apr-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From minf...@apache.org
Subject svn commit: r1626561 - in /apr/apr/trunk: crypto/apr_crypto_nss.c test/testcrypto.c
Date Sun, 21 Sep 2014 10:57:22 GMT
Author: minfrin
Date: Sun Sep 21 10:57:21 2014
New Revision: 1626561

URL: http://svn.apache.org/r1626561
Log:
apr_crypto_nss: Explicitly declare key sizes when using NSS. Not all versions
of NSS detect key sizes correctly, leading to test failures.

Modified:
    apr/apr/trunk/crypto/apr_crypto_nss.c
    apr/apr/trunk/test/testcrypto.c

Modified: apr/apr/trunk/crypto/apr_crypto_nss.c
URL: http://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_crypto_nss.c?rev=1626561&r1=1626560&r2=1626561&view=diff
==============================================================================
--- apr/apr/trunk/crypto/apr_crypto_nss.c (original)
+++ apr/apr/trunk/crypto/apr_crypto_nss.c Sun Sep 21 10:57:21 2014
@@ -68,6 +68,7 @@ struct apr_crypto_key_t {
     SECOidTag cipherOid;
     PK11SymKey *symKey;
     int ivSize;
+    int keyLength;
 };
 
 struct apr_crypto_block_t {
@@ -426,6 +427,7 @@ static apr_status_t crypto_passphrase(ap
             return APR_ENOCIPHER;
             /* No OID for CKM_DES3_ECB; */
         }
+        key->keyLength = 24;
         break;
     case (APR_KEY_AES_128):
         if (APR_MODE_CBC == mode) {
@@ -434,6 +436,7 @@ static apr_status_t crypto_passphrase(ap
         else {
             key->cipherOid = SEC_OID_AES_128_ECB;
         }
+        key->keyLength = 16;
         break;
     case (APR_KEY_AES_192):
         if (APR_MODE_CBC == mode) {
@@ -442,6 +445,7 @@ static apr_status_t crypto_passphrase(ap
         else {
             key->cipherOid = SEC_OID_AES_192_ECB;
         }
+        key->keyLength = 24;
         break;
     case (APR_KEY_AES_256):
         if (APR_MODE_CBC == mode) {
@@ -450,6 +454,7 @@ static apr_status_t crypto_passphrase(ap
         else {
             key->cipherOid = SEC_OID_AES_256_ECB;
         }
+        key->keyLength = 32;
         break;
     default:
         /* unknown key type, give up */
@@ -478,9 +483,9 @@ static apr_status_t crypto_passphrase(ap
     saltItem.len = saltLen;
 
     /* generate the key */
-    /* pbeAlg and cipherAlg are the same. NSS decides the keylength. */
+    /* pbeAlg and cipherAlg are the same. */
     algid = PK11_CreatePBEV2AlgorithmID(key->cipherOid, key->cipherOid,
-            SEC_OID_HMAC_SHA1, 0, iterations, &saltItem);
+            SEC_OID_HMAC_SHA1, key->keyLength, iterations, &saltItem);
     if (algid) {
         slot = PK11_GetBestSlot(key->cipherMech, wincx);
         if (slot) {

Modified: apr/apr/trunk/test/testcrypto.c
URL: http://svn.apache.org/viewvc/apr/apr/trunk/test/testcrypto.c?rev=1626561&r1=1626560&r2=1626561&view=diff
==============================================================================
--- apr/apr/trunk/test/testcrypto.c (original)
+++ apr/apr/trunk/test/testcrypto.c Sun Sep 21 10:57:21 2014
@@ -521,17 +521,14 @@ static void test_crypto_block_nss_openss
             inlen, "KEY_AES_256/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 0, in,
             inlen, "KEY_AES_256/MODE_ECB");
-
-    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
-     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
-     * investigated.
-     */
-    /*
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 0, in, inlen, "KEY_AES_192/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 0, in, inlen, "KEY_AES_192/MODE_ECB");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 0, in, inlen, "KEY_AES_128/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 0, in, inlen, "KEY_AES_128/MODE_ECB");
-     */
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 0, in,
+            inlen, "KEY_AES_192/MODE_CBC");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 0, in,
+            inlen, "KEY_AES_192/MODE_ECB");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 0, in,
+            inlen, "KEY_AES_128/MODE_CBC");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 0, in,
+            inlen, "KEY_AES_128/MODE_ECB");
     apr_pool_destroy(pool);
 
 }
@@ -560,17 +557,14 @@ static void test_crypto_block_openssl_ns
             inlen, "KEY_AES_256/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 0, in,
             inlen, "KEY_AES_256/MODE_ECB");
-
-    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
-     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
-     * investigated.
-     */
-    /*
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 0, in, inlen, "KEY_AES_192/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 0, in, inlen, "KEY_AES_192/MODE_ECB");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 0, in, inlen, "KEY_AES_128/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 0, in, inlen, "KEY_AES_128/MODE_ECB");
-     */
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 0, in,
+            inlen, "KEY_AES_192/MODE_CBC");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 0, in,
+            inlen, "KEY_AES_192/MODE_ECB");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 0, in,
+            inlen, "KEY_AES_128/MODE_CBC");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 0, in,
+            inlen, "KEY_AES_128/MODE_ECB");
     apr_pool_destroy(pool);
 
 }
@@ -789,16 +783,20 @@ static void test_crypto_block_nss_openss
     /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
     /*crypto_block_cross(tc, pool, drivers, KEY_AES_256, MODE_ECB, 1, in, inlen, "KEY_AES_256/MODE_ECB");*/
 
-    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
-     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
-     * investigated.
-     */
-    /*
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 1, in, inlen, "KEY_AES_192/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 1, in, inlen, "KEY_AES_192/MODE_ECB");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 1, in, inlen, "KEY_AES_128/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 1, in, inlen, "KEY_AES_128/MODE_ECB");
-     */
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 1, in,
+            inlen, "KEY_AES_192/MODE_CBC");
+
+    /* KEY_AES_192 / MODE_ECB doesn't support padding on NSS */
+    /*crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 1, in,
+            inlen, "KEY_AES_192/MODE_ECB");*/
+
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 1, in,
+            inlen, "KEY_AES_128/MODE_CBC");
+
+    /* KEY_AES_192 / MODE_ECB doesn't support padding on NSS */
+    /*crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 1, in,
+            inlen, "KEY_AES_128/MODE_ECB");*/
+
     apr_pool_destroy(pool);
 
 }
@@ -829,16 +827,20 @@ static void test_crypto_block_openssl_ns
     /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
     /*crypto_block_cross(tc, pool, drivers, KEY_AES_256, MODE_ECB, 1, in, inlen, "KEY_AES_256/MODE_ECB");*/
 
-    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
-     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
-     * investigated.
-     */
-    /*
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 1, in, inlen, "KEY_AES_192/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 1, in, inlen, "KEY_AES_192/MODE_ECB");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 1, in, inlen, "KEY_AES_128/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 1, in, inlen, "KEY_AES_128/MODE_ECB");
-     */
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 1, in, inlen,
+            "KEY_AES_192/MODE_CBC");
+
+    /* KEY_AES_192 / MODE_ECB doesn't support padding on NSS */
+    /*crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 1, in, inlen,
+            "KEY_AES_192/MODE_ECB");*/
+
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 1, in, inlen,
+            "KEY_AES_128/MODE_CBC");
+
+    /* KEY_AES_128 / MODE_ECB doesn't support padding on NSS */
+    /*crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 1, in, inlen,
+            "KEY_AES_128/MODE_ECB");*/
+
     apr_pool_destroy(pool);
 
 }



Mime
View raw message