Google Git
Sign in
boringssl / boringssl / 9c256d1d7f2730d260c84eea2d9e97becd6dcc96^! / .
commit9c256d1d7f2730d260c84eea2d9e97becd6dcc96[log] [tgz]
authorAdam Langley <alangley@gmail.com>Wed Jun 10 15:12:39 2020 -0700
committerAdam Langley <agl@google.com>Thu Jun 11 20:41:51 2020 +0000
tree38f3c3133ac0d504ea22e8db93e9bff445dd24b5
parent0313b59d5f950a05f2269811732bbbf204059da5 [diff]
acvptool: handle negative sizeConstraint.

The NIST server has been updated and is now sending a sizeConstraint of
-1 to indicate that the large-upload process isn't needed. However, the
code was trying to put that in a uint64, which caused a parse error.

Change-Id: I9ee16918df13c229b0e889fa1248eb2e0a6a5fb2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41605
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/util/fipstools/acvp/acvptool/acvp.go b/util/fipstools/acvp/acvptool/acvp.go
index c539b3b..2753dd3 100644
--- a/util/fipstools/acvp/acvptool/acvp.go
+++ b/util/fipstools/acvp/acvptool/acvp.go

@@ -375,7 +375,9 @@
 
 			resultData := resultBuf.Bytes()
 			resultSize := uint64(len(resultData)) + 32 /* for framing overhead */
-			if resultSize >= server.SizeLimit {
+			if server.SizeLimit > 0 && resultSize >= server.SizeLimit {
+				// The NIST ACVP server no longer requires the large-upload process,
+				// suggesting that it may no longer be needed.
 				log.Printf("Result is %d bytes, too much given server limit of %d bytes. Using large-upload process.", resultSize, server.SizeLimit)
 				largeRequestBytes, err := json.Marshal(acvp.LargeUploadRequest{
 					Size: resultSize,

diff --git a/util/fipstools/acvp/acvptool/acvp/acvp.go b/util/fipstools/acvp/acvptool/acvp/acvp.go
index 8e610c7..52d7488 100644
--- a/util/fipstools/acvp/acvptool/acvp/acvp.go
+++ b/util/fipstools/acvp/acvptool/acvp/acvp.go

@@ -39,8 +39,9 @@
 	// The keys of this map are strings like "acvp/v1/testSessions/1234" and the
 	// values are JWT access tokens.
 	PrefixTokens map[string]string
-	// SizeLimit is the maximum number of bytes that the server can accept as an
-	// upload before the large endpoint support must be used.
+	// SizeLimit is the maximum number of bytes that the server can accept
+	// as an upload before the large endpoint support must be used. Zero
+	// means that there is no limit.
 	SizeLimit uint64
 	// AccessToken is the top-level access token for the current session.
 	AccessToken string
@@ -274,7 +275,7 @@
 	var reply struct {
 		AccessToken           string `json:"accessToken"`
 		LargeEndpointRequired bool   `json:"largeEndpointRequired"`
-		SizeLimit             uint64 `json:"sizeConstraint"`
+		SizeLimit             int64  `json:"sizeConstraint"`
 	}
 
 	if err := server.postMessage(&reply, "acvp/v1/login", map[string]string{"password": server.totpFunc()}); err != nil {
@@ -287,10 +288,10 @@
 	server.AccessToken = reply.AccessToken
 
 	if reply.LargeEndpointRequired {
-		if reply.SizeLimit == 0 {
+		if reply.SizeLimit <= 0 {
 			return errors.New("login indicated largeEndpointRequired but didn't provide a sizeConstraint")
 		}
-		server.SizeLimit = reply.SizeLimit
+		server.SizeLimit = uint64(reply.SizeLimit)
 	}
 
 	return nil