diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-12-15 01:42:53 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-12-15 01:42:53 +0100 |
commit | 74cabf7948b2597f5b6a67d6910c844fd1a88ff6 (patch) | |
tree | db1f30ada487c3831ea8e4e98b2d39edc9e88eea /security/nss/gtests/pk11_gtest | |
parent | 09ef48bd005a7f9e97a3fe797a079fcf2b5e58d3 (diff) | |
download | uxp-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.gz |
Update NSS to 3.41
Diffstat (limited to 'security/nss/gtests/pk11_gtest')
15 files changed, 204 insertions, 12 deletions
diff --git a/security/nss/gtests/pk11_gtest/manifest.mn b/security/nss/gtests/pk11_gtest/manifest.mn index a3dff9d100..ea7b43a2b0 100644 --- a/security/nss/gtests/pk11_gtest/manifest.mn +++ b/security/nss/gtests/pk11_gtest/manifest.mn @@ -16,6 +16,7 @@ CPPSRCS = \ pk11_pbkdf2_unittest.cc \ pk11_prf_unittest.cc \ pk11_prng_unittest.cc \ + pk11_rsapkcs1_unittest.cc \ pk11_rsapss_unittest.cc \ pk11_der_private_key_import_unittest.cc \ $(NULL) diff --git a/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc index a4e8bedba1..4072cf2b72 100644 --- a/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc @@ -10,7 +10,7 @@ #include "secerr.h" #include "sechash.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" #include "gcm-vectors.h" #include "gtest/gtest.h" diff --git a/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc index a0226e6dfd..4d4250a5e9 100644 --- a/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc @@ -9,7 +9,7 @@ #include "pk11pub.h" #include "gtest/gtest.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" namespace nss_test { @@ -129,4 +129,4 @@ TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest6) { WrapUnwrap(kKEK3, sizeof(kKEK3), kKD6, sizeof(kKD6), kC6); } -} /* nss_test */
\ No newline at end of file +} /* nss_test */ diff --git a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc index dac2a41ba8..07bc91ee69 100644 --- a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc @@ -10,7 +10,7 @@ #include "sechash.h" #include "cpputil.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" #include "gtest/gtest.h" diff --git a/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc new file mode 100644 index 0000000000..38982fd885 --- /dev/null +++ b/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc @@ -0,0 +1,80 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this file, +// You can obtain one at http://mozilla.org/MPL/2.0/. + +#include "gtest/gtest.h" + +#include <assert.h> +#include <limits.h> +#include <prinit.h> +#include <nss.h> +#include <pk11pub.h> + +static const size_t kKeyLen = 128 / 8; + +namespace nss_test { + +// +// The ciper tests using the bltest command cover a great deal of testing. +// However, Bug 1489691 revealed a corner case which is covered here. +// This test will make multiple calls to PK11_CipherOp using the same +// cipher context with data that is not cipher block aligned. +// + +static SECStatus GetBytes(PK11Context* ctx, uint8_t* bytes, size_t len) { + std::vector<uint8_t> in(len, 0); + + int outlen; + SECStatus rv = PK11_CipherOp(ctx, bytes, &outlen, len, &in[0], len); + if (static_cast<size_t>(outlen) != len) { + return SECFailure; + } + return rv; +} + +TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) { + PK11SlotInfo* slot; + PK11SymKey* key; + PK11Context* ctx; + + NSSInitContext* globalctx = + NSS_InitContext("", "", "", "", NULL, + NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | + NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT); + + const CK_MECHANISM_TYPE cipher = CKM_AES_CTR; + + slot = PK11_GetInternalSlot(); + ASSERT_TRUE(slot); + + // Use arbitrary bytes for the AES key + uint8_t key_bytes[kKeyLen]; + for (size_t i = 0; i < kKeyLen; i++) { + key_bytes[i] = i; + } + + SECItem keyItem = {siBuffer, key_bytes, kKeyLen}; + + // The IV can be all zeros since we only encrypt once with + // each AES key. + CK_AES_CTR_PARAMS param = {128, {}}; + SECItem paramItem = {siBuffer, reinterpret_cast<unsigned char*>(¶m), + sizeof(CK_AES_CTR_PARAMS)}; + + key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT, + &keyItem, NULL); + ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, ¶mItem); + ASSERT_TRUE(key); + ASSERT_TRUE(ctx); + + uint8_t outbuf[128]; + ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECSuccess); + ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess); + + PK11_FreeSymKey(key); + PK11_FreeSlot(slot); + PK11_DestroyContext(ctx, PR_TRUE); + NSS_ShutdownContext(globalctx); +} + +} // namespace nss_test diff --git a/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc index 40b5362073..009c44fce8 100644 --- a/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc @@ -7,7 +7,7 @@ #include "pk11pub.h" #include "cpputil.