Skip to content

[release/9.0-staging] Fix shimmed implementation of TryGetHashAndReset to handle HMAC.#112015

Merged
bartonjs merged 3 commits intorelease/9.0-stagingfrom
backport/pr-111929-to-release/9.0-staging
Feb 6, 2025
Merged

[release/9.0-staging] Fix shimmed implementation of TryGetHashAndReset to handle HMAC.#112015
bartonjs merged 3 commits intorelease/9.0-stagingfrom
backport/pr-111929-to-release/9.0-staging

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Jan 30, 2025
edited by vcsjones
Loading

Backport of #111929 to release/9.0-staging

/cc @vcsjones

Customer Impact

  • Customer reported
  • Found internally

Reported by a customer in https://stackoverflow.com/questions/79392501/whats-so-dangerous-about-pkcs12loaderlimits-dangerousnolimits (tracked at #111926). Customers that use X509CertificateLoader.LoadPkcs12 from the Microsoft.Bcl.Cryptography package will be unable to use it with the default limits if the platform selects netstandard2.0 assets, and will receive a CryptographicException. This may occur for platforms such as UWP.

This occurred because the validator incorrectly handled the name of HMAC algorithms.

Regression

  • Yes
  • No

Testing

The fix was manually verified by building the changes locally and observing that the exception no long occurred.

Risk

Low. The code that was identified as problematic was removed, as it was determined that checking the algorithm names in that location was not needed.

@vcsjones
Fix shimmed implementation of TryGetHashAndReset to handle HMAC.
6e6f8d0 
The TryGetHashAndReset in switches on the algorithm name of IncrementalHash. IncrementalHash prepends "HMAC" in front of the algorithm name, so the shim did not correctly handle the HMAC-prepended algorithm names.
@vcsjones
Simplify TryGetHashAndReset in NetStandardShims
c4af28a
@ghost ghost added the area-System.Security label Jan 30, 2025
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 30, 2025

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@vcsjones vcsjones requested a review from bartonjs January 30, 2025 23:05
This was referenced Jan 31, 2025
Open
Open
@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Feb 4, 2025
@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Feb 4, 2025
@rbhanda rbhanda added this to the 9.0.3 milestone Feb 4, 2025
@bartonjs
Copy link
Member

bartonjs commented Feb 6, 2025

/ba-g The modified code is not reachable on the leg that timed out.

@bartonjs bartonjs merged commit e50cf90 into release/9.0-staging Feb 6, 2025
88 of 92 checks passed
@bartonjs bartonjs deleted the backport/pr-111929-to-release/9.0-staging branch February 6, 2025 21:53
@github-actions github-actions bot locked and limited conversation to collaborators Mar 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@bartonjs bartonjs bartonjs approved these changes

Assignees

No one assigned

Labels

area-System.Security Servicing-approved Approved for servicing release

Projects

None yet

Milestone

9.0.3

Development

Successfully merging this pull request may close these issues.

4 participants

@bartonjs @rbhanda @vcsjones @lewing