Bug 229443

Summary: WebCrypto uses deprecated CCKeyDerivationHMac
Product: WebKit
Reporter: Kate Cheney <katherine_cheney>
Component: New Bugs
Assignee: Kate Cheney <katherine_cheney>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, eric.carlson, ews-watchlist, jiewen_tan, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Description    Flags
Patch          ews-feeder: commit-queue-
Patch          none
Patch          none

Description Kate Cheney 2021-08-24 08:06:59 PDT
WebCrypto uses deprecated CCKeyDerivationHMac
Comment 1 Kate Cheney 2021-08-24 08:08:53 PDT
Created attachment 436287
Patch
Comment 2 Kate Cheney 2021-08-24 08:09:26 PDT
rdar://48896021
Comment 3 Kate Cheney 2021-08-24 08:51:38 PDT
Created attachment 436291
Patch
Comment 4 Brent Fulgham 2021-08-24 11:21:04 PDT
Comment on attachment 436291
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=436291&action=review

r=me

> Source/WebCore/crypto/mac/CryptoUtilitiesCocoa.cpp:119
> +        return rv;

Does an unsuccessful call to CCKDFParametersCreateHkdf guarantee that the params are properly cleaned up?

> Source/WebCore/crypto/mac/CryptoUtilitiesCocoa.cpp:133
> +    if (keyDerivationHMAC(digestAlgorithm, key, keySize, info, infoSize, salt, saltSize, result.data(), result.size()))

Should this be a check for != kCCSuccess?
Comment 5 Kate Cheney 2021-08-24 11:39:25 PDT
(In reply to Brent Fulgham from comment #4)
> Comment on attachment 436291
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=436291&action=review
> 
> r=me
> 
> > Source/WebCore/crypto/mac/CryptoUtilitiesCocoa.cpp:119
> > +        return rv;
> 
> Does an unsuccessful call to CCKDFParametersCreateHkdf guarantee that the
> params are properly cleaned up?
> 

Yes, params are not set in CCKDFParametersCreateHkdf unless it is returning kCCSuccess.

> > Source/WebCore/crypto/mac/CryptoUtilitiesCocoa.cpp:133
> > +    if (keyDerivationHMAC(digestAlgorithm, key, keySize, info, infoSize, salt, saltSize, result.data(), result.size()))
> 
> Should this be a check for != kCCSuccess?

Yes, probably easier to read that way. I'll fix before landing.

Thanks for the review!
Comment 6 Kate Cheney 2021-08-24 11:46:08 PDT
Created attachment 436314
Patch
Comment 7 EWS 2021-08-25 06:50:12 PDT
Committed r281554 (240921@main): <https://commits.webkit.org/240921@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 436314.