The branch master has been updated via 39a61e69b88252dca8aa7d61146b0b2397d1710c (commit) from e3a2ba75474eebffe14b4bab1a34a1c2012a3888 (commit)
- Log ----------------------------------------------------------------- commit 39a61e69b88252dca8aa7d61146b0b2397d1710c Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Thu Nov 26 08:35:26 2020 +0100 OSSL_STORE: restore diagnostics on decrypt error; provide password hints Fixes #13493 Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13525) ----------------------------------------------------------------------- Summary of changes: crypto/encode_decode/decoder_lib.c | 17 ++++++++++------- crypto/pkcs12/p12_decr.c | 4 +++- crypto/store/store_result.c | 6 ++++-- .../implementations/encode_decode/decode_der2key.c | 8 +++++++- 4 files changed, 24 insertions(+), 11 deletions(-) diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index 6503b46d63..635a656216 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -13,6 +13,7 @@ #include <openssl/provider.h> #include <openssl/evperr.h> #include <openssl/ecerr.h> +#include <openssl/pkcs12err.h> #include <openssl/x509err.h> #include <openssl/trace.h> #include "internal/passphrase.h" @@ -511,7 +512,7 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) BIO *bio = data->bio; long loc; size_t i; - int err, ok = 0; + int err, lib, reason, ok = 0; /* For recursions */ struct decoder_process_data_st new_data; const char *data_type = NULL; @@ -750,14 +751,16 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) * errors, so we preserve them in the error queue and stop. */ err = ERR_peek_last_error(); - if ((ERR_GET_LIB(err) == ERR_LIB_EVP - && ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM) + lib = ERR_GET_LIB(err); + reason = ERR_GET_REASON(err); + if ((lib == ERR_LIB_EVP + && reason == EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM) #ifndef OPENSSL_NO_EC - || (ERR_GET_LIB(err) == ERR_LIB_EC - && ERR_GET_REASON(err) == EC_R_UNKNOWN_GROUP) + || (lib == ERR_LIB_EC && reason == EC_R_UNKNOWN_GROUP) #endif - || (ERR_GET_LIB(err) == ERR_LIB_X509 - && ERR_GET_REASON(err) == X509_R_UNSUPPORTED_ALGORITHM)) + || (lib == ERR_LIB_X509 && reason == X509_R_UNSUPPORTED_ALGORITHM) + || (lib == ERR_LIB_PKCS12 + && reason == PKCS12_R_PKCS12_CIPHERFINAL_ERROR)) goto end; } diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index 3571ac571a..0f1c00aaca 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -81,7 +81,9 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, if (!EVP_CipherFinal_ex(ctx, out + i, &i)) { OPENSSL_free(out); out = NULL; - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PKCS12_CIPHERFINAL_ERROR); + ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PKCS12_CIPHERFINAL_ERROR, + passlen == 0 ? "empty password" + : "maybe wrong password"); goto err; } outlen += i; diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c index 64b0e814b3..d41d7d9b94 100644 --- a/crypto/store/store_result.c +++ b/crypto/store/store_result.c @@ -564,8 +564,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, } pass = tpass; if (!PKCS12_verify_mac(p12, pass, strlen(pass))) { - ERR_raise(ERR_LIB_OSSL_STORE, - OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC); + ERR_raise_data(ERR_LIB_OSSL_STORE, + OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC, + strlen(pass) == 0 ? "empty password" : + "maybe wrong password"); goto p12_end; } } diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 09601fc335..c8a467fb5b 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -260,6 +260,7 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, EVP_PKEY *pkey = NULL; void *key = NULL; int orig_selection = selection; + int dec_err; int ok = 0; /* @@ -319,8 +320,13 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, der = new_der; der_len = new_der_len; } - RESET_ERR_MARK(); + /* decryption errors are fatal and should be reported */ + dec_err = ERR_peek_last_error(); + if (ERR_GET_LIB(dec_err) == ERR_LIB_PROV + && ERR_GET_REASON(dec_err) == PROV_R_BAD_DECRYPT) + goto end; + RESET_ERR_MARK(); if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { derp = der; pkey = evp_privatekey_from_binary(ctx->desc->evp_type, NULL,