order to be usable for this bug, it would have to be the case that the "context data" is the same as the "seed" field used in the TLS specifications (PRF(secret, label, seed)). In which case, the implication would be: > if (params.pContextData) > /* seed = params.pContextData */ > else > /* seed = ClientRandom + ServerRandom */ Does that match your understanding? What do we need to do to get the spec clarified? If "context data" means something else, then we may need a new mechanism.
Flags: needinfo?(rrelyea)
Comment 10•9 years ago
|
||
We discussed this on the NSS call. The context data question turns out to be explained by RFC 5705, which says that if context data is provided, the output is as follows:
> PRF(SecurityParameters.master_secret, label,
> SecurityParameters.client_random +
> SecurityParameters.server_random +
> context_value_length + context_value
> )[length]
That is not a construct that we can use for this bug, since the session-hash spec requires that the session hash be input directly to the PRF.
It does look like the mechanism CKM_TLS_PRF from PKCS#11 v2.20 does what we want, so we will proceed with implementing that mechanism. This is a little bit of a spec compliance problem, since that mechanism has been deprecated in the latest version of PKCS#11. So we should follow up with PKCS#11 to see what we need to do to get some flavor of this back in the spec (possibly with additional constraints).
Flags: needinfo?(rrelyea)
Comment 11•9 years ago
|
||
This patch updates the previous patch in two important ways: * It re-uses the mechanism CKM_TLS_PRF_GENERAL that is already used for verifying finish messages. This mechanism is proprietary, but general enough to cover our needs. * It adds support for all hash algorithms, and pre-TLS1.2 versions of the PRF.
Attachment #8551475 -
Attachment is obsolete: true
Attachment #8551475 -
Flags: review?(rrelyea)
Attachment #8556651 -
Flags: review?(rrelyea)
Comment 12•9 years ago
|
||
Adds support for reflecting the version number from the PMS, when the input is a PMS and the requestor asks for a version number.
Bob: It looks to me like this line is a NOOP (as is the corresponding one below in the current code):
> ((sessKey == NULL) || sessKey->wasDerived)
... since sessKey is never null (key is not a token object) and sessKey->wasDerived is never true (since it was just created, with default value PR_FALSE).
Does that seem right to you?
Attachment #8556651 -
Attachment is obsolete: true
Attachment #8556651 -
Flags: review?(rrelyea)
Attachment #8559282 -
Flags: feedback?(rrelyea)
Comment 13•9 years ago
|
||
Comment on attachment 8559282 [details] [diff] [review] bug-1117022.pkcs11.2.patch feedback+. Re the test. Hmmm It looks like you are right. I the test should have been on the source key rather than the target key.
Attachment #8559282 -
Flags: feedback?(rrelyea) → feedback+
Assignee | ||
Comment 14•9 years ago
|
||
Bob, WTC, are you OK with making this option on by default?
Flags: needinfo?(rrelyea)
Assignee | ||
Comment 15•9 years ago
|
||
Bob, Wan-Teh, ping? Barnes, do you want to have two master_derive mechanisms to PKCS#11, one for RSA and one for non-RSA, or do you just want to make it contingent on whether we pass a nonzero outparam?
Flags: needinfo?(rlb)
Comment 16•9 years ago
|
||
I think it's cleaner to have one mechanism. Even though externally there are separate mechanisms for the others right now, internally, they all use the same code and branch on whether there's a nonzero outparam. Might as well have the external reflect the internal. https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/softoken/pkcs11c.c#5926 https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/softoken/pkcs11c.c#5977 Bob, do you think this patch looks ready to land?
