8e1aafaab1
Allow NSS to use databases which have been updated from dbm to sql on an unpacked version of nss. (prevented pesign from working).
82 lines
3.8 KiB
Diff
82 lines
3.8 KiB
Diff
diff -up ./lib/softoken/sftkpwd.c.orig ./lib/softoken/sftkpwd.c
|
|
--- ./lib/softoken/sftkpwd.c.orig 2021-06-10 05:33:12.000000000 -0700
|
|
+++ ./lib/softoken/sftkpwd.c 2021-07-01 14:04:34.068596942 -0700
|
|
@@ -287,9 +287,12 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
|
|
}
|
|
|
|
/* If we are using aes 256, we need to check authentication as well.*/
|
|
- if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) {
|
|
+ if ((type != CKT_INVALID_TYPE) &&
|
|
+ (cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
|
|
+ (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
|
|
SECItem signature;
|
|
unsigned char signData[SDB_MAX_META_DATA_LEN];
|
|
+ CK_RV crv;
|
|
|
|
/* if we get here from the old legacy db, there is clearly an
|
|
* error, don't return the plaintext */
|
|
@@ -301,15 +304,28 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
|
|
|
|
signature.data = signData;
|
|
signature.len = sizeof(signData);
|
|
- rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
|
|
+ rv = SECFailure;
|
|
+ /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */
|
|
+ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
|
|
&signature);
|
|
- if (rv != SECSuccess) {
|
|
- goto loser;
|
|
+ if (crv == CKR_OK) {
|
|
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
|
|
+ type, *plain, &signature);
|
|
}
|
|
- rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
|
|
- *plain, &signature);
|
|
if (rv != SECSuccess) {
|
|
- goto loser;
|
|
+ /* handle a bug where old versions of NSS misfiled the signature
|
|
+ * attribute on password update */
|
|
+ id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
|
|
+ signature.len = sizeof(signData);
|
|
+ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
|
|
+ &signature);
|
|
+ if (crv != CKR_OK) {
|
|
+ rv = SECFailure;
|
|
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
+ goto loser;
|
|
+ }
|
|
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
|
|
+ type, *plain, &signature);
|
|
}
|
|
}
|
|
|
|
@@ -1198,6 +1214,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
|
|
unsigned int i;
|
|
for (i = 0; i < privAttrCount; i++) {
|
|
// Read the old attribute in the clear.
|
|
+ CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
|
|
CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
|
|
CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
|
|
if (crv != CKR_OK) {
|
|
@@ -1222,7 +1239,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
|
|
plainText.data = privAttr.pValue;
|
|
plainText.len = privAttr.ulValueLen;
|
|
if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
|
|
- iterationCount, id, privAttr.type,
|
|
+ iterationCount, sdbId, privAttr.type,
|
|
&plainText, &result) != SECSuccess) {
|
|
return CKR_GENERAL_ERROR;
|
|
}
|
|
@@ -1232,10 +1249,9 @@ sftk_updateEncrypted(PLArenaPool *arena,
|
|
PORT_Memset(plainText.data, 0, plainText.len);
|
|
|
|
// Write the newly encrypted attributes out directly.
|
|
- CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
|
|
keydb->newKey = newKey;
|
|
keydb->newDefaultIterationCount = iterationCount;
|
|
- crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
|
|
+ crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
|
|
keydb->newKey = NULL;
|
|
if (crv != CKR_OK) {
|
|
return crv;
|