From 0ca219575ad7059235a5edb91cf834fc70be9c53 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 10 Dec 2021 17:36:37 +0100
Subject: [PATCH] mbedtls_pk_parse_key: don't allocate if not needed

mbedtls_pk_parse_key() makes a temporary copy of the key when it calls pk_parse_key_pkcs8_encrypted_der(), because that function requires a writable buffer. pk_parse_key_pkcs8_encrypted_der() always rejects an empty password, so skip calling it in that case, which allows us to skip the allocation as well.

Signed-off-by: Gilles Peskine
---
 ChangeLog.d/pkparse-pkcs8-unencrypted-no-alloc.txt | 3 +++
 library/pkparse.c | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 ChangeLog.d/pkparse-pkcs8-unencrypted-no-alloc.txt

diff --git a/ChangeLog.d/pkparse-pkcs8-unencrypted-no-alloc.txt b/ChangeLog.d/pkparse-pkcs8-unencrypted-no-alloc.txt
new file mode 100644
index 000000000..9d7a32ea0
--- /dev/null
+++ b/ChangeLog.d/pkparse-pkcs8-unencrypted-no-alloc.txt
@@ -0,0 +1,3 @@
+Changes
+ * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
+ temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
diff --git a/library/pkparse.c b/library/pkparse.c
index b2d3bb074..22dab3ad7 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -1343,6 +1343,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
 * error */
 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+ if( pwdlen != 0 )
 {
 unsigned char *key_copy;
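Review bot: With the added `if( pwdlen != 0 )` in library/pkparse.c, an empty password now bypasses the whole braced block that follows, and the code after that block (outside this hunk) presumably still inspects `ret`; confirm that `ret` cannot be 0 on the skipped path, otherwise a key that was never parsed could be reported as success. The guard also carries no comment, so its justification lives only in the commit message; I would add `/* pk_parse_key_pkcs8_encrypted_der() rejects an empty password, so skip the writable copy and the call. */` directly above it. A regression test that passes an encrypted PKCS#8 DER key with `pwdlen == 0` and expects a parse failure would pin the behaviour the commit message relies on. The block's closing brace and the start of `mbedtls_pk_parse_key()` are outside the hunk.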