Flags: needinfo?(rlb)
Updated•9 years ago
|
Attachment #8559282 -
Flags: review?(rrelyea)
Comment 17•9 years ago
|
||
Comment on attachment 8559282 [details] [diff] [review] bug-1117022.pkcs11.2.patch Review of attachment 8559282 [details] [diff] [review]: ----------------------------------------------------------------- Three things I'd like to have fixed before check in. 1) since we didn't use one of the standard params, we should go ahead and make our own mechanism. 2) There's a already a function that maps mechanism to hashalg's for us. 3) We shouldn't implicitly set these attributes. Normally PKCS #11 will get these from the supplied template. ::: lib/softoken/pkcs11c.c @@ +5923,5 @@ > /* > * generate the master secret > */ > + case CKM_TLS_PRF_GENERAL: > + { Since we are creating our own parameters, we should probably create an NSS specific mechanism for this. We should also propose this mechanism to the PKCS #11 working group to get a real mechanism value for this. If you could put together a right up on how this is used and why as well as why the existing 3.40 mechanisms don't quite match what you want, I can bring that to the working group. @@ +5976,5 @@ > + case CKM_SHA_1: hash = HASH_AlgSHA1; break; > + case CKM_SHA256: hash = HASH_AlgSHA256; break; > + case CKM_SHA384: hash = HASH_AlgSHA384; break; > + case CKM_SHA512: hash = HASH_AlgSHA512; break; > + } You can use GetHashTypeFromMachanism() here, instead @@ +6017,5 @@ > + crv = sftk_forceAttribute(key,CKA_VERIFY, &cktrue,sizeof(CK_BBOOL)); > + if (crv != CKR_OK) break; > + crv = sftk_forceAttribute(key,CKA_DERIVE, &cktrue,sizeof(CK_BBOOL)); > + if (crv != CKR_OK) break; > + break; These should probably be set explicitly by the user's template, rather than setting everything to true implicitly. NSC_DeriveKey already does this. validateSecretKey will guarrentee that these values are set to something, if you want to override those default use sftk_defaultAttribute(). NOTE: validateSecretKey will not default CKA_KEY_TYPE, but will fail if it's not supplied, so defaulting it would have a different semantic than for other cases where keytype isn't implicitly set. (like other derive operations. My recommendation is just to remove these and set the desired attributes in the template. NOTE: In case it isn't clear this comment applies to everything from skft_forceAttribute(key, CKA_KEY_TYPE, ...) to sftk_forceAttribute(key, CKA_DERIVE, ...)
Attachment #8559282 -
Flags: review?(rrelyea) → review-
Comment 18•9 years ago
|
||
Eric, I'm OK with this as default as long as it can be easily reverted if we have to.
Updated•9 years ago
|
Assignee: nobody → ekr
Target Milestone: --- → 3.20
Assignee | ||
Comment 20•9 years ago
|
||
Wan-Teh's comments on the PKCS#11 mechanism follow below: wtc@google.com 5:18 PM (2 minutes ago) to ekr-webrtc, martin.thomson, rbarnes, reply Comments on patch set 4: the new PKCS #11 mechanism Please forward these comments to Richard Barnes and Bob Relyea. I took a closer look at the PKCS #11 mechanism. I describe my proposal below. If you like the proposal, we should also submit it to the PKCS #11 Working Group for review. I went for a less general design that's consistent with the current TLS master key derivation mechanisms. An alternative is to generalize and extend the CKM_TLS_KDF mechanism (recently added in PKCS #11 v2.40 for RFC 5705). That design would closer to what Richard designed. Eric: do we need to update RFC 5705 to use session_hash instead of SecurityParameters.client_random + SecurityParameters.server_random? https://codereview.appspot.com/248480044/diff/60001/lib/util/pkcs11n.h File lib/util/pkcs11n.h (right): https://codereview.appspot.com/248480044/diff/60001/lib/util/pkcs11n.h#newcode327 lib/util/pkcs11n.h:327: * For the TLS 1.2 PRF, the hashAlg parameter determines the hash function used. hashAlg => prfHashMechanism https://codereview.appspot.com/248480044/diff/60001/lib/util/pkcs11n.h#newcode333 lib/util/pkcs11n.h:333: CK_MECHANISM_TYPE