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" #include "gtest/gtest.h" diff --git a/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc index 836cc78765..88c2833170 100644 --- a/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc @@ -11,7 +11,7 @@ #include "secutil.h" #include "gtest/gtest.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" namespace nss_test { diff --git a/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc index fb06598525..e905f78350 100644 --- a/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc @@ -8,7 +8,7 @@ #include "sechash.h" #include "gtest/gtest.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" #include "pk11_ecdsa_vectors.h" #include "pk11_signature_test.h" diff --git a/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc index aa92756f26..f4accac023 100644 --- a/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc @@ -8,7 +8,7 @@ #include "prerror.h" #include "nss.h" #include "gtest/gtest.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" #include "cpputil.h" #include "databuffer.h" #include "util.h" diff --git a/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc index e5d5ae8e99..bfd65b952e 100644 --- a/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc @@ -9,7 +9,7 @@ #include "pk11pub.h" #include "gtest/gtest.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" namespace nss_test { diff --git a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp index 076b4d37ff..c73139b05a 100644 --- a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp +++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp @@ -14,12 +14,14 @@ 'pk11_aeskeywrap_unittest.cc', 'pk11_aes_gcm_unittest.cc', 'pk11_chacha20poly1305_unittest.cc', + 'pk11_cipherop_unittest.cc', 'pk11_curve25519_unittest.cc', 'pk11_ecdsa_unittest.cc', 'pk11_encrypt_derive_unittest.cc', 'pk11_pbkdf2_unittest.cc', 'pk11_prf_unittest.cc', 'pk11_prng_unittest.cc', + 'pk11_rsapkcs1_unittest.cc', 'pk11_rsapss_unittest.cc', 'pk11_der_private_key_import_unittest.cc', '<(DEPTH)/gtests/common/gtests.cc' diff --git a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc index d72f94c2cb..fc055f4009 100644 --- a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc @@ -9,7 +9,7 @@ #include "pk11pub.h" #include "gtest/gtest.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" namespace nss_test { diff --git a/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc new file mode 100644 index 0000000000..044d4e25e8 --- /dev/null +++ b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc @@ -0,0 +1,109 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include <stdint.h> +#include "cryptohi.h" +#include "nss.h" +#include "pk11pub.h" + +#include "gtest/gtest.h" +#include "nss_scoped_ptrs.h" +#include "cpputil.h" + +namespace nss_test { + +// Test that the RSASSA-PKCS1-v1_5 implementation enforces the missing NULL +// parameter. +TEST(RsaPkcs1Test, RequireNullParameter) { + // kSpki is an RSA public key in an X.509 SubjectPublicKeyInfo. + const uint8_t kSpki[] = { + 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, + 0x89, 0x02, 0x81, 0x81, 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, + 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, + 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, + 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, + 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, + 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, + 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, + 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, + 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, + 