Passwords in PKCS5 and PKCS12 are now restricted to ASCII ones.

author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2003-06-24 06:57:02 +0000
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2003-06-24 06:57:02 +0000
commit: 3f1f7e4b0b506f64d9c9ac6a543bfb7de6e9fe56 (patch)
tree: 0bfc409084019852ab6e21b01c9ee7f2fa6b1067
parent: 703714d0f45ccf3ff890a9492261d1ba3b0a0855 (diff)
download: gnutls-3f1f7e4b0b506f64d9c9ac6a543bfb7de6e9fe56.tar.gz
8 files changed, 44 insertions, 11 deletions
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index dae971fbc4..78ccee76ba 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -277,7 +277,7 @@ typedef struct gnutls_pkcs12_bag_int* gnutls_pkcs12_bag;
 int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12);
 void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12);
 int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data,
-	gnutls_x509_crt_fmt format, const char* password, unsigned int flags);
+	gnutls_x509_crt_fmt format, unsigned int flags);
 int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, 
 	int indx, gnutls_pkcs12_bag bag);
 int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag bag, const char* pass);
@@ -289,7 +289,8 @@ typedef enum gnutls_pkcs12_bag_type {
 	GNUTLS_BAG_PKCS8_KEY,
 	GNUTLS_BAG_CERTIFICATE,
 	GNUTLS_BAG_CRL,
-	GNUTLS_BAG_ENCRYPTED=10
+	GNUTLS_BAG_ENCRYPTED=10,
+	GNUTLS_BAG_UNKNOWN=20
 } gnutls_pkcs12_bag_type;
 
 gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int indx);
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 0d232b617e..3b8159452c 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -42,6 +42,8 @@
 #include "x509/x509.h"
 #include "x509/mpi.h"
 
+void gnutls_certificate_free_crls(gnutls_certificate_credentials sc);
+
 /**
   * gnutls_certificate_free_keys - Used to free all the keys from a gnutls_certificate_credentials structure
   * @sc: is an &gnutls_certificate_credentials structure.
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index e8c9101204..f96d60a406 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -137,6 +137,7 @@ static gnutls_error_entry error_algorithms[] = {
         ERROR_ENTRY("The hash algorithm is unknown.", GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1),
         ERROR_ENTRY("The PKCS structure's content type is unknown.", GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1),
         ERROR_ENTRY("The PKCS structure's Bag type is unknown.", GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1),
+        ERROR_ENTRY("The password given contains invalid characters.", GNUTLS_E_INVALID_PASSWORD, 1),
 	{0, 0, 0, 0}
 };
 
diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h
index 9795d80240..f15e7cbf86 100644
--- a/lib/gnutls_errors_int.h
+++ b/lib/gnutls_errors_int.h
@@ -112,6 +112,7 @@
 #define GNUTLS_E_UNKNOWN_HASH_ALGORITHM -96
 #define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97
 #define GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE -98
+#define GNUTLS_E_INVALID_PASSWORD -99
 
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -250
 
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 9c39c1766e..fe938faa65 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -155,7 +155,6 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12)
   * @pkcs12: The structure to store the parsed PKCS12.
   * @data: The DER or PEM encoded PKCS12.
   * @format: One of DER or PEM
-  * @password: the password that will be used to decrypt the structure
   * @flags: an ORed sequence of gnutls_privkey_pkcs8_flags
   *
   * This function will convert the given DER or PEM encoded PKCS12
@@ -167,7 +166,7 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12)
   *
   **/
 int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data,
-	gnutls_x509_crt_fmt format, const char* password, unsigned int flags)
+	gnutls_x509_crt_fmt format, unsigned int flags)
 {
 	int result = 0, need_free = 0;
 	gnutls_datum _data = { data->data, data->size };
@@ -246,7 +245,7 @@ static int _oid2bag( const char* oid)
 	if (strcmp(oid, BAG_CRL)==0) 
 		return GNUTLS_BAG_CRL;
 	
-	return GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE;
+	return GNUTLS_BAG_UNKNOWN;
 
