[PATCH 1/3] gnutls: Handle empty (but not NULL) passwords on PKCS#12 certs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



GnuTLS can accept PKCS#12 certs with either empty or NULL passwords[1],
but unlike OpenSSL[2], both options need to be tried separately.

[1] https://gitorious.org/gnutls/gnutls/commit/7c4c21c0e84a539558e3e1689d8a7b8a2c4c0056
[2] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a331a305e9c9c5353bd42db6dbda78a418285708

Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
 gnutls.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/gnutls.c b/gnutls.c
index 36164db..7400d17 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -345,7 +345,15 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
 
 	pass = vpninfo->cert_password;
 	while ((err = gnutls_pkcs12_verify_mac(p12, pass)) == GNUTLS_E_MAC_VERIFY_FAILED) {
-		if (pass)
+		if (!pass) {
+			/* OpenSSL's PKCS12_parse() code will try both NULL and "" automatically,
+			 * but GnuTLS requires two separate attempts. */
+			err = gnutls_pkcs12_verify_mac(p12, "");
+			if (err != GNUTLS_E_MAC_VERIFY_FAILED) {
+				pass = strdup("");
+				break;
+			}
+		} else
 			vpn_progress(vpninfo, PRG_ERR,
 				     _("Failed to decrypt PKCS#12 certificate file\n"));
 		free(pass);
-- 
1.7.9.5




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux