Bug 1830: Cannot use TLS/SSL client certificate

https://winscp.net/tracker/1830

Source commit: e68f669cfabe932d634a54193f99e42dafdf383a

libs/openssl/Makefile

@@ -21,7 +21,7 @@ CFLAG= \
     -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 \
     -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_NO_ENGINE -DOPENSSL_NO_DYNAMIC_ENGINE \
     -DOPENSSL_DISABLE_OLD_DES_SUPPORT -DNO_CHMOD -DOPENSSL_NO_DGRAM -DDOPENSSL_NO_EC_NISTP_64_GCC_128 \
-    -DOPENSSL_NO_WHIRLPOOL -DPBE_UNICODE -DWINSCP -DMK1MF_BUILD -DMK1MF_PLATFORM_BC_NT \
+    -DOPENSSL_NO_WHIRLPOOL -DWINSCP -DMK1MF_BUILD -DMK1MF_PLATFORM_BC_NT \
     -DOPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
 LIB_CFLAG=
 

libs/openssl/crypto/evp/evp_pbe.c

@@ -104,15 +104,7 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
     if (!pass)
         passlen = 0;
     else if (passlen == -1)
-    {
-    #if defined(WINSCP) && defined(PBE_UNICODE)
-        // OPENSSL_asc2uni adds the trailing \0 to the length,
-        // even if input ascii password length does not include it
-        passlen = (wcslen((const wchar_t*)pass) * sizeof(wchar_t)) + sizeof(wchar_t);
-    #else
         passlen = strlen(pass);
-    #endif
-    }
 
     if (cipher_nid == -1)
         cipher = NULL;

libs/openssl/crypto/pkcs12/p12_key.c

@@ -27,32 +27,6 @@ void h__dump(unsigned char *p, int len);
 # define min(a,b) ((a) < (b) ? (a) : (b))
 #endif
 
-#if defined(WINSCP) && defined(PBE_UNICODE)
-#undef PKCS12_key_gen_uni
-
-int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
-                       int saltlen, int id, int iter, int n,
-                       unsigned char *out, const EVP_MD *md_type);
-
-int PKCS12_key_gen_wrap(unsigned char *pass, int passlen, unsigned char *salt,
-                        int saltlen, int id, int iter, int n,
-                        unsigned char *out, const EVP_MD *md_type)
-{
-    if (pass == NULL)
-    {
-        // noop
-    }
-    // PKCS12_key_gen_uni cannot handle -1 length (contrary to PKCS12_key_gen_asc).
-    // OPENSSL_asc2uni adds the trailing \0 to the length,
-    // even if input ascii password length does not include it.
-    else if (passlen < 0)
-    {
-        passlen = (wcslen((wchar_t*)pass) * sizeof(wchar_t)) + sizeof(wchar_t);
-    }
-    return PKCS12_key_gen_uni(pass, passlen, salt, saltlen, id, iter, n, out, md_type);
-}
-#endif
-
 int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
                        int saltlen, int id, int iter, int n,
                        unsigned char *out, const EVP_MD *md_type)

libs/openssl/crypto/pkcs12/p12_kiss.c

@@ -57,21 +57,11 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
      * password are two different things...
      */
 
-    if (!pass ||
-        (!pass[0]
-        #if defined(WINSCP) && defined(PBE_UNICODE)
-        && !pass[1]
-        #endif
-        )) {
+    if (!pass || !*pass) {
         if (PKCS12_verify_mac(p12, NULL, 0))
             pass = NULL;
-        #if defined(WINSCP) && defined(PBE_UNICODE)
-        else if (PKCS12_verify_mac(p12, "\0", -1))
-            pass = "\0"; // two NULLs
-        #else
         else if (PKCS12_verify_mac(p12, "", 0))
             pass = "";
-        #endif
         else {
             PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_MAC_VERIFY_FAILURE);
             goto err;

source/core/Common.cpp

@@ -3282,17 +3282,10 @@ void __fastcall ParseCertificate(const UnicodeString & Path,
 
   if (Pkcs12 != NULL)
   {
-    // Modeled after OPENSSL_asc2uni (reversed bitness to what UnicodeString/wchar_t use)
-    std::vector<char> Buf;
-    Buf.resize(Passphrase.Length() * sizeof(wchar_t) + sizeof(wchar_t));
-    for (int Index = 0; Index <= Passphrase.Length(); Index++)
-    {
-      Buf[(Index * 2)] = (Passphrase.c_str()[Index] >> 8);
-      Buf[(Index * 2) + 1] = (Passphrase.c_str()[Index] & 0x00FF);
-    }
+    UTF8String PassphraseUtf(Passphrase);
 
     bool Result =
-      (PKCS12_parse(Pkcs12, &Buf[0], &PrivateKey, &Certificate, NULL) == 1);
+      (PKCS12_parse(Pkcs12, PassphraseUtf.c_str(), &PrivateKey, &Certificate, NULL) == 1);
     PKCS12_free(Pkcs12);
 
     if (!Result)