summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/softoken/sftkpwd.c
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-06-26 23:32:13 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-06-26 23:32:13 +0200
commit4b188510af097627f117482dfc7c3d308c845385 (patch)
tree133fbe3ef3eb0f7ce6b151db1ed86bfd9c4abb60 /security/nss/lib/softoken/sftkpwd.c
parentfbc2eaacd679f0c484993ffe23d786fd06da22c3 (diff)
downloadUXP-4b188510af097627f117482dfc7c3d308c845385.tar
UXP-4b188510af097627f117482dfc7c3d308c845385.tar.gz
UXP-4b188510af097627f117482dfc7c3d308c845385.tar.lz
UXP-4b188510af097627f117482dfc7c3d308c845385.tar.xz
UXP-4b188510af097627f117482dfc7c3d308c845385.zip
Revert "Update NSS to 3.41.1 (custom)"
This reverts commit fbc2eaacd679f0c484993ffe23d786fd06da22c3.
Diffstat (limited to 'security/nss/lib/softoken/sftkpwd.c')
-rw-r--r--security/nss/lib/softoken/sftkpwd.c193
1 files changed, 33 insertions, 160 deletions
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
index 745e724f0..9834d3ba0 100644
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -34,14 +34,6 @@
#include "secerr.h"
#include "softoken.h"
-const int NSS_DEFAULT_ITERATION_COUNT =
-#ifdef DEBUG
- 1000
-#else
- 60000
-#endif
- ;
-
/******************************************************************
*
* Key DB password handling functions
@@ -140,7 +132,7 @@ const SEC_ASN1Template sftkdb_EncryptedDataInfoTemplate[] = {
* to data in cipherText, if cipherText is freed, cipherValue will be invalid.
*/
static SECStatus
-sftkdb_decodeCipherText(const SECItem *cipherText, sftkCipherValue *cipherValue)
+sftkdb_decodeCipherText(SECItem *cipherText, sftkCipherValue *cipherValue)
{
PLArenaPool *arena = NULL;
SFTKDBEncryptedDataInfo edi;
@@ -233,8 +225,7 @@ loser:
* with SECITEM_FreeItem by the caller.
*/
SECStatus
-sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText,
- SECItem **plain)
+sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plain)
{
SECStatus rv;
sftkCipherValue cipherValue;
@@ -270,8 +261,7 @@ loser:
*/
SECStatus
sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
- int iterationCount, SECItem *plainText,
- SECItem **cipherText)
+ SECItem *plainText, SECItem **cipherText)
{
SECStatus rv;
sftkCipherValue cipherValue;
@@ -285,7 +275,7 @@ sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len);
param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt,
- iterationCount);
+ 1);
if (param == NULL) {
rv = SECFailure;
goto loser;
@@ -423,8 +413,7 @@ loser:
*/
SECStatus
sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
- int iterationCount, CK_OBJECT_HANDLE objectID,
- CK_ATTRIBUTE_TYPE attrType,
+ CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType,
SECItem *plainText, SECItem **signature)
{
SECStatus rv;
@@ -457,8 +446,7 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
RNG_GenerateGlobalRandomBytes(saltData, prfLength);
/* initialize our pkcs5 parameter */
- param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt,
- iterationCount);
+ param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 1);
if (param == NULL) {
rv = SECFailure;
goto loser;
@@ -503,7 +491,7 @@ loser:
* and sftkdb_DecryptAttribute calls.
*/
static void
-sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey, int iterationCount)
+sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey)
{
unsigned char *data;
int len;
@@ -519,7 +507,6 @@ sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey, int iterationCount)
len = keydb->passwordKey.len;
keydb->passwordKey.data = passKey->data;
keydb->passwordKey.len = passKey->len;
- keydb->defaultIterationCount = iterationCount;
passKey->data = data;
passKey->len = len;
SKIP_AFTER_FORK(PZ_Unlock(keydb->passwordLock));
@@ -673,90 +660,6 @@ sftkdb_HasPasswordSet(SFTKDBHandle *keydb)
return (crv == CKR_OK) ? SECSuccess : SECFailure;
}
-/* pull out the common final part of checking a password */
-SECStatus
-sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key,
- const char *pw, SECItem *value,
- PRBool *tokenRemoved);
-
-/*
- * check to see if we have the NULL password set.
- * We special case the NULL password so that if you have no password set, you
- * don't do thousands of hash rounds. This allows us to startup and get
- * webpages without slowdown in normal mode.
