1416265 - pk11wrap: Recover backward compatibility of PBES2 AES with older NSS releases

Status: RESOLVED FIXED

(NSS :: Libraries, defect)

Description

[Daiki Ueno [:ueno]]

Attachment: pk11wrap-faulty-aes.patch

Since bug 1268141, we changed the PKCS #5 decoder to use fixed key length for AES-CBC-Pad as defined in RFC 8018.  However, it turned out that this change prevents reading AES encrypted files created with older NSS releases.

In the older NSS releases, the key length was determined from PBKDF2-params.  However, the embedded key length value was always 32; that means AES encryption was always AES-256-CBC, even when the algorithm ID is AES-128-CBC or AES-192-CBC.

Considering those, the attached patch recover the backward compatibility in the following way:

- if the underlying encryption scheme is AES-CBC-Pad
  - if the key length encoded in PBKDF2-params is NOT 32, then that means the file is created with newer NSS or other tools; determine the key length from the algorithm ID
  - if the key length encoded in PBKDF2-params is 32, then the file is encrypted with AES-256-CBC anyway

I haven't (yet) come up with the test case for this; will attach it later.

Comment 1

[Daiki Ueno [:ueno]]

Attachment: pk11wrap-faulty-aes-v2.patch

Added a test case.

Comment 2

[Daiki Ueno [:ueno]]

Thank you for the review, landed as: https://bugzilla.mozilla.org/show_bug.cgi?id=1399867