From 202f6ad8d89765da2525c07a419a5c8b22d8ca95 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Wed, 4 Feb 2015 12:20:52 +0000
Subject: [PATCH] Add pwlen argument to openconnect_hash_yubikey_password()
We're going to want to use this with strings which aren't necessarily NUL-terminated, for the Yubikey password workaround.
Signed-off-by: David Woodhouse
---
 gnutls.c | 5 +++--
 openconnect-internal.h | 3 ++-
 openssl.c | 5 +++--
 yubikey.c | 3 ++-
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/gnutls.c b/gnutls.c
index 6754b426..3f79a22c 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -2545,14 +2545,15 @@ static P11KitPin *p11kit_pin_callback(const char *pin_source, P11KitUri *pin_uri
 #ifdef HAVE_LIBPCSCLITE
 int openconnect_hash_yubikey_password(struct openconnect_info *vpninfo,
- const char *password, const void *ident, int id_len)
+ const char *password, int pwlen,
+ const void *ident, int id_len)
 {
 unsigned char U[SHA1_SIZE];
 gnutls_hmac_hd_t dgst;
 int ret = -EIO;
 int i, j;
- if (gnutls_hmac_init(&dgst, GNUTLS_MAC_SHA1, password, strlen(password)))
+ if (gnutls_hmac_init(&dgst, GNUTLS_MAC_SHA1, password, pwlen))
 return -EIO;
 if (gnutls_hmac(dgst, ident, id_len))
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 89186fa3..c126a3e7 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -839,7 +839,8 @@ int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
 int openconnect_yubikey_chalresp(struct openconnect_info *vpninfo,
 const void *challenge, int chall_len, void *result);
 int openconnect_hash_yubikey_password(struct openconnect_info *vpninfo,
- const char *password, const void *ident, int id_len);
+ const char *password, int pwlen,
+ const void *ident, int id_len);
 int hotp_hmac(struct openconnect_info *vpninfo, const void *challenge);
 #if defined(OPENCONNECT_OPENSSL)
 #define openconnect_https_connected(_v) ((_v)->https_ssl)
diff --git a/openssl.c b/openssl.c
index 0434e783..3e2cb11b 100644
--- a/openssl.c
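Review bot: `pwlen` is a signed `int`, and in the gnutls.c hunk it goes straight into `gnutls_hmac_init()`, whose key-length parameter is `size_t`, so a negative value from a later caller would turn into a very large length and the HMAC setup would read past the end of the password buffer. The openssl.c hunk takes the same argument, but `PKCS5_PBKDF2_HMAC_SHA1()` interprets a length of -1 as "use strlen()", so the two backends would behave differently on the same input, and strlen() is exactly what the commit message says cannot be relied on for the upcoming unterminated strings. I would reject negative lengths at the top of both definitions with `if (pwlen < 0) return -EINVAL;`, and add a comment on the prototype in openconnect-internal.h along the lines of `/* password need not be NUL-terminated; pwlen is its length in bytes and must be >= 0 */`. The only caller visible here, in yubikey.c, passes `strlen(o._value)`, so nothing changes for it; the gnutls.c function body continues past the end of its hunk.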
+++ b/openssl.c
@@ -1647,9 +1647,10 @@ int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
 #ifdef HAVE_LIBPCSCLITE
 int openconnect_hash_yubikey_password(struct openconnect_info *vpninfo,
- const char *password, const void *ident, int id_len)
+ const char *password, int pwlen,
+ const void *ident, int id_len)
 {
- if (!PKCS5_PBKDF2_HMAC_SHA1(password, strlen(password), ident, id_len, 1000, 16,
+ if (!PKCS5_PBKDF2_HMAC_SHA1(password, pwlen, ident, id_len, 1000, 16,
 vpninfo->yubikey_pwhash))
 return -EIO;
diff --git a/yubikey.c b/yubikey.c
index e55c486a..8e976e64 100644
--- a/yubikey.c
+++ b/yubikey.c
@@ -217,7 +217,8 @@ static int select_yubioath_applet(struct openconnect_info *vpninfo,
 /* XXX: What charset is the password in? Assuming UTF-8 because that's the only sane option, but see http://forum.yubico.com/viewtopic.php?f=26&t=1601 */
- ret = openconnect_hash_yubikey_password(vpninfo, o._value, applet_id, id_len);
+ ret = openconnect_hash_yubikey_password(vpninfo, o._value, strlen(o._value),
+ applet_id, id_len);
 if (ret)
 return ret;