apr-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From minf...@apache.org
Subject svn commit: r1626562 - in /apr/apr-util/branches/1.5.x: ./ CHANGES crypto/apr_crypto_nss.c test/testcrypto.c
Date Sun, 21 Sep 2014 11:00:37 GMT
Author: minfrin
Date: Sun Sep 21 11:00:37 2014
New Revision: 1626562

URL: http://svn.apache.org/r1626562
Log:
apr_crypto_nss: Explicitly declare key sizes when using NSS. Not all versions
of NSS detect key sizes correctly, leading to test failures.

Modified:
    apr/apr-util/branches/1.5.x/   (props changed)
    apr/apr-util/branches/1.5.x/CHANGES
    apr/apr-util/branches/1.5.x/crypto/apr_crypto_nss.c
    apr/apr-util/branches/1.5.x/test/testcrypto.c

Propchange: apr/apr-util/branches/1.5.x/
------------------------------------------------------------------------------
  Merged /apr/apr-util/trunk:r1626561
  Merged /apr/apr/trunk:r1626561

Modified: apr/apr-util/branches/1.5.x/CHANGES
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.5.x/CHANGES?rev=1626562&r1=1626561&r2=1626562&view=diff
==============================================================================
--- apr/apr-util/branches/1.5.x/CHANGES [utf-8] (original)
+++ apr/apr-util/branches/1.5.x/CHANGES [utf-8] Sun Sep 21 11:00:37 2014
@@ -1,6 +1,9 @@
                                                      -*- coding: utf-8 -*-
 Changes with APR-util 1.5.5
 
+  *) apr_crypto_nss: Explicitly declare key sizes when using NSS. Not all
+     versions of NSS detect key sizes correctly, leading to test failures.
+     [Graham Leggett]
 
 Changes with APR-util 1.5.4
 

Modified: apr/apr-util/branches/1.5.x/crypto/apr_crypto_nss.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.5.x/crypto/apr_crypto_nss.c?rev=1626562&r1=1626561&r2=1626562&view=diff
==============================================================================
--- apr/apr-util/branches/1.5.x/crypto/apr_crypto_nss.c (original)
+++ apr/apr-util/branches/1.5.x/crypto/apr_crypto_nss.c Sun Sep 21 11:00:37 2014
@@ -68,6 +68,7 @@ struct apr_crypto_key_t {
     SECOidTag cipherOid;
     PK11SymKey *symKey;
     int ivSize;
+    int keyLength;
 };
 
 struct apr_crypto_block_t {
@@ -426,6 +427,7 @@ static apr_status_t crypto_passphrase(ap
             return APR_ENOCIPHER;
             /* No OID for CKM_DES3_ECB; */
         }
+        key->keyLength = 24;
         break;
     case (APR_KEY_AES_128):
         if (APR_MODE_CBC == mode) {
@@ -434,6 +436,7 @@ static apr_status_t crypto_passphrase(ap
         else {
             key->cipherOid = SEC_OID_AES_128_ECB;
         }
+        key->keyLength = 16;
         break;
     case (APR_KEY_AES_192):
         if (APR_MODE_CBC == mode) {
@@ -442,6 +445,7 @@ static apr_status_t crypto_passphrase(ap
         else {
             key->cipherOid = SEC_OID_AES_192_ECB;
         }
+        key->keyLength = 24;
         break;
     case (APR_KEY_AES_256):
         if (APR_MODE_CBC == mode) {
@@ -450,6 +454,7 @@ static apr_status_t crypto_passphrase(ap
         else {
             key->cipherOid = SEC_OID_AES_256_ECB;
         }
+        key->keyLength = 32;
         break;
     default:
         /* unknown key type, give up */
@@ -478,9 +483,9 @@ static apr_status_t crypto_passphrase(ap
     saltItem.len = saltLen;
 
     /* generate the key */
-    /* pbeAlg and cipherAlg are the same. NSS decides the keylength. */
+    /* pbeAlg and cipherAlg are the same. */
     algid = PK11_CreatePBEV2AlgorithmID(key->cipherOid, key->cipherOid,
-            SEC_OID_HMAC_SHA1, 0, iterations, &saltItem);
+            SEC_OID_HMAC_SHA1, key->keyLength, iterations, &saltItem);
     if (algid) {
         slot = PK11_GetBestSlot(key->cipherMech, wincx);
         if (slot) {