prfMechanism; Please name this member "prfHashMechanism". https://codereview.appspot.com/248480044/diff/60001/lib/util/pkcs11n.h#newcode339 lib/util/pkcs11n.h:339: } CK_NSS_TLSPRFParams; The corresponding struct for TLS <= 1.2 master key derivation is: typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS { CK_SSL3_RANDOM_DATA RandomInfo; CK_VERSION_PTR pVersion; CK_MECHANISM_TYPE prfHashMechanism; } CK_TLS12_MASTER_KEY_DERIVE_PARAMS; The prfHashMechanism field was put at the end so that this struct can be viewed as an extension of the CK_SSL3_MASTER_KEY_DERIVE_PARAMS struct: typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS { CK_SSL3_RANDOM_DATA RandomInfo; CK_VERSION_PTR pVersion; } CK_SSL3_MASTER_KEY_DERIVE_PARAMS; That kind of struct layout compatibility is not useful here, so we can put the the prfHashMechanism field first. I suggest the following struct name and fields: typedef struct CK_NSS_TLS12_EXTENDED_MASTER_KEY_DERIVE_PARAMS { CK_MECHANISM_TYPE prfHashMechanism; CK_BYTE_PTR pSessionHash; CK_ULONG ulSessionHashLen; CK_VERSION_PTR pVersion; } CK_NSS_TLS12_EXTENDED_MASTER_KEY_DERIVE_PARAMS; Notes: 1. I omitted pLabel and ulLabelLen. The mechanisms should be hardcoded to use the "extended master secret" label. 2. I suggest we add two mechanisms: CKM_NSS_TLS12_EXTENDED_MASTER_KEY_DERIVE CKM_NSS_TLS12_EXTENDED_MASTER_KEY_DERIVE_DH 3. The mechanisms should verify ulSessionHashLen is consistent with the hash algorithm specified in prfHashMechanism. 4. Key derivation in TLS 1.3 looks very different, so I don't try to make these mechanisms work for TLS 1.3 as well. This means we can probably remove the "12" from the mechanism and struct names.
Assignee | ||
Comment 21•9 years ago
|
||
Wan-Teh, WRT RFC 5705, my understanding is that because the master_secret derives from the session hash, no update to RFC 5705's mechanisms is needed, but it would be wise to recommend using it with the session hash.
Comment 22•9 years ago
|
||
(In reply to Eric Rescorla (:ekr) from comment #21) > Wan-Teh, > > WRT RFC 5705, my understanding is that because the master_secret derives > from the session hash, no update to RFC 5705's mechanisms is needed, ... Ah, you're right. I'm sorry I missed that.
Flags: needinfo?(wtc)
Comment 23•9 years ago
|
||
This patch implements Wan-Teh's suggested structure, making a mechanism specific to the TLS extended master secret derivation, rather than a way to derive keys with arbitrary labels. (In reply to Robert Relyea from comment #17) > Comment on attachment 8559282 [details] [diff] [review] > bug-1117022.pkcs11.2.patch > > Review of attachment 8559282 [details] [diff] [review]: > ----------------------------------------------------------------- > > Three things I'd like to have fixed before check in. > > 1) since we didn't use one of the standard params, we should go ahead and > make our own mechanism. > 2) There's a already a function that maps mechanism to hashalg's for us. > 3) We shouldn't implicitly set these attributes. Normally PKCS #11 will get > these from the supplied template. > > ::: lib/softoken/pkcs11c.c > @@ +5923,5 @@ > > /* > > * generate the master secret > > */ > > + case CKM_TLS_PRF_GENERAL: > > + { > > Since we are creating our own parameters, we should probably create an NSS > specific mechanism for this. We should also propose this mechanism to the > PKCS #11 working group to get a real mechanism value for this. As above, I have implemented WTC's suggestion and added two mechanisms: * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH These follow the more narrow course of defining a derivation specific to the TLS extended master secret computation. If we were going to imagine proposing something to the PKCS#11 WG, I might consider doing it as a more general thing, in case we need to be able to derive with other labels in the future. But then again, it might be enough to just factor out the common parts of the derivation inside of softoken, i.e., use the same code to satisfy multiple