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, + 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, + 0x07, 0x02, 0x03, 0x01, 0x00, 0x01, + }; + // kHash is the SHA-256 hash of {1,2,3,4}. + const uint8_t kHash[] = { + 0x9f, 0x64, 0xa7, 0x47, 0xe1, 0xb9, 0x7f, 0x13, 0x1f, 0xab, 0xb6, + 0xb4, 0x47, 0x29, 0x6c, 0x9b, 0x6f, 0x02, 0x01, 0xe7, 0x9f, 0xb3, + 0xc5, 0x35, 0x6e, 0x6c, 0x77, 0xe8, 0x9b, 0x6a, 0x80, 0x6a, + }; + // kSignature is the signature of kHash with RSASSA-PKCS1-v1_5. + const uint8_t kSignature[] = { + 0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d, + 0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e, + 0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04, + 0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09, + 0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67, + 0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a, + 0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda, + 0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48, + 0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04, + 0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7, + 0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42, + }; + // kSignature is an invalid signature of kHash with RSASSA-PKCS1-v1_5 with the + // NULL parameter omitted. + const uint8_t kSignatureInvalid[] = { + 0x71, 0x6c, 0x24, 0x4e, 0xc9, 0x9b, 0x19, 0xc7, 0x49, 0x29, 0xb8, 0xd4, + 0xfb, 0x26, 0x23, 0xc0, 0x96, 0x18, 0xcd, 0x1e, 0x60, 0xe8, 0x88, 0x94, + 0x8c, 0x59, 0xfb, 0x58, 0x5c, 0x61, 0x58, 0x7a, 0xae, 0xcc, 0xeb, 0xee, + 0x1e, 0x85, 0x7d, 0x83, 0xa9, 0xdc, 0x6f, 0x4c, 0x34, 0x5c, 0xcb, 0xd9, + 0xde, 0x58, 0x76, 0xdf, 0x1f, 0x5e, 0xd4, 0x57, 0x5b, 0xeb, 0xaf, 0x4f, + 0x7a, 0xa7, 0x6b, 0x21, 0xf1, 0x0a, 0x96, 0x78, 0xc7, 0xa8, 0x02, 0x7a, + 0xc2, 0x06, 0xd3, 0x18, 0x79, 0x72, 0x6b, 0xfe, 0x2d, 0xec, 0xd8, 0x8e, + 0x98, 0x86, 0x89, 0xf4, 0x67, 0x14, 0x2b, 0xac, 0x6d, 0xd7, 0x04, 0xd8, + 0xab, 0x05, 0xe6, 0x51, 0xf6, 0xee, 0x58, 0x63, 0xef, 0x6a, 0x3e, 0x89, + 0x99, 0x2a, 0x1c, 0x10, 0xc2, 0xd0, 0x41, 0x9e, 0x1e, 0x9a, 0x9a, 0x57, + 0x32, 0x0f, 0x49, 0xb4, 0x57, 0x37, 0xa4, 0x26, + }; + + // The test vectors may be verified with: + // + // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig.bin | der2ascii + // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig2.bin | der2ascii + + // Import public key. + SECItem spkiItem = {siBuffer, toUcharPtr(kSpki), sizeof(kSpki)}; + ScopedCERTSubjectPublicKeyInfo certSpki( + SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem)); + ASSERT_TRUE(certSpki); + ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get())); + ASSERT_TRUE(pubKey); + + SECItem hash = {siBuffer, toUcharPtr(kHash), sizeof(kHash)}; + + // kSignature is a valid signature. + SECItem sigItem = {siBuffer, toUcharPtr(kSignature), sizeof(kSignature)}; + SECStatus rv = VFY_VerifyDigestDirect(&hash, pubKey.get(), &sigItem, + SEC_OID_PKCS1_RSA_ENCRYPTION, + SEC_OID_SHA256, nullptr); + EXPECT_EQ(SECSuccess, rv); + + // kSignatureInvalid is not. + sigItem = {siBuffer, toUcharPtr(kSignatureInvalid), + sizeof(kSignatureInvalid)}; + rv = VFY_VerifyDigestDirect(&hash, pubKey.get(), &sigItem, + SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA256, + nullptr); +#ifdef NSS_PKCS1_AllowMissingParameters + EXPECT_EQ(SECSuccess, rv); +#else + EXPECT_EQ(SECFailure, rv); +#endif +} + +} // namespace nss_test diff --git a/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc index 6c8c5ab4e9..ed0573027f 100644 --- a/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc @@ -10,7 +10,7 @@ #include "sechash.h" #include "gtest/gtest.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" #include "pk11_signature_test.h" #include "pk11_rsapss_vectors.h" diff --git a/security/nss/gtests/pk11_gtest/pk11_signature_test.h b/security/nss/gtests/pk11_gtest/pk11_signature_test.h index 8a12171a0a..0526fea559 100644 --- a/security/nss/gtests/pk11_gtest/pk11_signature_test.h +++ b/security/nss/gtests/pk11_gtest/pk11_signature_test.h @@ -8,7 +8,7 @@ #include "sechash.h" #include "cpputil.h" -#include "scoped_ptrs.h" +#include "nss_scoped_ptrs.h" #include "databuffer.h" #include "gtest/gtest.h" |