[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-73-gcd4e453
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-73-gcd4e453 |
|
Date: |
Wed, 10 Oct 2012 18:12:44 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=cd4e45306cb0d60b1c9e42c56102675474ce5149
The branch, master has been updated
via cd4e45306cb0d60b1c9e42c56102675474ce5149 (commit)
via f16ef39ef0303b02d7fa590a37820440c466ce8d (commit)
from 80c4b5e316002b6b5d2ffaf22a22f8f8cce1a142 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit cd4e45306cb0d60b1c9e42c56102675474ce5149
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Oct 10 20:12:27 2012 +0200
Increased maximum password len in PKCS #12.
commit f16ef39ef0303b02d7fa590a37820440c466ce8d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Oct 10 20:11:28 2012 +0200
Bug fixes in the openssl encrypted PEM key parsing.
-----------------------------------------------------------------------
Summary of changes:
lib/x509/pkcs12_encr.c | 29 +++++++----
lib/x509/privkey_openssl.c | 68 +++++++++++++++++---------
tests/Makefile.am | 2 +-
tests/key-openssl.c | 113 ++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 176 insertions(+), 36 deletions(-)
create mode 100644 tests/key-openssl.c
diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c
index 8c02b1e..ba4e39e 100644
--- a/lib/x509/pkcs12_encr.c
+++ b/lib/x509/pkcs12_encr.c
@@ -43,6 +43,8 @@ _pkcs12_check_pass (const char *pass, size_t plen)
return 0;
}
+#define MAX_PASS_LEN 128
+
/* ID should be:
* 3 for MAC
* 2 for IV
@@ -63,9 +65,10 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const uint8_t
* salt,
bigint_t num_b1 = NULL, num_ij = NULL;
bigint_t mpi512 = NULL;
unsigned int pwlen;
- uint8_t hash[20], buf_b[64], buf_i[128], *p;
+ uint8_t hash[20], buf_b[64], buf_i[MAX_PASS_LEN*2+64], *p;
+ uint8_t d[64];
size_t cur_keylen;
- size_t n, m;
+ size_t n, m, p_size, i_size;
const uint8_t buf_512[] = /* 2^64 */
{ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -83,7 +86,7 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const uint8_t
* salt,
else
pwlen = strlen (pw);
- if (pwlen > 63 / 2)
+ if (pwlen > MAX_PASS_LEN)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
@@ -103,12 +106,17 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const
uint8_t * salt,
}
/* Store salt and password in BUF_I */
+ p_size = ((pwlen/64)*64) + 64;
+
+ if (p_size > sizeof(buf_i)-64)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
p = buf_i;
for (i = 0; i < 64; i++)
*p++ = salt[i % salt_size];
if (pw)
{
- for (i = j = 0; i < 64; i += 2)
+ for (i = j = 0; i < p_size; i += 2)
{
*p++ = 0;
*p++ = pw[j];
@@ -117,7 +125,9 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const
uint8_t * salt,
}
}
else
- memset (p, 0, 64);
+ memset (p, 0, p_size);
+
+ i_size = 64+p_size;
for (;;)
{
@@ -127,12 +137,9 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const
uint8_t * salt,
gnutls_assert ();
goto cleanup;
}
- for (i = 0; i < 64; i++)
- {
- unsigned char lid = id & 0xFF;
- _gnutls_hash (&md, &lid, 1);
- }
- _gnutls_hash (&md, buf_i, pw ? 128 : 64);
+ memset(d, id & 0xff, 64);
+ _gnutls_hash (&md, d, 64);
+ _gnutls_hash (&md, buf_i, pw ? i_size : 64);
_gnutls_hash_deinit (&md, hash);
for (i = 1; i < iter; i++)
{
diff --git a/lib/x509/privkey_openssl.c b/lib/x509/privkey_openssl.c
index 6ef1410..1c055ad 100644
--- a/lib/x509/privkey_openssl.c
+++ b/lib/x509/privkey_openssl.c
@@ -66,11 +66,17 @@ openssl_hash_password (const char *pass, gnutls_datum_t *
key, gnutls_datum_t *
{
err = gnutls_hash (hash, pass, strlen (pass));
if (err)
