summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKevin Jacobs <kjacobs@mozilla.com>2021-01-13 02:33:06 +0000
committerKevin Jacobs <kjacobs@mozilla.com>2021-01-13 02:33:06 +0000
commit11925d05e802a578ee2934924483a5f22951bd0e (patch)
treec41e54bf284fed471d444dff0486b8ddef84b652
parenta8c41b1514115268e5bee6f7bc681f67e058d8e0 (diff)
downloadnss-hg-11925d05e802a578ee2934924483a5f22951bd0e.tar.gz
Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mt
Differential Revision: https://phabricator.services.mozilla.com/D101218
-rw-r--r--gtests/softoken_gtest/manifest.mn1
-rw-r--r--gtests/softoken_gtest/softoken_gtest.cc56
-rw-r--r--gtests/softoken_gtest/softoken_gtest.gyp1
-rw-r--r--lib/softoken/sftkdb.c3
-rwxr-xr-xtests/gtests/gtests.sh11
5 files changed, 70 insertions, 2 deletions
diff --git a/gtests/softoken_gtest/manifest.mn b/gtests/softoken_gtest/manifest.mn
index f146811ba..81545b2c5 100644
--- a/gtests/softoken_gtest/manifest.mn
+++ b/gtests/softoken_gtest/manifest.mn
@@ -33,4 +33,5 @@ EXTRA_LIBS = \
$(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)sqlite.$(LIB_SUFFIX) \
$(NULL)
diff --git a/gtests/softoken_gtest/softoken_gtest.cc b/gtests/softoken_gtest/softoken_gtest.cc
index 6fff252bd..59e98765c 100644
--- a/gtests/softoken_gtest/softoken_gtest.cc
+++ b/gtests/softoken_gtest/softoken_gtest.cc
@@ -14,6 +14,7 @@
#include "databuffer.h"
#include <fstream>
#include <chrono>
+#include <sqlite3.h>
using namespace std::chrono;
#include "softoken_dh_vectors.h"
@@ -42,6 +43,61 @@ class SoftokenTest : public ::testing::Test {
ScopedUniqueDirectory mNSSDBDir;
};
+TEST_F(SoftokenTest, CheckDefaultPbkdf2Iterations) {
+ ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+ ASSERT_TRUE(slot);
+ EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
+
+ // Open key4.db and check encoded PBE algorithm and iteration count.
+ // Compare bytes against the expected values to avoid ASN.1 here.
+ std::string key_db = mNSSDBDir.GetPath() + "/key4.db";
+
+ sqlite3 *sql_db = NULL;
+ ASSERT_EQ(SQLITE_OK, sqlite3_open(key_db.c_str(), &sql_db));
+
+ char *query_str = sqlite3_mprintf("SELECT item2 FROM metaData;");
+ ASSERT_NE(nullptr, query_str);
+
+ sqlite3_stmt *statement = NULL;
+ ASSERT_EQ(SQLITE_OK,
+ sqlite3_prepare_v2(sql_db, query_str, -1, &statement, NULL));
+ ASSERT_EQ(SQLITE_ROW, sqlite3_step(statement));
+ unsigned int len = sqlite3_column_bytes(statement, 0);
+ const unsigned char *reader = sqlite3_column_text(statement, 0);
+
+ ASSERT_NE(nullptr, reader);
+ ASSERT_EQ(133U, len);
+
+ // pkcs5PBES2, pkcs5PBKDF2
+ const uint8_t pkcs5_with_pbkdf2[] = {
+ 0x30, 0x81, 0x82, 0x30, 0x6E, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+ 0xF7, 0x0D, 0x01, 0x05, 0x0D, 0x30, 0x61, 0x30, 0x42, 0x06, 0x09,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C, 0x30, 0x35};
+ EXPECT_EQ(0, memcmp(reader, pkcs5_with_pbkdf2, sizeof(pkcs5_with_pbkdf2)));
+ reader += sizeof(pkcs5_with_pbkdf2);
+
+ // Skip over the 32B random salt
+ const uint8_t salt_prefix[] = {0x04, 0x20};
+ EXPECT_EQ(0, memcmp(reader, salt_prefix, sizeof(salt_prefix)));
+ reader += sizeof(salt_prefix) + 0x20;
+
+ // Expect 10000 iterations
+ const uint8_t iterations[] = {0x02, 0x02, 0x27, 0x10};
+ EXPECT_EQ(0, memcmp(reader, iterations, sizeof(iterations)));
+ reader += sizeof(iterations);
+
+ // hmacWithSHA256, aes256-CBC
+ const uint8_t oids[] = {0x02, 0x01, 0x20, 0x30, 0x0A, 0x06, 0x08,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02,
+ 0x09, 0x30, 0x1B, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A};
+ EXPECT_EQ(0, memcmp(reader, oids, sizeof(oids)));
+
+ EXPECT_EQ(SQLITE_OK, sqlite3_finalize(statement));
+ sqlite3_free(query_str);
+ sqlite3_close(sql_db);
+}
+
TEST_F(SoftokenTest, ResetSoftokenEmptyPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
diff --git a/gtests/softoken_gtest/softoken_gtest.gyp b/gtests/softoken_gtest/softoken_gtest.gyp
index c613a1ddd..f364dbe33 100644
--- a/gtests/softoken_gtest/softoken_gtest.gyp
+++ b/gtests/softoken_gtest/softoken_gtest.gyp
@@ -38,6 +38,7 @@
'dependencies': [
'<(DEPTH)/lib/nss/nss.gyp:nss3',
'<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
+ '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
],
}],
],
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
index a1a723fe8..5c4608a9b 100644
--- a/lib/softoken/sftkdb.c
+++ b/lib/softoken/sftkdb.c
@@ -2860,10 +2860,9 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
case NSS_DB_TYPE_EXTERN: /* SHOULD open a loadable db */
crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags,
noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit);
-
-#ifndef NSS_DISABLE_DBM
legacy = PR_FALSE;
+#ifndef NSS_DISABLE_DBM
/*
* if we failed to open the DB's read only, use the old ones if
* the exists.
diff --git a/tests/gtests/gtests.sh b/tests/gtests/gtests.sh
index 50c0410f0..4005a16a6 100755
--- a/tests/gtests/gtests.sh
+++ b/tests/gtests/gtests.sh
@@ -68,12 +68,23 @@ gtest_start()
if [ "$i" = "mozpkix_gtest" ]; then
EXTRA_ASAN_OPTIONS="detect_odr_violation=0"
fi
+ # NSS CI sets a lower max for PBE iterations, otherwise cert.sh
+ # is very slow. Unset this maxiumum for softoken_gtest, as it
+ # needs to check the default value.
+ if [ "$i" = "softoken_gtest" ]; then
+ OLD_MAX_PBE_ITERATIONS=$NSS_MAX_MP_PBE_ITERATION_COUNT
+ unset NSS_MAX_MP_PBE_ITERATION_COUNT
+ fi
echo "executing $i"
ASAN_OPTIONS="$ASAN_OPTIONS:$EXTRA_ASAN_OPTIONS" "${BINDIR}/$i" \
"${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
-d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \
--gtest_filter="${GTESTFILTER:-*}"
html_msg $? 0 "$i run successfully"
+ if [ "$i" = "softoken_gtest" ]; then
+ export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS
+ fi
+
echo "test output dir: ${GTESTREPORT}"
echo "executing sed to parse the xml report"
sed -f "${COMMON}/parsegtestreport.sed" "$GTESTREPORT" > "$PARSED_REPORT"