mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-09 05:51:54 +08:00
Code Issues Packages Projects Releases Wiki Activity

try_pkcs12(): Correct handling of NUL termination of passphrases

Browse Source 
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
This commit is contained in:
Tomas Mraz 2021-12-28 12:46:31 +01:00
parent c7debe8111
commit 1dfef929e4
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
crypto/store/store_result.c
View File

@ -525,7 +525,7 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
if (p12 != NULL) {
char *pass = NULL;
char tpass[PEM_BUFSIZE];
char tpass[PEM_BUFSIZE + 1];
size_t tpass_len;
EVP_PKEY *pkey = NULL;
X509 *cert = NULL;
@ -547,17 +547,23 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
OSSL_PARAM_END
};
if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
if (!ossl_pw_get_passphrase(tpass, sizeof(tpass) - 1,
&tpass_len,
pw_params, 0, &ctx->pwdata)) {
ERR_raise(ERR_LIB_OSSL_STORE,
OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
goto p12_end;
}
pass = tpass;
if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
/*
* ossl_pw_get_passphrase() does not NUL terminate but
* we must do it for PKCS12_parse()
*/
pass[tpass_len] = '\0';
if (!PKCS12_verify_mac(p12, pass, tpass_len)) {
ERR_raise_data(ERR_LIB_OSSL_STORE,
OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC,
strlen(pass) == 0 ? "empty password" :
tpass_len == 0 ? "empty password" :
"maybe wrong password");
goto p12_end;
}