Paul Wouters paul at nohats.ca
Fri Jul 24 16:53:09 EEST 2015

On Fri, 24 Jul 2015, D. Hugh Redelmeier wrote:

> | From: Andrew Cagney <andrew.cagney at gmail.com>
> |
> | Did you consider deleting most of the macros (and instead in-lining
> | the values used to constructing 'struct hash_desc' entries)?
> | It would help take away some of the temptation to use those macros
> | when code should be using 'struct hash_desc' fields.
> I thought about it but I wasn't bold enough.  I actually think that
> this would be an improvement.  So I've done it.
> This required dealing with a case I don't really understand: sizing
> the ckaid array in struct RSA_private_key.  It has to be large enough
> to take the result of PK11_GetLowLevelKeyIDForCert.  I don't know of
> documentation that would tell me what that size should be.  So I
> hardwired 64, replacing HMAC_RFC2104_BLOCKSIZE (which isn't obviously
> correct).  Do you know what the bound should be?

the NATD MD5 and SHA1 payloads should be done with direct NSS calls and
NOT depend on the registration interface we have, because of FIPS
restrictions. Since the NATD payloads are not related to authentication
or encryption this use is allowed even in FIPS mode (and required for us
to create the NATD payload)


More information about the Swan-dev mailing list