]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Bug fixes in the openssl encrypted PEM key parsing.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 10 Oct 2012 18:11:28 +0000 (20:11 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 10 Oct 2012 18:11:28 +0000 (20:11 +0200)
lib/x509/privkey_openssl.c
tests/Makefile.am
tests/key-openssl.c [new file with mode: 0644]

index 6ef1410caac2e51f5cbd43a8b268f17f8e7c64b3..1c055ad97ae2797786c5e6cb176b72bc0ecfb142 100644 (file)
@@ -66,11 +66,17 @@ openssl_hash_password (const char *pass, gnutls_datum_t * key, gnutls_datum_t *
         {
           err = gnutls_hash (hash, pass, strlen (pass));
           if (err)
-            goto hash_err;
+            {
+              gnutls_assert();
+              goto hash_err;
+            }
         }
       err = gnutls_hash (hash, salt->data, 8);
       if (err)
-        goto hash_err;
+        {
+          gnutls_assert();
+          goto hash_err;
+        }
 
       gnutls_hash_deinit (hash, md5);
 
@@ -131,7 +137,7 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t key,
   const char *pem_header = (void*)data->data;
   const char *pem_header_start = (void*)data->data;
   ssize_t pem_header_size;
-  int ret, err;
+  int ret;
   unsigned int i, iv_size, l;
 
   pem_header_size = data->size;
@@ -178,7 +184,7 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t key,
   salt.size = iv_size;
   salt.data = gnutls_malloc (salt.size);
   if (!salt.data)
-    return GNUTLS_E_MEMORY_ERROR;
+    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
     
   for (i = 0; i < salt.size * 2; i++)
     {
@@ -231,35 +237,43 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t key,
   enc_key.size = gnutls_cipher_get_key_size (cipher);
   enc_key.data = gnutls_malloc (enc_key.size);
   if (!enc_key.data)
-    goto out_b64;
+    {
+      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+      goto out_b64;
+    }
 
   key_data = gnutls_malloc (b64_data.size);
   if (!key_data)
-    goto out_enc_key;
+    {
+      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+      goto out_enc_key;
+    }
 
   while (1)
     {
       memcpy (key_data, b64_data.data, b64_data.size);
 
       ret = openssl_hash_password (password, &enc_key, &salt);
-      if (ret)
-        goto out;
+      if (ret < 0)
+        {
+          gnutls_assert();
+          goto out;
+        }
 
-      err = gnutls_cipher_init (&handle, cipher, &enc_key, &salt);
-      if (err)
+      ret = gnutls_cipher_init (&handle, cipher, &enc_key, &salt);
+      if (ret < 0)
         {
           gnutls_assert();
           gnutls_cipher_deinit (handle);
-          ret = err;
           goto out;
         }
 
-      err = gnutls_cipher_decrypt (handle, key_data, b64_data.size);
+      ret = gnutls_cipher_decrypt (handle, key_data, b64_data.size);
       gnutls_cipher_deinit (handle);
-      if (err)
+
+      if (ret < 0)
         {
           gnutls_assert();
-          ret = -err;
           goto out;
         }
 
@@ -278,7 +292,10 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t key,
               keylen = 0;
 
               if (lenlen > 3)
-                goto fail;
+                {
+                  gnutls_assert();
+                  goto fail;
+                }
 
               while (lenlen)
                 {
@@ -290,28 +307,31 @@ gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t key,
           keylen += ofs;
 
           /* If there appears to be more padding than required, fail */
-          if (b64_data.size - keylen >= blocksize)
-            goto fail;
+          if (b64_data.size - keylen > blocksize)
+            {
+              gnutls_assert();
+              goto fail;
+            }
 
           /* If the padding bytes aren't all equal to the amount of padding, fail */
           ofs = keylen;
           while (ofs < b64_data.size)
             {
               if (key_data[ofs] != b64_data.size - keylen)
-                goto fail;
+                {
+                  gnutls_assert();
+                  goto fail;
+                }
               ofs++;
             }
 
           key_datum.data = key_data;
           key_datum.size = keylen;
-          err =
+          ret =
               gnutls_x509_privkey_import (key, &key_datum,
                                           GNUTLS_X509_FMT_DER);
-          if (!err)
-            {
-              ret = 0;
-              goto out;
-            }
+          if (ret == 0)
+            goto out;
         }
     fail:
       ret = GNUTLS_E_DECRYPTION_FAILED;
index d0061c14b88ebdfcbbdc1fa40c5cdbec1861f0ef..b6c14bead6834ea2e559e61faa7e0a408975925e 100644 (file)
@@ -70,7 +70,7 @@ ctests = mini-deflate simple gc set_pkcs12_cred certder certuniqueid  \
         mini-loss-time mini-tdb mini-dtls-rehandshake mini-record \
         mini-termination mini-x509-cas mini-x509-2 pkcs12_simple \
         mini-emsgsize-dtls mini-handshake-timeout chainverify-unsorted \
-        mini-dtls-heartbeat mini-x509-callbacks
+        mini-dtls-heartbeat mini-x509-callbacks key-openssl
 