- goto hash_err;
+ {
+ gnutls_assert();
+ goto hash_err;
+ }
}
err = gnutls_hash (hash, salt->data, 8);
if (err)
- goto hash_err;
+ {
+ gnutls_assert();
+ goto hash_err;
+ }
gnutls_hash_deinit (hash, md5);
@@ -131,7 +137,7 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t
key,
const char *pem_header = (void*)data->data;
const char *pem_header_start = (void*)data->data;
ssize_t pem_header_size;
- int ret, err;
+ int ret;
unsigned int i, iv_size, l;
pem_header_size = data->size;
@@ -178,7 +184,7 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t
key,
salt.size = iv_size;
salt.data = gnutls_malloc (salt.size);
if (!salt.data)
- return GNUTLS_E_MEMORY_ERROR;
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
for (i = 0; i < salt.size * 2; i++)
{
@@ -231,35 +237,43 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t
key,
enc_key.size = gnutls_cipher_get_key_size (cipher);
enc_key.data = gnutls_malloc (enc_key.size);
if (!enc_key.data)
- goto out_b64;
+ {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto out_b64;
+ }
key_data = gnutls_malloc (b64_data.size);
if (!key_data)
- goto out_enc_key;
+ {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto out_enc_key;
+ }
while (1)
{
memcpy (key_data, b64_data.data, b64_data.size);
ret = openssl_hash_password (password, &enc_key, &salt);
- if (ret)
- goto out;
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto out;
+ }
- err = gnutls_cipher_init (&handle, cipher, &enc_key, &salt);
- if (err)
+ ret = gnutls_cipher_init (&handle, cipher, &enc_key, &salt);
+ if (ret < 0)
{
gnutls_assert();
gnutls_cipher_deinit (handle);
- ret = err;
goto out;
}
- err = gnutls_cipher_decrypt (handle, key_data, b64_data.size);
+ ret = gnutls_cipher_decrypt (handle, key_data, b64_data.size);
gnutls_cipher_deinit (handle);
- if (err)
+
+ if (ret < 0)
{
gnutls_assert();
- ret = -err;
goto out;
}
@@ -278,7 +292,10 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t
key,
keylen = 0;
if (lenlen > 3)
- goto fail;
+ {
+ gnutls_assert();
+ goto fail;
+ }
while (lenlen)
{
@@ -290,28 +307,31 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t
key,
keylen += ofs;
/* If there appears to be more padding than required, fail */
- if (b64_data.size - keylen >= blocksize)
- goto fail;
+ if (b64_data.size - keylen > blocksize)
+ {
+ gnutls_assert();
+ goto fail;
+ }
/* If the padding bytes aren't all equal to the amount of padding,
fail */
ofs = keylen;
while (ofs < b64_data.size)
{
if (key_data[ofs] != b64_data.size - keylen)
- goto fail;
+ {
+ gnutls_assert();
+ goto fail;
+ }
ofs++;
}
key_datum.data = key_data;
key_datum.size = keylen;
- err =
+ ret =
gnutls_x509_privkey_import (key, &key_datum,
GNUTLS_X509_FMT_DER);
- if (!err)
- {
- ret = 0;
- goto out;
- }
+ if (ret == 0)
+ goto out;
}
fail:
ret = GNUTLS_E_DECRYPTION_FAILED;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d0061c1..b6c14be 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -70,7 +70,7 @@ ctests = mini-deflate simple gc set_pkcs12_cred certder
certuniqueid \
mini-loss-time mini-tdb mini-dtls-rehandshake mini-record \
mini-termination mini-x509-cas mini-x509-2 pkcs12_simple \
mini-emsgsize-dtls mini-handshake-timeout chainverify-unsorted \
- mini-dtls-heartbeat mini-x509-callbacks
+ mini-dtls-heartbeat mini-x509-callbacks key-openssl
if ENABLE_OCSP
ctests += ocsp
diff --git a/tests/key-openssl.c b/tests/key-openssl.c
new file mode 100644
index 0000000..9d2ef9d
--- /dev/null
+++ b/tests/key-openssl.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2008-2012 Free Software Foundation, Inc.
