cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Simplify password check in pem_read_buffer()

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2013-07-09 16:35:23 +02:00
parent 791eed3f33
commit 7d4e5b739e
2 changed files with 8 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
include/polarssl/pem.h
View File

@ -84,8 +84,9 @@ void pem_init( pem_context *ctx );
* POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is * POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
* the length to skip) * the length to skip)
* *
* \note Checks password correctness by verifying if the decrypted * \note Attempts to check password correctness by verifying if
* text looks like a RSAPrivateKey or ECPrivateKey structure * the decrypted text starts with an ASN.1 sequence of
* appropriate length
* *
* \return 0 on success, ior a specific PEM error code * \return 0 on success, ior a specific PEM error code
*/ */

19
library/pem.c
View File

@ -333,21 +333,12 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
#endif /* POLARSSL_AES_C */ #endif /* POLARSSL_AES_C */
/* /*
* The result should look like RSAPrivateKey or ECPrivateKey * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3
* We use the following heuristic: * length bytes (allow 4 to be sure) in all known use cases.
* len must be more than 6 *
* byte 1 must be 0x30 (SEQUENCE tag) * Use that as heurisitic to try detecting password mismatchs.
* then allow for one to 3 length bytes
* then we must have 0x02 0x01 (INTEGER tag + length, for version)
* version must be less than 4 (leaves some room)
*/ */
if( ! ( len > 6 && buf[0] == 0x30 && ( if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 )
( buf[1] <= 0x7f && /* 1 length byte */
buf[2] == 0x02 && buf[3] == 0x01 && buf[4] < 4 ) ||
( buf[1] == 0x81 && /* 2 length bytes */
buf[3] == 0x02 && buf[4] == 0x01 && buf[5] < 4 ) ||
( buf[1] == 0x82 && /* 2 length bytes */
buf[4] == 0x02 && buf[5] == 0x01 && buf[6] < 4 ) ) ) )
{ {
polarssl_free( buf ); polarssl_free( buf );
return( POLARSSL_ERR_PEM_PASSWORD_MISMATCH ); return( POLARSSL_ERR_PEM_PASSWORD_MISMATCH );