[PATCH 1/3] gnutls: Handle empty (but not NULL) passwords on PKCS#12 certs
Kevin Cernekee
cernekee at gmail.com
Mon Mar 31 23:09:14 EDT 2014
GnuTLS can accept PKCS#12 certs with either empty or NULL passwords[1],
but unlike OpenSSL[2], both options need to be tried separately.
[1] https://gitorious.org/gnutls/gnutls/commit/7c4c21c0e84a539558e3e1689d8a7b8a2c4c0056
[2] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a331a305e9c9c5353bd42db6dbda78a418285708
Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
gnutls.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/gnutls.c b/gnutls.c
index 36164db..7400d17 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -345,7 +345,15 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
pass = vpninfo->cert_password;
while ((err = gnutls_pkcs12_verify_mac(p12, pass)) == GNUTLS_E_MAC_VERIFY_FAILED) {
- if (pass)
+ if (!pass) {
+ /* OpenSSL's PKCS12_parse() code will try both NULL and "" automatically,
+ * but GnuTLS requires two separate attempts. */
+ err = gnutls_pkcs12_verify_mac(p12, "");
+ if (err != GNUTLS_E_MAC_VERIFY_FAILED) {
+ pass = strdup("");
+ break;
+ }
+ } else
vpn_progress(vpninfo, PRG_ERR,
_("Failed to decrypt PKCS#12 certificate file\n"));
free(pass);
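Review bot: the `pass = strdup("");` on the success path of the new `if (!pass)` block is unchecked, so on allocation failure `pass` stays NULL while `err` says the empty password verified, and any later code that keys off `pass` being non-NULL would misbehave; consider testing the `strdup()` result, or avoiding the allocation by pointing `pass` at a static `""` if the surrounding `free(pass)` handling allows it. Two smaller points in the same block: the `break` is also taken when the `""` attempt returns an error other than `GNUTLS_E_MAC_VERIFY_FAILED`, which is correct only if the code after the loop checks `err` before using `p12` (the hunk does not show that check, so it is worth confirming), and the `} else` branch should get braces to match the braced `if` body above it.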
--
1.7.9.5