
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-24-gefadaaf


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-24-gefadaaf
Date: Sat, 25 Aug 2012 13:39:06 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=efadaaf31d58d1264797ac77c70a710569fe8f01

The branch, master has been updated
       via  efadaaf31d58d1264797ac77c70a710569fe8f01 (commit)
       via  95a922c2a8b75e6eddbcc688c0d719d0b07ee395 (commit)
       via  2ec96fecc191d4b21430ef8f63f254f92c5e538e (commit)
      from  12e1a91a6b1e743bee721c887c620d9e8421cb27 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit efadaaf31d58d1264797ac77c70a710569fe8f01
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Aug 25 15:38:14 2012 +0200

    Changes in password handling of certtool.
    
    Ask for the password when it is required, and only if the '--password' option is not given.
    If the '--password' option is given during key generation, then assume the
    PKCS #8 format.

commit 95a922c2a8b75e6eddbcc688c0d719d0b07ee395
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Aug 25 15:37:17 2012 +0200

    Prevent the usage of strlen() on null values.

commit 2ec96fecc191d4b21430ef8f63f254f92c5e538e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Aug 25 15:20:38 2012 +0200

    doc update

-----------------------------------------------------------------------

Summary of changes:
 lib/gnutls_privkey.c     |    3 ++
 lib/x509/privkey_pkcs8.c |   12 +++++++-
 src/certtool-common.c    |   64 ++++++++++++++++++++++++++++++----------------
 src/certtool-common.h    |    2 +
 src/certtool.c           |   31 ++++++----------------
 5 files changed, 65 insertions(+), 47 deletions(-)

diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index ae41faf..abb7649 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -844,6 +844,9 @@ gnutls_privkey_decrypt_data (gnutls_privkey_t key,
  * This function will import the given private key to the abstract
  * #gnutls_privkey_t structure. 
  *
+ * The supported formats are typical X.509, PKCS #8 and the openssl
+ * format.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index d5b0243..2ccb5f9 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -1613,6 +1613,10 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn,
   cipher_hd_st ch;
   int ch_init = 0;
   int key_size;
+  unsigned int pass_len = 0;
+  
+  if (password)
+    pass_len = strlen(password);
 
   data_size = 0;
   result = asn1_read_value (pkcs8_asn, root, NULL, &data_size);
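Review bot: `pass_len` is declared `unsigned int` on the added line but receives the `size_t` result of `strlen(password)`, a narrowing conversion that `-Wconversion` flags; `size_t pass_len = 0;` keeps the types consistent, and the identical declaration added in generate_key further down has the same issue. The added blank line between the declaration and the `if` carries trailing whitespace. With the guard in place a NULL password now reaches `_gnutls_pbkdf2_sha1` as a NULL pointer with zero length; whether the KDF accepts that as an empty password is decided in the callee, which is not in this hunk, so a comment such as `/* NULL password: zero-length KDF input (confirm the callee tolerates a NULL pointer) */` would record the intent. decrypt_data begins before this hunk and continues past it.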
@@ -1661,7 +1665,7 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn,
     case PBES2_AES_192:
     case PBES2_AES_256:
 
-      result = _gnutls_pbkdf2_sha1 (password, strlen (password),
+      result = _gnutls_pbkdf2_sha1 (password, pass_len,
                                     kdf_params->salt, kdf_params->salt_size,
                                     kdf_params->iter_count, key, key_size);
 
@@ -1916,8 +1920,12 @@ generate_key (schema_id schema,
               struct pbe_enc_params *enc_params, gnutls_datum_t * key)
 {
   unsigned char rnd[2];
+  unsigned int pass_len = 0;
   int ret;
 
+  if (password)
+    pass_len = strlen(password);
+
   ret = _gnutls_rnd (GNUTLS_RND_RANDOM, rnd, 2);
   if (ret < 0)
     {
@@ -1991,7 +1999,7 @@ generate_key (schema_id schema,
     case PBES2_AES_192:
     case PBES2_AES_256:
 
-      ret = _gnutls_pbkdf2_sha1 (password, strlen (password),
+      ret = _gnutls_pbkdf2_sha1 (password, pass_len,
                                  kdf_params->salt, kdf_params->salt_size,
                                  kdf_params->iter_count,
                                  key->data, kdf_params->key_size);
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 3bf6536..a07fe02 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -102,46 +102,57 @@ load_secret_key (int mand, common_info_st * info)
   return &key;
 }
 
+const char* get_password(common_info_st * cinfo, unsigned int *flags, int 
confirm)
+{
+  if (cinfo->null_password)
+    {
+      if (flags) *flags |= GNUTLS_PKCS_NULL_PASSWORD;
+      return NULL;
+    }
+  else if (cinfo->password)
+    {
+      if (cinfo->password[0] == 0 && flags)
+        *flags |= GNUTLS_PKCS_PLAIN;
+      return cinfo->password;
+    }
+  else
+    {
+      if (confirm)
+        return get_confirmed_pass (true);
+      else
+        return get_pass ();
+    }
+}
+
 static gnutls_privkey_t _load_privkey(gnutls_datum_t *dat, common_info_st * 
info)
 {
 int ret;
 gnutls_privkey_t key;
-gnutls_x509_privkey_t xkey;
-
-  ret = gnutls_x509_privkey_init (&xkey);
-  if (ret < 0)
-    error (EXIT_FAILURE, 0, "x509_privkey_init: %s", gnutls_strerror (ret));
+unsigned int flags = 0;
+const char* pass;
 
   ret = gnutls_privkey_init (&key);
   if (ret < 0)
     error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
 
-  if (info->pkcs8)
+  ret = gnutls_privkey_import_x509_raw (key, dat, info->incert_format, NULL, 
0);
+  if (ret == GNUTLS_E_DECRYPTION_FAILED)
     {
-      const char *pass = get_pass ();
-      ret =
-        gnutls_x509_privkey_import_pkcs8 (xkey, dat, info->incert_format,
-                                          pass, 0);
+      pass = get_password (info, &flags, 0);
+      ret = gnutls_privkey_import_x509_raw (key, dat, info->incert_format, 
pass, flags);
     }
-  else
-    ret = gnutls_x509_privkey_import (xkey, dat, info->incert_format);
 
   if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
     {
       error (EXIT_FAILURE, 0,
              "import error: could not find a valid PEM header; "
-             "check if your key is PKCS #8 or PKCS #12 encoded");
+             "check if your key is PKCS #12 encoded");
     }
 
   if (ret < 0)
     error (EXIT_FAILURE, 0, "importing --load-privkey: %s: %s",
            info->privkey, gnutls_strerror (ret));
 
-  ret = gnutls_privkey_import_x509(key, xkey, 
GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
-  if (ret < 0)
-    error (EXIT_FAILURE, 0, "gnutls_privkey_import_x509: %s",
-           gnutls_strerror (ret));
-  
   return key;
 }
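Review bot: `get_password` becomes a shared helper of the tool (it is now declared in certtool-common.h) but carries no documentation, and its three outcomes are not obvious from the callers: with `null_password` it sets GNUTLS_PKCS_NULL_PASSWORD and returns NULL, with a `--password` value it returns that string and additionally sets GNUTLS_PKCS_PLAIN when the string is empty, and otherwise it prompts, through get_confirmed_pass when `confirm` is non-zero. A header comment on the definition stating those three cases and that `flags` may be NULL would save the next reader a trip through both call sites; whether the prompted string must be freed by the caller is not visible here and should be stated there too. In the rewritten `_load_privkey` the retry with a password happens only when the first import returns GNUTLS_E_DECRYPTION_FAILED, so a `--password` given for a key the library imports without one is never consulted; that is presumably intended, and a one-line comment above the retry, `/* unencrypted keys load without a prompt; ask only when decryption is actually needed */`, would make it explicit.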
 
@@ -229,6 +240,8 @@ load_x509_private_key (int mand, common_info_st * info)
   int ret;
   gnutls_datum_t dat;
   size_t size;
+  unsigned int flags = 0;
+  const char* pass;
 
   if (!info->privkey && !mand)
     return NULL;
@@ -248,13 +261,20 @@ load_x509_private_key (int mand, common_info_st * info)
 
   if (info->pkcs8)
     {
-      const char *pass = get_pass ();
+      pass = get_password (info, &flags, 0);
       ret =
         gnutls_x509_privkey_import_pkcs8 (key, &dat, info->incert_format,
-                                          pass, 0);
+                                          pass, flags);
     }
   else
-    ret = gnutls_x509_privkey_import (key, &dat, info->incert_format);
+    {
+      ret = gnutls_x509_privkey_import2 (key, &dat, info->incert_format, NULL, 
0);
+      if (ret == GNUTLS_E_DECRYPTION_FAILED)
+        {
+          pass = get_password (info, &flags, 0);
+          ret = gnutls_x509_privkey_import2 (key, &dat, info->incert_format, 
pass, flags);
+        }
+    }
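Review bot: The `info->pkcs8` branch still calls `get_password` before any import attempt, so with `--pkcs8` and no `--password` this loader prompts unconditionally, whereas `_load_privkey` in the same file now imports with a NULL password first and prompts only on GNUTLS_E_DECRYPTION_FAILED; the two loaders therefore behave differently for the same key, and the unconditional prompt here sits oddly with the commit's "ask password when required". If `gnutls_x509_privkey_import2` accepts PKCS #8 input as well (the doc hunk in lib/gnutls_privkey.c suggests the abstract-key path does, but import2 itself is not shown), the new `else` branch could serve the pkcs8 case too and the explicit branch could go; if it does not, a short comment on the branch explaining why the prompt is unconditional would help. load_x509_private_key starts before this hunk and continues after it.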
 
   free (dat.data);
 
@@ -262,7 +282,7 @@ load_x509_private_key (int mand, common_info_st * info)
     {
       error (EXIT_FAILURE, 0,
              "import error: could not find a valid PEM header; "
-             "check if your key is PKCS #8 or PKCS #12 encoded");
+             "check if your key is PKCS #12 encoded");
     }
 
   if (ret < 0)
diff --git a/src/certtool-common.h b/src/certtool-common.h
index a68e47b..cdfec62 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -88,6 +88,8 @@ print_dsa_pkey (FILE* outfile, gnutls_datum_t * x, 
gnutls_datum_t * y, gnutls_da
 
 FILE *safe_open_rw (const char *file, int privkey_op);
 
+const char* get_password(common_info_st * cinfo, unsigned int *flags, int 
confirm);
+
 extern unsigned char buffer[];
 extern const int buffer_size;
 
diff --git a/src/certtool.c b/src/certtool.c
index eab00f4..4e027ed 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -172,28 +172,6 @@ cipher_to_flags (const char *cipher)
   return -1;
 }
 
-static const char* get_password(common_info_st * cinfo, unsigned int *flags, 
int confirm)
-{
-  if (cinfo->null_password)
-    {
-      if (flags) *flags |= GNUTLS_PKCS_NULL_PASSWORD;
-      return NULL;
-    }
-  else if (cinfo->password)
-    {
-      if (cinfo->password[0] == 0 && flags)
-        *flags |= GNUTLS_PKCS_PLAIN;
-      return cinfo->password;
-    }
-  else
-    {
-      if (confirm)
-        return get_confirmed_pass (true);
-      else
-        return get_pass ();
-    }
-}
-
 
 static void
 print_private_key (common_info_st* cinfo, gnutls_x509_privkey_t key)
@@ -1027,7 +1005,14 @@ cmd_parser (int argc, char **argv)
     cinfo.pkcs_cipher = OPT_ARG(PKCS_CIPHER);
 
   if (HAVE_OPT(PASSWORD))
-    cinfo.password = OPT_ARG(PASSWORD);
+    {
+      cinfo.password = OPT_ARG(PASSWORD);
+      if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.pkcs8 == 0)
+        {
+          fprintf(stderr, "Assuming PKCS #8 format...\n");
+          cinfo.pkcs8 = 1;
+        }
+    }
 
   if (HAVE_OPT(NULL_PASSWORD))
     {
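Review bot: The new block forces `cinfo.pkcs8 = 1` whenever `--password` accompanies `--generate-privkey`, but it tests `cinfo.pkcs8 == 0` at this point in cmd_parser, so it is only correct if `--pkcs8` has already been folded into `cinfo.pkcs8` earlier in the function, which is outside the hunk and worth confirming. The "Assuming PKCS #8 format..." notice is also printed when `--null-password` is given alongside, although `get_password` lets `null_password` take precedence over `password`. A comment on the condition, `/* a password given at key generation implies PKCS #8 output */`, would document why the format is overridden here. cmd_parser continues outside the hunk.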


hooks/post-receive
-- 
GNU gnutls


