Return error if password is not empty and row is not password protected

[Problem] If old scheme row is not password protected and the user tries to
read it with non empty password it will get reencrypted with this password.
[Solution] Throw an authentication exception if password is not empty and row
is not password protected.

[Verification] Run ckm-tests-internal -t ENCRYPTION_SCHEME_TEST/T120_Read_wrong_pass

Change-Id: I44b270dbbefd043b6efb9371f0d7a81c1b234b31

diff --git a/src/manager/service/crypto-logic.cpp b/src/manager/service/crypto-logic.cpp
index c7b8786..6fe6e4e 100644 (file)
--- a/src/manager/service/crypto-logic.cpp
+++ b/src/manager/service/crypto-logic.cpp
@@ -208,13 +208,19 @@ void CryptoLogic::decryptRow(const Password &password, DB::Row &row)
 
         if ((row.encryptionScheme & ENCR_PASSWORD) && password.empty()) {
             ThrowErr(Exc::AuthenticationFailed,
-              "DB row is password protected, but given password is "
-              "empty.");
+                     "DB row is password protected, but given password is empty.");
+        }
+
+        if(!(row.encryptionScheme & ENCR_PASSWORD) && !password.empty()) {
+            ThrowErr(Exc::AuthenticationFailed,
+                     "DB row is not password protected, but given password is not empty.");
         }
 
         if ((row.encryptionScheme & ENCR_APPKEY) && !haveKey(row.ownerLabel)) {
-            ThrowErr(Exc::AuthenticationFailed, "Missing application key for ",
-              row.ownerLabel, " label.");
+            ThrowErr(Exc::AuthenticationFailed,
+                     "Missing application key for ",
+                     row.ownerLabel,
+                     " label.");
         }
 
         decBase64(crow.iv);