Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release/9.0-staging] Fix shimmed implementation of TryGetHashAndReset to handle HMAC. #112015

Merged
merged 3 commits into from
Feb 6, 2025
Merged

[release/9.0-staging] Fix shimmed implementation of TryGetHashAndReset to handle HMAC. #112015

merged 3 commits into from
Feb 6, 2025

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Jan 30, 2025
edited by vcsjones
Loading

Backport of #111929 to release/9.0-staging

/cc @vcsjones

Customer Impact

  • Customer reported
  • Found internally

Reported by a customer in https://stackoverflow.com/questions/79392501/whats-so-dangerous-about-pkcs12loaderlimits-dangerousnolimits (tracked at #111926). Customers that use X509CertificateLoader.LoadPkcs12 from the Microsoft.Bcl.Cryptography package will be unable to use it with the default limits if the platform selects netstandard2.0 assets, and will receive a CryptographicException. This may occur for platforms such as UWP.

This occurred because the validator incorrectly handled the name of HMAC algorithms.

Regression

  • Yes
  • No

Testing

The fix was manually verified by building the changes locally and observing that the exception no long occurred.

Risk

Low. The code that was identified as problematic was removed, as it was determined that checking the algorithm names in that location was not needed.

@vcsjones
Fix shimmed implementation of TryGetHashAndReset to handle HMAC.
6e6f8d0 
The TryGetHashAndReset in switches on the algorithm name of IncrementalHash. IncrementalHash prepends "HMAC" in front of the algorithm name, so the shim did not correctly handle the HMAC-prepended algorithm names.
@vcsjones
Simplify TryGetHashAndReset in NetStandardShims
c4af28a
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@vcsjones vcsjones requested a review from bartonjs January 30, 2025 23:05
This was referenced Jan 31, 2025
Open
Open
@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Feb 4, 2025
@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Feb 4, 2025
@rbhanda rbhanda added this to the 9.0.3 milestone Feb 4, 2025
@bartonjs
Copy link
Member

bartonjs commented Feb 6, 2025

/ba-g The modified code is not reachable on the leg that timed out.

@bartonjs bartonjs merged commit e50cf90 into release/9.0-staging Feb 6, 2025
88 of 92 checks passed
@bartonjs bartonjs deleted the backport/pr-111929-to-release/9.0-staging branch February 6, 2025 21:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bartonjs bartonjs bartonjs approved these changes

Assignees
No one assigned
Labels
area-System.Security Servicing-approved Approved for servicing release
Projects
None yet
Milestone
9.0.3
Development

Successfully merging this pull request may close these issues.
4 participants
@bartonjs @rbhanda @vcsjones @lewing