summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-06-24 06:57:02 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-06-24 06:57:02 +0000
commit3f1f7e4b0b506f64d9c9ac6a543bfb7de6e9fe56 (patch)
tree0bfc409084019852ab6e21b01c9ee7f2fa6b1067
parent703714d0f45ccf3ff890a9492261d1ba3b0a0855 (diff)
downloadgnutls-3f1f7e4b0b506f64d9c9ac6a543bfb7de6e9fe56.tar.gz
Passwords in PKCS5 and PKCS12 are now restricted to ASCII ones.
-rw-r--r--includes/gnutls/x509.h5
-rw-r--r--lib/gnutls_cert.c2
-rw-r--r--lib/gnutls_errors.c1
-rw-r--r--lib/gnutls_errors_int.h1
-rw-r--r--lib/x509/pkcs12.c5
-rw-r--r--lib/x509/pkcs12.h6
-rw-r--r--lib/x509/pkcs12_encr.c28
-rw-r--r--lib/x509/pkcs5.c7
8 files changed, 44 insertions, 11 deletions
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index dae971fbc4..78ccee76ba 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -277,7 +277,7 @@ typedef struct gnutls_pkcs12_bag_int* gnutls_pkcs12_bag;
int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12);
void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12);
int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data,
- gnutls_x509_crt_fmt format, const char* password, unsigned int flags);
+ gnutls_x509_crt_fmt format, unsigned int flags);
int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12,
int indx, gnutls_pkcs12_bag bag);
int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag bag, const char* pass);
@@ -289,7 +289,8 @@ typedef enum gnutls_pkcs12_bag_type {
GNUTLS_BAG_PKCS8_KEY,
GNUTLS_BAG_CERTIFICATE,
GNUTLS_BAG_CRL,
- GNUTLS_BAG_ENCRYPTED=10
+ GNUTLS_BAG_ENCRYPTED=10,
+ GNUTLS_BAG_UNKNOWN=20
} gnutls_pkcs12_bag_type;
gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int indx);
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 0d232b617e..3b8159452c 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -42,6 +42,8 @@
#include "x509/x509.h"
#include "x509/mpi.h"
+void gnutls_certificate_free_crls(gnutls_certificate_credentials sc);
+
/**
* gnutls_certificate_free_keys - Used to free all the keys from a gnutls_certificate_credentials structure
* @sc: is an &gnutls_certificate_credentials structure.
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index e8c9101204..f96d60a406 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -137,6 +137,7 @@ static gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY("The hash algorithm is unknown.", GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1),
ERROR_ENTRY("The PKCS structure's content type is unknown.", GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1),
ERROR_ENTRY("The PKCS structure's Bag type is unknown.", GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1),
+ ERROR_ENTRY("The password given contains invalid characters.", GNUTLS_E_INVALID_PASSWORD, 1),
{0, 0, 0, 0}
};
diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h
index 9795d80240..f15e7cbf86 100644
--- a/lib/gnutls_errors_int.h
+++ b/lib/gnutls_errors_int.h
@@ -112,6 +112,7 @@
#define GNUTLS_E_UNKNOWN_HASH_ALGORITHM -96
#define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97
#define GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE -98
+#define GNUTLS_E_INVALID_PASSWORD -99
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -250
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 9c39c1766e..fe938faa65 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -155,7 +155,6 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12)
* @pkcs12: The structure to store the parsed PKCS12.
* @data: The DER or PEM encoded PKCS12.
