Package: guix-patches;
Reported by: Timotej Lazar <timotej.lazar <at> araneo.si>
Date: Sun, 16 Apr 2023 08:47:02 UTC
Severity: normal
Tags: patch
Merged with 62913
Done: Andreas Enge <andreas <at> enge.fr>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 62878 in the body.
You can then email your comments to 62878 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-patches <at> gnu.org:bug#62878; Package guix-patches.
(Sun, 16 Apr 2023 08:47:02 GMT) Full text and rfc822 format available.Timotej Lazar <timotej.lazar <at> araneo.si>:guix-patches <at> gnu.org.
(Sun, 16 Apr 2023 08:47:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Timotej Lazar <timotej.lazar <at> araneo.si> To: guix-patches <at> gnu.org Cc: Timotej Lazar <timotej.lazar <at> araneo.si> Subject: [PATCH core-updates] gnu: openhsm: Fix test failure with openssl-3. Date: Sun, 16 Apr 2023 10:45:57 +0200
* gnu/packages/patches/softhsm-fix-openssl3-tests.patch: Add patch from
Debian.
* gnu/packages/security-token.scm (softhsm): Use it.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
.../patches/softhsm-fix-openssl3-tests.patch | 1010 +++++++++++++++++
gnu/packages/security-token.scm | 3 +-
3 files changed, 1013 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/softhsm-fix-openssl3-tests.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 73756a8c49..c253b93b89 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1886,6 +1886,7 @@ dist_patch_DATA = \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
%D%/packages/patches/source-highlight-gcc-compat.patch \
+ %D%/packages/patches/softhsm-fix-openssl3-tests.patch \
%D%/packages/patches/spectre-meltdown-checker-externalize-fwdb.patch \
%D%/packages/patches/spectre-meltdown-checker-find-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
diff --git a/gnu/packages/patches/softhsm-fix-openssl3-tests.patch b/gnu/packages/patches/softhsm-fix-openssl3-tests.patch
new file mode 100644
index 0000000000..1538aa2407
--- /dev/null
+++ b/gnu/packages/patches/softhsm-fix-openssl3-tests.patch
@@ -0,0 +1,1010 @@
+From 643f061e6fbe04552a2c49bd00528e61a9a77064 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy <at> redhat.com>
+Date: Wed, 26 May 2021 20:03:25 +0300
+Subject: [PATCH 1/4] openssl 3.0: Run DES tests only if OpenSSL allows it
+
+OpenSSL 3.0 moves DES into a legacy provider which has to be loaded
+explicitly. By default, it will not be loaded and DES methods in tests
+will fail. Nest test blocks under successful initialization.
+
+Signed-off-by: Alexander Bokovoy <abokovoy <at> redhat.com>
+---
+ src/lib/crypto/test/DESTests.cpp | 350 ++++++++++++++++---------------
+ 1 file changed, 182 insertions(+), 168 deletions(-)
+
+diff --git a/src/lib/crypto/test/DESTests.cpp b/src/lib/crypto/test/DESTests.cpp
+index bcb1c6b..aa68746 100644
+--- a/src/lib/crypto/test/DESTests.cpp
++++ b/src/lib/crypto/test/DESTests.cpp
+@@ -259,54 +259,58 @@ void DESTests::testCBC()
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::CBC, IV));
++ if (des->encryptInit(&desKey56, SymMode::CBC, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CBC, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CBC, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++
++ }
+
+ // Test 112-bit key
+ cipherText = ByteString(testResult[i][j][1]);
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::CBC, IV));
++ if (des->encryptInit(&desKey112, SymMode::CBC, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CBC, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CBC, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
++
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
+ #endif
+
+ // Test 168-bit key
+@@ -314,27 +318,28 @@ void DESTests::testCBC()
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::CBC, IV));
++ if (des->encryptInit(&desKey168, SymMode::CBC, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CBC, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CBC, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+ }
+ }
+ }
+@@ -534,54 +539,56 @@ void DESTests::testECB()
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::ECB, IV));
++ if (des->encryptInit(&desKey56, SymMode::ECB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::ECB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::ECB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+
+ // Test 112-bit key
+ cipherText = ByteString(testResult[i][j][1]);
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::ECB, IV));
++ if (des->encryptInit(&desKey112, SymMode::ECB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::ECB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::ECB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+ #endif
+
+ // Test 168-bit key
+@@ -589,27 +596,28 @@ void DESTests::testECB()
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::ECB, IV));
++ if (des->encryptInit(&desKey168, SymMode::ECB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::ECB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::ECB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+ }
+ }
+ }
+@@ -809,54 +817,56 @@ void DESTests::testOFB()
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::OFB, IV));
