diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-11-26 08:35:26 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-03-04 08:54:09 +0100 |
commit | 39a61e69b88252dca8aa7d61146b0b2397d1710c (patch) | |
tree | 7e5137a219778990498fd3c1aa20610ce82c9e07 | |
parent | e3a2ba75474eebffe14b4bab1a34a1c2012a3888 (diff) |
OSSL_STORE: restore diagnostics on decrypt error; provide password hints
Fixes #13493
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13525)
-rw-r--r-- | crypto/encode_decode/decoder_lib.c | 17 | ||||
-rw-r--r-- | crypto/pkcs12/p12_decr.c | 4 | ||||
-rw-r--r-- | crypto/store/store_result.c | 6 | ||||
-rw-r--r-- | providers/implementations/encode_decode/decode_der2key.c | 8 |
4 files changed, 24 insertions, 11 deletions
diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index 6503b46d63..635a656216 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -13,6 +13,7 @@ #include <openssl/provider.h> #include <openssl/evperr.h> #include <openssl/ecerr.h> +#include <openssl/pkcs12err.h> #include <openssl/x509err.h> #include <openssl/trace.h> #include "internal/passphrase.h" @@ -511,7 +512,7 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) BIO *bio = data->bio; long loc; size_t i; - int err, ok = 0; + int err, lib, reason, ok = 0; /* For recursions */ struct decoder_process_data_st new_data; const char *data_type = NULL; @@ -750,14 +751,16 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) * errors, so we preserve them in the error queue and stop. */ err = ERR_peek_last_error(); - if ((ERR_GET_LIB(err) == ERR_LIB_EVP - && ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM) + lib = ERR_GET_LIB(err); + reason = ERR_GET_REASON(err); + if ((lib == ERR_LIB_EVP + && reason == EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM) #ifndef OPENSSL_NO_EC - || (ERR_GET_LIB(err) == ERR_LIB_EC - && ERR_GET_REASON(err) == EC_R_UNKNOWN_GROUP) + || (lib == ERR_LIB_EC && reason == EC_R_UNKNOWN_GROUP) #endif - || (ERR_GET_LIB(err) == ERR_LIB_X509 - && ERR_GET_REASON(err) == X509_R_UNSUPPORTED_ALGORITHM)) + || (lib == ERR_LIB_X509 && reason == X509_R_UNSUPPORTED_ALGORITHM) + || (lib == ERR_LIB_PKCS12 + && reason == PKCS12_R_PKCS12_CIPHERFINAL_ERROR)) goto end; } diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index 3571ac571a..0f1c00aaca 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -81,7 +81,9 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, if (!EVP_CipherFinal_ex(ctx, out + i, &i)) { OPENSSL_free(out); out = NULL; - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PKCS12_CIPHERFINAL_ERROR); + ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PKCS12_CIPHERFINAL_ERROR, + passlen == 0 ? "empty password" + : "maybe wrong password"); goto err; } outlen += i; diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c index 64b0e814b3..d41d7d9b94 100644 --- a/crypto/store/store_result.c +++ b/crypto/store/store_result.c @@ -564,8 +564,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, } pass = tpass; if (!PKCS12_verify_mac(p12, pass, strlen(pass))) { - ERR_raise(ERR_LIB_OSSL_STORE, - OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC); + ERR_raise_data(ERR_LIB_OSSL_STORE, + OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC, + strlen(pass) == 0 ? "empty password" : + "maybe wrong password"); goto p12_end; } } diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 09601fc335..c8a467fb5b 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -260,6 +260,7 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, EVP_PKEY *pkey = NULL; void *key = NULL; int orig_selection = selection; + int dec_err; int ok = 0; /* @@ -319,8 +320,13 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, der = new_der; der_len = new_der_len; } - RESET_ERR_MARK(); + /* decryption errors are fatal and should be reported */ + dec_err = ERR_peek_last_error(); + if (ERR_GET_LIB(dec_err) == ERR_LIB_PROV + && ERR_GET_REASON(dec_err) == PROV_R_BAD_DECRYPT) + goto end; + RESET_ERR_MARK(); if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { derp = der; pkey = evp_privatekey_from_binary(ctx->desc->evp_type, NULL, |