Closed
Bug 1559906
Opened 6 years ago
Closed 6 years ago
fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
Categories
(NSS :: Tools, defect, P1)
NSS
Tools
Tracking
(Not tracked)
RESOLVED
FIXED
3.45
People
(Reporter: ueno, Assigned: ueno)
Attachments (1 file)
patch, 3.62 KB, rrelyea: review+
The fipstest command currently only exercises CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256. It should switch to using the standard CKM_TLS12_MASTER_KEY_DERIVE mechanism.
Patch from Tomas Mraz.
Attachment #9072625 - Flags: review?(rrelyea)
Comment 1•6 years ago
Comment on attachment 9072625
nss-fipstest-tls12prf.patch
Review of attachment 9072625:
-----------------------------------------------------------------
Yes, this is a good fix. It also lets us CAVS test more than just SHA256.
::: cmd/fipstest/fipstest.c
@@ +6728,5 @@
> if (buf[7] == '0') {
> master_mech.mechanism = CKM_TLS_MASTER_KEY_DERIVE;
> key_block_mech.mechanism = CKM_TLS_KEY_AND_MAC_DERIVE;
> + master_mech.ulParameterLen = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
> + key_block_mech.ulParameterLen = sizeof(CK_SSL3_KEY_MAT_PARAMS);
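Review bot: The two added ulParameterLen assignments in the buf[7] == '0' branch use sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS) and sizeof(CK_SSL3_KEY_MAT_PARAMS), but nothing next to them says why the SSL3 sizes are the right ones for CKM_TLS_MASTER_KEY_DERIVE and CKM_TLS_KEY_AND_MAC_DERIVE. Since the length is now chosen per branch, please document the relationship between the parameter types at this spot, and check that the other branch, which this hunk does not show, sets both lengths explicitly as well, so that neither mechanism can run with a length left over from initialization.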
Perhaps a comment here that says: CK_SSL3_MASTER_KEY_DERIVE_PARAMS is a subset of CK_TLS12_MASTER_KEY_DERIVE_PARAMS and CK_SSL3_KEY_MAT_PARAMS is a subset of CK_TLS12_KEY_MAT_PARAMS. The latter params have an extra prfHashMechanism field at the end.
Not required for checking.
Attachment #9072625 - Flags: review?(rrelyea) → review+
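The subset relationship described in the review comment above, as an added example that is not part of the bug or of NSS. The structs are constructed mirrors of the PKCS #11 v2.40 definitions, and `select_master_mech` and `param_len_ok` are hypothetical helpers, the latter standing in for a token-side length check.

```c
/* Added example: constructed mirrors of the PKCS #11 v2.40 structs, not NSS headers. */
#include <stddef.h>
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
typedef struct { CK_BYTE major, minor; } CK_VERSION;
typedef struct {
    CK_BYTE *pClientRandom; CK_ULONG ulClientRandomLen;
    CK_BYTE *pServerRandom; CK_ULONG ulServerRandomLen;
} CK_SSL3_RANDOM_DATA;
typedef struct {
    CK_SSL3_RANDOM_DATA RandomInfo;
    CK_VERSION *pVersion;
} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
typedef struct {
    CK_SSL3_RANDOM_DATA RandomInfo;
    CK_VERSION *pVersion;
    CK_ULONG prfHashMechanism; /* the extra field at the end */
} CK_TLS12_MASTER_KEY_DERIVE_PARAMS;
typedef struct { CK_ULONG mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
#define CKM_SHA256 0x250UL
#define CKM_TLS_MASTER_KEY_DERIVE 0x375UL
#define CKM_TLS12_MASTER_KEY_DERIVE 0x3E0UL

/* Compile-time check: the first sizeof(SSL3 params) bytes of the TLS12 struct are the shared fields. */
_Static_assert(offsetof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) >=
               sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS), "SSL3 params are a prefix");

/* One TLS12-sized buffer serves both mechanisms; only the reported length differs. */
void select_master_mech(int is_tls12, CK_TLS12_MASTER_KEY_DERIVE_PARAMS *p, CK_MECHANISM *m)
{
    m->pParameter = p;
    if (is_tls12) {
        p->prfHashMechanism = CKM_SHA256;
        m->mechanism = CKM_TLS12_MASTER_KEY_DERIVE;
        m->ulParameterLen = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
    } else {
        m->mechanism = CKM_TLS_MASTER_KEY_DERIVE;
        m->ulParameterLen = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
    }
}

/* Hypothetical token-side check: the length must match the mechanism's own struct. */
int param_len_ok(const CK_MECHANISM *m)
{
    if (m->mechanism == CKM_TLS12_MASTER_KEY_DERIVE)
        return m->ulParameterLen == sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
    return m->mechanism == CKM_TLS_MASTER_KEY_DERIVE &&
           m->ulParameterLen == sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
}
```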
Updated•6 years ago
Assignee: nobody → dueno
Status: NEW → ASSIGNED
Priority: -- → P1
Comment 2•6 years ago
Pushed after adding the comment:
https://hg.mozilla.org/projects/nss/rev/6ef49fe67d6227a1d290da5537ec0dade379a15a
Thank you for the review!
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.45