Tree - rpms/nss - CentOS Git server

rpms / nss

Blame SOURCES/nss-3.66-no-combo-tests.patch

Blob History Raw

		b31f4f	`diff -up ./gtests/freebl_gtest/rsa_unittest.cc.oldsoft ./gtests/freebl_gtest/rsa_unittest.cc`
		b31f4f	`--- ./gtests/freebl_gtest/rsa_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000`
		b31f4f	`+++ ./gtests/freebl_gtest/rsa_unittest.cc 2021-06-11 19:06:57.778552974 +0000`
		b31f4f	`@@ -9,6 +9,7 @@`
		b31f4f
		b31f4f	`#include "blapi.h"`
		b31f4f	`#include "secitem.h"`
		b31f4f	`+#include "prenv.h"`
		b31f4f
		b31f4f	`template <class T>`
		b31f4f	`struct ScopedDelete {`
		b31f4f	`@@ -76,6 +77,13 @@ TEST_F(RSATest, DecryptBlockTestErrors)`
		b31f4f	`in_small, sizeof(in_small));`
		b31f4f	`EXPECT_EQ(SECFailure, rv);`
		b31f4f
		b31f4f	`+ char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN");`
		b31f4f	`+ if (env) {`
		b31f4f	`+ std::cerr << "Skipping RSA blapi DecryptBlockTestErrors because of"`
		b31f4f	`+ << " semantic differences between old and new softoken."`
		b31f4f	`+ << std::endl;`
		b31f4f	`+ }`
		b31f4f	`+`
		b31f4f	`uint8_t in[256] = {0};`
		b31f4f	`// This should fail because the padding checks will fail,`
		b31f4f	`// however, mitigations for Bleichenbacher attacks transform failures`
		b31f4f	`diff -up ./gtests/pk11_gtest/pk11_ike_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_ike_unittest.cc`
		b31f4f	`--- ./gtests/pk11_gtest/pk11_ike_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000`
		b31f4f	`+++ ./gtests/pk11_gtest/pk11_ike_unittest.cc 2021-06-11 19:41:20.381137781 +0000`
		b31f4f	`@@ -12,8 +12,10 @@`
		b31f4f	`#include "pk11pub.h"`
		b31f4f	`#include "secerr.h"`
		b31f4f	`#include "sechash.h"`
		b31f4f	`+#include "hasht.h"`
		b31f4f	`#include "util.h"`
		b31f4f	`#include "databuffer.h"`
		b31f4f	`+#include "prenv.h"`
		b31f4f
		b31f4f	`#include "testvectors/ike-sha1-vectors.h"`
		b31f4f	`#include "testvectors/ike-sha256-vectors.h"`
		b31f4f	`@@ -23,6 +25,24 @@`
		b31f4f
		b31f4f	`namespace nss_test {`
		b31f4f
		b31f4f	`+unsigned mech_to_size(CK_MECHANISM_TYPE mech) {`
		b31f4f	`+ switch (mech) {`
		b31f4f	`+ case CKM_SHA_1_HMAC:`
		b31f4f	`+ return SHA1_LENGTH;`
		b31f4f	`+ case CKM_SHA256_HMAC:`
		b31f4f	`+ return SHA256_LENGTH;`
		b31f4f	`+ case CKM_SHA384_HMAC:`
		b31f4f	`+ return SHA384_LENGTH;`
		b31f4f	`+ case CKM_SHA512_HMAC:`
		b31f4f	`+ return SHA512_LENGTH;`
		b31f4f	`+ case CKM_AES_XCBC_MAC:`
		b31f4f	`+ return AES_BLOCK_SIZE;`
		b31f4f	`+ default:`
		b31f4f	`+ break;`
		b31f4f	`+ }`
		b31f4f	`+ return 0;`
		b31f4f	`+}`
		b31f4f	`+`
		b31f4f	`class Pkcs11IkeTest : public ::testing::TestWithParam<`
		b31f4f	`std::tuple<IkeTestVector, CK_MECHANISM_TYPE>> {`
		b31f4f	`protected:`
		b31f4f	`@@ -59,6 +79,7 @@ class Pkcs11IkeTest : public ::testing::`
		b31f4f	`ScopedPK11SymKey gxy_key = nullptr;`
		b31f4f	`ScopedPK11SymKey prev_key = nullptr;`
		b31f4f	`ScopedPK11SymKey ikm = ImportKey(ikm_item);`
		b31f4f	`+ unsigned hashsize = mech_to_size(prf_mech);`
		b31f4f
		b31f4f	`// IKE_PRF structure (used in cases 1, 2 and 3)`
		b31f4f	`CK_NSS_IKE_PRF_DERIVE_PARAMS nss_ike_prf_params = {`
		b31f4f	`@@ -148,6 +169,14 @@ class Pkcs11IkeTest : public ::testing::`
		b31f4f	`ScopedPK11SymKey okm = ScopedPK11SymKey(`
		b31f4f	`PK11_Derive(ikm.get(), derive_mech, &params_item,`
		b31f4f	`CKM_GENERIC_SECRET_KEY_GEN, CKA_DERIVE, vec.size));`
