Bug 1585189 - Changed the algorithm used to encrypt NSS database entries, from 3DES to AES256.

Our NSS DB uses 3DES internally to encrypt their entries.
This patch changes the default algorithm for AES256 to increase the security.
This patch also adds code to use AES Wrap in the future. It also adds an integrity
check to the AES256 CBC. The change only affects sqlite databases.

bob

Differential Revision: https://phabricator.services.mozilla.com/D54589

1 files changed, 6 insertions, 3 deletions

diff --git a/lib/softoken/lgglue.c b/lib/softoken/lgglue.c
index 8cfb4ec56..461e9a3cd 100644
--- a/lib/softoken/lgglue.c
+++ b/lib/softoken/lgglue.c
@@ -205,7 +205,8 @@ sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText,
         iterationCount = 1;
     }
 
-    rv = sftkdb_EncryptAttribute(arena, key, iterationCount,
+    rv = sftkdb_EncryptAttribute(arena, handle, sdb, key, iterationCount,
+                                 CK_INVALID_HANDLE, CKT_INVALID_TYPE,
                                  plainText, cipherText);
     PZ_Unlock(handle->passwordLock);
 
@@ -227,7 +228,7 @@ sftkdb_decrypt_stub(SDB *sdb, SECItem *cipherText, SECItem **plainText)
         return SECFailure;
     }
 
-    /* if we aren't th handle, try the other handle */
+    /* if we aren't the key handle, try the other handle */
     oldKey = handle->oldKey;
     if (handle->type != SFTK_KEYDB_TYPE) {
         handle = handle->peerDB;
@@ -244,7 +245,9 @@ sftkdb_decrypt_stub(SDB *sdb, SECItem *cipherText, SECItem **plainText)
         /* PORT_SetError */
         return SECFailure;
     }
-    rv = sftkdb_DecryptAttribute(oldKey ? oldKey : &handle->passwordKey,
+    rv = sftkdb_DecryptAttribute(NULL, oldKey ? oldKey : &handle->passwordKey,
+                                 CK_INVALID_HANDLE,
+                                 CKT_INVALID_TYPE,
                                  cipherText, plainText);
     PZ_Unlock(handle->passwordLock);