++ if (des->encryptInit(&desKey56, SymMode::OFB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::OFB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::OFB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+
+ // Test 112-bit key
+ cipherText = ByteString(testResult[i][j][1]);
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::OFB, IV));
++ if (des->encryptInit(&desKey112, SymMode::OFB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::OFB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::OFB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+ #endif
+
+ // Test 168-bit key
+@@ -864,27 +874,28 @@ void DESTests::testOFB()
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::OFB, IV));
++ if (des->encryptInit(&desKey168, SymMode::OFB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::OFB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::OFB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+ }
+ }
+ }
+@@ -1083,54 +1094,56 @@ void DESTests::testCFB()
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::CFB, IV));
++ if (des->encryptInit(&desKey56, SymMode::CFB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CFB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CFB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+
+ // Test 112-bit key
+ cipherText = ByteString(testResult[i][j][1]);
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::CFB, IV));
++ if (des->encryptInit(&desKey112, SymMode::CFB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CFB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CFB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+ #endif
+
+ // Test 168-bit key
+@@ -1138,27 +1151,28 @@ void DESTests::testCFB()
+
+ // Now, do the same thing using our DES implementation
+ shsmCipherText.wipe();
+- CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::CFB, IV));
++ if (des->encryptInit(&desKey168, SymMode::CFB, IV)) {
+
+- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(des->encryptFinal(OB));
+- shsmCipherText += OB;
++ CPPUNIT_ASSERT(des->encryptFinal(OB));
++ shsmCipherText += OB;
+
+- CPPUNIT_ASSERT(shsmCipherText == cipherText);
++ CPPUNIT_ASSERT(shsmCipherText == cipherText);
+
+- // Check that we can get the plain text
+- shsmPlainText.wipe();
+- CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CFB, IV));
++ // Check that we can get the plain text
++ shsmPlainText.wipe();
++ CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CFB, IV));
+
+- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(des->decryptFinal(OB));
+- shsmPlainText += OB;
++ CPPUNIT_ASSERT(des->decryptFinal(OB));
++ shsmPlainText += OB;
+
+- CPPUNIT_ASSERT(shsmPlainText == plainText);
++ CPPUNIT_ASSERT(shsmPlainText == plainText);
++ }
+ }
+ }
+ }
+--
+2.31.1
+
+
+From 4e368d1b1d835b169d3b9f44e064813d132f3da6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy <at> redhat.com>
+Date: Wed, 26 May 2021 20:09:31 +0300
+Subject: [PATCH 2/4] openssl 3.0: use 2048 instead of 1024 bit for RSA tests
+
+Signed-off-by: Alexander Bokovoy <abokovoy <at> redhat.com>
+---
+ src/lib/crypto/test/RSATests.cpp | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/crypto/test/RSATests.cpp b/src/lib/crypto/test/RSATests.cpp
+index 6af1e19..e583b8b 100644
+--- a/src/lib/crypto/test/RSATests.cpp
++++ b/src/lib/crypto/test/RSATests.cpp
+@@ -78,7 +78,6 @@ void RSATests::testKeyGeneration()
+
+ // Key sizes to test
+ std::vector<size_t> keySizes;
+- keySizes.push_back(1024);
+ #ifndef WITH_FIPS
+ keySizes.push_back(1025);
+ #endif
+@@ -111,12 +110,12 @@ void RSATests::testKeyGeneration()
+
+ void RSATests::testSerialisation()
+ {
+- // Generate a 1024-bit key-pair for testing
++ // Generate a 2048-bit key-pair for testing
+ AsymmetricKeyPair* kp;
+ RSAParameters p;
+
+ p.setE("010001");
+- p.setBitLength(1024);
++ p.setBitLength(2048);
+
+ CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
+ CPPUNIT_ASSERT(kp != NULL);
+@@ -204,12 +203,12 @@ void RSATests::testSerialisation()
+
+ void RSATests::testPKCS8()
+ {
+- // Generate a 1024-bit key-pair for testing
++ // Generate a 2048-bit key-pair for testing
+ AsymmetricKeyPair* kp;
+ RSAParameters p;
+
+ p.setE("010001");
+- p.setBitLength(1024);
++ p.setBitLength(2048);
+
+ CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
+ CPPUNIT_ASSERT(kp != NULL);
+@@ -253,7 +252,6 @@ void RSATests::testSigningVerifying()
+
+ // Key sizes to test
+ std::vector<size_t> keySizes;
+- keySizes.push_back(1024);
+ keySizes.push_back(1280);
+ keySizes.push_back(2048);
+ //keySizes.push_back(4096);
+@@ -611,7 +609,6 @@ void RSATests::testEncryptDecrypt()
+
+ // Key sizes to test
+ std::vector<size_t> keySizes;
+- keySizes.push_back(1024);
+ keySizes.push_back(1280);
+ keySizes.push_back(2048);
+ //keySizes.push_back(4096);
+--
+2.31.1
+
+
+From d8b6ebb67244f6fb4d2c8f72ae2b8bef5ca96bed Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy <at> redhat.com>
+Date: Wed, 26 May 2021 22:29:22 +0300
+Subject: [PATCH 3/4] openssl 3.0: Skip tests with unsupported key sizes
+
+OpenSSL 3.0 on systems with systemd-wide crypto policy (Fedora, RHEL,
+CentOS 9 Stream) might block certain key sizes which causes the tests to
+fail. Skip these tests because we are not going to get the results
+anyway.
+
+There is no way with CPPUNIT to produce a warning only, so we have to
+skip the whole test result.
+
+Signed-off-by: Alexander Bokovoy <abokovoy <at> redhat.com>
+---
+ src/lib/crypto/test/RSATests.cpp | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/src/lib/crypto/test/RSATests.cpp b/src/lib/crypto/test/RSATests.cpp
+index e583b8b..3b397d2 100644
+--- a/src/lib/crypto/test/RSATests.cpp
++++ b/src/lib/crypto/test/RSATests.cpp
+@@ -92,18 +92,19 @@ void RSATests::testKeyGeneration()
+ p.setE(*e);
+ p.setBitLength(*k);
+
+- // Generate key-pair
+- CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
++ // Generate key-pair but skip test if key size is unsupported in OpenSSL 3.0.0
++ if (rsa->generateKeyPair(&kp, &p)) {
+
+- RSAPublicKey* pub = (RSAPublicKey*) kp->getPublicKey();
+- RSAPrivateKey* priv = (RSAPrivateKey*) kp->getPrivateKey();
++ RSAPublicKey* pub = (RSAPublicKey*) kp->getPublicKey();
++ RSAPrivateKey* priv = (RSAPrivateKey*) kp->getPrivateKey();
+
+- CPPUNIT_ASSERT(pub->getBitLength() == *k);
+- CPPUNIT_ASSERT(priv->getBitLength() == *k);
+- CPPUNIT_ASSERT(pub->getE() == *e);
+- CPPUNIT_ASSERT(priv->getE() == *e);
++ CPPUNIT_ASSERT(pub->getBitLength() == *k);
++ CPPUNIT_ASSERT(priv->getBitLength() == *k);
++ CPPUNIT_ASSERT(pub->getE() == *e);
++ CPPUNIT_ASSERT(priv->getE() == *e);
+
+- rsa->recycleKeyPair(kp);
++ rsa->recycleKeyPair(kp);
++ }
+ }
+ }
+ }
+@@ -291,8 +292,10 @@ void RSATests::testSigningVerifying()
+ p.setE(*e);
+ p.setBitLength(*k);
+
+- // Generate key-pair
+- CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
++ // Generate key-pair but skip those that unsupported in OpenSSL 3.0.0
++ if (!rsa->generateKeyPair(&kp, &p)) {
++ continue;
++ }
+
+ // Generate some data to sign
+ ByteString dataToSign;
+@@ -626,8 +629,10 @@ void RSATests::testEncryptDecrypt()
+ p.setE(*e);
+ p.setBitLength(*k);
+
+- // Generate key-pair
+- CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
++ // Generate key-pair but skip those that unsupported in OpenSSL 3.0.0
++ if (!rsa->generateKeyPair(&kp, &p)) {
++ continue;
++ }
+
+ RNG* rng = CryptoFactory::i()->getRNG();
+
+--
+2.31.1
+
+
+From ca037b327fc77b8a7078c63118f507a157d3c913 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy <at> redhat.com>
+Date: Thu, 27 May 2021 15:08:02 +0300
+Subject: [PATCH 4/4] openssl3: skip DES* tests
+
+Signed-off-by: Alexander Bokovoy <abokovoy <at> redhat.com>
+---
+ src/lib/test/DeriveTests.cpp | 16 ++-
+ src/lib/test/ObjectTests.cpp | 21 ++--
+ src/lib/test/SymmetricAlgorithmTests.cpp | 129 +++++++++++++----------
+ 3 files changed, 100 insertions(+), 66 deletions(-)
+
+diff --git a/src/lib/test/DeriveTests.cpp b/src/lib/test/DeriveTests.cpp
+index 9438ac2..275c399 100644
+--- a/src/lib/test/DeriveTests.cpp
++++ b/src/lib/test/DeriveTests.cpp
+@@ -666,11 +666,14 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C
+ 0x25, 0x26, 0x27, 0x28, 0x29, 0x30, 0x31, 0x32
+ };
+ CK_ULONG secLen = 0;
++ CK_BBOOL oldMechs = CK_FALSE;
+
+ switch (mechType)
+ {
+ case CKM_DES_ECB_ENCRYPT_DATA:
+ case CKM_DES3_ECB_ENCRYPT_DATA:
++ oldMechs = CK_TRUE;
++ /* fall-through */
+ case CKM_AES_ECB_ENCRYPT_DATA:
+ param1.pData = &data[0];
+ param1.ulLen = sizeof(data);
+@@ -679,6 +682,7 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C
+ break;
