Incorrect hash comparison

[lampeh]

In my tests, the hasher repeats the first byte after the hash and prevents successful comparison to the TLSA value:

extval: checking tlsa record: 66749697B26211E9AB46AC498D7FF023A882CE988A608994DA8EBE0872A196A3666666666666 / 66749697B26211E9AB46AC498D7FF023A882CE988A608994DA8EBE0872A196A3

Cutting the hash to the appropriate length restores validation:

extval: checking tlsa record: 66749697B26211E9AB46AC498D7FF023A882CE988A608994DA8EBE0872A196A3 / 66749697B26211E9AB46AC498D7FF023A882CE988A608994DA8EBE0872A196A3 extval: dns_trusted = true extval: Changing state to: certDNSSEC(www.hauke-lampe.de)

This patch works for me:

--- Extended-DNSSEC-Validator/add-on/content/Extval.CertTools.js.orig +++ Extended-DNSSEC-Validator/add-on/content/Extval.CertTools.js @@ -125,11 +125,14 @@ check_cert: function(cert, tlsa_record) { var ihash = Components.interfaces.nsICryptoHash; var hasher = Components.classes["@mozilla.org/security/hash;1"].createInstance(ihash);

• var hashlen = 0; if (tlsa_record[2] == 1) { hasher.init(ihash.SHA256);
• hashlen = 64; } else if (tlsa_record[2] == 2) { hasher.init(ihash.SHA512);
• hashlen = 128; } else { //0 type (exact content) not supported yet @@ -141,7 +144,7 @@ hasher.update(der, len.value); var binHash = hasher.finish(false); // convert the binary hash data to a hex string.
• var s = [this.charcodeToHexString(binHash.charCodeAt(i)) for (i in binHash)].join("").toUpperCase();
• var s = [this.charcodeToHexString(binHash.charCodeAt(i)) for (i in binHash)].join("").toUpperCase().substring(0,hashlen); org.os3sec.Extval.Extension.logMsg("checking tlsa record: " + s + " / " + tlsa_record[3]); return s == tlsa_record[3]; },

[dannygroenewegen]

Thanks! Applied this fix in 0.6