From 4b188510af097627f117482dfc7c3d308c845385 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 26 Jun 2019 23:32:13 +0200 Subject: Revert "Update NSS to 3.41.1 (custom)" This reverts commit fbc2eaacd679f0c484993ffe23d786fd06da22c3. --- security/nss/lib/nss/nss.h | 4 +- security/nss/lib/softoken/legacydb/keydb.c | 33 +---- security/nss/lib/softoken/lgglue.c | 12 +- security/nss/lib/softoken/pkcs11.c | 4 +- security/nss/lib/softoken/sftkdb.c | 4 +- security/nss/lib/softoken/sftkdb.h | 1 - security/nss/lib/softoken/sftkdbti.h | 7 +- security/nss/lib/softoken/sftkpwd.c | 193 +++++------------------------ 8 files changed, 45 insertions(+), 213 deletions(-) (limited to 'security') diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 0a235941f..49c545ecc 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -22,10 +22,10 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.41.1" _NSS_CUSTOMIZED +#define NSS_VERSION "3.41" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 41 -#define NSS_VPATCH 1 +#define NSS_VPATCH 0 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c index c8c4d07ba..b4aa7754b 100644 --- a/security/nss/lib/softoken/legacydb/keydb.c +++ b/security/nss/lib/softoken/legacydb/keydb.c @@ -1213,8 +1213,6 @@ nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data) unsigned char one = 1; SECItem *epw = NULL; SECItem *encParam; - int iterLen = 0; - int saltLen; SECStatus rv; param.salt = *salt; @@ -1223,17 +1221,6 @@ nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data) param.iter.len = 1; edi.encryptedData = *data; - iterLen = salt->len > 1 ? salt->data[salt->len - 1] : 2; - saltLen = (salt->len - iterLen) - 1; - /* if the resulting saltLen is a sha hash length, then assume that - * the iteration count is tacked on the end of the buffer */ - if ((saltLen == SHA1_LENGTH) || (saltLen == SHA256_LENGTH) || (saltLen == SHA384_LENGTH) || (saltLen == SHA224_LENGTH) || - (saltLen == SHA512_LENGTH)) { - param.iter.data = &salt->data[saltLen]; - param.iter.len = iterLen; - param.salt.len = saltLen; - } - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { return NULL; @@ -1283,23 +1270,9 @@ nsslowkey_DecodePW(const SECItem *derData, SECOidTag *alg, SECItem *salt) if (rv != SECSuccess) { goto loser; } - /* if the iteration count isn't one, tack it at the end of the salt */ - if (!((param.iter.len == 1) && (param.iter.data[0] == 1))) { - int total_len = param.salt.len + param.iter.len + 1; - salt->data = PORT_Alloc(total_len); - if (salt->data == NULL) { - goto loser; - } - PORT_Memcpy(salt->data, param.salt.data, param.salt.len); - PORT_Memcpy(&salt->data[param.salt.len], param.iter.data, - param.iter.len); - salt->data[total_len - 1] = param.iter.len; - salt->len = total_len; - } else { - rv = SECITEM_CopyItem(NULL, salt, ¶m.salt); - if (rv != SECSuccess) { - goto loser; - } + rv = SECITEM_CopyItem(NULL, salt, ¶m.salt); + if (rv != SECSuccess) { + goto loser; } pwe = SECITEM_DupItem(&edi.encryptedData); diff --git a/security/nss/lib/softoken/lgglue.c b/security/nss/lib/softoken/lgglue.c index 67f17943b..94f054129 100644 --- a/security/nss/lib/softoken/lgglue.c +++ b/security/nss/lib/softoken/lgglue.c @@ -171,8 +171,6 @@ sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText, { SFTKDBHandle *handle = sdb->app_private; SECStatus rv; - SECItem *key; - int iterationCount; if (handle == NULL) { return SECFailure; @@ -194,15 +192,9 @@ sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText, /* PORT_SetError */ return SECFailure; } - if (handle->newKey) { - key = handle->newKey; - iterationCount = handle->newDefaultIterationCount; - } else { - key = &handle->passwordKey; - iterationCount = handle->defaultIterationCount; - } - rv = sftkdb_EncryptAttribute(arena, key, iterationCount, + rv = sftkdb_EncryptAttribute(arena, + handle->newKey ? handle->newKey : &handle->passwordKey, plainText, cipherText); PZ_Unlock(handle->passwordLock); diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 7dd4f7ee9..34f25a9d0 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -617,7 +617,7 @@ sftk_hasNullPassword(SFTKSlot *slot, SFTKDBHandle *keydb) pwenabled = PR_FALSE; if (sftkdb_HasPasswordSet(keydb) == SECSuccess) { PRBool tokenRemoved = PR_FALSE; - SECStatus rv = sftkdb_CheckPasswordNull(keydb, &tokenRemoved); + SECStatus rv = sftkdb_CheckPassword(keydb, "", &tokenRemoved); if (tokenRemoved) { sftk_CloseAllSessions(slot, PR_FALSE); } @@ -3812,7 +3812,7 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, PZ_Unlock(slot->slotLock); tokenRemoved = PR_FALSE; - rv = sftkdb_CheckPasswordNull(handle, &tokenRemoved); + rv = sftkdb_CheckPassword(handle, "", &tokenRemoved); if (tokenRemoved) { sftk_CloseAllSessions(slot, PR_FALSE); } diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c index 21796bbbb..409c910f4 100644 --- a/security/nss/lib/softoken/sftkdb.c +++ b/security/nss/lib/softoken/sftkdb.c @@ -530,7 +530,6 @@ sftk_signTemplate(PLArenaPool *arena, SFTKDBHandle *handle, goto loser; } rv = sftkdb_SignAttribute(arena, &keyHandle->passwordKey, - keyHandle->defaultIterationCount, objectID, template[i].type, &plainText, &signText); PZ_Unlock(keyHandle->passwordLock); @@ -664,7 +663,6 @@ sftk_ExtractTemplate(PLArenaPool *arena, SFTKObject *object, break; } rv = sftkdb_EncryptAttribute(arena, &handle->passwordKey, - handle->defaultIterationCount, &plainText, &cipherText); PZ_Unlock(handle->passwordLock); if (rv == SECSuccess) { @@ -2761,7 +2759,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix, (sftkdb_HasPasswordSet(*keyDB) == SECSuccess) ? PR_TRUE : PR_FALSE; /* if the password on the key db is NULL, kick off our update * chain of events */ - sftkdb_CheckPasswordNull((*keyDB), &tokenRemoved); + sftkdb_CheckPassword((*keyDB), "", &tokenRemoved); } else { /* we don't have a key DB, update the certificate DB now */ sftkdb_Update(*certDB, NULL); diff --git a/security/nss/lib/softoken/sftkdb.h b/security/nss/lib/softoken/sftkdb.h index e30f3a237..a47c89670 100644 --- a/security/nss/lib/softoken/sftkdb.h +++ b/security/nss/lib/softoken/sftkdb.h @@ -25,7 +25,6 @@ CK_RV sftkdb_closeDB(SFTKDBHandle *handle); SECStatus sftkdb_PWIsInitialized(SFTKDBHandle *keydb); SECStatus sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved); -SECStatus sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved); SECStatus sftkdb_PWCached(SFTKDBHandle *keydb); SECStatus sftkdb_HasPasswordSet(SFTKDBHandle *keydb); SECStatus sftkdb_ResetKeyDB(SFTKDBHandle *keydb); diff --git a/security/nss/lib/softoken/sftkdbti.h b/security/nss/lib/softoken/sftkdbti.h index 22655de56..7b1db4560 100644 --- a/security/nss/lib/softoken/sftkdbti.h +++ b/security/nss/lib/softoken/sftkdbti.h @@ -13,9 +13,7 @@ struct SFTKDBHandleStr { PRInt32 ref; CK_OBJECT_HANDLE type; SECItem passwordKey; - int defaultIterationCount; SECItem *newKey; - int newDefaultIterationCount; SECItem *oldKey; SECItem *updatePasswordKey; PZLock *passwordLock; @@ -41,10 +39,9 @@ struct SFTKDBHandleStr { SECStatus sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plainText); SECStatus sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey, - int iterationCount, SECItem *plainText, - SECItem **cipherText); + SECItem *plainText, SECItem **cipherText); SECStatus sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey, - int iterationCount, CK_OBJECT_HANDLE objectID, + CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType, SECItem *plainText, SECItem **sigText); SECStatus sftkdb_VerifyAttribute(SECItem *passKey, diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c index 745e724f0..9834d3ba0 100644 --- a/security/nss/lib/softoken/sftkpwd.c +++ b/security/nss/lib/softoken/sftkpwd.c @@ -34,14 +34,6 @@ #include "secerr.h" #include "softoken.h" -const int NSS_DEFAULT_ITERATION_COUNT = -#ifdef DEBUG - 1000 -#else - 60000 -#endif - ; - /****************************************************************** * * Key DB password handling functions @@ -140,7 +132,7 @@ const SEC_ASN1Template sftkdb_EncryptedDataInfoTemplate[] = { * to data in cipherText, if cipherText is freed, cipherValue will be invalid. */ static SECStatus -sftkdb_decodeCipherText(const