Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are swapped
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
People
(Reporter: alexander.m.scheel, Assigned: alexander.m.scheel)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Steps to reproduce:
I messed up (again).
Attempted to use new AES-CMAC code via PKCS#11 with nCipher HSM.
Actual results:
Failed -- token reported CKM_AES_CMAC wasn't supported.
This is because I swapped the value of CKM_AES_CMAC from what is in the spec:
/* AES-CMAC values copied from v2.40 errata 1 header file */
#define CKM_AES_CMAC_GENERAL 0x0000108A
#define CKM_AES_CMAC 0x0000108B
What PKCS#11's spec actually says:
published/2-40-errata-1/pkcs11t.h:#define CKM_AES_CMAC 0x0000108AUL
published/2-40-errata-1/pkcs11t.h:#define CKM_AES_CMAC_GENERAL 0x0000108BUL
working/3-00-current/pkcs11t.h:#define CKM_AES_CMAC 0x0000108AUL
working/3-00-current/pkcs11t.h:#define CKM_AES_CMAC_GENERAL 0x0000108BUL
working/3-00-wd-01/pkcs11t.h:#define CKM_AES_CMAC 0x0000108AUL
working/3-00-wd-01/pkcs11t.h:#define CKM_AES_CMAC_GENERAL 0x0000108BUL
This was introduced in the following revision and shipped in v3.48 onwards:
changeset: 15284:cf0df88aa807
user: Alexander Scheel <ascheel@redhat.com>
date: Fri Aug 30 12:16:11 2019 +1000
summary: Bug 1570501 - Expose AES-CMAC in PKCS #11 API, r=mt
Expected results:
CKM_AES_CMAC should've been supported and understood by the HSM
This is because of a bug I made when introducing this code. What's the procedure for fixing this? Will I need to add fallback detection for when CKM_AES_CMAC_GENERAL is utilized (with a parameter spec) but the value CKM_AES_CMAC is used?
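Added example, not part of the bug report or of the NSS code: one way to implement the fallback detection asked about above, by checking whether the mechanism value agrees with the shape of its parameter. The names demo_mechanism, cmac_verdict and classify_cmac are hypothetical, and the struct is a simplified stand-in for CK_MECHANISM. It assumes CKM_AES_CMAC takes no parameter and CKM_AES_CMAC_GENERAL takes a CK_ULONG MAC length.

```c
#include <stddef.h>
#include <stdio.h>

/* Values from the PKCS #11 v2.40 errata 1 pkcs11t.h, as quoted in the report. */
#define SPEC_CKM_AES_CMAC         0x0000108AUL
#define SPEC_CKM_AES_CMAC_GENERAL 0x0000108BUL

/* Simplified stand-in for CK_MECHANISM; not the real pkcs11t.h definition. */
typedef struct {
    unsigned long mechanism;
    const void *pParameter;
    unsigned long ulParameterLen;
} demo_mechanism;

typedef enum {
    CMAC_NOT_CMAC,        /* some other mechanism value */
    CMAC_OK,              /* 0x108A, no parameter: matches the spec */
    CMAC_GENERAL_OK,      /* 0x108B, MAC length parameter: matches the spec */
    CMAC_SWAPPED_GENERAL, /* 0x108A with a length: caller built with swapped header */
    CMAC_SWAPPED_PLAIN,   /* 0x108B without a parameter: same swap, plain CMAC */
    CMAC_MALFORMED        /* CMAC value, but parameter fits neither mechanism */
} cmac_verdict;

/* Hypothetical helper: classify a request by mechanism value and parameter shape. */
static cmac_verdict classify_cmac(const demo_mechanism *m)
{
    int is_plain = (m->mechanism == SPEC_CKM_AES_CMAC);
    int is_general = (m->mechanism == SPEC_CKM_AES_CMAC_GENERAL);
    /* CK_MAC_GENERAL_PARAMS is a CK_ULONG holding the requested MAC length. */
    int has_len = (m->pParameter != NULL &&
                   m->ulParameterLen == sizeof(unsigned long));
    int no_param = (m->pParameter == NULL && m->ulParameterLen == 0);

    if (!is_plain && !is_general) return CMAC_NOT_CMAC;
    if (no_param) return is_plain ? CMAC_OK : CMAC_SWAPPED_PLAIN;
    if (has_len) return is_general ? CMAC_GENERAL_OK : CMAC_SWAPPED_GENERAL;
    return CMAC_MALFORMED;
}

int main(void)
{
    unsigned long mac_len = 8; /* constructed sample: 8-byte truncated MAC */
    demo_mechanism req = { SPEC_CKM_AES_CMAC, &mac_len, sizeof mac_len };
    printf("verdict=%d\n", (int)classify_cmac(&req));
    return 0;
}
```

A caller built against the affected header sends 0x108A together with a length parameter, which is the CMAC_SWAPPED_GENERAL case.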
Comment 1•3 years ago
Comment 2•3 years ago
I swore that I checked this, but I guess that I was fooled by the ordering. r+ (though I'll let Bob double-check this time)
Comment 3•3 years ago
https://hg.mozilla.org/projects/nss/rev/df142975f4f695f84a662abdd27219c21c87c8d1
Martin, I was fooled by the same thing.