Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mt

Differential Revision: https://phabricator.services.mozilla.com/D101218

5 files changed, 70 insertions, 2 deletions

diff --git a/gtests/softoken_gtest/manifest.mn b/gtests/softoken_gtest/manifest.mn
index f146811ba..81545b2c5 100644
--- a/gtests/softoken_gtest/manifest.mn
+++ b/gtests/softoken_gtest/manifest.mn
@@ -33,4 +33,5 @@ EXTRA_LIBS = \
 	$(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)sqlite.$(LIB_SUFFIX) \
 	$(NULL)
diff --git a/gtests/softoken_gtest/softoken_gtest.cc b/gtests/softoken_gtest/softoken_gtest.cc
index 6fff252bd..59e98765c 100644
--- a/gtests/softoken_gtest/softoken_gtest.cc
+++ b/gtests/softoken_gtest/softoken_gtest.cc
@@ -14,6 +14,7 @@
 #include "databuffer.h"
 #include <fstream>
 #include <chrono>
+#include <sqlite3.h>
 using namespace std::chrono;
 
 #include "softoken_dh_vectors.h"
@@ -42,6 +43,61 @@ class SoftokenTest : public ::testing::Test {
   ScopedUniqueDirectory mNSSDBDir;
 };
 
+TEST_F(SoftokenTest, CheckDefaultPbkdf2Iterations) {
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+  ASSERT_TRUE(slot);
+  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
+
+  // Open key4.db and check encoded PBE algorithm and iteration count.
+  // Compare bytes against the expected values to avoid ASN.1 here.
+  std::string key_db = mNSSDBDir.GetPath() + "/key4.db";
+
+  sqlite3 *sql_db = NULL;
+  ASSERT_EQ(SQLITE_OK, sqlite3_open(key_db.c_str(), &sql_db));
+
+  char *query_str = sqlite3_mprintf("SELECT item2 FROM metaData;");
+  ASSERT_NE(nullptr, query_str);
+
+  sqlite3_stmt *statement = NULL;
+  ASSERT_EQ(SQLITE_OK,
+            sqlite3_prepare_v2(sql_db, query_str, -1, &statement, NULL));
+  ASSERT_EQ(SQLITE_ROW, sqlite3_step(statement));
+  unsigned int len = sqlite3_column_bytes(statement, 0);
+  const unsigned char *reader = sqlite3_column_text(statement, 0);
+
+  ASSERT_NE(nullptr, reader);
+  ASSERT_EQ(133U, len);
+
+  // pkcs5PBES2, pkcs5PBKDF2
+  const uint8_t pkcs5_with_pbkdf2[] = {
+      0x30, 0x81, 0x82, 0x30, 0x6E, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+      0xF7, 0x0D, 0x01, 0x05, 0x0D, 0x30, 0x61, 0x30, 0x42, 0x06, 0x09,
+      0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C, 0x30, 0x35};
+  EXPECT_EQ(0, memcmp(reader, pkcs5_with_pbkdf2, sizeof(pkcs5_with_pbkdf2)));
+  reader += sizeof(pkcs5_with_pbkdf2);
+
+  // Skip over the 32B random salt
+  const uint8_t salt_prefix[] = {0x04, 0x20};
+  EXPECT_EQ(0, memcmp(reader, salt_prefix, sizeof(salt_prefix)));
+  reader += sizeof(salt_prefix) + 0x20;
+
+  // Expect 10000 iterations
+  const uint8_t iterations[] = {0x02, 0x02, 0x27, 0x10};
+  EXPECT_EQ(0, memcmp(reader, iterations, sizeof(iterations)));
+  reader += sizeof(iterations);
+
+  // hmacWithSHA256, aes256-CBC
+  const uint8_t oids[] = {0x02, 0x01, 0x20, 0x30, 0x0A, 0x06, 0x08,
+                          0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02,
+                          0x09, 0x30, 0x1B, 0x06, 0x09, 0x60, 0x86,
+                          0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A};
+  EXPECT_EQ(0, memcmp(reader, oids, sizeof(oids)));
+
+  EXPECT_EQ(SQLITE_OK, sqlite3_finalize(statement));
+  sqlite3_free(query_str);
+  sqlite3_close(sql_db);
+}
+
 TEST_F(SoftokenTest, ResetSoftokenEmptyPassword) {
   ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
   ASSERT_TRUE(slot);
diff --git a/gtests/softoken_gtest/softoken_gtest.gyp b/gtests/softoken_gtest/softoken_gtest.gyp
index c613a1ddd..f364dbe33 100644
--- a/gtests/softoken_gtest/softoken_gtest.gyp
+++ b/gtests/softoken_gtest/softoken_gtest.gyp
@@ -38,6 +38,7 @@
           'dependencies': [
             '<(DEPTH)/lib/nss/nss.gyp:nss3',
             '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
+            '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
           ],
         }],
       ],
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
index a1a723fe8..5c4608a9b 100644
--- a/lib/softoken/sftkdb.c
+++ b/lib/softoken/sftkdb.c
@@ -2860,10 +2860,9 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
         case NSS_DB_TYPE_EXTERN: /* SHOULD open a loadable db */
             crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags,
                          noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit);
-
-#ifndef NSS_DISABLE_DBM
             legacy = PR_FALSE;
 
+#ifndef NSS_DISABLE_DBM
             /*
              * if we failed to open the DB's read only, use the old ones if
              * the exists.
diff --git a/tests/gtests/gtests.sh b/tests/gtests/gtests.sh
index 50c0410f0..4005a16a6 100755
--- a/tests/gtests/gtests.sh
+++ b/tests/gtests/gtests.sh
@@ -68,12 +68,23 @@ gtest_start()
     if [ "$i" = "mozpkix_gtest" ]; then
       EXTRA_ASAN_OPTIONS="detect_odr_violation=0"
     fi
+    # NSS CI sets a lower max for PBE iterations, otherwise cert.sh
+    # is very slow. Unset this maxiumum for softoken_gtest, as it
+    # needs to check the default value.
+    if [ "$i" = "softoken_gtest" ]; then
+      OLD_MAX_PBE_ITERATIONS=$NSS_MAX_MP_PBE_ITERATION_COUNT
+      unset NSS_MAX_MP_PBE_ITERATION_COUNT
+    fi
     echo "executing $i"
     ASAN_OPTIONS="$ASAN_OPTIONS:$EXTRA_ASAN_OPTIONS" "${BINDIR}/$i" \
                  "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
                  -d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \
                               --gtest_filter="${GTESTFILTER:-*}"
     html_msg $? 0 "$i run successfully"
+    if [ "$i" = "softoken_gtest" ]; then
+      export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS
+    fi
+
     echo "test output dir: ${GTESTREPORT}"
     echo "executing sed to parse the xml report"
     sed -f "${COMMON}/parsegtestreport.sed" "$GTESTREPORT" > "$PARSED_REPORT"