auth-nonascii test fails or segfaults depending on system environment

David Woodhouse dwmw2 at infradead.org
Mon Aug 14 07:03:44 PDT 2017


On Mon, 2017-08-14 at 15:36 +0200, Nikos Mavrogiannopoulos wrote:
> On Mon, Aug 14, 2017 at 2:36 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> > 
> > I actually had a fix for that lying around in my tree for a while; have
> > finally pushed it now. Thanks!
> > 
> > I note that the auth-nonascii test still fails on Ubuntu 16.04, as even
> > in the trivial case of the default UTF-8 (in my case en_GB) locale,
> > GnuTLS won't open the file:
> > 
> > Using certificate file ./certs/user-key-nonascii-password.p12
> > Failed to process PKCS#12 file: The given password contains invalid characters.
>
> Works ok here with 3.5.x. However note that you are using PKCS#12 with
> AES, meaning that you are using PKCS#5 which is not well defined with
> other than ASCII passwords. I think versions before 3.5.x will refuse
> to accept such passwords as I considered that to be the safe approach
> with the under-defined standard.

Hm, I should probably expand my auth-nonascii test to cover all the
various file format/PBKDF variants that the basic one does. Or just
change the password in the basic tests.

> In later versions gnutls will follow:
> https://tools.ietf.org/html/draft-mavrogiannopoulos-pkcs5-passwords-01
> (you're co-author :)

Note that OpenSSL 1.1 is still broken in fairly much the same way you
describe there. It's just that the trigger changed from "is in a non-
ISO8859-1 locale" to "is in a locale which is neither ISO8859-1 nor
UTF-8". (And in fact current OpenSSL when running in an ISO8859-1
locale will screw up on some passwords and treat them as UTF-8.)
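
Added example, not part of the original message and not code from GnuTLS, OpenSSL or OpenConnect: it shows why a PKCS#5 key derived from a non-ASCII password depends on the locale's charset, and how guessing the encoding can confuse two different passwords. The salt, iteration count, passwords and function names are constructed for illustration, and UTF-8 as the canonical encoding is an assumption of this sketch.

```python
import hashlib

# Constructed sample values; none of them come from the original message.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 2048
PW_UMLAUT = "p\u00e4ssword"    # "pässword"
PW_MOJIBAKE = "\u00c3\u00a9"   # "Ã©": its ISO8859-1 octets C3 A9 are also valid UTF-8
PW_E_ACUTE = "\u00e9"          # "é": UTF-8 octets C3 A9


def pbkdf2_key(octets: bytes) -> bytes:
    """PBKDF2 (PKCS#5 v2) operates on octets; it has no notion of characters."""
    return hashlib.pbkdf2_hmac("sha256", octets, SALT, ITERATIONS, dklen=32)


def key_naive(password: str, charset: str) -> bytes:
    """Pass the octets produced by the user's locale straight to the KDF."""
    return pbkdf2_key(password.encode(charset))


def key_guessing(password: str, charset: str) -> bytes:
    """Ignore the locale: take the input as UTF-8 if it parses, else ISO8859-1.
    A simplified model of such guessing, not any library's real code."""
    raw = password.encode(charset)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("iso8859-1")
    return pbkdf2_key(text.encode("utf-8"))


def key_normalized(password: str, charset: str) -> bytes:
    """Decode with the locale's declared charset, then always hash UTF-8."""
    raw = password.encode(charset)
    return pbkdf2_key(raw.decode(charset).encode("utf-8"))


if __name__ == "__main__":
    for name, fn in [("naive", key_naive), ("guessing", key_guessing),
                     ("normalized", key_normalized)]:
        same = fn(PW_UMLAUT, "utf-8") == fn(PW_UMLAUT, "iso8859-1")
        print(f"{name:10s} same key in both locales: {same}")
    clash = key_guessing(PW_MOJIBAKE, "iso8859-1") == key_normalized(PW_E_ACUTE, "utf-8")
    print("guessing confuses two different passwords:", clash)
```

A test suite covering this should exercise each file format and KDF variant under at least a UTF-8 and a non-UTF-8 locale, since the naive path only fails once the two locales produce different octets.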