mechanisms. That way the application isn't trusted to get the label right. > If you could put together a right up on how this is used and why as well as > why the existing 3.40 mechanisms don't quite match what you want, I can > bring that to the working group. There's obviously not a mechanism for extended master secret derivation in particular. I'm not seeing any general TLS PRF mechanism at all in the current PKCS#11 mechanisms spec (v2.40) -- not even CKM_TLS_PRF_GENERAL: http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html Maybe CKM_TLS_PRF_GENERAL is actually NSS specific? That's what Google searches tell me, anyway. The closest thing I see in v2.4 is CKM_WTLS_PRF (WTLS? whoa, blast from the past!). As far as I can tell from the only WTLS spec I could find, the WTLS PRF is the same as the TLS 1.2 PRF, so maybe this would be OK. See section 11.3.2 of this document: http://technical.openmobilealliance.org/tech/affiliates/wap/wap-261-wtls-20010406-a.pdf But there's still some issues. This mechanism lacks the version output that we need, and it has an output parameter that's not necessary for these applications. And honestly, referring to WTLS is kind of a downer. > @@ +5976,5 @@ > > + case CKM_SHA_1: hash = HASH_AlgSHA1; break; > > + case CKM_SHA256: hash = HASH_AlgSHA256; break; > > + case CKM_SHA384: hash = HASH_AlgSHA384; break; > > + case CKM_SHA512: hash = HASH_AlgSHA512; break; > > + } > > You can use GetHashTypeFromMachanism() here, instead Done. Also, in order to address WTC's comment about checking the length of the input session hash, I added a call to HASH_GetRawHashObject. > @@ +6017,5 @@ > > + crv = sftk_forceAttribute(key,CKA_VERIFY, &cktrue,sizeof(CK_BBOOL)); > > + if (crv != CKR_OK) break; > > + crv = sftk_forceAttribute(key,CKA_DERIVE, &cktrue,sizeof(CK_BBOOL)); > > + if (crv != CKR_OK) break; > > + break; > > These should probably be set explicitly by the user's template, rather than > setting everything to true implicitly. NSC_DeriveKey already does this. > validateSecretKey will guarrentee that these values are set to something, if > you want to override those default use sftk_defaultAttribute(). > > NOTE: validateSecretKey will not default CKA_KEY_TYPE, but will fail if it's > not supplied, so defaulting it would have a different semantic than for > other cases where keytype isn't implicitly set. (like other derive > operations. > > My recommendation is just to remove these and set the desired attributes in > the template. > > NOTE: In case it isn't clear this comment applies to everything from > skft_forceAttribute(key, CKA_KEY_TYPE, ...) to sftk_forceAttribute(key, > CKA_DERIVE, ...) Done.
Attachment #8559282 -
Attachment is obsolete: true
Attachment #8645873 -
Flags: review?(rrelyea)
Comment 24•9 years ago
|
||
(In reply to Richard Barnes [:rbarnes] from comment #23) > > (In reply to Robert Relyea from comment #17) > > Comment on attachment 8559282 [details] [diff] [review] > > bug-1117022.pkcs11.2.patch > > > > If you could put together a right up on how this is used and why as well as > > why the existing [2.40] mechanisms don't quite match what you want, I can > > bring that to the working group. > > There's obviously not a mechanism for extended master secret derivation in > particular. I'm not seeing any general TLS PRF mechanism at all in the > current PKCS#11 mechanisms spec (v2.40) -- not even CKM_TLS_PRF_GENERAL: > > http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html > > Maybe CKM_TLS_PRF_GENERAL is actually NSS specific? That's what Google > searches tell me, anyway. I can confirm both. None of the new TLS 1.2 mechanisms added in PKCS #11 v2.40 can be used for extended master secret derivation. Those mechanisms were all designed to be just general enough to produce the intended output, so that an attacker can't abuse the API to extract useful information about the base secret key (the pre-master secret or the master secret) or the TLS/SSL session keys. CKM_TLS_PRF_GENERAL is NSS specific.
Comment 25•9 years ago
|
||
Comment on attachment 8645873 [details] [diff] [review] bug-1117022.pkcs11.3.patch Review of attachment 8645873 [details] [diff] [review]: ----------------------------------------------------------------- Looks like you covered all my comments. r+
Attachment #8645873 -
Flags: review?(rrelyea) → review+
Comment 26•9 years ago
|
||
Comment on attachment 8645873 [details] [diff] [review] bug-1117022.pkcs11.3.patch Review of attachment 8645873 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/softoken/pkcs11c.c @@ +6150,5 @@ > + att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE); > + if ((att2 == NULL) || > + (*(CK_KEY_TYPE *)att2->attrib.pValue != CKK_GENERIC_SECRET)) { > + if (att2) sftk_FreeAttribute(att2); > + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; Please use an indentation level of four spaces in this file.
Comment 27•9 years ago
|
||
Comment on attachment 8645873 [details] [diff] [review] bug-1117022.pkcs11.3.patch Review of attachment 8645873 [details] [diff] [review]: ----------------------------------------------------------------- Richard: The new mechanisms also need to be added to a mechanism info table in lib/softoken/pkcs11.c, and possibly some other files in NSS. For an example, please see CKM_TLS_MASTER_KEY_DERIVE and CKM_TLS12_MASTER_KEY_DERIVE: http://mxr.mozilla.org/nss/ident?i=CKM_TLS_MASTER_KEY_DERIVE http://mxr.mozilla.org/nss/ident?i=CKM_TLS12_MASTER_KEY_DERIVE
Comment 28•9 years ago
|
||
Addressing final comments from wtc. EKR, could you verify that the min/max key sizes are good, and if so, land it?
Attachment #8645873 -
Attachment is obsolete: true
Attachment #8648915 -
Flags: review?(ekr)
Updated•9 years ago
|
Keywords: checkin-needed
Comment 29•9 years ago
|
||
This is a simple, self-contained test of consistency between the new NSS mechanism and a python implementation of the same. To run, adjust the include paths in the Makefile and run `make test`.
Comment 30•9 years ago
|
||
This patch addresses PKCS#11 plumbing issues that EKR discovered and provided fixes for. It passes the attached test case.
Attachment #8648915 -
Attachment is obsolete: true
Attachment #8648915 -
Flags: review?(ekr)
Comment 31•9 years ago
|
||
That test is fine, but what would be good is a test that we could actually land. Are you able to write a gtest for this? The framework is already in place.
Assignee | ||
Comment 32•9 years ago
|
||
Comment on attachment 8649072 [details] [diff] [review] bug-1117022.pkcs11.5.patch r=rrelyea Review of attachment 8649072 [details] [diff] [review]: ----------------------------------------------------------------- As MT says, please do add a gtest for this. ::: lib/pk11wrap/pk11mech.c @@ +379,5 @@ > case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256: > case CKM_TLS_KEY_AND_MAC_DERIVE: > case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: > + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: > + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: Are these really the only places you need to indicate this? What about lib/softoken/pkcs11c.c mechanismList?
Comment 33•9 years ago
|
||
Comment on attachment 8649072 [details] [diff] [review] bug-1117022.pkcs11.5.patch r=rrelyea Review of attachment 8649072 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/pk11wrap/pk11mech.c @@ +379,5 @@ > case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256: > case CKM_TLS_KEY_AND_MAC_DERIVE: > case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: > + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: > + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: The mechanism list is in pkcs11.c, and it appears to be included in this patch. The implementation is isn pkcs11c.c which is also in this patch. Since these are derive mechanisms, I don't think there's a lot of places to need to tweak in the pk11wrap. This patch doesn't have the ssl changes to use the call.
Comment 34•9 years ago
|
||
Fixing mt's nit from rietveld.
Attachment #8649072 -
Attachment is obsolete: true
Attachment #8650020 -
Flags: review+
Comment 35•9 years ago
|
||
Fixing a few spacing nits that :mt noticed.
Attachment #8650020 -
Attachment is obsolete: true
Attachment #8651755 -
Flags: review+
Assignee | ||
Comment 36•9 years ago
|
||
Richard's patch #1 landed at: https://hg.mozilla.org/projects/nss/rev/ad2c76bdd683
Assignee | ||
Comment 37•9 years ago
|
||
Unit tests landed at: https://hg.mozilla.org/projects/nss/rev/98b0d0acc455 Reviewed at: https://codereview.appspot.com/258340043/
Comment 38•9 years ago
|
||
Without this patch, compilation with -Werror enabled fails on Linux: gcc -o Linux3.13_x86_64_gcc_glibc_PTH_64_DBG.OBJ/pkcs11c.o -c -g -fPIC -DLINUX2_1 -m64 -Wall -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR -Werror -DXP_UNIX -DSHLIB_SUFFIX=\"so\" -DSHLIB_PREFIX=\"lib\" -DSOFTOKEN_LIB_NAME=\"libsoftokn3.so\" -DSHLIB_VERSION=\"3\" -DDEBUG -UNDEBUG -DDEBUG_wtc -D_REENTRANT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I../../../dist/Linux3.13_x86_64_gcc_glibc_PTH_64_DBG.OBJ/include -I../../../dist/public/nss -I../../../dist/private/nss pkcs11c.c pkcs11c.c: In function ‘NSC_DeriveKey’: pkcs11c.c:6145:19: error: variable ‘status’ set but not used [-Werror=unused-but-set-variable] SECStatus status; ^
Attachment #8652055 -
Flags: superreview?(rrelyea)
Attachment #8652055 -
Flags: review?(rlb)
Comment 39•9 years ago
|
||
Regrettably Visual C++ 2010 still doesn't allow C code to declare variables in the middle of a block. There are two such problems. For the second one, I found that the code before the variable declaration is a redundant PMS key length check, so I simply removed that. IMPORTANT: I also moved the PMS key length check earlier, to match the "classic" master secret derivation code. Please let me know if you deliberately put the PMS key length check there.
Attachment #8652066 -
Flags: superreview?(rrelyea)
Attachment #8652066 -
Flags: review?(rlb)
Comment 40•9 years ago
|
||
Comment on attachment 8652066 [details] [diff] [review] Declare variables at the beginning of a block. Fix comment typos. Move code around. Review of attachment 8652066 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/softoken/pkcs11c.c @@ -6146,5 @@ > SECItem pms = { siBuffer, NULL, 0 }; > SECItem seed = { siBuffer, NULL, 0 }; > SECItem master = { siBuffer, NULL, 0 }; > > - ems_params = (CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS*) pMechanism->pParameter; This line is longer than 80 characters.
