From 39a61e69b88252dca8aa7d61146b0b2397d1710c Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Thu, 26 Nov 2020 08:35:26 +0100
Subject: OSSL_STORE: restore diagnostics on decrypt error; provide password hints
Fixes #13493
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/13525)
---
 providers/implementations/encode_decode/decode_der2key.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'providers/implementations/encode_decode')
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
index 09601fc335..c8a467fb5b 100644
--- a/providers/implementations/encode_decode/decode_der2key.c
+++ b/providers/implementations/encode_decode/decode_der2key.c
@@ -260,6 +260,7 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
 EVP_PKEY *pkey = NULL;
 void *key = NULL;
 int orig_selection = selection;
+ int dec_err;
 int ok = 0;
 /*
@@ -319,8 +320,13 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
 der = new_der;
 der_len = new_der_len;
 }
- RESET_ERR_MARK();
+ /* decryption errors are fatal and should be reported */
+ dec_err = ERR_peek_last_error();
+ if (ERR_GET_LIB(dec_err) == ERR_LIB_PROV
+ && ERR_GET_REASON(dec_err) == PROV_R_BAD_DECRYPT)
+ goto end;
+ RESET_ERR_MARK();
 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
 derp = der;
 pkey = evp_privatekey_from_binary(ctx->desc->evp_type, NULL,
--
cgit v1.2.3
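Review bot: `dec_err` is declared `int` in the first hunk but is assigned from `ERR_peek_last_error()`, which returns `unsigned long`, so the second hunk narrows the packed error code before passing it to `ERR_GET_LIB`/`ERR_GET_REASON`; declare it `unsigned long dec_err;` instead. The new check also looks only at the newest queue entry, so it appears to rely on the decrypt step leaving `PROV_R_BAD_DECRYPT` as the last error and on no stale entry from an earlier caller sitting there; a missed match falls through to `RESET_ERR_MARK()` and the bad-password diagnostic is presumably discarded again. A one-line comment stating that assumption next to the `ERR_peek_last_error()` call would help. The `goto end` path skips `RESET_ERR_MARK()`, and the `end:` label lies outside the hunk, so confirm that the error mark set earlier in `der2key_decode` is cleared on that path.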