Closed Bug 1720226 Opened 3 years ago Closed 3 years ago

integrity checks in key4.db not happening on private components with AES_CBC

Categories

(NSS :: Libraries, defect, P1)

3.67

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rrelyea, Assigned: rrelyea)

References

Details

(Whiteboard: [nss-fx])

Attachments

(2 files)

When we added support for AES, we also added support for integrity checks on the encrypted components.

It turns out the code that verifies the integrity checks was broken in 2 ways:

  1. it wasn't accurately operating when AES was being used (the if statement wasn't actually triggering for AES_CBC because we were looking for AES in the wrong field).
  2. password update did not update the integrity checks in the correct location, meaning any database which AES encrypted keys, and which had their password updated will not be able to validate their keys.

While we found this in a previous rebase, the patch had not been pushed upstream.

The attached patch is for reference, a full patch (including test cases) will be submitted with phabriator.

Assignee: nobody → rrelyea
Status: NEW → ASSIGNED

Bob, can you please set severity for this? Thank you! : )

Priority: -- → P1
Whiteboard: [nss-fx]
Severity: -- → S2

When we added support for AES, we also added support for integrity checks on the encrypted components.

It turns out the code that verifies the integrity checks was broken in 2 ways:

1. it wasn't accurately operating when AES was being used (the if statement wasn't actually triggering for AES_CBC because we were looking for AES in the wrong field).
2. password update did not update the integrity checks in the correct location, meaning any database which AES encrypted keys, and which had their password updated will not be able to validate their keys.

While we found this in a previous rebase, the patch had not been pushed upstream.

The attached patch needs sqlite3 to run the tests.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.69
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: