diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-06-24 06:57:02 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-06-24 06:57:02 +0000 |
commit | 3f1f7e4b0b506f64d9c9ac6a543bfb7de6e9fe56 (patch) | |
tree | 0bfc409084019852ab6e21b01c9ee7f2fa6b1067 | |
parent | 703714d0f45ccf3ff890a9492261d1ba3b0a0855 (diff) | |
download | gnutls-3f1f7e4b0b506f64d9c9ac6a543bfb7de6e9fe56.tar.gz |
Passwords in PKCS5 and PKCS12 are now restricted to ASCII ones.
-rw-r--r-- | includes/gnutls/x509.h | 5 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 2 | ||||
-rw-r--r-- | lib/gnutls_errors.c | 1 | ||||
-rw-r--r-- | lib/gnutls_errors_int.h | 1 | ||||
-rw-r--r-- | lib/x509/pkcs12.c | 5 | ||||
-rw-r--r-- | lib/x509/pkcs12.h | 6 | ||||
-rw-r--r-- | lib/x509/pkcs12_encr.c | 28 | ||||
-rw-r--r-- | lib/x509/pkcs5.c | 7 |
8 files changed, 44 insertions, 11 deletions
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h index dae971fbc4..78ccee76ba 100644 --- a/includes/gnutls/x509.h +++ b/includes/gnutls/x509.h @@ -277,7 +277,7 @@ typedef struct gnutls_pkcs12_bag_int* gnutls_pkcs12_bag; int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12); void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12); int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data, - gnutls_x509_crt_fmt format, const char* password, unsigned int flags); + gnutls_x509_crt_fmt format, unsigned int flags); int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, int indx, gnutls_pkcs12_bag bag); int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag bag, const char* pass); @@ -289,7 +289,8 @@ typedef enum gnutls_pkcs12_bag_type { GNUTLS_BAG_PKCS8_KEY, GNUTLS_BAG_CERTIFICATE, GNUTLS_BAG_CRL, - GNUTLS_BAG_ENCRYPTED=10 + GNUTLS_BAG_ENCRYPTED=10, + GNUTLS_BAG_UNKNOWN=20 } gnutls_pkcs12_bag_type; gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int indx); diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 0d232b617e..3b8159452c 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -42,6 +42,8 @@ #include "x509/x509.h" #include "x509/mpi.h" +void gnutls_certificate_free_crls(gnutls_certificate_credentials sc); + /** * gnutls_certificate_free_keys - Used to free all the keys from a gnutls_certificate_credentials structure * @sc: is an &gnutls_certificate_credentials structure. diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index e8c9101204..f96d60a406 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -137,6 +137,7 @@ static gnutls_error_entry error_algorithms[] = { ERROR_ENTRY("The hash algorithm is unknown.", GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1), ERROR_ENTRY("The PKCS structure's content type is unknown.", GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1), ERROR_ENTRY("The PKCS structure's Bag type is unknown.", GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1), + ERROR_ENTRY("The password given contains invalid characters.", GNUTLS_E_INVALID_PASSWORD, 1), {0, 0, 0, 0} }; diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h index 9795d80240..f15e7cbf86 100644 --- a/lib/gnutls_errors_int.h +++ b/lib/gnutls_errors_int.h @@ -112,6 +112,7 @@ #define GNUTLS_E_UNKNOWN_HASH_ALGORITHM -96 #define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97 #define GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE -98 +#define GNUTLS_E_INVALID_PASSWORD -99 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -250 diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index 9c39c1766e..fe938faa65 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c @@ -155,7 +155,6 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12) * @pkcs12: