diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2000-05-04 00:08:35 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2000-05-04 00:08:35 +0000 |
commit | a331a305e9c9c5353bd42db6dbda78a418285708 (patch) | |
tree | d43a47f9dc244b7e04ea05547286b42053cc587d /crypto/pkcs12 | |
parent | 316e6a66f2c4f28f8705636921825c467a5ceef3 (diff) | |
download | openssl-a331a305e9c9c5353bd42db6dbda78a418285708.zip openssl-a331a305e9c9c5353bd42db6dbda78a418285708.tar.gz openssl-a331a305e9c9c5353bd42db6dbda78a418285708.tar.bz2 |
Make PKCS#12 code handle missing passwords.
Add a couple of FAQs.
Diffstat (limited to 'crypto/pkcs12')
-rw-r--r-- | crypto/pkcs12/p12_key.c | 22 | ||||
-rw-r--r-- | crypto/pkcs12/p12_kiss.c | 18 | ||||
-rw-r--r-- | crypto/pkcs12/p12_mutl.c | 5 |
3 files changed, 31 insertions, 14 deletions
diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index b364671..743b5bd 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c @@ -74,25 +74,30 @@ void h__dump (unsigned char *p, int len); #define min(a,b) ((a) < (b) ? (a) : (b)) #endif -int PKCS12_key_gen_asc (const char *pass, int passlen, unsigned char *salt, +int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type) { int ret; unsigned char *unipass; int uniplen; - if (!asc2uni (pass, &unipass, &uniplen)) { + if(!pass) { + unipass = NULL; + uniplen = 0; + } else if (!asc2uni(pass, &unipass, &uniplen)) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); return 0; } - ret = PKCS12_key_gen_uni (unipass, uniplen, salt, saltlen, + ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen, id, iter, n, out, md_type); - memset(unipass, 0, uniplen); /* Clear password from memory */ - Free(unipass); + if(unipass) { + memset(unipass, 0, uniplen); /* Clear password from memory */ + Free(unipass); + } return ret; } -int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt, +int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type) { @@ -106,10 +111,12 @@ int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt, int tmpn = n; #endif +#if 0 if (!pass) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_PASSED_NULL_PARAMETER); return 0; } +#endif #ifdef DEBUG_KEYGEN fprintf(stderr, "KEYGEN DEBUG\n"); @@ -125,7 +132,8 @@ int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt, Ai = Malloc (u); B = Malloc (v + 1); Slen = v * ((saltlen+v-1)/v); - Plen = v * ((passlen+v-1)/v); + if(passlen) Plen = v * ((passlen+v-1)/v); + else Plen = 0; Ilen = Slen + Plen; I = Malloc (Ilen); Ij = BN_new(); diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c index ee257ff..61c865b 100644 --- a/crypto/pkcs12/p12_kiss.c +++ b/crypto/pkcs12/p12_kiss.c @@ -106,11 +106,23 @@ int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, /* Check the mac */ - if (!PKCS12_verify_mac (p12, pass, -1)) - { + /* If password is zero length or NULL then try verifying both cases + * to determine which password is correct. The reason for this is that + * under PKCS#12 password based encryption no password and a zero length + * password are two different things... + */ + + if(!pass || !*pass) { + if(PKCS12_verify_mac(p12, NULL, 0)) pass = NULL; + else if(PKCS12_verify_mac(p12, "", 0)) pass = ""; + else { + PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE); + goto err; + } + } else if (!PKCS12_verify_mac(p12, pass, -1)) { PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE); goto err; - } + } if (!parse_pk12 (p12, pass, -1, pkey, cert, ca)) { diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index 369257e..a335a7b 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -106,10 +106,7 @@ int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen) return 0; } if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) - || memcmp (mac, p12->mac->dinfo->digest->data, maclen)) { - PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_VERIFY_ERROR); - return 0; - } + || memcmp (mac, p12->mac->dinfo->digest->data, maclen)) return 0; return 1; } |