Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs
Summary: Let's make sure the DES IV has the length we expect it to have.

Bug #: 1591742

Differential Revision: https://phabricator.services.mozilla.com/D51073

--HG--
extra : rebase_source : ae822ee49ed84852e702d87f307d90404c7afcff
extra : amend_source : 7b3c1f6eb0f0c286cb646c4113c1508f5de039b2
  • Loading branch information
franziskuskiefer committed Nov 1, 2019
1 parent 03c4635 commit 9eb7ace
Show file tree
Hide file tree
Showing 4 changed files with 75 additions and 0 deletions.
1 change: 1 addition & 0 deletions gtests/pk11_gtest/manifest.mn
Expand Up @@ -14,6 +14,7 @@ CPPSRCS = \
pk11_chacha20poly1305_unittest.cc \
pk11_curve25519_unittest.cc \
pk11_der_private_key_import_unittest.cc \
pk11_des_unittest.cc \
pk11_ecdsa_unittest.cc \
pk11_encrypt_derive_unittest.cc \
pk11_export_unittest.cc \
Expand Down
65 changes: 65 additions & 0 deletions gtests/pk11_gtest/pk11_des_unittest.cc
@@ -0,0 +1,65 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */

#include <memory>
#include "nss.h"
#include "pk11pub.h"

#include "nss_scoped_ptrs.h"

#include "gtest/gtest.h"

namespace nss_test {

class Pkcs11DesTest : public ::testing::Test {
protected:
SECStatus EncryptWithIV(std::vector<uint8_t>& iv,
const CK_MECHANISM_TYPE mech) {
// Generate a random key.
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ScopedPK11SymKey sym_key(
PK11_KeyGen(slot.get(), mech, nullptr, 8, nullptr));
EXPECT_TRUE(!!sym_key);

std::vector<uint8_t> data(16);
std::vector<uint8_t> output(16);

SECItem params = {siBuffer, iv.data(),
static_cast<unsigned int>(iv.size())};

// Try to encrypt.
unsigned int output_len = 0;
return PK11_Encrypt(sym_key.get(), mech, &params, output.data(),
&output_len, output.size(), data.data(), data.size());
}
};

TEST_F(Pkcs11DesTest, ZeroLengthIV) {
std::vector<uint8_t> iv(0);
EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES_CBC));
EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES3_CBC));
}

TEST_F(Pkcs11DesTest, IVTooShort) {
std::vector<uint8_t> iv(7);
EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES_CBC));
EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES3_CBC));
}

TEST_F(Pkcs11DesTest, WrongLengthIV) {
// We tolerate IVs > 8
std::vector<uint8_t> iv(15, 0);
EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES_CBC));
EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES3_CBC));
}

TEST_F(Pkcs11DesTest, AllGood) {
std::vector<uint8_t> iv(8, 0);
EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES_CBC));
EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES3_CBC));
}

} // namespace nss_test
1 change: 1 addition & 0 deletions gtests/pk11_gtest/pk11_gtest.gyp
Expand Up @@ -20,6 +20,7 @@
'pk11_cipherop_unittest.cc',
'pk11_curve25519_unittest.cc',
'pk11_der_private_key_import_unittest.cc',
'pk11_des_unittest.cc',
'pk11_ecdsa_unittest.cc',
'pk11_encrypt_derive_unittest.cc',
'pk11_find_certs_unittest.cc',
Expand Down
8 changes: 8 additions & 0 deletions lib/softoken/pkcs11c.c
Expand Up @@ -1002,6 +1002,10 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
if (pMechanism->ulParameterLen < 8) {
crv = CKR_DOMAIN_PARAMS_INVALID;
break;
}
t = NSS_DES_CBC;
goto finish_des;
case CKM_DES3_ECB:
Expand All @@ -1019,6 +1023,10 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
if (pMechanism->ulParameterLen < 8) {
crv = CKR_DOMAIN_PARAMS_INVALID;
break;
}
t = NSS_DES_EDE3_CBC;
finish_des:
context->blockSize = 8;
Expand Down

0 comments on commit 9eb7ace

Please sign in to comment.