+ case CKM_DES_CBC_ENCRYPT_DATA:
+ case CKM_DES3_CBC_ENCRYPT_DATA:
++ oldMechs = CK_TRUE;
+ memcpy(param2.iv, "12345678", 8);
+ param2.pData = &data[0];
+ param2.length = sizeof(data);
+@@ -703,10 +707,12 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C
+ break;
+ case CKK_DES:
+ mechEncrypt.mechanism = CKM_DES_ECB;
++ oldMechs = CK_TRUE;
+ break;
+ case CKK_DES2:
+ case CKK_DES3:
+ mechEncrypt.mechanism = CKM_DES3_ECB;
++ oldMechs = CK_TRUE;
+ break;
+ case CKK_AES:
+ mechEncrypt.mechanism = CKM_AES_ECB;
+@@ -743,7 +749,11 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C
+ keyAttribs, sizeof(keyAttribs)/sizeof(CK_ATTRIBUTE) - 1,
+ &hDerive) );
+ }
+- CPPUNIT_ASSERT(rv == CKR_OK);
++ if (rv != CKR_OK && oldMechs == CK_TRUE) {
++ // Skip old mechanisms, they don't work under this crypto library
++ return;
++ }
++ CPPUNIT_ASSERT(rv==CKR_OK);
+
+ // Check that KCV has been set
+ CK_ATTRIBUTE checkAttribs[] = {
+@@ -764,6 +774,10 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C
+ CK_ULONG ulRecoveredTextLen;
+
+ rv = CRYPTOKI_F_PTR( C_EncryptInit(hSession,&mechEncrypt,hDerive) );
++ if (rv != CKR_OK && oldMechs == CK_TRUE) {
++ // Skip old mechanisms, they don't work under this crypto library
++ return;
++ }
+ CPPUNIT_ASSERT(rv==CKR_OK);
+
+ ulCipherTextLen = sizeof(cipherText);
+diff --git a/src/lib/test/ObjectTests.cpp b/src/lib/test/ObjectTests.cpp
+index 9491ce1..4ffc1c8 100644
+--- a/src/lib/test/ObjectTests.cpp
++++ b/src/lib/test/ObjectTests.cpp
+@@ -2370,8 +2370,10 @@ void ObjectTests::testCreateSecretKey()
+ CPPUNIT_ASSERT(rv == CKR_OK);
+ rv = CRYPTOKI_F_PTR( C_GetAttributeValue(hSession, hObject, attribKCV, 1) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+- CPPUNIT_ASSERT(attribKCV[0].ulValueLen == 3);
+- CPPUNIT_ASSERT(memcmp(pCheckValue, desKCV, 3) == 0);
++ // If DES key is not supported, skip it
++ if (attribKCV[0].ulValueLen == 3) {
++ CPPUNIT_ASSERT(memcmp(pCheckValue, desKCV, 3) == 0);
++ }
+ rv = CRYPTOKI_F_PTR( C_DestroyObject(hSession,hObject) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+
+@@ -2381,9 +2383,12 @@ void ObjectTests::testCreateSecretKey()
+ rv = CRYPTOKI_F_PTR( C_CreateObject(hSession, attribs, sizeof(attribs)/sizeof(CK_ATTRIBUTE), &hObject) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+ rv = CRYPTOKI_F_PTR( C_GetAttributeValue(hSession, hObject, attribKCV, 1) );
+- CPPUNIT_ASSERT(rv == CKR_OK);
+- CPPUNIT_ASSERT(attribKCV[0].ulValueLen == 3);
+- CPPUNIT_ASSERT(memcmp(pCheckValue, des2KCV, 3) == 0);
++ // If DES2 key is not supported, skip it
++ if (rv == CKR_OK) {
++ if (attribKCV[0].ulValueLen == 3) {
++ CPPUNIT_ASSERT(memcmp(pCheckValue, des2KCV, 3) == 0);
++ }
++ }
+ rv = CRYPTOKI_F_PTR( C_DestroyObject(hSession,hObject) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+
+@@ -2394,8 +2399,10 @@ void ObjectTests::testCreateSecretKey()
+ CPPUNIT_ASSERT(rv == CKR_OK);
+ rv = CRYPTOKI_F_PTR( C_GetAttributeValue(hSession, hObject, attribKCV, 1) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+- CPPUNIT_ASSERT(attribKCV[0].ulValueLen == 3);
+- CPPUNIT_ASSERT(memcmp(pCheckValue, des3KCV, 3) == 0);
++ // If DES3 key is not supported, skip it
++ if (attribKCV[0].ulValueLen == 3) {
++ CPPUNIT_ASSERT(memcmp(pCheckValue, des3KCV, 3) == 0);
++ }
