Bug 1490: Cannot use unencrypted client certificate file (.pfx/.p12 f…

…ormat)

https://winscp.net/tracker/1490

+ Test certificate files

(cherry picked from commit 56ed4a9)

Source commit: 81f7349129d5e50a52e85bc267b533f134b53296

libs/openssl/crypto/pkcs12/p12_key.c

@@ -77,6 +77,32 @@ void h__dump(unsigned char *p, int len);
 # define min(a,b) ((a) < (b) ? (a) : (b))
 #endif
 
+#if defined(WINSCP) && defined(PBE_UNICODE)
+#undef PKCS12_key_gen_uni
+
+int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
+                       int saltlen, int id, int iter, int n,
+                       unsigned char *out, const EVP_MD *md_type);
+
+int PKCS12_key_gen_wrap(unsigned char *pass, int passlen, unsigned char *salt,
+                        int saltlen, int id, int iter, int n,
+                        unsigned char *out, const EVP_MD *md_type)
+{
+    if (pass == NULL)
+    {
+        // noop
+    }
+    // PKCS12_key_gen_uni cannot handle -1 length (contrary to PKCS12_key_gen_asc).
+    // OPENSSL_asc2uni adds the trailing \0 to the length,
+    // even if input ascii password length does not include it.
+    else if (passlen < 0)
+    {
+        passlen = (wcslen((wchar_t*)pass) * sizeof(wchar_t)) + sizeof(wchar_t);
+    }
+    return PKCS12_key_gen_uni(pass, passlen, salt, saltlen, id, iter, n, out, md_type);
+}
+#endif
+
 int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
                        int saltlen, int id, int iter, int n,
                        unsigned char *out, const EVP_MD *md_type)

libs/openssl/crypto/pkcs12/p12_kiss.c

@@ -114,8 +114,13 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
         )) {
         if (PKCS12_verify_mac(p12, NULL, 0))
             pass = NULL;
+        #if defined(WINSCP) && defined(PBE_UNICODE)
+        else if (PKCS12_verify_mac(p12, "\0", -1))
+            pass = "\0"; // two NULLs
+        #else
         else if (PKCS12_verify_mac(p12, "", 0))
             pass = "";
+        #endif
         else {
             PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_MAC_VERIFY_FAILURE);
             goto err;

libs/openssl/crypto/pkcs12/p12_mutl.c

@@ -93,15 +93,6 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
     md_size = EVP_MD_size(md_type);
     if (md_size < 0)
         return 0;
-    #if defined(WINSCP) && defined(PBE_UNICODE)
-    if (passlen < 0)
-    {
-      // PKCS12_key_gen_uni cannot handle -1 length (contrary to PKCS12_key_gen_asc).
-      // OPENSSL_asc2uni adds the trailing \0 to the length,
-      // even if input ascii password length does not include it.
-      passlen = (wcslen((wchar_t*)pass) * sizeof(wchar_t)) + sizeof(wchar_t);
-    }
-    #endif
     if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
                         md_size, key, md_type)) {
         PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);

libs/openssl/crypto/pkcs12/pkcs12.h

@@ -89,6 +89,9 @@ extern "C" {
 # ifdef PBE_UNICODE
 #  define PKCS12_key_gen PKCS12_key_gen_uni
 #  define PKCS12_add_friendlyname PKCS12_add_friendlyname_uni
+#  ifdef WINSCP
+#   define PKCS12_key_gen_uni PKCS12_key_gen_wrap
+#  endif
 # else
 #  define PKCS12_key_gen PKCS12_key_gen_asc
 #  define PKCS12_add_friendlyname PKCS12_add_friendlyname_asc