In cases where we ask PEM_def_callback for minimum 0 length, accept 0 length

levitte · levitte · commit 36d2517a97f6 · 2018-05-12T10:22:22.000+02:00
Fixes #4716 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #6173) (cherry picked from commit c82c346)
diff --git a/CHANGES b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
 
+  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+     now allow empty (zero character) pass phrases.
+     [Richard Levitte]
+
   *) Certificate time validation (X509_cmp_time) enforces stricter
      compliance with RFC 5280. Fractional seconds and timezone offsets
      are no longer allowed.
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
@@ -408,7 +408,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
         keylen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u);
     else
         keylen = callback(buf, PEM_BUFSIZE, 0, u);
-    if (keylen <= 0) {
+    if (keylen < 0) {
         PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ);
         return 0;
     }
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
@@ -124,7 +124,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
         klen = cb(psbuf, PEM_BUFSIZE, 0, u);
     else
         klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
-    if (klen <= 0) {
+    if (klen < 0) {
         PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
         X509_SIG_free(p8);
         return NULL;
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
@@ -59,7 +59,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
             klen = cb(psbuf, PEM_BUFSIZE, 0, u);
         else
             klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
-        if (klen <= 0) {
+        if (klen < 0) {
             PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ);
             X509_SIG_free(p8);
             goto err;
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
@@ -685,7 +685,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
             inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
         else
             inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
-        if (inlen <= 0) {
+        if (inlen < 0) {
             PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ);
             goto err;
         }

Original file line number	Diff line number	Diff line change
`@@ -408,7 +408,7 @@ int PEM_do_header(EVP_CIPHER_INFO cipher, unsigned char data, long *plen,`
`408`	`408`	`keylen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u);`
`409`	`409`	`else`
`410`	`410`	`keylen = callback(buf, PEM_BUFSIZE, 0, u);`
`411`		`- if (keylen <= 0) {`
	`411`	`+ if (keylen < 0) {`
`412`	`412`	`PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ);`
`413`	`413`	`return 0;`
`414`	`414`	`}`
Original file line number	Diff line number	Diff line change
`@@ -685,7 +685,7 @@ static EVP_PKEY do_PVK_body(const unsigned char *in,`
`685`	`685`	`inlen = cb(psbuf, PEM_BUFSIZE, 0, u);`
`686`	`686`	`else`
`687`	`687`	`inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);`
`688`		`- if (inlen <= 0) {`
	`688`	`+ if (inlen < 0) {`
`689`	`689`	`PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ);`
`690`	`690`	`goto err;`
`691`	`691`	`}`