authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-09 14:31:24 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2016-11-20 17:31:49 +0100
commit471c53440259267f368cacb3f3a9d22b622b7058 (patch)
tree6e22629fa05b66702ea7e401290af79169b2e941
parentb2cfc673ba7052cbc1654e0cb009972360902cef (diff)
openssl_hash_password: normalize the password prior to use
-rw-r--r--lib/x509/privkey_openssl.c43
1 files changed, 29 insertions, 14 deletions
diff --git a/lib/x509/privkey_openssl.c b/lib/x509/privkey_openssl.c
index 563ab99de6..643b3788f7 100644
--- a/lib/x509/privkey_openssl.c
+++ b/lib/x509/privkey_openssl.c
@@ -34,38 +34,50 @@
#include <random.h>
static int
-openssl_hash_password(const char *pass, gnutls_datum_t * key,
+openssl_hash_password(const char *_password, gnutls_datum_t * key,
gnutls_datum_t * salt)
{
unsigned char md5[16];
digest_hd_st hd;
unsigned int count = 0;
- int err;
+ int ret;
+ char *password = NULL;
+
+ if (_password != NULL) {
+ gnutls_datum_t pout;
+ ret = _gnutls_utf8_password_normalize(_password, strlen(_password), &pout);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ password = (char*)pout.data;
+ }
while (count < key->size) {
- err = _gnutls_hash_init(&hd, mac_to_entry(GNUTLS_MAC_MD5));
- if (err) {
+ ret = _gnutls_hash_init(&hd, mac_to_entry(GNUTLS_MAC_MD5));
+ if (ret < 0) {
gnutls_assert();
- return err;
+ goto cleanup;
}
+
if (count) {
- err = _gnutls_hash(&hd, md5, sizeof(md5));
- if (err) {
+ ret = _gnutls_hash(&hd, md5, sizeof(md5));
+ if (ret < 0) {
hash_err:
_gnutls_hash_deinit(&hd, NULL);
gnutls_assert();
- return err;
+ goto cleanup;
}
}
- if (pass) {
- err = _gnutls_hash(&hd, pass, strlen(pass));
- if (err) {
+
+ if (password) {
+ ret = _gnutls_hash(&hd, password, strlen(password));
+ if (ret < 0) {
gnutls_assert();
goto hash_err;
}
}
- err = _gnutls_hash(&hd, salt->data, 8);
- if (err) {
+ ret = _gnutls_hash(&hd, salt->data, 8);
+ if (ret < 0) {
gnutls_assert();
goto hash_err;
}
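Review bot: The new `if (ret < 0) return gnutls_assert_val(ret);` after `_gnutls_utf8_password_normalize()` turns a normalization failure into a hard error. The old code hashed whatever bytes the caller passed. If the helper rejects input that is not valid UTF-8 (its body is not visible here, so this is inferred), a legacy key whose passphrase was entered in another encoding can no longer be decrypted. A passphrase whose normalized form differs from its raw bytes will also derive a different MD5 key than the tool that encrypted the file. The block should carry a comment stating this, for example `/* the key is derived from the normalized password; raw bytes that are not valid UTF-8 are rejected */`, and a test importing a key with a non-ASCII passphrase would pin the intended behaviour. The loop body continues past the end of this hunk.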
@@ -80,8 +92,11 @@ openssl_hash_password(const char *pass, gnutls_datum_t * key,
memcpy(&key->data[count], md5, sizeof(md5));
count += sizeof(md5);
}
+ ret = 0;
- return 0;
+ cleanup:
+ gnutls_free(password);
+ return ret;
}
struct pem_cipher {
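Review bot: The normalized copy of the passphrase is released at `cleanup:` with a plain `gnutls_free(password);`, so the secret stays readable in freed heap memory until it is reused. Wipe it before freeing with a call that the compiler cannot elide, for example `if (password != NULL) gnutls_memset(password, 0, strlen(password));` placed just before the `gnutls_free()`, or use the library's own key-zeroizing helper if one is preferred here. The stack buffer `md5[16]`, declared in the first hunk, holds derived key bytes and could be cleared on the same path. The function starts outside this hunk.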