Closed
Bug 1720226
Opened 3 years ago
Closed 3 years ago
integrity checks in key4.db not happening on private components with AES_CBC
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.69
People
(Reporter: rrelyea, Assigned: rrelyea)
References
Details
(Whiteboard: [nss-fx])
Attachments
(2 files)
3.77 KB,
patch
48 bytes,
text/x-phabricator-request
When we added support for AES, we also added support for integrity checks on the encrypted components.
It turns out the code that verifies the integrity checks was broken in 2 ways:
- it wasn't accurately operating when AES was being used (the if statement wasn't actually triggering for AES_CBC because we were looking for AES in the wrong field).
- password update did not update the integrity checks in the correct location, meaning any database which has AES encrypted keys, and which had their password updated will not be able to validate their keys.
While we found this in a previous rebase, the patch had not been pushed upstream.
The attached patch is for reference; a full patch (including test cases) will be submitted with Phabricator.
Assignee | ||
Updated•3 years ago
Assignee: nobody → rrelyea
Status: NEW → ASSIGNED
Comment 1•3 years ago
Bob, can you please set severity for this? Thank you! : )
Priority: -- → P1
Whiteboard: [nss-fx]
Assignee | ||
Updated•3 years ago
Severity: -- → S2
Assignee | ||
Comment 2•3 years ago
When we added support for AES, we also added support for integrity checks on the encrypted components.
It turns out the code that verifies the integrity checks was broken in 2 ways:
1. it wasn't accurately operating when AES was being used (the if statement wasn't actually triggering for AES_CBC because we were looking for AES in the wrong field).
2. password update did not update the integrity checks in the correct location, meaning any database which has AES encrypted keys, and which had their password updated will not be able to validate their keys.
While we found this in a previous rebase, the patch had not been pushed upstream.
The attached patch needs sqlite3 to run the tests.
Assignee | ||
Comment 3•3 years ago
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Updated•3 years ago
Target Milestone: --- → 3.69
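The two failure modes described in this bug, as an added Python model that is not NSS code and not part of the bug thread: an integrity check gated on the wrong field is silently skipped, and a password change that writes the new tag to the wrong place only becomes visible once the check is fixed. All names (`Record`, `alg`, `enc_alg`, `make_tag`, the tag slots) and the record layout are hypothetical, and the ciphertext is treated as opaque constructed bytes.

```python
import hashlib
import hmac
from dataclasses import dataclass

PBES2, AES_CBC = "pbes2", "aes-cbc"  # constructed labels, not NSS identifiers

@dataclass
class Record:
    alg: str           # outer scheme that wraps the value
    enc_alg: str       # cipher nested inside the scheme's parameters
    ciphertext: bytes  # opaque in this model; encryption is out of scope

def make_tag(password: bytes, obj_id: int, ciphertext: bytes) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 1000)
    msg = obj_id.to_bytes(4, "big") + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()

def load(db, tags, obj_id, password, fixed=True):
    rec = db[obj_id]
    if fixed:
        protected = rec.alg == PBES2 and rec.enc_alg == AES_CBC
    else:
        protected = rec.alg == AES_CBC  # wrong field: never true, check skipped
    if protected:
        want = make_tag(password, obj_id, rec.ciphertext)
        if not hmac.compare_digest(tags.get(obj_id, b""), want):
            raise ValueError(f"integrity check failed for object {obj_id}")
    return rec.ciphertext

def change_password(db, tags, new_password, fixed=True):
    for obj_id, rec in db.items():
        # Only the tag is re-keyed in this model. The buggy variant writes it
        # to a slot the loader never reads, so the stale tag stays in place.
        slot = obj_id if fixed else ("misplaced", obj_id)
        tags[slot] = make_tag(new_password, obj_id, rec.ciphertext)

def rejected(db, tags, obj_id, password, fixed=True) -> bool:
    try:
        load(db, tags, obj_id, password, fixed)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = {1: Record(PBES2, AES_CBC, b"constructed-ciphertext")}
    tags = {1: make_tag(b"old-pw", 1, db[1].ciphertext)}
    change_password(db, tags, b"new-pw", fixed=False)
    print("buggy loader rejects stale tag:", rejected(db, tags, 1, b"new-pw", fixed=False))
    print("fixed loader rejects stale tag:", rejected(db, tags, 1, b"new-pw"))
```

In the model, a regression test for the verification path has to include a modified record that must be rejected; a test that only loads untouched records passes with either loader.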