The structure to store the parsed PKCS12. * @data: The DER or PEM encoded PKCS12. * @format: One of DER or PEM - * @password: the password that will be used to decrypt the structure * @flags: an ORed sequence of gnutls_privkey_pkcs8_flags * * This function will convert the given DER or PEM encoded PKCS12 @@ -167,7 +166,7 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12) * **/ int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data, - gnutls_x509_crt_fmt format, const char* password, unsigned int flags) + gnutls_x509_crt_fmt format, unsigned int flags) { int result = 0, need_free = 0; gnutls_datum _data = { data->data, data->size }; @@ -246,7 +245,7 @@ static int _oid2bag( const char* oid) if (strcmp(oid, BAG_CRL)==0) return GNUTLS_BAG_CRL; - return GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE; + return GNUTLS_BAG_UNKNOWN; } diff --git a/lib/x509/pkcs12.h b/lib/x509/pkcs12.h index 9604eefa44..e82563f234 100644 --- a/lib/x509/pkcs12.h +++ b/lib/x509/pkcs12.h @@ -10,7 +10,8 @@ typedef enum gnutls_pkcs12_bag_type { GNUTLS_BAG_PKCS8_KEY, GNUTLS_BAG_CERTIFICATE, GNUTLS_BAG_CRL, - GNUTLS_BAG_ENCRYPTED=10 + GNUTLS_BAG_ENCRYPTED=10, + GNUTLS_BAG_UNKNOWN=20 } gnutls_pkcs12_bag_type; #define MAX_BAG_ELEMENTS 32 @@ -32,7 +33,7 @@ typedef struct gnutls_pkcs12_bag_int *gnutls_pkcs12_bag; int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12); void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12); int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data, - gnutls_x509_crt_fmt format, const char* password, unsigned int flags); + gnutls_x509_crt_fmt format, unsigned int flags); int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, int indx, gnutls_pkcs12_bag bag); @@ -47,3 +48,4 @@ _pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const int _gnutls_x509_decrypt_pkcs7_encrypted_data( const gnutls_datum* data, const char* password, gnutls_datum* dec); int _pkcs12_decode_safe_contents( const gnutls_datum* content, gnutls_pkcs12_bag bag); +int _pkcs12_check_pass( const char* pass, size_t plen); diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c index 8c7a6146c5..f8f232050b 100644 --- a/lib/x509/pkcs12_encr.c +++ b/lib/x509/pkcs12_encr.c @@ -7,6 +7,23 @@ #include <gcrypt.h> #include <gnutls_errors.h> +#include <ctype.h> + +/* Returns 0 if the password is ok, or a negative error + * code instead. + */ +int _pkcs12_check_pass( const char* pass, size_t plen) +{ +const unsigned char* p = pass; +int i; + + for (i=0;i<plen;i++) { + if ( p[i] < 128) continue; + return GNUTLS_E_INVALID_PASSWORD; + } + + return 0; +} int _pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const char *pw, @@ -22,10 +39,15 @@ _pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const cur_keylen = 0; pwlen = strlen (pw); - if (pwlen > 63/2 || salt_size > 8) - { + if (pwlen > 63/2 || salt_size > 8) { + gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; - } + } + + if ((rc=_pkcs12_check_pass( pw, pwlen)) < 0) { + gnutls_assert(); + return rc; + } /* Store salt and password in BUF_I */ p = buf_i; diff --git a/lib/x509/pkcs5.c b/lib/x509/pkcs5.c index 4a7d56af1d..a0e088f47d 100644 --- a/lib/x509/pkcs5.c +++ b/lib/x509/pkcs5.c @@ -19,10 +19,11 @@ /* XXX what about namespace? */ -#include <defines.h> +#include <gnutls_int.h> #ifdef ENABLE_PKI +#include <pkcs12.h> #include <gcrypt.h> #include "pkcs5.h" @@ -83,6 +84,10 @@ _gnutls_pkcs5_pbkdf2 (int PRF, if (dkLen == 0) return PKCS5_INVALID_DERIVED_KEY_LENGTH; + if ((rc=_pkcs12_check_pass( P, Plen)) < 0) { + return rc; + } + /* * * Steps: |