From cdd6696025b997646497b85cc0db6b27db12f92b Mon Sep 17 00:00:00 2001 From: Huw Jones Date: Tue, 13 Oct 2020 05:14:19 +0100 Subject: crypto._PassphraseHelper: pass non-callable passphrase using callback (#947) * crypto._PassphraseHelper: pass non-callable passphrase using callback Fixes #945 Before this commit, we would pass a bytes passphrase as a null terminated string. This causes issue when a randomly generated key's first byte is null because OpenSSL rightly determines the key length is 0. This commit modifies the passphrase helper to pass the passphrase via the callback * Update changelog to document bug fix --- CHANGELOG.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'CHANGELOG.rst') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 2ba1f7f..5df0a05 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -38,7 +38,10 @@ Changes: - Make verification callback optional in ``Context.set_verify``. If omitted, OpenSSL's default verification is used. `#933 `_ - +- Fixed a bug that could truncate or cause a zero-length key error due to a + null byte in private key passphrase in ``OpenSSL.crypto.load_privatekey`` + and ``OpenSSL.crypto.dump_privatekey``. + `#947 `_ 19.1.0 (2019-11-18) ------------------- -- cgit v1.2.1
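Review bot: In the added CHANGELOG.rst entry, "could truncate or cause a zero-length key error" leaves the object of "truncate" unstated, and the entry does not say that only a non-callable (bytes) passphrase is affected, which is the case the commit subject describes. Suggested wording: "Fixed a bug where a null byte in a bytes passphrase passed to ``OpenSSL.crypto.load_privatekey`` or ``OpenSSL.crypto.dump_privatekey`` could truncate the passphrase or cause a zero-length key error." Since the entry names ``dump_privatekey``, it would also help users if it said whether keys dumped before the fix were encrypted under the truncated passphrase. The hunk also deletes one line, shown as a lone "-", just before the added entry; please confirm that a blank line still separates the new list item from the "19.1.0 (2019-11-18)" heading so the reStructuredText renders as before.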