Blame SOURCES/nss-3.53-fix-private_key_mac.patch

5f43a7
diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
5f43a7
--- a/lib/softoken/sftkpwd.c
5f43a7
+++ b/lib/softoken/sftkpwd.c
5f43a7
@@ -277,17 +277,19 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
5f43a7
     *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value,
5f43a7
                                  PR_FALSE, NULL);
5f43a7
     if (*plain == NULL) {
5f43a7
         rv = SECFailure;
5f43a7
         goto loser;
5f43a7
     }
5f43a7
 
5f43a7
     /* If we are using aes 256, we need to check authentication as well.*/
5f43a7
-    if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) {
5f43a7
+    if ((type != CKT_INVALID_TYPE) && 
5f43a7
+	(cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
5f43a7
+        (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
5f43a7
         SECItem signature;
5f43a7
         unsigned char signData[SDB_MAX_META_DATA_LEN];
5f43a7
 
5f43a7
         /* if we get here from the old legacy db, there is clearly an
5f43a7
          * error, don't return the plaintext */
5f43a7
         if (handle == NULL) {
5f43a7
             rv = SECFailure;
5f43a7
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5f43a7
@@ -299,17 +301,27 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
5f43a7
         rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
5f43a7
                                           &signature);
5f43a7
         if (rv != SECSuccess) {
5f43a7
             goto loser;
5f43a7
         }
5f43a7
         rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
5f43a7
                                     *plain, &signature);
5f43a7
         if (rv != SECSuccess) {
5f43a7
-            goto loser;
5f43a7
+            /*  handle a bug where old versions of NSS misfiled the signature
5f43a7
+             *  attribute on password update */
5f43a7
+            id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
5f43a7
+            signature.len = sizeof(signData);
5f43a7
+            rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
5f43a7
+                                              &signature);
5f43a7
+            if (rv != SECSuccess) {
5f43a7
+                goto loser;
5f43a7
+            }
5f43a7
+            rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
5f43a7
+                                        type, *plain, &signature);
5f43a7
         }
5f43a7
     }
5f43a7
 
5f43a7
 loser:
5f43a7
     if (cipherValue.param) {
5f43a7
         nsspkcs5_DestroyPBEParameter(cipherValue.param);
5f43a7
     }
5f43a7
     if (cipherValue.arena) {
5f43a7
@@ -1186,16 +1198,17 @@ sftk_updateEncrypted(PLArenaPool *arena,
5f43a7
     };
5f43a7
     const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
5f43a7
 
5f43a7
     // We don't know what attributes this object has, so we update them one at a
5f43a7
     // time.
5f43a7
     unsigned int i;
5f43a7
     for (i = 0; i < privAttrCount; i++) {
5f43a7
         // Read the old attribute in the clear.
5f43a7
+        CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
5f43a7
         CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
5f43a7
         CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
5f43a7
         if (crv != CKR_OK) {
5f43a7
             continue;
5f43a7
         }
5f43a7
         if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
5f43a7
             continue;
5f43a7
         }
5f43a7
@@ -1210,30 +1223,29 @@ sftk_updateEncrypted(PLArenaPool *arena,
5f43a7
         if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
5f43a7
             return CKR_GENERAL_ERROR;
5f43a7
         }
5f43a7
         SECItem plainText;
5f43a7
         SECItem *result;
5f43a7
         plainText.data = privAttr.pValue;
5f43a7
         plainText.len = privAttr.ulValueLen;
5f43a7
         if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
5f43a7
-                                    iterationCount, id, privAttr.type,
5f43a7
+                                    iterationCount, sdbId, privAttr.type,
5f43a7
                                     &plainText, &result) != SECSuccess) {
5f43a7
             return CKR_GENERAL_ERROR;
5f43a7
         }
5f43a7
         privAttr.pValue = result->data;
5f43a7
         privAttr.ulValueLen = result->len;
5f43a7
         // Clear sensitive data.
5f43a7
         PORT_Memset(plainText.data, 0, plainText.len);
5f43a7
 
5f43a7
         // Write the newly encrypted attributes out directly.
5f43a7
-        CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
5f43a7
         keydb->newKey = newKey;
5f43a7
         keydb->newDefaultIterationCount = iterationCount;
5f43a7
-        crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
5f43a7
+        crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
5f43a7
         keydb->newKey = NULL;
5f43a7
         if (crv != CKR_OK) {
5f43a7
             return crv;
5f43a7
         }
5f43a7
     }
5f43a7
 
5f43a7
     return CKR_OK;
5f43a7
 }