]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
gnutls_x509_privkey_import2: better behavior when provided with an unencrypted file
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 25 Jun 2015 13:01:17 +0000 (15:01 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 25 Jun 2015 13:01:20 +0000 (15:01 +0200)
That is, it will attempt to decode it first as plain file prior to
trying all encrypted options.

lib/x509/privkey.c

index 5892846d8d32c9751a46e406de60a710e7d1558e..dd791157db91e1f93395876353b672b7ef979a74 100644 (file)
@@ -654,9 +654,30 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
 {
        int ret = 0;
        char pin[GNUTLS_PKCS11_MAX_PIN_LEN];
+       unsigned head_enc = 1;
 
-       if (password == NULL && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) {
+       if (format == GNUTLS_X509_FMT_PEM) {
+               unsigned size;
+               char *ptr = memmem(data->data, data->size, "-----BEGIN ", sizeof("-----BEGIN ")-1);
+               if (ptr != NULL) {
+                       ptr += sizeof("-----BEGIN ")-1;
+                       size = data->size - ((ptrdiff_t)ptr - (ptrdiff_t)data->data);
+
+                       if (size > sizeof(PEM_KEY_RSA)) {
+                               if (memcmp(ptr, PEM_KEY_RSA, sizeof(PEM_KEY_RSA)-1) == 0 ||
+                                   memcmp(ptr, PEM_KEY_ECC, sizeof(PEM_KEY_ECC)-1) == 0 ||
+                                   memcmp(ptr, PEM_KEY_DSA, sizeof(PEM_KEY_DSA)-1) == 0) {
+                                       head_enc = 0;
+                               }
+                       }
+               }
+       }
+
+       if (head_enc == 0 || (password == NULL && !(flags & GNUTLS_PKCS_NULL_PASSWORD))) {
                ret = gnutls_x509_privkey_import(key, data, format);
+               if (ret >= 0)
+                       return ret;
+
                if (ret < 0) {
                        gnutls_assert();
                }