SECItem *cipherText, sftkCipherValue *cipherValue) +sftkdb_decodeCipherText(SECItem *cipherText, sftkCipherValue *cipherValue) { PLArenaPool *arena = NULL; SFTKDBEncryptedDataInfo edi; @@ -233,8 +225,7 @@ loser: * with SECITEM_FreeItem by the caller. */ SECStatus -sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, - SECItem **plain) +sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plain) { SECStatus rv; sftkCipherValue cipherValue; @@ -270,8 +261,7 @@ loser: */ SECStatus sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey, - int iterationCount, SECItem *plainText, - SECItem **cipherText) + SECItem *plainText, SECItem **cipherText) { SECStatus rv; sftkCipherValue cipherValue; @@ -285,7 +275,7 @@ sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey, RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len); param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt, - iterationCount); + 1); if (param == NULL) { rv = SECFailure; goto loser; @@ -423,8 +413,7 @@ loser: */ SECStatus sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey, - int iterationCount, CK_OBJECT_HANDLE objectID, - CK_ATTRIBUTE_TYPE attrType, + CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType, SECItem *plainText, SECItem **signature) { SECStatus rv; @@ -457,8 +446,7 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey, RNG_GenerateGlobalRandomBytes(saltData, prfLength); /* initialize our pkcs5 parameter */ - param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, - iterationCount); + param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 1); if (param == NULL) { rv = SECFailure; goto loser; @@ -503,7 +491,7 @@ loser: * and sftkdb_DecryptAttribute calls. */ static void -sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey, int iterationCount) +sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey) { unsigned char *data; int len; @@ -519,7 +507,6 @@ sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey, int iterationCount) len = keydb->passwordKey.len; keydb->passwordKey.data = passKey->data; keydb->passwordKey.len = passKey->len; - keydb->defaultIterationCount = iterationCount; passKey->data = data; passKey->len = len; SKIP_AFTER_FORK(PZ_Unlock(keydb->passwordLock)); @@ -673,90 +660,6 @@ sftkdb_HasPasswordSet(SFTKDBHandle *keydb) return (crv == CKR_OK) ? SECSuccess : SECFailure; } -/* pull out the common final part of checking a password */ -SECStatus -sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, - const char *pw, SECItem *value, - PRBool *tokenRemoved); - -/* - * check to see if we have the NULL password set. - * We special case the NULL password so that if you have no password set, you - * don't do thousands of hash rounds. This allows us to startup and get - * webpages without slowdown in normal mode. - */ -SECStatus -sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved) -{ - /* just like sftkdb_CheckPassowd, we get the salt and value, and - * create a dbkey */ - SECStatus rv; - SECItem salt, value; - unsigned char saltData[SDB_MAX_META_DATA_LEN]; - unsigned char valueData[SDB_MAX_META_DATA_LEN]; - SECItem key; - SDB *db; - CK_RV crv; - sftkCipherValue cipherValue; - - cipherValue.param = NULL; - cipherValue.arena = NULL; - - if (keydb == NULL) { - return SECFailure; - } - - db = sftk_getPWSDB(keydb); - if (db == NULL) { - return SECFailure; - } - - key.data = NULL; - key.len = 0; - - /* get the entry from the database */ - salt.data = saltData; - salt.len = sizeof(saltData); - value.data = valueData; - value.len = sizeof(valueData); - crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value); - if (crv != CKR_OK) { - rv = SECFailure; - goto done; - } - - /* get our intermediate key based on the entry salt value */ - rv = sftkdb_passwordToKey(keydb, &salt, "", &key); - if (rv != SECSuccess) { - goto done; - } - - /* First get the cipher type */ - rv = sftkdb_decodeCipherText(&value, &cipherValue); - if (rv != SECSuccess) { - goto done; - } - - if (cipherValue.param->iter != 1) { - rv = SECFailure; - goto done; - } - - rv = sftkdb_finishPasswordCheck(keydb, &key, "", &value, tokenRemoved); - -done: - if (key.data) { - PORT_ZFree(key.data, key.len); - } - if (cipherValue.param) { - nsspkcs5_DestroyPBEParameter(cipherValue.param); - } - if (cipherValue.arena) { - PORT_FreeArena(cipherValue.arena, PR_FALSE); - } - return rv; -} - #define SFTK_PW_CHECK_STRING "password-check" #define SFTK_PW_CHECK_LEN 14 @@ -771,6 +674,7 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved) unsigned char saltData[SDB_MAX_META_DATA_LEN]; unsigned char valueData[SDB_MAX_META_DATA_LEN]; SECItem key; + SECItem *result = NULL; SDB *db; CK_RV crv; @@ -806,30 +710,8 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved) goto done; } - rv = sftkdb_finishPasswordCheck(keydb, &key, pw, &value, tokenRemoved); - -done: - if (key.data) { - PORT_ZFree(key.data, key.len); - } - return rv; -} - -/* we need to pass iterationCount in case we are updating a new database - * and from an old one. */ -SECStatus -sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw, - SECItem *value, PRBool *tokenRemoved) -{ - SECItem *result = NULL; - SECStatus rv; - int iterationCount = NSS_DEFAULT_ITERATION_COUNT; - - if (*pw == 0) { - iterationCount = 1; - } /* decrypt the entry value */ - rv = sftkdb_DecryptAttribute(key, value, &result); + rv = sftkdb_DecryptAttribute(&key, &value, &result); if (rv != SECSuccess) { goto done; } @@ -870,7 +752,7 @@ sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw, * as well as changing which database is returned from * SFTK_GET_PW_DB (thus effecting both sftkdb_CheckPassword() * and sftkdb_HasPasswordSet()) */ - keydb->updatePasswordKey = SECITEM_DupItem(key); + keydb->updatePasswordKey = SECITEM_DupItem(&key); PZ_Unlock(keydb->passwordLock); if (keydb->updatePasswordKey == NULL) { /* PORT_Error set by SECITEM_DupItem */ @@ -905,7 +787,7 @@ sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw, * are good to go */ goto done; } - sftkdb_CheckPasswordNull(keydb, tokenRemoved); + sftkdb_CheckPassword(keydb, "", tokenRemoved); /* * Important 'NULL' code here. At this point either we @@ -939,15 +821,15 @@ sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw, PZ_Unlock(keydb->passwordLock); } /* load the keys, so the keydb can parse it's key set */ - sftkdb_switchKeys(keydb, key, iterationCount); + sftkdb_switchKeys(keydb, &key); /* we need to update, do it now */ if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update) { /* update the peer certdb if it exists */ if (keydb->peerDB) { - sftkdb_Update(keydb->peerDB, key); + sftkdb_Update(keydb->peerDB, &key); } - sftkdb_Update(keydb, key); + sftkdb_Update(keydb, &key); } } else { rv = SECFailure; @@ -955,6 +837,9 @@ sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw, } done: + if (key.data) { + PORT_ZFree(key.data, key.len); + } if (result) { SECITEM_FreeItem(result, PR_TRUE); } @@ -972,7 +857,7 @@ sftkdb_PWCached(SFTKDBHandle *keydb) static CK_RV sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle, - CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount) + CK_OBJECT_HANDLE id, SECItem *newKey) { CK_ATTRIBUTE authAttrs[] = { { CKA_MODULUS, NULL, 0 }, @@ -1052,7 +937,7 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle, plainText.data = authAttrs[i].pValue; plainText.len = authAttrs[i].ulValueLen; - rv = sftkdb_SignAttribute(arena, newKey, iterationCount, id, + rv = sftkdb_SignAttribute(arena, newKey, id, authAttrs[i].type, &plainText, &signText); if (rv != SECSuccess) { return CKR_GENERAL_ERROR; @@ -1069,7 +954,7 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle, static CK_RV sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb, - CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount) + CK_OBJECT_HANDLE id, SECItem *newKey) { CK_RV crv = CKR_OK; CK_RV crv2; @@ -1156,8 +1041,7 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb, plainText.data = first[i].pValue; plainText.len = first[i].ulValueLen; - rv = sftkdb_EncryptAttribute(arena, newKey, iterationCount, - &plainText, &result); + rv = sftkdb_EncryptAttribute(arena, newKey, &plainText, &result); if (rv != SECSuccess) { return CKR_GENERAL_ERROR; } @@ -1172,7 +1056,6 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb, */ id &= SFTK_OBJ_ID_MASK; keydb->newKey = newKey; - keydb->newDefaultIterationCount = iterationCount; crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, id, first, count); keydb->newKey = NULL; @@ -1180,8 +1063,8 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb, } static CK_RV -sftk_convertAttributes(SFTKDBHandle *handle, CK_OBJECT_HANDLE id, - SECItem *newKey, int iterationCount) +sftk_convertAttributes(SFTKDBHandle *handle, + CK_OBJECT_HANDLE id, SECItem *newKey) { CK_RV crv = CKR_OK; PLArenaPool *arena = NULL; @@ -1195,14 +1078,13 @@ sftk_convertAttributes(SFTKDBHandle *handle, CK_OBJECT_HANDLE id, /* * first handle the MACS */ - crv = sftk_updateMacs(arena, handle, id, newKey, iterationCount); + crv = sftk_updateMacs(arena, handle, id, newKey); if (crv != CKR_OK) { goto loser; } if (handle->type == SFTK_KEYDB_TYPE) { - crv = sftk_updateEncrypted(arena, handle, id, newKey, - iterationCount); + crv = sftk_updateEncrypted(arena, handle, id, newKey); if (crv != CKR_OK) { goto loser; } @@ -1224,7 +1106,7 @@ loser: */ CK_RV sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template, - CK_ULONG count, SECItem *newKey, int iterationCount) + CK_ULONG count, SECItem *newKey) { SDBFind *find = NULL; CK_ULONG idCount = SFTK_MAX_IDS; @@ -1240,8 +1122,7 @@ sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template, while ((crv == CKR_OK) && (idCount == SFTK_MAX_IDS)) { crv = sftkdb_FindObjects(handle, find, ids, SFTK_MAX_IDS, &idCount); for (i = 0; (crv == CKR_OK) && (i < idCount); i++) { - crv = sftk_convertAttributes(handle, ids[i], newKey, - iterationCount); + crv = sftk_convertAttributes(handle, ids[i], newKey); } } crv2 = sftkdb_FindObjectsFinal(handle, find); @@ -1266,7 +1147,6 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb, SFTKDBHandle *certdb; unsigned char saltData[SDB_MAX_META_DATA_LEN]; unsigned char valueData[SDB_MAX_META_DATA_LEN]; - int iterationCount = NSS_DEFAULT_ITERATION_COUNT; CK_RV crv; SDB *db; @@ -1302,10 +1182,6 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb, RNG_GenerateGlobalRandomBytes(salt.data, salt.len); } - if (newPin && *newPin == 0) { - iterationCount = 1; - } - rv = sftkdb_passwordToKey(keydb, &salt, newPin, &newKey); if (rv != SECSuccess) { goto loser; @@ -1314,7 +1190,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb, /* * convert encrypted entries here. */ - crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey, iterationCount); + crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey); if (crv != CKR_OK) { rv = SECFailure; goto loser; @@ -1326,15 +1202,13 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb, CK_OBJECT_CLASS myClass = CKO_NETSCAPE_TRUST; objectType.pValue = &myClass; - crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey, - iterationCount); + crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey); if (crv != CKR_OK) { rv = SECFailure; goto loser; } myClass = CKO_PUBLIC_KEY; - crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey, - iterationCount); + crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey); if (crv != CKR_OK) { rv = SECFailure; goto loser; @@ -1344,8 +1218,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb, plainText.data = (unsigned char *)SFTK_PW_CHECK_STRING; plainText.len = SFTK_PW_CHECK_LEN; - rv = sftkdb_EncryptAttribute(NULL, &newKey, iterationCount, - &plainText, &result); + rv = sftkdb_EncryptAttribute(NULL, &newKey, &plainText, &result); if (rv != SECSuccess) { goto loser; } @@ -1364,7 +1237,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb, keydb->newKey = NULL; - sftkdb_switchKeys(keydb, &newKey, iterationCount); + sftkdb_switchKeys(keydb, &newKey); loser: if (newKey.data) { @@ -1389,7 +1262,7 @@ sftkdb_ClearPassword(SFTKDBHandle *keydb) SECItem oldKey; oldKey.data = NULL; oldKey.len = 0; - sftkdb_switchKeys(keydb, &oldKey, 1); + sftkdb_switchKeys(keydb, &oldKey); if (oldKey.data) { PORT_ZFree(oldKey.data, oldKey.len); } -- cgit v1.2.3