diff options
Diffstat (limited to 'security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc')
-rw-r--r-- | security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc | 94 |
1 files changed, 74 insertions, 20 deletions
diff --git a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc index fc055f400..58684fc77 100644 --- a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc +++ b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc @@ -22,53 +22,102 @@ class Pkcs11Pbkdf2Test : public ::testing::Test { public: void Derive(std::vector<uint8_t>& derived, SECOidTag hash_alg) { // Shared between test vectors. - const unsigned int iterations = 4096; + const unsigned int kIterations = 4096; std::string pass("passwordPASSWORDpassword"); std::string salt("saltSALTsaltSALTsaltSALTsaltSALTsalt"); // Derivation must succeed with the right values. - EXPECT_TRUE(DeriveBytes(pass, salt, derived, hash_alg, iterations)); + EXPECT_TRUE(DeriveBytes(pass, salt, derived, hash_alg, kIterations)); // Derivation must fail when the password is bogus. - std::string bogusPass("PasswordPASSWORDpassword"); - EXPECT_FALSE(DeriveBytes(bogusPass, salt, derived, hash_alg, iterations)); + std::string bogus_pass("PasswordPASSWORDpassword"); + EXPECT_FALSE(DeriveBytes(bogus_pass, salt, derived, hash_alg, kIterations)); // Derivation must fail when the salt is bogus. - std::string bogusSalt("SaltSALTsaltSALTsaltSALTsaltSALTsalt"); - EXPECT_FALSE(DeriveBytes(pass, bogusSalt, derived, hash_alg, iterations)); + std::string bogus_salt("SaltSALTsaltSALTsaltSALTsaltSALTsalt"); + EXPECT_FALSE(DeriveBytes(pass, bogus_salt, derived, hash_alg, kIterations)); // Derivation must fail when using the wrong hash function. SECOidTag next_hash_alg = static_cast<SECOidTag>(hash_alg + 1); - EXPECT_FALSE(DeriveBytes(pass, salt, derived, next_hash_alg, iterations)); + EXPECT_FALSE(DeriveBytes(pass, salt, derived, next_hash_alg, kIterations)); - // Derivation must fail when using the wrong number of iterations. - EXPECT_FALSE(DeriveBytes(pass, salt, derived, hash_alg, iterations + 1)); + // Derivation must fail when using the wrong number of kIterations. + EXPECT_FALSE(DeriveBytes(pass, salt, derived, hash_alg, kIterations + 1)); + } + + void KeySizes(SECOidTag hash_alg) { + // These tests will only validate the controls around the key sizes. + // The resulting key is tested above, with valid key sizes. + const unsigned int kIterations = 10; + std::string pass("passwordPASSWORDpassword"); + std::string salt("saltSALTsaltSALTsaltSALTsaltSALTsalt"); + + // Derivation must fail when using key sizes bigger than MAX_KEY_LEN. + const int big_key_size = 768; + EXPECT_FALSE(KeySizeParam(pass, salt, big_key_size, hash_alg, kIterations)); + + // Zero is acceptable as key size and will be managed internally. + const int zero_key_size = 0; + EXPECT_TRUE(KeySizeParam(pass, salt, zero_key_size, hash_alg, kIterations)); + + // -1 will be set to 0 internally and this means that the key size will be + // obtained from the template. If the template doesn't have this defined, + // it must fail. + const int minus_key_size = -1; + EXPECT_FALSE( + KeySizeParam(pass, salt, minus_key_size, hash_alg, kIterations)); + + // Lower than -1 is not allowed, as -1 means no keyLen defined. + const int negative_key_size = -10; + EXPECT_FALSE( + KeySizeParam(pass, salt, negative_key_size, hash_alg, kIterations)); } private: bool DeriveBytes(std::string& pass, std::string& salt, std::vector<uint8_t>& derived, SECOidTag hash_alg, - unsigned int iterations) { - SECItem passItem = {siBuffer, ToUcharPtr(pass), - static_cast<unsigned int>(pass.length())}; - SECItem saltItem = {siBuffer, ToUcharPtr(salt), - static_cast<unsigned int>(salt.length())}; + unsigned int kIterations) { + SECItem pass_item = {siBuffer, ToUcharPtr(pass), + static_cast<unsigned int>(pass.length())}; + SECItem salt_item = {siBuffer, ToUcharPtr(salt), + static_cast<unsigned int>(salt.length())}; // Set up PBKDF2 params. ScopedSECAlgorithmID alg_id( PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, hash_alg, hash_alg, - derived.size(), iterations, &saltItem)); + derived.size(), kIterations, &salt_item)); // Derive. ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); - ScopedPK11SymKey symKey( - PK11_PBEKeyGen(slot.get(), alg_id.get(), &passItem, false, nullptr)); + ScopedPK11SymKey sym_key( + PK11_PBEKeyGen(slot.get(), alg_id.get(), &pass_item, false, nullptr)); - SECStatus rv = PK11_ExtractKeyValue(symKey.get()); + SECStatus rv = PK11_ExtractKeyValue(sym_key.get()); EXPECT_EQ(rv, SECSuccess); - SECItem* keyData = PK11_GetKeyData(symKey.get()); - return !memcmp(&derived[0], keyData->data, keyData->len); + SECItem* key_data = PK11_GetKeyData(sym_key.get()); + return !memcmp(&derived[0], key_data->data, key_data->len); + } + + bool KeySizeParam(std::string& pass, std::string& salt, const int key_size, + SECOidTag hash_alg, unsigned int kIterations) { + SECItem pass_item = {siBuffer, ToUcharPtr(pass), + static_cast<unsigned int>(pass.length())}; + SECItem salt_item = {siBuffer, ToUcharPtr(salt), + static_cast<unsigned int>(salt.length())}; + + // Set up PBKDF2 params. + ScopedSECAlgorithmID alg_id( + PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, hash_alg, hash_alg, + key_size, kIterations, &salt_item)); + + // Try to generate a key with the defined params. + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ScopedPK11SymKey sym_key( + PK11_PBEKeyGen(slot.get(), alg_id.get(), &pass_item, false, nullptr)); + + // Should be nullptr if fail. + return sym_key.get(); } }; @@ -93,4 +142,9 @@ TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) { Derive(derived, SEC_OID_HMAC_SHA256); } +TEST_F(Pkcs11Pbkdf2Test, KeyLenSizes) { + // The size controls are regardless of the algorithms. + KeySizes(SEC_OID_HMAC_SHA256); +} + } // namespace nss_test |