Assignee | ||
Comment 41•9 years ago
|
||
Committed as: https://hg.mozilla.org/projects/nss/rev/b858337c4c1b Reviewed at: https://codereview.appspot.com/259430043/
Assignee | ||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 42•9 years ago
|
||
Comment on attachment 8652055 [details] [diff] [review] Fix a "variable set but not used" compiler warning Review of attachment 8652055 [details] [diff] [review]: ----------------------------------------------------------------- I'm checking in this patch to fix the Linux gcc 4.8 compilation failure because now -Werror is enabled for gcc 4.8. https://hg.mozilla.org/projects/nss/rev/3577e602bf78 ::: lib/softoken/pkcs11c.c @@ +6209,5 @@ > } > + if (status != SECSuccess) { > + crv = CKR_FUNCTION_FAILED; > + break; > + } I copied this |status| check from the code that handles "master secret" derivation. http://mxr.mozilla.org/nss/search?string=TLS_P_hash%28tlsPrfHash%2C%2B%26pms%2C%2B%22master%2Bsecret%22%2C
Attachment #8652055 -
Flags: checked-in+
Updated•9 years ago
|
Severity: normal → enhancement
Keywords: checkin-needed
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: 3.20 → 3.21
Comment 43•9 years ago
|
||
Comment on attachment 8652066 [details] [diff] [review] Declare variables at the beginning of a block. Fix comment typos. Move code around. Review of attachment 8652066 [details] [diff] [review]: ----------------------------------------------------------------- Martin: this patch also fixes related problems in addition to fixing the variable declaration.
Attachment #8652066 -
Flags: review?(martin.thomson)
Updated•9 years ago
|
Attachment #8652066 -
Flags: review?(martin.thomson) → review+
Comment 44•9 years ago
|
||
Comment on attachment 8652066 [details] [diff] [review] Declare variables at the beginning of a block. Fix comment typos. Move code around. https://hg.mozilla.org/projects/nss/rev/3796f6b6077b
Attachment #8652066 -
Flags: checked-in+
Comment 45•9 years ago
|
||
Comment on attachment 8652055 [details] [diff] [review] Fix a "variable set but not used" compiler warning Review of attachment 8652055 [details] [diff] [review]: ----------------------------------------------------------------- Martin: please see comment 42 for a description of this patch. Thanks.
Attachment #8652055 -
Flags: review?(martin.thomson)
Comment 46•9 years ago
|
||
Comment on attachment 8652055 [details] [diff] [review] Fix a "variable set but not used" compiler warning Review of attachment 8652055 [details] [diff] [review]: ----------------------------------------------------------------- I reviewed this previously, but since you had asked others, and checked it in, I figured that you were OK.
Attachment #8652055 -
Flags: review?(martin.thomson) → review+
Comment 47•9 years ago
|
||
This problem was introduced in https://hg.mozilla.org/projects/nss/rev/b858337c4c1b
Attachment #8654631 -
Flags: superreview?(martin.thomson)
Attachment #8654631 -
Flags: review?(ekr)
Assignee | ||
Comment 48•9 years ago
|
||
Comment on attachment 8654631 [details] [diff] [review] Declare variables at the beginning of a block in ssl3con.c Review of attachment 8654631 [details] [diff] [review]: ----------------------------------------------------------------- Thank you for catching this. LGTM.
Attachment #8654631 -
Flags: review?(ekr) → review+
Comment 49•9 years ago
|
||
Comment on attachment 8654631 [details] [diff] [review] Declare variables at the beginning of a block in ssl3con.c Review of attachment 8654631 [details] [diff] [review]: ----------------------------------------------------------------- Thank you for the quick review! It was Kai's buildbots that caught this :-) Patch checked in: https://hg.mozilla.org/projects/nss/rev/5fe63c0b9427
Attachment #8654631 -
Flags: checked-in+
Updated•9 years ago
|
Attachment #8654631 -
Flags: superreview?(martin.thomson) → superreview+
Comment 50•9 years ago
|
||
Comment on attachment 8652055 [details] [diff] [review] Fix a "variable set but not used" compiler warning Review of attachment 8652055 [details] [diff] [review]: ----------------------------------------------------------------- LGTM
Attachment #8652055 -
Flags: review?(rlb) → review+
Updated•9 years ago
|
Attachment #8652066 -
Flags: review?(rlb) → review+
You need to log in
before you can comment on or make changes to this bug.
Description
•