From: Tomas Mraz
Date: Tue, 28 Dec 2021 11:46:31 +0000 (+0100)
Subject: try_pkcs12(): Correct handling of NUL termination of passphrases
X-Git-Tag: openssl-3.2.0-alpha1~3155
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1dfef929e43ebfa3a7f1108317f75747f92effb6;p=thirdparty%2Fopenssl.git
try_pkcs12(): Correct handling of NUL termination of passphrases
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/17320)
---
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index 3f21c904f4e..893828ee3ed 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -525,7 +525,7 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
     if (p12 != NULL) {
         char *pass = NULL;
-        char tpass[PEM_BUFSIZE];
+        char tpass[PEM_BUFSIZE + 1];
         size_t tpass_len;
         EVP_PKEY *pkey = NULL;
         X509 *cert = NULL;
@@ -547,17 +547,23 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
             OSSL_PARAM_END
         };
 
-        if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
+        if (!ossl_pw_get_passphrase(tpass, sizeof(tpass) - 1,
+                                    &tpass_len,
                                     pw_params, 0, &ctx->pwdata)) {
             ERR_raise(ERR_LIB_OSSL_STORE,
                       OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
             goto p12_end;
         }
         pass = tpass;
-        if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
+        /*
+         * ossl_pw_get_passphrase() does not NUL terminate but
+         * we must do it for PKCS12_parse()
+         */
+        pass[tpass_len] = '\0';
+        if (!PKCS12_verify_mac(p12, pass, tpass_len)) {
             ERR_raise_data(ERR_LIB_OSSL_STORE,
                            OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC,
-                           strlen(pass) == 0 ? "empty password" :
+                           tpass_len == 0 ? "empty password" :
                            "maybe wrong password");
             goto p12_end;
         }
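Review bot: The passphrase copied into `tpass` is still on the stack after the `goto p12_end` paths in the second hunk, and nothing in either hunk wipes it; the rest of try_pkcs12 (including the `PKCS12_parse()` call the new comment refers to and the `p12_end` label) lies outside the hunk, so unless that part already cleanses the buffer, add `OPENSSL_cleanse(tpass, sizeof(tpass));` at `p12_end` so the secret does not outlive the call. The new `pass[tpass_len] = '\0';` is safe only because the call now passes `sizeof(tpass) - 1` as the limit; a comment such as `/* tpass_len <= PEM_BUFSIZE, so the terminator fits in the extra byte */` would make that coupling explicit for the next editor. Note also that `PKCS12_verify_mac()` now receives `tpass_len` while `PKCS12_parse()` presumably treats `pass` as a C string, so a passphrase containing an embedded NUL would be checked against two different lengths; if `ossl_pw_get_passphrase()` can return one, rejecting `tpass_len != strlen(pass)` up front keeps both calls consistent.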