12bf5d4796505b4c20680531da96a31e6c2c1144Evan Hunt"pkcs11-hmacmd5" is here to check for the presence of a known bug in

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Huntthe Thales nCipher PKCS#11 provider library. To test for the bug, use

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Huntpkcs11-hmacmd5 to hash a test vector from RFC 2104, and determine

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Huntwhether the resulting digest is is correct. For instance:

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Hunt

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Hunt echo -n "Hi There" | \

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Hunt ./pkcs11-hmacmd5 -p <PIN> -k '0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b'

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Hunt

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Hunt...must return "9294727a3638bb1c13f48ef8158bfc9d".

12bf5d4796505b4c20680531da96a31e6c2c1144Evan Hunt

12bf5d4796505b4c20680531da96a31e6c2c1144Evan HuntIf any other value is returned, then the provider library is buggy,

c40906dfad6dd6e3a3e3c94b8c8847bc9bc064e5Mark Andrewsand theflag PK11_MD5_HMAC_REPLACE must be defined in

12bf5d4796505b4c20680531da96a31e6c2c1144Evan HuntHowever, if the correct value is returned, then it is safe to turn

c40906dfad6dd6e3a3e3c94b8c8847bc9bc064e5Mark Andrewsoff PK11_MD5_HMAC_REPLACE. (It is on by default.)