From f8575d6b7807c953fa4693f1588535ce35d88548 Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz
Date: Thu, 1 Oct 2015 08:32:54 +0200
Subject: [PATCH] Return error if password is not empty and row is not password protected
[Problem] If old scheme row is not password protected and the user tries to read it with non empty password it will get reencrypted with this password.
[Solution] Throw an authentication exception if password is not empty and row is not password protected.
[Verification] Run ckm-tests-internal -t ENCRYPTION_SCHEME_TEST/T120_Read_wrong_pass
Change-Id: I44b270dbbefd043b6efb9371f0d7a81c1b234b31
---
 src/manager/service/crypto-logic.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/manager/service/crypto-logic.cpp b/src/manager/service/crypto-logic.cpp
index c7b8786..6fe6e4e 100644
--- a/src/manager/service/crypto-logic.cpp
+++ b/src/manager/service/crypto-logic.cpp
@@ -208,13 +208,19 @@ void CryptoLogic::decryptRow(const Password &password, DB::Row &row)
 
 if ((row.encryptionScheme & ENCR_PASSWORD) && password.empty()) {
 ThrowErr(Exc::AuthenticationFailed,
- "DB row is password protected, but given password is "
- "empty.");
+ "DB row is password protected, but given password is empty.");
+ }
+
+ if(!(row.encryptionScheme & ENCR_PASSWORD) && !password.empty()) {
+ ThrowErr(Exc::AuthenticationFailed,
+ "DB row is not password protected, but given password is not empty.");
 }
 
 if ((row.encryptionScheme & ENCR_APPKEY) && !haveKey(row.ownerLabel)) {
- ThrowErr(Exc::AuthenticationFailed, "Missing application key for ",
- row.ownerLabel, " label.");
+ ThrowErr(Exc::AuthenticationFailed,
+ "Missing application key for ",
+ row.ownerLabel,
+ " label.");
 }
 
 decBase64(crow.iv);
-- 
2.7.4
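Review bot: The new guard `if(!(row.encryptionScheme & ENCR_PASSWORD) && !password.empty())` carries a security rationale that lives only in the commit message: without it an old-scheme row would be re-encrypted under whatever password the caller supplied. I would state that next to the check, e.g. `// Reject a password on an unprotected row; otherwise an old-scheme row would be re-encrypted with it.`, so a later refactor does not drop the check as redundant. The same line is written `if(` while the neighbouring checks use `if (`. The two messages differ by protection state, so if the ThrowErr text can reach the caller rather than only the log (not visible here), it tells the caller whether a row is password protected; a single shared message would avoid that. decryptRow starts and ends outside the hunk, so the position of the guard relative to the re-encryption path cannot be confirmed from these lines.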