acvptool: handle negative sizeConstraint.
The NIST server has been updated and is now sending a sizeConstraint of
-1 to indicate that the large-upload process isn't needed. However, the
code was trying to put that in a uint64, which caused a parse error.
Change-Id: I9ee16918df13c229b0e889fa1248eb2e0a6a5fb2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41605
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/util/fipstools/acvp/acvptool/acvp.go b/util/fipstools/acvp/acvptool/acvp.go
index c539b3b..2753dd3 100644
--- a/util/fipstools/acvp/acvptool/acvp.go
+++ b/util/fipstools/acvp/acvptool/acvp.go
@@ -375,7 +375,9 @@
resultData := resultBuf.Bytes()
resultSize := uint64(len(resultData)) + 32 /* for framing overhead */
- if resultSize >= server.SizeLimit {
+ if server.SizeLimit > 0 && resultSize >= server.SizeLimit {
+ // The NIST ACVP server no longer requires the large-upload process,
+ // suggesting that it may no longer be needed.
log.Printf("Result is %d bytes, too much given server limit of %d bytes. Using large-upload process.", resultSize, server.SizeLimit)
largeRequestBytes, err := json.Marshal(acvp.LargeUploadRequest{
Size: resultSize,
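Review bot: The comment added at the top of the `if` body does not explain the new `server.SizeLimit > 0` test, and its wording is circular ("no longer requires the large-upload process, suggesting that it may no longer be needed"). Because it sits inside the branch that performs the large upload, it reads as if it describes that path rather than the case that skips it. I would move it above the `if` and state the invariant, e.g. `// SizeLimit is zero when the server advertised no limit, in which case the large-upload process is skipped.` The enclosing function starts and ends outside the hunk.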
diff --git a/util/fipstools/acvp/acvptool/acvp/acvp.go b/util/fipstools/acvp/acvptool/acvp/acvp.go
index 8e610c7..52d7488 100644
--- a/util/fipstools/acvp/acvptool/acvp/acvp.go
+++ b/util/fipstools/acvp/acvptool/acvp/acvp.go
@@ -39,8 +39,9 @@
// The keys of this map are strings like "acvp/v1/testSessions/1234" and the
// values are JWT access tokens.
PrefixTokens map[string]string
- // SizeLimit is the maximum number of bytes that the server can accept as an
- // upload before the large endpoint support must be used.
+ // SizeLimit is the maximum number of bytes that the server can accept
+ // as an upload before the large endpoint support must be used. Zero
+ // means that there is no limit.
SizeLimit uint64
// AccessToken is the top-level access token for the current session.
AccessToken string
@@ -274,7 +275,7 @@
var reply struct {
AccessToken string `json:"accessToken"`
LargeEndpointRequired bool `json:"largeEndpointRequired"`
- SizeLimit uint64 `json:"sizeConstraint"`
+ SizeLimit int64 `json:"sizeConstraint"`
}
if err := server.postMessage(&reply, "acvp/v1/login", map[string]string{"password": server.totpFunc()}); err != nil {
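Review bot: Nothing on the `SizeLimit int64` field of the reply struct says why it is signed, so a later cleanup could change it back to `uint64` and reintroduce the parse failure on a server-sent -1. A one-line comment on the field would pin that down, e.g. `// Signed because the server sends -1 when the large-upload process isn't needed.` The enclosing function continues outside the hunk.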
@@ -287,10 +288,10 @@
server.AccessToken = reply.AccessToken
if reply.LargeEndpointRequired {
- if reply.SizeLimit == 0 {
+ if reply.SizeLimit <= 0 {
return errors.New("login indicated largeEndpointRequired but didn't provide a sizeConstraint")
}
- server.SizeLimit = reply.SizeLimit
+ server.SizeLimit = uint64(reply.SizeLimit)
}
return nil
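Review bot: `server.SizeLimit` is written only when `reply.LargeEndpointRequired` is true, so if this login path runs again on the same Server (for example after a token expires; not visible in this hunk) and the server no longer requires the large endpoint, the earlier limit stays in force. Closing the block with `} else { server.SizeLimit = 0 }` would keep the field in step with the latest server reply. The error text "didn't provide a sizeConstraint" is now also returned for negative values, which the server did provide, so including the received value would make a server-side inconsistency easier to diagnose. The `uint64(reply.SizeLimit)` conversion is safe only because of the `<= 0` guard directly above it; a short comment saying so would stop the two from being separated in a later edit. The function body begins outside the hunk.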