diff options
author | Kevin Jacobs <kjacobs@mozilla.com> | 2021-01-13 02:33:06 +0000 |
---|---|---|
committer | Kevin Jacobs <kjacobs@mozilla.com> | 2021-01-13 02:33:06 +0000 |
commit | 11925d05e802a578ee2934924483a5f22951bd0e (patch) | |
tree | c41e54bf284fed471d444dff0486b8ddef84b652 | |
parent | a8c41b1514115268e5bee6f7bc681f67e058d8e0 (diff) | |
download | nss-hg-11925d05e802a578ee2934924483a5f22951bd0e.tar.gz |
Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mt
Differential Revision: https://phabricator.services.mozilla.com/D101218
-rw-r--r-- | gtests/softoken_gtest/manifest.mn | 1 | ||||
-rw-r--r-- | gtests/softoken_gtest/softoken_gtest.cc | 56 | ||||
-rw-r--r-- | gtests/softoken_gtest/softoken_gtest.gyp | 1 | ||||
-rw-r--r-- | lib/softoken/sftkdb.c | 3 | ||||
-rwxr-xr-x | tests/gtests/gtests.sh | 11 |
5 files changed, 70 insertions, 2 deletions
diff --git a/gtests/softoken_gtest/manifest.mn b/gtests/softoken_gtest/manifest.mn index f146811ba..81545b2c5 100644 --- a/gtests/softoken_gtest/manifest.mn +++ b/gtests/softoken_gtest/manifest.mn @@ -33,4 +33,5 @@ EXTRA_LIBS = \ $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)sqlite.$(LIB_SUFFIX) \ $(NULL) diff --git a/gtests/softoken_gtest/softoken_gtest.cc b/gtests/softoken_gtest/softoken_gtest.cc index 6fff252bd..59e98765c 100644 --- a/gtests/softoken_gtest/softoken_gtest.cc +++ b/gtests/softoken_gtest/softoken_gtest.cc @@ -14,6 +14,7 @@ #include "databuffer.h" #include <fstream> #include <chrono> +#include <sqlite3.h> using namespace std::chrono; #include "softoken_dh_vectors.h" @@ -42,6 +43,61 @@ class SoftokenTest : public ::testing::Test { ScopedUniqueDirectory mNSSDBDir; }; +TEST_F(SoftokenTest, CheckDefaultPbkdf2Iterations) { + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password")); + + // Open key4.db and check encoded PBE algorithm and iteration count. + // Compare bytes against the expected values to avoid ASN.1 here. + std::string key_db = mNSSDBDir.GetPath() + "/key4.db"; + + sqlite3 *sql_db = NULL; + ASSERT_EQ(SQLITE_OK, sqlite3_open(key_db.c_str(), &sql_db)); + + char *query_str = sqlite3_mprintf("SELECT item2 FROM metaData;"); + ASSERT_NE(nullptr, query_str); + + sqlite3_stmt *statement = NULL; + ASSERT_EQ(SQLITE_OK, + sqlite3_prepare_v2(sql_db, query_str, -1, &statement, NULL)); + ASSERT_EQ(SQLITE_ROW, sqlite3_step(statement)); + unsigned int len = sqlite3_column_bytes(statement, 0); + const unsigned char *reader = sqlite3_column_text(statement, 0); + + ASSERT_NE(nullptr, reader); + ASSERT_EQ(133U, len); + + // pkcs5PBES2, pkcs5PBKDF2 + const uint8_t pkcs5_with_pbkdf2[] = { + 0x30, 0x81, 0x82, 0x30, 0x6E, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x05, 0x0D, 0x30, 0x61, 0x30, 0x42, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C, 0x30, 0x35}; + EXPECT_EQ(0, memcmp(reader, pkcs5_with_pbkdf2, sizeof(pkcs5_with_pbkdf2))); + reader += sizeof(pkcs5_with_pbkdf2); + + // Skip over the 32B random salt + const uint8_t salt_prefix[] = {0x04, 0x20}; + EXPECT_EQ(0, memcmp(reader, salt_prefix, sizeof(salt_prefix))); + reader += sizeof(salt_prefix) + 0x20; + + // Expect 10000 iterations + const uint8_t iterations[] = {0x02, 0x02, 0x27, 0x10}; + EXPECT_EQ(0, memcmp(reader, iterations, sizeof(iterations))); + reader += sizeof(iterations); + + // hmacWithSHA256, aes256-CBC + const uint8_t oids[] = {0x02, 0x01, 0x20, 0x30, 0x0A, 0x06, 0x08, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, + 0x09, 0x30, 0x1B, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A}; + EXPECT_EQ(0, memcmp(reader, oids, sizeof(oids))); + + EXPECT_EQ(SQLITE_OK, sqlite3_finalize(statement)); + sqlite3_free(query_str); + sqlite3_close(sql_db); +} + TEST_F(SoftokenTest, ResetSoftokenEmptyPassword) { ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); ASSERT_TRUE(slot); diff --git a/gtests/softoken_gtest/softoken_gtest.gyp b/gtests/softoken_gtest/softoken_gtest.gyp index c613a1ddd..f364dbe33 100644 --- a/gtests/softoken_gtest/softoken_gtest.gyp +++ b/gtests/softoken_gtest/softoken_gtest.gyp @@ -38,6 +38,7 @@ 'dependencies': [ '<(DEPTH)/lib/nss/nss.gyp:nss3', '<(DEPTH)/lib/ssl/ssl.gyp:ssl3', + '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3', ], }], ], diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c index a1a723fe8..5c4608a9b 100644 --- a/lib/softoken/sftkdb.c +++ b/lib/softoken/sftkdb.c @@ -2860,10 +2860,9 @@ sftk_DBInit(const char *configdir, const char *certPrefix, case NSS_DB_TYPE_EXTERN: /* SHOULD open a loadable db */ crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags, noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit); - -#ifndef NSS_DISABLE_DBM legacy = PR_FALSE; +#ifndef NSS_DISABLE_DBM /* * if we failed to open the DB's read only, use the old ones if * the exists. diff --git a/tests/gtests/gtests.sh b/tests/gtests/gtests.sh index 50c0410f0..4005a16a6 100755 --- a/tests/gtests/gtests.sh +++ b/tests/gtests/gtests.sh @@ -68,12 +68,23 @@ gtest_start() if [ "$i" = "mozpkix_gtest" ]; then EXTRA_ASAN_OPTIONS="detect_odr_violation=0" fi + # NSS CI sets a lower max for PBE iterations, otherwise cert.sh + # is very slow. Unset this maxiumum for softoken_gtest, as it + # needs to check the default value. + if [ "$i" = "softoken_gtest" ]; then + OLD_MAX_PBE_ITERATIONS=$NSS_MAX_MP_PBE_ITERATION_COUNT + unset NSS_MAX_MP_PBE_ITERATION_COUNT + fi echo "executing $i" ASAN_OPTIONS="$ASAN_OPTIONS:$EXTRA_ASAN_OPTIONS" "${BINDIR}/$i" \ "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \ -d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \ --gtest_filter="${GTESTFILTER:-*}" html_msg $? 0 "$i run successfully" + if [ "$i" = "softoken_gtest" ]; then + export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS + fi + echo "test output dir: ${GTESTREPORT}" echo "executing sed to parse the xml report" sed -f "${COMMON}/parsegtestreport.sed" "$GTESTREPORT" > "$PARSED_REPORT" |