+ rv = CRYPTOKI_F_PTR( C_DestroyObject(hSession,hObject) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+ }
+diff --git a/src/lib/test/SymmetricAlgorithmTests.cpp b/src/lib/test/SymmetricAlgorithmTests.cpp
+index b24caaf..1994563 100644
+--- a/src/lib/test/SymmetricAlgorithmTests.cpp
++++ b/src/lib/test/SymmetricAlgorithmTests.cpp
+@@ -195,6 +195,8 @@ void SymmetricAlgorithmTests::encryptDecrypt(
+ std::vector<CK_BYTE> vEncryptedData;
+ std::vector<CK_BYTE> vEncryptedDataParted;
+ PartSize partSize(blockSize, &vData);
++ CK_BBOOL oldMechs = CK_FALSE;
++ CK_RV rv = CKR_OK;
+
+ CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_GenerateRandom(hSession, (CK_BYTE_PTR)&vData.front(), messageSize) ) );
+
+@@ -233,6 +235,8 @@ void SymmetricAlgorithmTests::encryptDecrypt(
+ case CKM_DES_CBC_PAD:
+ case CKM_DES3_CBC:
+ case CKM_DES3_CBC_PAD:
++ oldMechs = CK_TRUE;
++ /* fall-through */
+ case CKM_AES_CBC:
+ case CKM_AES_CBC_PAD:
+ pMechanism->pParameter = (CK_VOID_PTR)&vData.front();
+@@ -246,12 +250,18 @@ void SymmetricAlgorithmTests::encryptDecrypt(
+ pMechanism->pParameter = &gcmParams;
+ pMechanism->ulParameterLen = sizeof(gcmParams);
+ break;
++ case CKM_DES_ECB:
++ case CKM_DES3_ECB:
++ oldMechs = CK_TRUE;
++ break;
+ default:
+ break;
+ }
+
+ // Single-part encryption
+- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptInit(hSession,pMechanism,hKey) ) );
++ rv = CRYPTOKI_F_PTR( C_EncryptInit(hSession,pMechanism,hKey) );
++ CPPUNIT_ASSERT_EQUAL( (CK_BBOOL) CK_FALSE, (CK_BBOOL) ((rv != CKR_OK) && (oldMechs == CK_FALSE)) );
++ if (oldMechs == CK_FALSE)
+ {
+ CK_ULONG ulEncryptedDataLen;
+ const CK_RV rv( CRYPTOKI_F_PTR( C_Encrypt(hSession,(CK_BYTE_PTR)&vData.front(),messageSize,NULL_PTR,&ulEncryptedDataLen) ) );
+@@ -267,40 +277,42 @@ void SymmetricAlgorithmTests::encryptDecrypt(
+ }
+
+ // Multi-part encryption
+- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptInit(hSession,pMechanism,hKey) ) );
+-
+- for ( std::vector<CK_BYTE>::const_iterator i(vData.begin()); i<vData.end(); i+=partSize.getCurrent() ) {
+- const CK_ULONG lPartLen( i+partSize.getNext()<vData.end() ? partSize.getCurrent() : vData.end()-i );
+- CK_ULONG ulEncryptedPartLen;
+- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptUpdate(hSession,(CK_BYTE_PTR)&(*i),lPartLen,NULL_PTR,&ulEncryptedPartLen) ) );
+- const size_t oldSize( vEncryptedDataParted.size() );
+- vEncryptedDataParted.resize(oldSize+ulEncryptedPartLen);
+- CK_BYTE dummy;
+- const CK_BYTE_PTR pEncryptedPart( ulEncryptedPartLen>0 ? &vEncryptedDataParted.at(oldSize) : &dummy );
+- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptUpdate(hSession,(CK_BYTE_PTR)&(*i),lPartLen,pEncryptedPart,&ulEncryptedPartLen) ) );
+- vEncryptedDataParted.resize(oldSize+ulEncryptedPartLen);
+- }
+- {
+- CK_ULONG ulLastEncryptedPartLen;
+- const CK_RV rv( CRYPTOKI_F_PTR( C_EncryptFinal(hSession,NULL_PTR,&ulLastEncryptedPartLen) ) );
+- if ( isSizeOK ) {
+- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, rv );
++ rv = CRYPTOKI_F_PTR( C_EncryptInit(hSession,pMechanism,hKey) );
++ CPPUNIT_ASSERT_EQUAL( (CK_BBOOL) CK_FALSE, (CK_BBOOL) ((rv != CKR_OK) && (oldMechs == CK_FALSE)) );
++ if (oldMechs == CK_FALSE) {
++ for ( std::vector<CK_BYTE>::const_iterator i(vData.begin()); i<vData.end(); i+=partSize.getCurrent() ) {