Modified: apr/apr-util/branches/1.5.x/test/testcrypto.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.5.x/test/testcrypto.c?rev=1626562&r1=1626561&r2=1626562&view=diff
==============================================================================
--- apr/apr-util/branches/1.5.x/test/testcrypto.c (original)
+++ apr/apr-util/branches/1.5.x/test/testcrypto.c Sun Sep 21 11:00:37 2014
@@ -463,17 +463,14 @@ static void test_crypto_block_nss_openss
             inlen, "KEY_AES_256/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 0, in,
             inlen, "KEY_AES_256/MODE_ECB");
-
-    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
-     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
-     * investigated.
-     */
-    /*
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 0, in, inlen, "KEY_AES_192/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 0, in, inlen, "KEY_AES_192/MODE_ECB");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 0, in, inlen, "KEY_AES_128/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 0, in, inlen, "KEY_AES_128/MODE_ECB");
-     */
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 0, in,
+            inlen, "KEY_AES_192/MODE_CBC");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 0, in,
+            inlen, "KEY_AES_192/MODE_ECB");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 0, in,
+            inlen, "KEY_AES_128/MODE_CBC");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 0, in,
+            inlen, "KEY_AES_128/MODE_ECB");
     apr_pool_destroy(pool);
 
 }
@@ -502,17 +499,14 @@ static void test_crypto_block_openssl_ns
             inlen, "KEY_AES_256/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 0, in,
             inlen, "KEY_AES_256/MODE_ECB");
-
-    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
-     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
-     * investigated.
-     */
-    /*
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 0, in, inlen, "KEY_AES_192/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 0, in, inlen, "KEY_AES_192/MODE_ECB");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 0, in, inlen, "KEY_AES_128/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 0, in, inlen, "KEY_AES_128/MODE_ECB");
-     */
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 0, in,
+            inlen, "KEY_AES_192/MODE_CBC");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 0, in,
+            inlen, "KEY_AES_192/MODE_ECB");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 0, in,
+            inlen, "KEY_AES_128/MODE_CBC");
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 0, in,
+            inlen, "KEY_AES_128/MODE_ECB");
     apr_pool_destroy(pool);
 
 }
@@ -623,16 +617,20 @@ static void test_crypto_block_nss_openss
     /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
     /*crypto_block_cross(tc, pool, drivers, KEY_AES_256, MODE_ECB, 1, in, inlen, "KEY_AES_256/MODE_ECB");*/
 
-    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
-     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
-     * investigated.
-     */
-    /*
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 1, in, inlen, "KEY_AES_192/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 1, in, inlen, "KEY_AES_192/MODE_ECB");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 1, in, inlen, "KEY_AES_128/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 1, in, inlen, "KEY_AES_128/MODE_ECB");
-     */
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 1, in,
+            inlen, "KEY_AES_192/MODE_CBC");
+
+    /* KEY_AES_192 / MODE_ECB doesn't support padding on NSS */
+    /*crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 1, in,
+            inlen, "KEY_AES_192/MODE_ECB");*/
+
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 1, in,
+            inlen, "KEY_AES_128/MODE_CBC");
+
+    /* KEY_AES_192 / MODE_ECB doesn't support padding on NSS */
+    /*crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 1, in,
+            inlen, "KEY_AES_128/MODE_ECB");*/
+
     apr_pool_destroy(pool);
 
 }
@@ -663,16 +661,20 @@ static void test_crypto_block_openssl_ns
     /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
     /*crypto_block_cross(tc, pool, drivers, KEY_AES_256, MODE_ECB, 1, in, inlen, "KEY_AES_256/MODE_ECB");*/
 
-    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
-     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
-     * investigated.
-     */
-    /*
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 1, in, inlen, "KEY_AES_192/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 1, in, inlen, "KEY_AES_192/MODE_ECB");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 1, in, inlen, "KEY_AES_128/MODE_CBC");
-     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 1, in, inlen, "KEY_AES_128/MODE_ECB");
-     */
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 1, in, inlen,
+            "KEY_AES_192/MODE_CBC");
+
+    /* KEY_AES_192 / MODE_ECB doesn't support padding on NSS */
+    /*crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 1, in, inlen,
+            "KEY_AES_192/MODE_ECB");*/
+
+    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 1, in, inlen,
+            "KEY_AES_128/MODE_CBC");
+
+    /* KEY_AES_128 / MODE_ECB doesn't support padding on NSS */
+    /*crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 1, in, inlen,
+            "KEY_AES_128/MODE_ECB");*/
+
     apr_pool_destroy(pool);
 
 }



Mime
View raw message