Fixes for things found with the NSS regression suite #110
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
LinuxJedi
force-pushed
the
nss-fixes
branch
4 times, most recently
from
4c38cd8 to
94ad8ff
Compare
|
@julek-wolfssl when back could you review this? Please un-assign yourself and assign to wolfssl-bot when ready for final review/merge. |
julek-wolfssl
requested changes
Jul 7, 2025
LinuxJedi
force-pushed
the
nss-fixes
branch
2 times, most recently
from
6a48d28 to
c929ebf
Compare
julek-wolfssl
requested changes
Jul 10, 2025
src/internal.c
Outdated
Comment on lines
2072
to
2076
| if (initialDerSz == LENGTH_ONLY_E || initialDerSz == 0) { | ||
| /* wolfSSL 5.6.6 compatibility */ | ||
| derSz = 256; /* Conservative estimate for ECC key DER */ | ||
| ret = 0; | ||
| } else if (initialDerSz > 0) { |
There was a problem hiding this comment.
Let's just use wc_EccKeyDerSize in all cases to get the der size.
Merged
julek-wolfssl
force-pushed
the
nss-fixes
branch
2 times, most recently
from
bb1c7dd to
6e43521
Compare
* Declare `CKM_HKDF_KEY_GEN` properly * Increase object cuonts for NSS * Add configdir parameter during `C_Initialize` for NSS
`C_CopyObject` was not doing a proper copy. This changes the behaviour so that it does.
* `C_CopyObject` template check if there is a `ulCount` * `WP_EC_Derive` would crash when the point isn't DER encoded
* `C_Decrypt` should return `CKR_ENCRYPTED_DATA_INVALID` when decryption fails * Fix Clang compiler error * Fix RSA test for storage disabled * Fix NSS + storage disabled compiling * Declare `CKM_HKDF_KEY_GEN` in mechanism list
…ation This fixes a regression of revision c929ebf, which improved support for CKO_DATA. Since the data in CKO_DATA objects is now stored in a different format, we need to differentiate on the object class used for the input key when performing an HKDF derivation.
WP11_Slot_CheckUserPin is very resource intensive and caching this result helps with speeding up tests
For some reason C_DeriveKey does not check if CKA_DERIVE is set
No longer returns the length but for now NSS doesn't use it to check length
Disabling SHA3 causes the following
```
In file included from lib/wolfssl/wolfssl/wolfcrypt/error-crypt.h:34,
from lib/wolfPKCS11/src/crypto.c:33:
lib/wolfPKCS11/src/crypto.c: In function 'C_SignInit':
lib/wolfssl/wolfssl/wolfcrypt/types.h:446:36: error: attribute 'fallthrough' not preceding a case label or default label [-Werror]
446 | #define FALL_THROUGH ; __attribute__ ((fallthrough))
| ^~~~~~~~~~~~~
lib/wolfPKCS11/src/crypto.c:4000:13: note: in expansion of macro 'FALL_THROUGH'
4000 | FALL_THROUGH;
| ^~~~~~~~~~~~
lib/wolfPKCS11/src/crypto.c: In function 'C_VerifyInit':
lib/wolfssl/wolfssl/wolfcrypt/types.h:446:36: error: attribute 'fallthrough' not preceding a case label or default label [-Werror]
446 | #define FALL_THROUGH ; __attribute__ ((fallthrough))
| ^~~~~~~~~~~~~
lib/wolfPKCS11/src/crypto.c:5019:13: note: in expansion of macro 'FALL_THROUGH'
5019 | FALL_THROUGH;
```
Length calculation was incorrect, causing an error. In addition, lengths for arrays were double-stored.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CKM_HKDF_KEY_GENproperlyC_Initializefor NSSC_CopyObjectwas not doing a proper copy. This changes the behaviour so that it does.C_CopyObjecttemplate check if there is aulCountWP_EC_Derivewould crash when the point isn't DER encodedCKM_RSA_PKCSto wrap and unwrapC_Decryptshould returnCKR_ENCRYPTED_DATA_INVALIDwhen decryptionfails
CKO_DATAobjects