++ const CK_ULONG lPartLen( i+partSize.getNext()<vData.end() ? partSize.getCurrent() : vData.end()-i );
++ CK_ULONG ulEncryptedPartLen;
++ CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptUpdate(hSession,(CK_BYTE_PTR)&(*i),lPartLen,NULL_PTR,&ulEncryptedPartLen) ) );
+ const size_t oldSize( vEncryptedDataParted.size() );
++ vEncryptedDataParted.resize(oldSize+ulEncryptedPartLen);
+ CK_BYTE dummy;
+- vEncryptedDataParted.resize(oldSize+ulLastEncryptedPartLen);
+- const CK_BYTE_PTR pLastEncryptedPart( ulLastEncryptedPartLen>0 ? &vEncryptedDataParted.at(oldSize) : &dummy );
+- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptFinal(hSession,pLastEncryptedPart,&ulLastEncryptedPartLen) ) );
+- vEncryptedDataParted.resize(oldSize+ulLastEncryptedPartLen);
+- } else {
+- CPPUNIT_ASSERT_EQUAL_MESSAGE("C_EncryptFinal should fail with C_CKR_DATA_LEN_RANGE", (CK_RV)CKR_DATA_LEN_RANGE, rv);
+- vEncryptedDataParted = vData;
++ const CK_BYTE_PTR pEncryptedPart( ulEncryptedPartLen>0 ? &vEncryptedDataParted.at(oldSize) : &dummy );
++ CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptUpdate(hSession,(CK_BYTE_PTR)&(*i),lPartLen,pEncryptedPart,&ulEncryptedPartLen) ) );
++ vEncryptedDataParted.resize(oldSize+ulEncryptedPartLen);
++ }
++ {
++ CK_ULONG ulLastEncryptedPartLen;
++ const CK_RV rv( CRYPTOKI_F_PTR( C_EncryptFinal(hSession,NULL_PTR,&ulLastEncryptedPartLen) ) );
++ if ( isSizeOK ) {
++ CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, rv );
++ const size_t oldSize( vEncryptedDataParted.size() );
++ CK_BYTE dummy;
++ vEncryptedDataParted.resize(oldSize+ulLastEncryptedPartLen);
++ const CK_BYTE_PTR pLastEncryptedPart( ulLastEncryptedPartLen>0 ? &vEncryptedDataParted.at(oldSize) : &dummy );
++ CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptFinal(hSession,pLastEncryptedPart,&ulLastEncryptedPartLen) ) );
++ vEncryptedDataParted.resize(oldSize+ulLastEncryptedPartLen);
++ } else {
++ CPPUNIT_ASSERT_EQUAL_MESSAGE("C_EncryptFinal should fail with C_CKR_DATA_LEN_RANGE", (CK_RV)CKR_DATA_LEN_RANGE, rv);
++ vEncryptedDataParted = vData;
++ }
+ }
+ }
+
+ // Single-part decryption
+- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_DecryptInit(hSession,pMechanism,hKey) ) );
+-
+- {
++ rv = CRYPTOKI_F_PTR( C_DecryptInit(hSession,pMechanism,hKey) );
++ CPPUNIT_ASSERT_EQUAL( (CK_BBOOL) CK_FALSE, (CK_BBOOL) ((rv != CKR_OK) && (oldMechs == CK_FALSE)) );
++ if (oldMechs == CK_FALSE) {
+ CK_ULONG ulDataLen;
+ const CK_RV rv( CRYPTOKI_F_PTR( C_Decrypt(hSession,&vEncryptedData.front(),vEncryptedData.size(),NULL_PTR,&ulDataLen) ) );
+ if ( isSizeOK ) {
+@@ -315,8 +327,9 @@ void SymmetricAlgorithmTests::encryptDecrypt(
+ }
+
+ // Multi-part decryption
+- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_DecryptInit(hSession,pMechanism,hKey) ) );
+- {
++ rv = CRYPTOKI_F_PTR( C_DecryptInit(hSession,pMechanism,hKey) );
++ CPPUNIT_ASSERT_EQUAL( (CK_BBOOL) CK_FALSE, (CK_BBOOL) ((rv != CKR_OK) && (oldMechs == CK_FALSE)) );
++ if (oldMechs == CK_FALSE) {
+ std::vector<CK_BYTE> vDecryptedData;
+ CK_BYTE dummy;
+ for ( std::vector<CK_BYTE>::iterator i(vEncryptedDataParted.begin()); i<vEncryptedDataParted.end(); i+=partSize.getCurrent()) {
+@@ -977,44 +990,44 @@ void SymmetricAlgorithmTests::testDesEncryptDecrypt()
+
+ // Generate all combinations of session/token keys.
