Inadeqate input validation and a reference leak in crypto.{load, dump}_privatekey
Bug #499628 reported by
Ziga Seilnacht
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| pyOpenSSL |
Fix Committed
|
Undecided
|
Unassigned | ||
Bug Description
crpto.load_
- they don't raise an error if a passphrase is specified with a serialization format that doesn't support encryption
- they truncate long passphrases supplied via callback
- they either overwrite the error raised by the passphrase (load_privatekey) callback or forget to cleanup OpenSSL's error stack in that case (dump_privatekey)
- they forget to decref the passphrase returned by the callback
- they are missing a few NULL checks
I'll submit a branch with the fixes.
Related branches
lp:~zseil/pyopenssl/privatekey-callback-fixes
- Jean-Paul Calderone: Pending requested
-
Diff: 385 lines (+197/-66)2 files modifiedsrc/crypto/crypto.c (+91/-66)
test/test_crypto.py (+106/-0)
Revision history for this message
| Jean-Paul Calderone (exarkun) wrote | #1 |
| Changed in pyopenssl: | |
| status: | New → Fix Committed |
To post a comment you must log in.
Thanks. Fixed in r161.