- */
-SECStatus
-sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved)
-{
- /* just like sftkdb_CheckPassowd, we get the salt and value, and
- * create a dbkey */
- SECStatus rv;
- SECItem salt, value;
- unsigned char saltData[SDB_MAX_META_DATA_LEN];
- unsigned char valueData[SDB_MAX_META_DATA_LEN];
- SECItem key;
- SDB *db;
- CK_RV crv;
- sftkCipherValue cipherValue;
-
- cipherValue.param = NULL;
- cipherValue.arena = NULL;
-
- if (keydb == NULL) {
- return SECFailure;
- }
-
- db = sftk_getPWSDB(keydb);
- if (db == NULL) {
- return SECFailure;
- }
-
- key.data = NULL;
- key.len = 0;
-
- /* get the entry from the database */
- salt.data = saltData;
- salt.len = sizeof(saltData);
- value.data = valueData;
- value.len = sizeof(valueData);
- crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
- if (crv != CKR_OK) {
- rv = SECFailure;
- goto done;
- }
-
- /* get our intermediate key based on the entry salt value */
- rv = sftkdb_passwordToKey(keydb, &salt, "", &key);
- if (rv != SECSuccess) {
- goto done;
- }
-
- /* First get the cipher type */
- rv = sftkdb_decodeCipherText(&value, &cipherValue);
- if (rv != SECSuccess) {
- goto done;
- }
-
- if (cipherValue.param->iter != 1) {
- rv = SECFailure;
- goto done;
- }
-
- rv = sftkdb_finishPasswordCheck(keydb, &key, "", &value, tokenRemoved);
-
-done:
- if (key.data) {
- PORT_ZFree(key.data, key.len);
- }
- if (cipherValue.param) {
- nsspkcs5_DestroyPBEParameter(cipherValue.param);
- }
- if (cipherValue.arena) {
- PORT_FreeArena(cipherValue.arena, PR_FALSE);
- }
- return rv;
-}
-
#define SFTK_PW_CHECK_STRING "password-check"
#define SFTK_PW_CHECK_LEN 14
@@ -771,6 +674,7 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
unsigned char saltData[SDB_MAX_META_DATA_LEN];
unsigned char valueData[SDB_MAX_META_DATA_LEN];
SECItem key;
+ SECItem *result = NULL;
SDB *db;
CK_RV crv;
@@ -806,30 +710,8 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
goto done;
}
- rv = sftkdb_finishPasswordCheck(keydb, &key, pw, &value, tokenRemoved);
-
-done:
- if (key.data) {
- PORT_ZFree(key.data, key.len);
- }
- return rv;
-}
-
-/* we need to pass iterationCount in case we are updating a new database
- * and from an old one. */
-SECStatus
-sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
- SECItem *value, PRBool *tokenRemoved)
-{
- SECItem *result = NULL;
- SECStatus rv;
- int iterationCount = NSS_DEFAULT_ITERATION_COUNT;
-
- if (*pw == 0) {
- iterationCount = 1;
- }
/* decrypt the entry value */
- rv = sftkdb_DecryptAttribute(key, value, &result);
+ rv = sftkdb_DecryptAttribute(&key, &value, &result);
if (rv != SECSuccess) {
goto done;
}
@@ -870,7 +752,7 @@ sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
* as well as changing which database is returned from
* SFTK_GET_PW_DB (thus effecting both sftkdb_CheckPassword()
* and sftkdb_HasPasswordSet()) */
- keydb->updatePasswordKey = SECITEM_DupItem(key);
+ keydb->updatePasswordKey = SECITEM_DupItem(&key);
PZ_Unlock(keydb->passwordLock);
if (keydb->updatePasswordKey == NULL) {
/* PORT_Error set by SECITEM_DupItem */
@@ -905,7 +787,7 @@ sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
* are good to go */
goto done;
}
- sftkdb_CheckPasswordNull(keydb, tokenRemoved);
+ sftkdb_CheckPassword(keydb, "", tokenRemoved);
/*
* Important 'NULL' code here. At this point either we
@@ -939,15 +821,15 @@ sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
PZ_Unlock(keydb->passwordLock);
}
/* load the keys, so the keydb can parse it's key set */
- sftkdb_switchKeys(keydb, key, iterationCount);
+ sftkdb_switchKeys(keydb, &key);
/* we need to update, do it now */
if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update) {
/* update the peer certdb if it exists */
if (keydb->peerDB) {
- sftkdb_Update(keydb->peerDB, key);
+ sftkdb_Update(keydb->peerDB, &key);
}
- sftkdb_Update(keydb, key);
+ sftkdb_Update(keydb, &key);
}
} else {
rv = SECFailure;
@@ -955,6 +837,9 @@ sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
}
done:
+ if (key.data) {
+ PORT_ZFree(key.data, key.len);
+ }
if (result) {
SECITEM_FreeItem(result, PR_TRUE);
}
@@ -972,7 +857,7 @@ sftkdb_PWCached(SFTKDBHandle *keydb)
static CK_RV
sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
- CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
+ CK_OBJECT_HANDLE id, SECItem *newKey)
{
CK_ATTRIBUTE authAttrs[] = {
{ CKA_MODULUS, NULL, 0 },
@@ -1052,7 +937,7 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
plainText.data = authAttrs[i].pValue;
plainText.len = authAttrs[i].ulValueLen;
- rv = sftkdb_SignAttribute(arena, newKey, iterationCount, id,
+ rv = sftkdb_SignAttribute(arena, newKey, id,
authAttrs[i].type, &plainText, &signText);