* @format: One of DER or PEM
- * @password: the password that will be used to decrypt the structure
* @flags: an ORed sequence of gnutls_privkey_pkcs8_flags
*
* This function will convert the given DER or PEM encoded PKCS12
@@ -167,7 +166,7 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12)
*
**/
int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data,
- gnutls_x509_crt_fmt format, const char* password, unsigned int flags)
+ gnutls_x509_crt_fmt format, unsigned int flags)
{
int result = 0, need_free = 0;
gnutls_datum _data = { data->data, data->size };
@@ -246,7 +245,7 @@ static int _oid2bag( const char* oid)
if (strcmp(oid, BAG_CRL)==0)
return GNUTLS_BAG_CRL;
- return GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE;
+ return GNUTLS_BAG_UNKNOWN;
}
diff --git a/lib/x509/pkcs12.h b/lib/x509/pkcs12.h
index 9604eefa44..e82563f234 100644
--- a/lib/x509/pkcs12.h
+++ b/lib/x509/pkcs12.h
@@ -10,7 +10,8 @@ typedef enum gnutls_pkcs12_bag_type {
GNUTLS_BAG_PKCS8_KEY,
GNUTLS_BAG_CERTIFICATE,
GNUTLS_BAG_CRL,
- GNUTLS_BAG_ENCRYPTED=10
+ GNUTLS_BAG_ENCRYPTED=10,
+ GNUTLS_BAG_UNKNOWN=20
} gnutls_pkcs12_bag_type;
#define MAX_BAG_ELEMENTS 32
@@ -32,7 +33,7 @@ typedef struct gnutls_pkcs12_bag_int *gnutls_pkcs12_bag;
int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12);
void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12);
int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data,
- gnutls_x509_crt_fmt format, const char* password, unsigned int flags);
+ gnutls_x509_crt_fmt format, unsigned int flags);
int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12,
int indx, gnutls_pkcs12_bag bag);
@@ -47,3 +48,4 @@ _pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const
int _gnutls_x509_decrypt_pkcs7_encrypted_data( const gnutls_datum* data,
const char* password, gnutls_datum* dec);
int _pkcs12_decode_safe_contents( const gnutls_datum* content, gnutls_pkcs12_bag bag);
+int _pkcs12_check_pass( const char* pass, size_t plen);
diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c
index 8c7a6146c5..f8f232050b 100644
--- a/lib/x509/pkcs12_encr.c
+++ b/lib/x509/pkcs12_encr.c
@@ -7,6 +7,23 @@
#include <gcrypt.h>
#include <gnutls_errors.h>
+#include <ctype.h>
+
+/* Returns 0 if the password is ok, or a negative error
+ * code instead.
+ */
+int _pkcs12_check_pass( const char* pass, size_t plen)
+{
+const unsigned char* p = pass;
+int i;
+
+ for (i=0;i<plen;i++) {
+ if ( p[i] < 128) continue;
+ return GNUTLS_E_INVALID_PASSWORD;
+ }
+
+ return 0;
+}
int
_pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const char *pw,
@@ -22,10 +39,15 @@ _pkcs12_string_to_key (int id, const char *salt, int salt_size, int iter, const
cur_keylen = 0;
pwlen = strlen (pw);
- if (pwlen > 63/2 || salt_size > 8)
- {
+ if (pwlen > 63/2 || salt_size > 8) {
+ gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
- }
+ }
+
+ if ((rc=_pkcs12_check_pass( pw, pwlen)) < 0) {
+ gnutls_assert();
+ return rc;
+ }
/* Store salt and password in BUF_I */
p = buf_i;
diff --git a/lib/x509/pkcs5.c b/lib/x509/pkcs5.c
index 4a7d56af1d..a0e088f47d 100644
--- a/lib/x509/pkcs5.c
+++ b/lib/x509/pkcs5.c
@@ -19,10 +19,11 @@
/* XXX what about namespace? */
-#include <defines.h>
+#include <gnutls_int.h>
#ifdef ENABLE_PKI
+#include <pkcs12.h>
#include <gcrypt.h>
#include "pkcs5.h"
@@ -83,6 +84,10 @@ _gnutls_pkcs5_pbkdf2 (int PRF,
if (dkLen == 0)
return PKCS5_INVALID_DERIVED_KEY_LENGTH;
+ if ((rc=_pkcs12_check_pass( P, Plen)) < 0) {
+ return rc;
+ }
+
/*
*
* Steps: