Skip to content

Fix issues in pass_util.cc password handling#3032

Merged
justsmth merged 2 commits intoaws:mainfrom
justsmth:cleanup-pass_util
Mar 18, 2026
Merged

Fix issues in pass_util.cc password handling#3032
justsmth merged 2 commits intoaws:mainfrom
justsmth:cleanup-pass_util

Conversation

@justsmth
Copy link
Contributor

@justsmth justsmth commented Feb 24, 2026
edited
Loading

Description of changes:

Addresses multiple issues in tool-openssl/pass_util.cc and the Password class:

  • Ensured all temporary buffers holding passwords are properly cleansed, including the buf stack buffer in ExtractPasswordFromStream and a std::string replaced with Password for secure clearing.
  • Fixed fd: parsing to use strtoul instead of atoi, avoiding undefined behavior on overflow.
  • Removed incorrect rejection of colons in pass: passwords, matching OpenSSL behavior.
  • Fixed off-by-one in password length limits for pass: and env: sources.
  • Minor hardening: fixed same_file initialization, replaced unsigned subtraction with overflow-safe comparison in ExtractDirectPassword.

Call-outs:

  • Behavioral change: pass:a:b was previously rejected and now succeeds with password a:b.

Testing:

All existing PassUtilTest tests pass. Updated DirectPasswordEdgeCases to cover passwords containing colons.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@justsmth justsmth requested a review from a team as a code owner February 24, 2026 14:01
@codecov-commenter
Copy link

codecov-commenter commented Feb 24, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 88.23529% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.18%. Comparing base (107e67d) to head (e963dc1).

Files with missing lines Patch % Lines
tool-openssl/pass_util.cc 84.61% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3032      +/-   ##
==========================================
- Coverage   78.19%   78.18%   -0.01%     
==========================================
  Files         689      689              
  Lines      121822   121825       +3     
  Branches    16995    16994       -1     
==========================================
- Hits        95254    95251       -3     
- Misses      25684    25690       +6     
  Partials      884      884

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

sgmenda
sgmenda previously approved these changes Mar 6, 2026
View reviewed changes
@justsmth justsmth force-pushed the cleanup-pass_util branch from a9dc9a4 to fa53272 Compare March 17, 2026 13:29
@justsmth justsmth requested a review from sgmenda March 17, 2026 13:30
@justsmth justsmth force-pushed the cleanup-pass_util branch from fa53272 to e963dc1 Compare March 17, 2026 14:15
WillChilds-Klein
WillChilds-Klein approved these changes Mar 17, 2026
View reviewed changes
@justsmth justsmth merged commit efb6ba9 into aws:main Mar 18, 2026
452 of 456 checks passed
@justsmth justsmth deleted the cleanup-pass_util branch March 18, 2026 16:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@WillChilds-Klein WillChilds-Klein WillChilds-Klein approved these changes

@samuel40791765 samuel40791765 samuel40791765 approved these changes

@nhatnghiho nhatnghiho Awaiting requested review from nhatnghiho

@sgmenda sgmenda Awaiting requested review from sgmenda

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@justsmth @codecov-commenter @WillChilds-Klein @samuel40791765 @sgmenda