 if ENABLE_OCSP
 ctests += ocsp
diff --git a/tests/key-openssl.c b/tests/key-openssl.c
new file mode 100644 (file)
index 0000000..9d2ef9d
--- /dev/null
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2008-2012 Free Software Foundation, Inc.
+ *
+ * Author: David Marín Carreño
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+
+#include "utils.h"
+
+static void
+tls_log_func (int level, const char *str)
+{
+  fprintf (stderr, "%s |<%d>| %s", "crq_key_id", level, str);
+}
+
+const char key1[] = 
+"-----BEGIN RSA PRIVATE KEY-----\n"
+"Proc-Type: 4,ENCRYPTED\n"
+"DEK-Info: DES-EDE3-CBC,82B2F7684A1713F8\n"
+"\n"
+"1zzOuu89dfFc2UkFCtSJBsBeEFxV8wE84OSxoWu4aYkPhl1LR08BchaTbjeLTP0b\n"
+"t961vVpva0ekJkwGDEgmqlGjmhJq9y2sJfq7IeYa8OdTilfGrG1xeJ1QGBi6SCfR\n"
+"s/PhkMxwGBtrZ2Z7bEcLT5dQKmKRqsthnClQggmngvk7zX7bPk0hKQKvf+FDxt6x\n"
+"hzEaF3k9juU6vAVVSakrZ4QDqk9MUuTGHx0ksTDcC4EESS0l3Ybuum/rAzR4lQKR\n"
+"4OLmAeYBDl+l/PSMllfd5x/z1YXYoiAbkpT4ix0lyZJgHrvrYIeUtJk2ODiMHezL\n"
+"9BbK7EobtOGmrDLUNVX5BpdaExkWMGkioqzs2QqD/VkKu8RcNSsHVGqkdWKuhzXo\n"
+"wcczQ+RiHckN2uy/zApubEWZNLPeDQ499kaF+QdZ+h4RM6E1r1Gu+A==\n"
+"-----END RSA PRIVATE KEY-----\n";
+
+const char key2[] = 
+"-----BEGIN RSA PRIVATE KEY-----\n"
+"Proc-Type: 4,ENCRYPTED\n"
+"DEK-Info: AES-128-CBC,2A57FF97B701B3F760145D7446929481\n"
+"\n"
+"mGAPhSw48wZBnkHOhfMDg8yL2IBgMuTmeKE4xoHi7T6isHBNfkqMd0iJ+DJP/OKb\n"
+"t+7lkKjj/xQ7w/bOBvBxlfRe4MW6+ejCdAFD9XSolW6WN6CEJPMI4UtmOK5inqcC\n"
+"8l2l54f/VGrVN9uavU3KlXCjrd3Jp9B0Mu4Zh/UU4+EWs9rJAZfLIn+vHZ3OHetx\n"
+"g74LdV7nC7lt/fjxc1caNIfgHs40dUt9FVrnJvAtkcNMtcjX/D+L8ZrLgQzIWFcs\n"
+"WAbUZj7Me22mCli3RPET7Je37K59IzfWgbWFCGaNu3X02g5xtCfdcn/Uqy9eofH0\n"
+"YjKRhpgXPeGJCkoRqDeUHQNPpVP5HrzDZMVK3E4DC03C8qvgsYvuwYt3KkbG2fuA\n"
+"F3bDyqlxSOm7uxF/K3YzI44v8/D8GGnLBTpN+ANBdiY=\n"
+"-----END RSA PRIVATE KEY-----\n";
+
+void
+doit (void)
+{
+  gnutls_x509_privkey_t pkey;
+  int ret;
+  gnutls_datum_t key;
+
+  ret = gnutls_global_init ();
+  if (ret < 0)
+    fail ("gnutls_global_init: %d\n", ret);
+
+  gnutls_global_set_log_function (tls_log_func);
+  if (debug)
+    gnutls_global_set_log_level (4711);
+
+  ret = gnutls_x509_privkey_init (&pkey);
+  if (ret < 0)
+     fail ("gnutls_x509_privkey_init: %d\n", ret);
+
+  key.data = (void*)key1;
+  key.size = sizeof(key1);
+  ret = gnutls_x509_privkey_import_openssl (pkey, &key, "123456");
+  if (ret < 0)
+    {
+      fail ("gnutls_x509_privkey_import_openssl (key1): %s\n", gnutls_strerror(ret)) ;
+    }
+  gnutls_x509_privkey_deinit (pkey);
+
+  ret = gnutls_x509_privkey_init (&pkey);
+  if (ret < 0)
+     fail ("gnutls_x509_privkey_init: %d\n", ret);
+
+  key.data = (void*)key2;
+  key.size = sizeof(key2);
+  ret = gnutls_x509_privkey_import_openssl (pkey, &key, "a123456");
+  if (ret < 0)
+    {
+      fail ("gnutls_x509_privkey_import_openssl (key2): %s\n", gnutls_strerror(ret)) ;
+    }
+  gnutls_x509_privkey_deinit (pkey);
+
+
+  gnutls_global_deinit ();
+}