From: Jouni Malinen Date: Mon, 17 Aug 2015 23:06:02 +0000 (+0300) Subject: BoringSSL: Fix PKCS12_parse() segfault when used without password X-Git-Tag: hostap_2_5~138 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c07e7b43e91f8058b38e5534a53302f69d037dc8;p=thirdparty%2Fhostap.git BoringSSL: Fix PKCS12_parse() segfault when used without password Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require the password pointer to be non-NULL even if no password is present. Map passwd == NULL to passwd = "" to avoid a NULL pointer dereference within BoringSSL. Signed-off-by: Jouni Malinen --- diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index e3f8401ba..8c2df224f 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2076,6 +2076,8 @@ static int tls_parse_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, PKCS12 *p12, pkey = NULL; cert = NULL; certs = NULL; + if (!passwd) + passwd = ""; if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) { tls_show_errors(MSG_DEBUG, __func__, "Failed to parse PKCS12 file");
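Review bot: the NULL-to-"" mapping added just before the PKCS12_parse() call in tls_parse_pkcs12() is unconditional and uncommented, while the commit message ties the requirement to BoringSSL only. Consider a one-line comment at the check saying that it avoids a NULL pointer dereference inside BoringSSL's PKCS12_parse(), so the two lines are not later removed as redundant. Also consider either wrapping the check in #ifdef OPENSSL_IS_BORINGSSL or stating in the commit message that passing "" instead of NULL was confirmed to behave the same on OpenSSL builds, since this function is shared by both. The message says BoringSSL "seems to" require a non-NULL pointer; recording which BoringSSL revision showed the segfault would help whoever revisits this workaround.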