+ *
+ * Author: David MarÃn Carreño
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+
+#include "utils.h"
+
+static void
+tls_log_func (int level, const char *str)
+{
+ fprintf (stderr, "%s |<%d>| %s", "crq_key_id", level, str);
+}
+
+const char key1[] =
+"-----BEGIN RSA PRIVATE KEY-----\n"
+"Proc-Type: 4,ENCRYPTED\n"
+"DEK-Info: DES-EDE3-CBC,82B2F7684A1713F8\n"
+"\n"
+"1zzOuu89dfFc2UkFCtSJBsBeEFxV8wE84OSxoWu4aYkPhl1LR08BchaTbjeLTP0b\n"
+"t961vVpva0ekJkwGDEgmqlGjmhJq9y2sJfq7IeYa8OdTilfGrG1xeJ1QGBi6SCfR\n"
+"s/PhkMxwGBtrZ2Z7bEcLT5dQKmKRqsthnClQggmngvk7zX7bPk0hKQKvf+FDxt6x\n"
+"hzEaF3k9juU6vAVVSakrZ4QDqk9MUuTGHx0ksTDcC4EESS0l3Ybuum/rAzR4lQKR\n"
+"4OLmAeYBDl+l/PSMllfd5x/z1YXYoiAbkpT4ix0lyZJgHrvrYIeUtJk2ODiMHezL\n"
+"9BbK7EobtOGmrDLUNVX5BpdaExkWMGkioqzs2QqD/VkKu8RcNSsHVGqkdWKuhzXo\n"
+"wcczQ+RiHckN2uy/zApubEWZNLPeDQ499kaF+QdZ+h4RM6E1r1Gu+A==\n"
+"-----END RSA PRIVATE KEY-----\n";
+
+const char key2[] =
+"-----BEGIN RSA PRIVATE KEY-----\n"
+"Proc-Type: 4,ENCRYPTED\n"
+"DEK-Info: AES-128-CBC,2A57FF97B701B3F760145D7446929481\n"
+"\n"
+"mGAPhSw48wZBnkHOhfMDg8yL2IBgMuTmeKE4xoHi7T6isHBNfkqMd0iJ+DJP/OKb\n"
+"t+7lkKjj/xQ7w/bOBvBxlfRe4MW6+ejCdAFD9XSolW6WN6CEJPMI4UtmOK5inqcC\n"
+"8l2l54f/VGrVN9uavU3KlXCjrd3Jp9B0Mu4Zh/UU4+EWs9rJAZfLIn+vHZ3OHetx\n"
+"g74LdV7nC7lt/fjxc1caNIfgHs40dUt9FVrnJvAtkcNMtcjX/D+L8ZrLgQzIWFcs\n"
+"WAbUZj7Me22mCli3RPET7Je37K59IzfWgbWFCGaNu3X02g5xtCfdcn/Uqy9eofH0\n"
+"YjKRhpgXPeGJCkoRqDeUHQNPpVP5HrzDZMVK3E4DC03C8qvgsYvuwYt3KkbG2fuA\n"
+"F3bDyqlxSOm7uxF/K3YzI44v8/D8GGnLBTpN+ANBdiY=\n"
+"-----END RSA PRIVATE KEY-----\n";
+
+void
+doit (void)
+{
+ gnutls_x509_privkey_t pkey;
+ int ret;
+ gnutls_datum_t key;
+
+ ret = gnutls_global_init ();
+ if (ret < 0)
+ fail ("gnutls_global_init: %d\n", ret);
+
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ ret = gnutls_x509_privkey_init (&pkey);
+ if (ret < 0)
+ fail ("gnutls_x509_privkey_init: %d\n", ret);
+
+ key.data = (void*)key1;
+ key.size = sizeof(key1);
+ ret = gnutls_x509_privkey_import_openssl (pkey, &key, "123456");
+ if (ret < 0)
+ {
+ fail ("gnutls_x509_privkey_import_openssl (key1): %s\n",
gnutls_strerror(ret)) ;
+ }
+ gnutls_x509_privkey_deinit (pkey);
+
+ ret = gnutls_x509_privkey_init (&pkey);
+ if (ret < 0)
+ fail ("gnutls_x509_privkey_init: %d\n", ret);
+
+ key.data = (void*)key2;
+ key.size = sizeof(key2);
+ ret = gnutls_x509_privkey_import_openssl (pkey, &key, "a123456");
+ if (ret < 0)
+ {
+ fail ("gnutls_x509_privkey_import_openssl (key2): %s\n",
gnutls_strerror(ret)) ;
+ }
+ gnutls_x509_privkey_deinit (pkey);
+
+
+ gnutls_global_deinit ();
+}
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-73-gcd4e453,
Nikos Mavrogiannopoulos <=