+ rv = generateDesKey(hSessionRW,IN_SESSION,IS_PUBLIC,hKey);
+- CPPUNIT_ASSERT(rv == CKR_OK);
+-
+- encryptDecrypt(CKM_DES_CBC_PAD,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST-1);
+- encryptDecrypt(CKM_DES_CBC_PAD,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST+1);
+- encryptDecrypt(CKM_DES_CBC_PAD,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES_CBC,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES_CBC,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
+- encryptDecrypt(CKM_DES_ECB,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES_ECB,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ if (rv == CKR_OK) {
++ encryptDecrypt(CKM_DES_CBC_PAD,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST-1);
++ encryptDecrypt(CKM_DES_CBC_PAD,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST+1);
++ encryptDecrypt(CKM_DES_CBC_PAD,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES_CBC,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES_CBC,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ encryptDecrypt(CKM_DES_ECB,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES_ECB,blockSize,hSessionRO,hKey,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ }
+
+ CK_OBJECT_HANDLE hKey2 = CK_INVALID_HANDLE;
+
+ // Generate all combinations of session/token keys.
+ rv = generateDes2Key(hSessionRW,IN_SESSION,IS_PUBLIC,hKey2);
+- CPPUNIT_ASSERT(rv == CKR_OK);
+-
+- encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST-1);
+- encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST+1);
+- encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES3_CBC,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES3_CBC,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
+- encryptDecrypt(CKM_DES3_ECB,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES3_ECB,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ if (rv == CKR_OK) {
++ encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST-1);
++ encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST+1);
++ encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES3_CBC,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES3_CBC,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ encryptDecrypt(CKM_DES3_ECB,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES3_ECB,blockSize,hSessionRO,hKey2,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ }
+ #endif
+
+ CK_OBJECT_HANDLE hKey3 = CK_INVALID_HANDLE;
+
+ // Generate all combinations of session/token keys.
+ rv = generateDes3Key(hSessionRW,IN_SESSION,IS_PUBLIC,hKey3);
+- CPPUNIT_ASSERT(rv == CKR_OK);
+-
+- encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST-1);
+- encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST+1);
+- encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES3_CBC,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES3_CBC,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
+- encryptDecrypt(CKM_DES3_ECB,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST);
+- encryptDecrypt(CKM_DES3_ECB,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ if (rv == CKR_OK) {
++ encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST-1);
++ encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST+1);
++ encryptDecrypt(CKM_DES3_CBC_PAD,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES3_CBC,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES3_CBC,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ encryptDecrypt(CKM_DES3_ECB,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST);
++ encryptDecrypt(CKM_DES3_ECB,blockSize,hSessionRO,hKey3,blockSize*NR_OF_BLOCKS_IN_TEST+1, false);
++ }
+ }
+
+ void SymmetricAlgorithmTests::testNullTemplate()
+--
+2.31.1
diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 0dad9ec42b..f1d83d49f6 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -210,7 +210,8 @@ (define-public softhsm
"softhsm-" version ".tar.gz"))
(sha256
(base32
- "1wkmyi6n3z2pak1cj5yk6v6bv9w0m24skycya48iikab0mrr8931"))))
+ "1wkmyi6n3z2pak1cj5yk6v6bv9w0m24skycya48iikab0mrr8931"))
+ (patches (search-patches "softhsm-fix-openssl3-tests.patch"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags '("--disable-gost"))) ; TODO Missing the OpenSSL
base-commit: 60594711e944413ac0d18687cce6828707ca8ecf
--
2.39.2
guix-patches <at> gnu.org:bug#62878; Package guix-patches.