if (rv != SECSuccess) {
return CKR_GENERAL_ERROR;
@@ -1069,7 +954,7 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
static CK_RV
sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
- CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
+ CK_OBJECT_HANDLE id, SECItem *newKey)
{
CK_RV crv = CKR_OK;
CK_RV crv2;
@@ -1156,8 +1041,7 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
plainText.data = first[i].pValue;
plainText.len = first[i].ulValueLen;
- rv = sftkdb_EncryptAttribute(arena, newKey, iterationCount,
- &plainText, &result);
+ rv = sftkdb_EncryptAttribute(arena, newKey, &plainText, &result);
if (rv != SECSuccess) {
return CKR_GENERAL_ERROR;
}
@@ -1172,7 +1056,6 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
*/
id &= SFTK_OBJ_ID_MASK;
keydb->newKey = newKey;
- keydb->newDefaultIterationCount = iterationCount;
crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, id, first, count);
keydb->newKey = NULL;
@@ -1180,8 +1063,8 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
}
static CK_RV
-sftk_convertAttributes(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
- SECItem *newKey, int iterationCount)
+sftk_convertAttributes(SFTKDBHandle *handle,
+ CK_OBJECT_HANDLE id, SECItem *newKey)
{
CK_RV crv = CKR_OK;
PLArenaPool *arena = NULL;
@@ -1195,14 +1078,13 @@ sftk_convertAttributes(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
/*
* first handle the MACS
*/
- crv = sftk_updateMacs(arena, handle, id, newKey, iterationCount);
+ crv = sftk_updateMacs(arena, handle, id, newKey);
if (crv != CKR_OK) {
goto loser;
}
if (handle->type == SFTK_KEYDB_TYPE) {
- crv = sftk_updateEncrypted(arena, handle, id, newKey,
- iterationCount);
+ crv = sftk_updateEncrypted(arena, handle, id, newKey);
if (crv != CKR_OK) {
goto loser;
}
@@ -1224,7 +1106,7 @@ loser:
*/
CK_RV
sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template,
- CK_ULONG count, SECItem *newKey, int iterationCount)
+ CK_ULONG count, SECItem *newKey)
{
SDBFind *find = NULL;
CK_ULONG idCount = SFTK_MAX_IDS;
@@ -1240,8 +1122,7 @@ sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template,
while ((crv == CKR_OK) && (idCount == SFTK_MAX_IDS)) {
crv = sftkdb_FindObjects(handle, find, ids, SFTK_MAX_IDS, &idCount);
for (i = 0; (crv == CKR_OK) && (i < idCount); i++) {
- crv = sftk_convertAttributes(handle, ids[i], newKey,
- iterationCount);
+ crv = sftk_convertAttributes(handle, ids[i], newKey);
}
}
crv2 = sftkdb_FindObjectsFinal(handle, find);
@@ -1266,7 +1147,6 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
SFTKDBHandle *certdb;
unsigned char saltData[SDB_MAX_META_DATA_LEN];
unsigned char valueData[SDB_MAX_META_DATA_LEN];
- int iterationCount = NSS_DEFAULT_ITERATION_COUNT;
CK_RV crv;
SDB *db;
@@ -1302,10 +1182,6 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
RNG_GenerateGlobalRandomBytes(salt.data, salt.len);
}
- if (newPin && *newPin == 0) {
- iterationCount = 1;
- }
-
rv = sftkdb_passwordToKey(keydb, &salt, newPin, &newKey);
if (rv != SECSuccess) {
goto loser;
@@ -1314,7 +1190,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
/*
* convert encrypted entries here.
*/
- crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey, iterationCount);
+ crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey);
if (crv != CKR_OK) {
rv = SECFailure;
goto loser;
@@ -1326,15 +1202,13 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
CK_OBJECT_CLASS myClass = CKO_NETSCAPE_TRUST;
objectType.pValue = &myClass;
- crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
- iterationCount);
+ crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey);
if (crv != CKR_OK) {
rv = SECFailure;
goto loser;
}
myClass = CKO_PUBLIC_KEY;
- crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
- iterationCount);
+ crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey);
if (crv != CKR_OK) {
rv = SECFailure;
goto loser;
@@ -1344,8 +1218,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
plainText.data = (unsigned char *)SFTK_PW_CHECK_STRING;
plainText.len = SFTK_PW_CHECK_LEN;
- rv = sftkdb_EncryptAttribute(NULL, &newKey, iterationCount,
- &plainText, &result);
+ rv = sftkdb_EncryptAttribute(NULL, &newKey, &plainText, &result);
if (rv != SECSuccess) {
goto loser;
}
@@ -1364,7 +1237,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
keydb->newKey = NULL;
- sftkdb_switchKeys(keydb, &newKey, iterationCount);
+ sftkdb_switchKeys(keydb, &newKey);
loser:
if (newKey.data) {
@@ -1389,7 +1262,7 @@ sftkdb_ClearPassword(SFTKDBHandle *keydb)
SECItem oldKey;
oldKey.data = NULL;
oldKey.len = 0;
- sftkdb_switchKeys(keydb, &oldKey, 1);
+ sftkdb_switchKeys(keydb, &oldKey);
if (oldKey.data) {
PORT_ZFree(oldKey.data, oldKey.len);
}