		b31f4f	`+ char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN");`
		b31f4f	`+ if (env && (derive_mech == CKM_NSS_IKE1_APP_B_PRF_DERIVE) &&`
		b31f4f	`+ (vec.size <= hashsize)) {`
		b31f4f	`+ std::cerr << "Skipping Test #" << std::to_string(vec.id)`
		b31f4f	`+ << ". Old tokens process APP B Prf for small keys incorrectly"`
		b31f4f	`+ << std::endl;`
		b31f4f	`+ return;`
		b31f4f	`+ }`
		b31f4f	`if (vec.valid) {`
		b31f4f	`ASSERT_NE(nullptr, okm.get()) << msg;`
		b31f4f	`ASSERT_EQ(SECSuccess, PK11_ExtractKeyValue(okm.get())) << msg;`
		b31f4f	`diff -up ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc`
		b31f4f	`--- ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000`
		b31f4f	`+++ ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc 2021-06-11 19:06:57.779552981 +0000`
		b31f4f	`@@ -14,6 +14,7 @@`
		b31f4f	`#include "nss_scoped_ptrs.h"`
		b31f4f	`#include "pk11pub.h"`
		b31f4f	`#include "databuffer.h"`
		b31f4f	`+#include "prenv.h"`
		b31f4f
		b31f4f	`#include "testvectors/rsa_pkcs1_2048_test-vectors.h"`
		b31f4f	`#include "testvectors/rsa_pkcs1_3072_test-vectors.h"`
		b31f4f	`@@ -45,6 +46,14 @@ class RsaDecryptWycheproofTest`
		b31f4f	`rv = PK11_PrivDecryptPKCS1(priv_key.get(), decrypted.data(), &decrypted_len,`
		b31f4f	`decrypted.size(), vec.ct.data(), vec.ct.size());`
		b31f4f
		b31f4f	`+ // semantics changed since the old softken`
		b31f4f	`+ char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN");`
		b31f4f	`+ if (env && vec.valid && (rv == SECFailure)) {`
		b31f4f	`+ std::cerr << "Skipping Decrypt test. Old softoken failed on bad data,"`
		b31f4f	`+ << "New softoken generates fake data" << std::endl;`
		b31f4f	`+ return;`
		b31f4f	`+ }`
		b31f4f	`+`
		b31f4f	`if (vec.valid) {`
		b31f4f	`EXPECT_EQ(SECSuccess, rv);`
		b31f4f	`decrypted.resize(decrypted_len);`
		b31f4f	`diff -up ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc`
		b31f4f	`--- ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000`
		b31f4f	`+++ ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc 2021-06-11 19:06:57.780552988 +0000`
		b31f4f	`@@ -13,6 +13,7 @@`
		b31f4f	`#include "nss.h"`
		b31f4f	`#include "nss_scoped_ptrs.h"`
		b31f4f	`#include "pk11pub.h"`
		b31f4f	`+#include "prenv.h"`
		b31f4f
		b31f4f	`#include "testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h"`
		b31f4f	`#include "testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h"`
		b31f4f	`@@ -161,6 +162,12 @@ TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwr`
		b31f4f	`rv = PK11_ExtractKeyValue(to_wrap.get());`
		b31f4f	`ASSERT_EQ(rv, SECSuccess);`
		b31f4f
		b31f4f	`+ char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN");`
		b31f4f	`+ if (env) {`
		b31f4f	`+ std::cerr << "Skipping OAEP test, not supported in old softoken\n";`
		b31f4f	`+ return;`
		b31f4f	`+ }`
		b31f4f	`+`
		b31f4f	`// References owned by PKCS#11 layer; no need to scope and free.`
		b31f4f	`SECItem* expectedItem = PK11_GetKeyData(to_wrap.get());`
		b31f4f
		b31f4f	`diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc`
		b31f4f	`--- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000`
		b31f4f	`+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc 2021-06-11 19:06:57.781552995 +0000`
		b31f4f	`@@ -16,6 +16,7 @@`
		b31f4f	`#include "secerr.h"`
		b31f4f	`#include "sechash.h"`
		b31f4f	`#include "pk11_signature_test.h"`
		b31f4f	`+#include "prenv.h"`