 }
 
diff --git a/lib/x509/pkcs12.h b/lib/x509/pkcs12.h
index 9604eefa44..e82563f234 100644
--- a/lib/x509/pkcs12.h
+++ b/lib/x509/pkcs12.h
@@ -10,7 +10,8 @@ typedef enum gnutls_pkcs12_bag_type {
 	GNUTLS_BAG_PKCS8_KEY,
 	GNUTLS_BAG_CERTIFICATE,
 	GNUTLS_BAG_CRL,
-	GNUTLS_BAG_ENCRYPTED=10
+	GNUTLS_BAG_ENCRYPTED=10,
+	GNUTLS_BAG_UNKNOWN=20
 } gnutls_pkcs12_bag_type;
 
 #define MAX_BAG_ELEMENTS 32
@@ -32,7 +33,7 @@ typedef struct gnutls_pkcs12_bag_int *gnutls_pkcs12_bag;
 int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12);
 void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12);
 int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data,
-	gnutls_x509_crt_fmt format, const char* password, unsigned int flags);
+	gnutls_x509_crt_fmt format, unsigned int flags);
 
 int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, 
 	int indx, gnutls_pkcs12_bag bag);
@@ -47,3 +48,4 @@ _pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const
 int _gnutls_x509_decrypt_pkcs7_encrypted_data( const gnutls_datum* data,
         const char* password, gnutls_datum* dec);
 int _pkcs12_decode_safe_contents( const gnutls_datum* content, gnutls_pkcs12_bag bag);
+int _pkcs12_check_pass( const char* pass, size_t plen);
diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c
index 8c7a6146c5..f8f232050b 100644
--- a/lib/x509/pkcs12_encr.c
+++ b/lib/x509/pkcs12_encr.c
@@ -7,6 +7,23 @@
 
 #include <gcrypt.h>
 #include <gnutls_errors.h>
+#include <ctype.h>
+
+/* Returns 0 if the password is ok, or a negative error
+ * code instead.
+ */
+int _pkcs12_check_pass( const char* pass, size_t plen) 
+{
+const unsigned char* p = pass;
+int i;
+
+	for (i=0;i<plen;i++) {
+		if ( p[i] < 128) continue;
+		return GNUTLS_E_INVALID_PASSWORD;
+	}
+	
+	return 0;
+}
 
 int 
 _pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const char *pw,
@@ -22,10 +39,15 @@ _pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const
 
   cur_keylen = 0;
   pwlen = strlen (pw);
-  if (pwlen > 63/2 || salt_size > 8)
-    {
+  if (pwlen > 63/2 || salt_size > 8) {
+      gnutls_assert();
       return GNUTLS_E_INVALID_REQUEST;
-    }
+  }
+
+  if ((rc=_pkcs12_check_pass( pw, pwlen)) < 0) {
+  	gnutls_assert();
+  	return rc;
+  }
 
   /* Store salt and password in BUF_I */
   p = buf_i;
diff --git a/lib/x509/pkcs5.c b/lib/x509/pkcs5.c
index 4a7d56af1d..a0e088f47d 100644
--- a/lib/x509/pkcs5.c
+++ b/lib/x509/pkcs5.c
@@ -19,10 +19,11 @@
 
 /* XXX what about namespace? */
 
-#include <defines.h>
+#include <gnutls_int.h>
 
 #ifdef ENABLE_PKI
 
+#include <pkcs12.h>
 #include <gcrypt.h>
 #include "pkcs5.h"
 
@@ -83,6 +84,10 @@ _gnutls_pkcs5_pbkdf2 (int PRF,
   if (dkLen == 0)
     return PKCS5_INVALID_DERIVED_KEY_LENGTH;
 
+  if ((rc=_pkcs12_check_pass( P, Plen)) < 0) {
+  	return rc;
+  }
+
   /*
    *
    *  Steps:
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2003-06-24 06:57:02 +0000
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2003-06-24 06:57:02 +0000
commit	3f1f7e4b0b506f64d9c9ac6a543bfb7de6e9fe56 (patch)
tree	0bfc409084019852ab6e21b01c9ee7f2fa6b1067
parent	703714d0f45ccf3ff890a9492261d1ba3b0a0855 (diff)
download	gnutls-3f1f7e4b0b506f64d9c9ac6a543bfb7de6e9fe56.tar.gz