Closed
Bug 349632
Opened 19 years ago
Closed 19 years ago
C_VerifyUpdate fails for hmac
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.3
People
(Reporter: glenbeasley, Assigned: glenbeasley)
Details
Attachments
(1 file, 2 obsolete files)
|
2.09 KB,
patch
|
glenbeasley
:
review+
rrelyea
:
superreview+
|
Details | Diff | Splinter Review |
See bug 342582 for test program pk11mode.c method PKM_Hmac
C_VerifyInit and C_Verify works, but
C_VerifyInit, C_VerifyUpdate, and C_VerifyFinal does not work.
|
||
Comment 1•19 years ago
|
||
Looking at the source code, I think it's actually the opposite:
it is C_Verify that fails for HMAC. If context->hashInfo is
not NULL, I think C_Verify needs to call context->hashUpdate
and context->end and then pass the output to context->verify.
I believe NSS only calls C_VerifyUpdate and C_VerifyFinal for
HMAC, so C_Verify has never been used with HMAC.
|
|
||
Comment 2•19 years ago
|
||
This should make NSC_Verify behave the same as
NSC_VerifyUpdate and NSC_VerifyFinal for HMAC.
Attachment #235019 -
Flags: review?(glen.beasley)
|
|
||
Comment 3•19 years ago
|
||
Comment on attachment 235019 [details] [diff] [review]
Support HMAC in NSC_Verify
I verified that this patch is necessary to make
C_Verify work with CKM_DSA_SHA1. I didn't have
the setup to test C_Verify with HMAC.
|
Assignee | |
Comment 4•19 years ago
|
||
Comment on attachment 235019 [details] [diff] [review]
Support HMAC in NSC_Verify
C_Verify still needs some
work, this patch did show
that sftk_HMACCmp also needs a fix.
sftk_HMACCmp(CK_ULONG *copyLen,unsigned char *sig,unsigned int sigLen,
unsigned char *hash, unsigned int hashLen)
{
- return PORT_Memcmp(sig,hash,*copyLen) ? SECSuccess : SECFailure ;
+ return (PORT_Memcmp(sig,hash,*copyLen) == 0) ? SECSuccess : SECFailure ;
}
Attachment #235019 -
Flags: review?(glen.beasley) → review-
|
|
Assignee | |
Comment 5•19 years ago
|
||
verified this patch works for both C_Verify and C_VerifyUpdate/C_VerifyFinal
for CKM_SHA_1_HMAC, CKM_SHA256_HMAC, CKM_SHA384_HMAC, and CKM_SHA512_HMAC.
Attachment #235019 -
Attachment is obsolete: true
Attachment #235052 -
Flags: review?(wtchang)
|
|
||
Comment 6•19 years ago
|
||
Comment on attachment 235052 [details] [diff] [review]
added to wan-teh fix
r=wtc. Good catch, Glen. I also verified that all
the other PORT_Memcmp calls in this file are correct.
Attachment #235052 -
Flags: superreview?(rrelyea)
Attachment #235052 -
Flags: review?(wtchang)
Attachment #235052 -
Flags: review+
|
||
Comment 7•19 years ago
|
||
Comment on attachment 235052 [details] [diff] [review]
added to wan-teh fix
r+, Because this is an improvement, but the patch is incomplete. Encrypted Mac will still fail.
Instead of context->hashInfo, we should check for context->multi and call
sftk_MACUpdate
Followed by
NSC_VerifyFinal
return the results of verify Final after cleaning up.
Attachment #235052 -
Flags: superreview?(rrelyea) → superreview+
|
|
Assignee | |
Comment 8•19 years ago
|
||
Today I check in the fix for sftk_HMACCmp only to 3_11 branch and the trunk. I will implement bob suggestion, and request another review for NSC_Verify.
/cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v <-- pkcs11c.c
new revision: 1.68.2.17; previous revision: 1.68.2.16
done
/cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v <-- pkcs11c.c
new revision: 1.87; previous revision: 1.86
done
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•19 years ago
|
Assignee: nobody → glen.beasley
Status: ASSIGNED → NEW
|
|
||
Comment 9•19 years ago
|
||
I implemented Bob's suggestion. I emulated how NSC_Sign
handles multi-part signing.
Bob, why don't we need to call sftk_FreeContext(context)
inside the if (context->multi) block?
Attachment #235052 -
Attachment is obsolete: true
Attachment #235309 -
Flags: superreview?(rrelyea)
Attachment #235309 -
Flags: review?(glen.beasley)
|
|
||
Comment 10•19 years ago
|
||
Comment on attachment 235309 [details] [diff] [review]
Implement Bob's suggestion
I forgot to mention that I tested this patch with both
CKM_DSA and CKM_DSA_SHA1.
|
|
Assignee | |
Comment 11•19 years ago
|
||
Comment on attachment 235309 [details] [diff] [review]
Implement Bob's suggestion
tested successfully.
Attachment #235309 -
Flags: review?(glen.beasley) → review+
|
|
||
Comment 12•19 years ago
|
||
Comment on attachment 235309 [details] [diff] [review]
Implement Bob's suggestion
r= relyea
Answer to why you need to free the sesssion: Because you are holding a reference to it.
(see comment on sft_GetContext()).
Attachment #235309 -
Flags: superreview?(rrelyea) → superreview+
|
|
||
Comment 13•19 years ago
|
||
Comment on attachment 235309 [details] [diff] [review]
Implement Bob's suggestion
r= relyea
Answer to why you need to free the sesssion: Because you are holding a reference to it.
(see comment on sft_GetContext()).
|
|
||
Comment 14•19 years ago
|
||
I checked in the patch on the NSS trunk (3.12) and the
NSS_3_11_BRANCH (3.11.3).
Checking in pkcs11c.c;
/cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v <-- pkcs11c.c
new revision: 1.88; previous revision: 1.87
done
Checking in pkcs11c.c;
/cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v <-- pkcs11c.c
new revision: 1.68.2.18; previous revision: 1.68.2.17
Status: NEW → RESOLVED
Closed: 19 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → 3.11.3
Version: trunk → 3.11
You need to log in
before you can comment on or make changes to this bug.
Description
•