		b31f4f
		b31f4f	`#include "testvectors/rsa_signature_2048_sha224-vectors.h"`
		b31f4f	`#include "testvectors/rsa_signature_2048_sha256-vectors.h"`
		b31f4f	`@@ -175,6 +176,13 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)`
		b31f4f	`SECItem hash_item = {siBuffer, toUcharPtr(hash.data()),`
		b31f4f	`static_cast<unsigned int>(hash.len())};`
		b31f4f	`SECItem sig_item = {siBuffer, toUcharPtr(sig.data()), sig_len};`
		b31f4f	`+`
		b31f4f	`+ char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN");`
		b31f4f	`+ if (env) {`
		b31f4f	`+ std::cerr << "Skipping pkcs1 padding test, not supported in old softoken\n";`
		b31f4f	`+ return;`
		b31f4f	`+ }`
		b31f4f	`+`
		b31f4f	`rv = VFY_VerifyDigestDirect(&hash_item, short_pub.get(), &sig_item,`
		b31f4f	`SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,`
		b31f4f	`nullptr);`
		b31f4f	`diff -up ./gtests/pk11_gtest/pk11_signature_test.cc.oldsoft ./gtests/pk11_gtest/pk11_signature_test.cc`
		b31f4f	`--- ./gtests/pk11_gtest/pk11_signature_test.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000`
		b31f4f	`+++ ./gtests/pk11_gtest/pk11_signature_test.cc 2021-06-11 19:06:57.781552995 +0000`
		b31f4f	`@@ -4,6 +4,7 @@`
		b31f4f
		b31f4f	`#include <memory>`
		b31f4f	`#include "nss.h"`
		b31f4f	`+#include "prenv.h"`
		b31f4f	`#include "pk11pub.h"`
		b31f4f	`#include "sechash.h"`
		b31f4f	`#include "prerror.h"`
		b31f4f	`@@ -77,6 +78,25 @@ bool Pk11SignatureTest::SignData(ScopedS`
		b31f4f	`EXPECT_LT(0, (int)sigLen);`
		b31f4f	`sig->Allocate(static_cast<size_t>(sigLen));`
		b31f4f
		b31f4f	`+ char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN");`
		b31f4f	`+ if (env != NULL) {`
		b31f4f	`+ std::cerr << "Skipping combo mechanism 0x" << std::hex << combo_`
		b31f4f	`+ << ", no token support.\n";`
		b31f4f	`+ DataBuffer hash;`
		b31f4f	`+ if (!ComputeHash(data, &hash)) {`
		b31f4f	`+ ADD_FAILURE() << "Failed to compute hash";`
		b31f4f	`+ return false;`
		b31f4f	`+ }`
		b31f4f	`+ if (!SignHashedData(privKey, hash, sig)) {`
		b31f4f	`+ ADD_FAILURE() << "Failed to sign hashed data";`
		b31f4f	`+ return false;`
		b31f4f	`+ }`
		b31f4f	`+`
		b31f4f	`+ return true;`
		b31f4f	`+ } else {`
		b31f4f	`+ std::cerr << "PR_GetEnvSecure(\"NSS_OLD_SOFTOKEN\") return null!!!\n";`
		b31f4f	`+ }`
		b31f4f	`+`
		b31f4f	`// test the hash and verify interface */`
		b31f4f	`PK11Context* context = PK11_CreateContextByPrivKey(`
		b31f4f	`combo_, CKA_SIGN, privKey.get(), parameters());`
		b31f4f	`@@ -160,6 +180,17 @@ void Pk11SignatureTest::Verify(const Pkc`
		b31f4f	`EXPECT_EQ(rv, valid ? SECSuccess : SECFailure);`
		b31f4f	`}`
		b31f4f
		b31f4f	`+ /* old softokens don't understand all the new combo mechanism. */`
		b31f4f	`+ /* skip it */`
		b31f4f	`+ char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN");`
		b31f4f	`+ if (env != NULL) {`
		b31f4f	`+ std::cerr << "Skipping combo mechanism 0x" << std::hex << combo_`
		b31f4f	`+ << ", no token support.\n";`
		b31f4f	`+ return;`
		b31f4f	`+ } else {`
		b31f4f	`+ std::cerr << "PR_GetEnvSecure(\"NSS_OLD_SOFTOKEN\") return null!!!\n";`
		b31f4f	`+ }`
		b31f4f	`+`
		b31f4f	`// test the hash and verify interface */`
		b31f4f	`PK11Context* context = PK11_CreateContextByPubKey(`
		b31f4f	`combo_, CKA_VERIFY, pubKey.get(), parameters(), NULL);`

rpms / nss

Source Code

Blame SOURCES/nss-3.66-no-combo-tests.patch