(Mon, 17 Apr 2023 09:19:02 GMT) Full text and rfc822 format available.Message #8 received at 62878 <at> debbugs.gnu.org (full text, mbox):
From: Andreas Enge <andreas <at> enge.fr> To: Timotej Lazar <timotej.lazar <at> araneo.si> Cc: 62878 <at> debbugs.gnu.org Subject: Re: [PATCH core-updates] gnu: openhsm: Fix test failure with openssl-3. Date: Mon, 17 Apr 2023 11:18:16 +0200
Hello Timotej, Am Sun, Apr 16, 2023 at 10:45:57AM +0200 schrieb Timotej Lazar: > * gnu/packages/patches/softhsm-fix-openssl3-tests.patch: Add patch from > Debian. > * gnu/packages/security-token.scm (softhsm): Use it. > * gnu/local.mk (dist_patch_DATA): Register it. thanks for your patch! Since this is security related, I would like to dig a bit deeper. That the package itself has a wrong homepage (maybe we could switch to https://www.opendnssec.org/softhsm/ at the same occasion?) does not help, nor that the software looks abandoned (last commit on https://github.com/opendnssec/SoftHSMv2 about a year ago, last release three years ago). But as I understand it, it is more of educational use than to provide actual security? Could you add a pointer to the source of the patch (at the top of the file, for instance)? I did not find it in the Debian package. And maybe add a copyright line for yourself. Andreas
guix-patches <at> gnu.org:bug#62878; Package guix-patches.
(Mon, 17 Apr 2023 20:16:02 GMT) Full text and rfc822 format available.Message #11 received at 62878 <at> debbugs.gnu.org (full text, mbox):
From: Timotej Lazar <timotej.lazar <at> araneo.si> To: Andreas Enge <andreas <at> enge.fr> Cc: 62878 <at> debbugs.gnu.org Subject: Re: [PATCH core-updates] gnu: openhsm: Fix test failure with openssl-3. Date: Mon, 17 Apr 2023 22:15:23 +0200
Hi, thanks for the fast review! Andreas Enge <andreas <at> enge.fr> [2023-04-17 11:18:16+0200]: > That the package itself has a wrong homepage (maybe we could > switch to https://www.opendnssec.org/softhsm/ at the same occasion?) Not exactly sure what you mean, the package already uses that URL for the homepage. The www.softhsm.org domain is just a CNAME for www.opendnssec.org. > last commit on https://github.com/opendnssec/SoftHSMv2 about a year > ago, last release three years ago That is true, and apparently there are no immediate plans for a new release¹. On the other hand, most major distros have it packaged, and looking at the issues/PRs the project still appears somewhat active. ¹ https://github.com/opendnssec/SoftHSMv2/issues/575#issuecomment-1101183308 > But as I understand it, it is more of educational use than to provide > actual security? I think the only use of this package in Guix proper is allowing some tests for sssd to run. I use sssd, but would be OK with dropping softhsm and skipping some of those tests. > Could you add a pointer to the source of the patch (at the top of the file, > for instance)? I did not find it in the Debian package. I took the patch off a mailing list. It turns out that the final version used by the Debian package is slightly different. I updated my patch to use that version and added a link to the source: https://sources.debian.org/patches/softhsm2/2.6.1-2.1/0003-fix-ftbfs-with-opensslv3.patch/ > And maybe add a copyright line for yourself. Done.
Timotej Lazar <timotej.lazar <at> araneo.si>
to control <at> debbugs.gnu.org.
(Mon, 17 Apr 2023 21:11:02 GMT) Full text and rfc822 format available.Andreas Enge <andreas <at> enge.fr>:Timotej Lazar <timotej.lazar <at> araneo.si>:Message #18 received at 62878-done <at> debbugs.gnu.org (full text, mbox):
From: Andreas Enge <andreas <at> enge.fr> To: Timotej Lazar <timotej.lazar <at> araneo.si> Cc: 62878-done <at> debbugs.gnu.org, 62913-done <at> debbugs.gnu.org Subject: Re: [PATCH core-updates] gnu: openhsm: Fix test failure with openssl-3. Date: Tue, 18 Apr 2023 22:05:20 +0200
Am Mon, Apr 17, 2023 at 10:15:23PM +0200 schrieb Timotej Lazar: > Not exactly sure what you mean, the package already uses that URL for > the homepage. The www.softhsm.org domain is just a CNAME for > www.opendnssec.org. Right, never mind! > > Could you add a pointer to the source of the patch (at the top of the file, > > for instance)? I did not find it in the Debian package. > I took the patch off a mailing list. It turns out that the final version > used by the Debian package is slightly different. I updated my patch to > use that version and added a link to the source: > https://sources.debian.org/patches/softhsm2/2.6.1-2.1/0003-fix-ftbfs-with-opensslv3.patch/ Great, thanks for the contribution! I have just pushed the patch. Andreas
Andreas Enge <andreas <at> enge.fr>:Timotej Lazar <timotej.lazar <at> araneo.si>:Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Wed, 17 May 2023 11:24:05 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.