51 lines
1.7 KiB
Diff
51 lines
1.7 KiB
Diff
diff --git a/dom/media/webrtc/transport/nricectx.cpp b/dom/media/webrtc/transport/nricectx.cpp
|
|
--- a/dom/media/webrtc/transport/nricectx.cpp
|
|
+++ b/dom/media/webrtc/transport/nricectx.cpp
|
|
@@ -124,23 +124,30 @@
|
|
static int nr_crypto_nss_hmac(UCHAR* key, size_t keyl, UCHAR* buf, size_t bufl,
|
|
UCHAR* result) {
|
|
CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC;
|
|
PK11SlotInfo* slot = nullptr;
|
|
MOZ_ASSERT(keyl > 0);
|
|
- SECItem keyi = {siBuffer, key, static_cast<unsigned int>(keyl)};
|
|
+ CK_KEY_DERIVATION_STRING_DATA idkey = {key, keyl};
|
|
+ SECItem keyi = {siBuffer, (unsigned char*)&idkey, sizeof(idkey)};
|
|
+ PK11SymKey* tmpKey = nullptr;
|
|
PK11SymKey* skey = nullptr;
|
|
PK11Context* hmac_ctx = nullptr;
|
|
SECStatus status;
|
|
unsigned int hmac_len;
|
|
SECItem param = {siBuffer, nullptr, 0};
|
|
int err = R_INTERNAL;
|
|
|
|
slot = PK11_GetInternalKeySlot();
|
|
if (!slot) goto abort;
|
|
|
|
- skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_SIGN, &keyi,
|
|
- nullptr);
|
|
+ // HMAC is used for hash calculation only so use derive instead of import
|
|
+ // to be FIPS compliant.
|
|
+ tmpKey = PK11_KeyGen(slot, mech, NULL, keyl, nullptr);
|
|
+ if (!tmpKey) goto abort;
|
|
+
|
|
+ skey = PK11_Derive(tmpKey, CKM_CONCATENATE_DATA_AND_BASE, &keyi, mech,
|
|
+ CKA_SIGN, keyl);
|
|
if (!skey) goto abort;
|
|
|
|
hmac_ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, skey, ¶m);
|
|
if (!hmac_ctx) goto abort;
|
|
|
|
@@ -157,10 +164,11 @@
|
|
|
|
err = 0;
|
|
|
|
abort:
|
|
if (hmac_ctx) PK11_DestroyContext(hmac_ctx, PR_TRUE);
|
|
+ if (tmpKey) PK11_FreeSymKey(tmpKey);
|
|
if (skey) PK11_FreeSymKey(skey);
|
|
if (slot) PK11_FreeSlot(slot);
|
|
|
|
return err;
|
|
}
|
|
|