diff --git a/gtests/freebl_gtest/rsa_unittest.cc b/gtests/freebl_gtest/rsa_unittest.cc index cac685c7ec..a896a38d46 100644 --- a/gtests/freebl_gtest/rsa_unittest.cc +++ b/gtests/freebl_gtest/rsa_unittest.cc @@ -77,18 +77,18 @@ TEST_F(RSATest, DecryptBlockTestErrors) { EXPECT_EQ(SECFailure, rv); uint8_t in[256] = {0}; - // This should fail because the padding checks will fail. - // however, Bleichenbacher preventions means that failure would be - // a different output. + // This should fail because the padding checks will fail, + // however, mitigations for Bleichenbacher attacks transform failures + // to a different output. rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen, in, sizeof(in)); EXPECT_EQ(SECSuccess, rv); // outputLen should <= 256-11=245. EXPECT_LE(outputLen, 245u); - // This should fail because the padding checks will fail. - // however, Bleichenbacher preventions means that failure would be - // a different output. + // This should fail because the padding checks will fail, + // however, mitigations for Bleichenbacher attacks transform failures + // to a different output. uint8_t out_long[260] = {0}; maxOutputLen = sizeof(out_long); rv = RSA_DecryptBlock(key.get(), out_long, &outputLen, maxOutputLen, in, diff --git a/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc b/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc index 2e80e6a384..82f3f9fb89 100644 --- a/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc +++ b/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc 
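Review bot: Both rewritten comments in the rsa_unittest.cc hunk still open with "This should fail", while the first sits directly above `EXPECT_EQ(SECSuccess, rv);`, so the comment and the assertion read as contradicting each other. Wording that names the expected result would be clearer, for example `// The padding check fails for this input, but RSA_DecryptBlock still returns SECSuccess: the Bleichenbacher mitigation substitutes a generated output.` The second comment needs the same rewording; its call runs past the end of the hunk, so the assertion it pairs with is not visible here. If the substituted output is derived only from the key and the input, as the rsapkcs.c comment in this commit states, the test could also decrypt the same input twice and compare both `outputLen` and the bytes, which would pin that property.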
@@ -166,14 +166,14 @@ TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwrap) { // This assumes CKM_RSA_PKCS and doesn't understand OAEP. // CKM_RSA_PKCS cannot safely return errors, however, as it can lead - // to Blecheinbaucher-like attacks. To solve this there's a new definition + // to Bleichenbacher-like attacks. To solve this there's a new definition // that generates fake key material based on the message and private key. // This returned key material will not be the key we were expecting, so // make sure that's the case: p_unwrapped_tmp = PK11_PubUnwrapSymKey(priv.get(), wrapped.get(), CKM_AES_CBC, CKA_DECRYPT, 16); - // as long as the wrapped data is legal RSA length of the key - // (which is should be), then CKM_RSA_PKCS should not fail. + // As long as the wrapped data is the same length as the key + // (which it should be), then CKM_RSA_PKCS should not fail. ASSERT_NE(p_unwrapped_tmp, nullptr); ScopedPK11SymKey fakeUnwrapped; fakeUnwrapped.reset(p_unwrapped_tmp); diff --git a/lib/freebl/alghmac.c b/lib/freebl/alghmac.c index e879a2a47a..58bbaa9ec8 100644 --- a/lib/freebl/alghmac.c +++ b/lib/freebl/alghmac.c @@ -37,12 +37,10 @@ HMAC_Destroy(HMACContext *cx, PRBool freeit) PORT_Free(cx); } -/* just setup the hmac key */ static SECStatus hmac_initKey(HMACContext *cx, const unsigned char *secret, unsigned int secret_len, PRBool isFIPS) { - unsigned int i; unsigned char hashed_secret[HASH_LENGTH_MAX]; diff --git a/lib/freebl/rsapkcs.c b/lib/freebl/rsapkcs.c index 58ff6eca57..0bf1f97cb1 100644 --- a/lib/freebl/rsapkcs.c +++ b/lib/freebl/rsapkcs.c @@ -1035,7 +1035,7 @@ rsa_HMACPrf(HMACContext *hmac, const char *label, int labelLen, return rv; } -/* This function takes an input number and +/* This function takes a 16-bit input number and * creates the smallest mask which covers * the whole number. Examples: * 0x81 -> 0xff 
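Review bot: In the pk11_rsaoaep_unittest.cc hunk, the reworded comment `As long as the wrapped data is the same length as the key` leaves "the key" ambiguous. The call above it unwraps a 16-byte symmetric key with an RSA private key, so a reader cannot tell which of the two is meant. The old wording ("legal RSA length of the key") suggests the RSA modulus length, so something like `// As long as the wrapped data is the same length as the RSA modulus (which it should be), CKM_RSA_PKCS should not fail.` would remove the doubt. Please confirm that is the intended condition before adopting it.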
@@ -1082,8 +1082,9 @@ rsa_GetErrorLength(HMACContext *hmac, int hashLen, int maxLegalLen) /* * This function can only fail in environmental cases: Programming errors * and out of memory situations. It can't fail if the keys are valid and - * the inputs are the proper size. If the actual RSA decryption fails, then - * and generated return value is returned based on the key and input. + * the inputs are the proper size. If the actual RSA decryption fails, a + * fake value and a fake length, both of which have already been generated + * based on the key and input, are returned. * Applications are expected to detect decryption failures based on the fact * that the decrypted value (usually a key) doesn't validate. The prevents * Blecheinbaucher style attacks against the key. */ @@ -1184,7 +1185,7 @@ RSA_DecryptBlock(RSAPrivateKey *key, ep = errorBuffer + modulusLen - outLen; /* at this point, outLen returns no information about decryption failures, - * no need to hide it's value. maxOutputLen is how much data the + * no need to hide its value. maxOutputLen is how much data the * application is expecting, which is also not sensitive. */ if (outLen > maxOutputLen) { outLen = maxOutputLen;
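Review bot: The comment rewritten in the `@@ -1082` hunk still ends with `The prevents Blecheinbaucher style attacks against the key.`, which keeps both a grammar slip and the misspelling this same commit corrects in pk11_rsaoaep_unittest.cc. I would change it to `This prevents Bleichenbacher-style attacks against the key.` Since this comment is the contract callers read, it could also say that the returned length is generated too and must not be used as a success signal. Callers should likewise keep their own validation of the decrypted value from giving a peer a distinguishable error or timing difference, otherwise the oracle this mitigation removes can reappear one layer up. The function body is outside the hunk, so that addition is based on the comment text alone.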