OSSL_STORE: restore diagnostics on decrypt error; provide password hints
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 26 Nov 2020 07:35:26 +0000 (08:35 +0100)
committerDr. David von Oheimb <dev@ddvo.net>
Thu, 4 Mar 2021 07:54:09 +0000 (08:54 +0100)
Fixes #13493

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13525)

crypto/encode_decode/decoder_lib.c
crypto/pkcs12/p12_decr.c
crypto/store/store_result.c
providers/implementations/encode_decode/decode_der2key.c

index 6503b46d63633d47a0b89c87c96a8da38bb8721f..635a656216cdd7d0c7cedf08ca2e57963185d14e 100644 (file)
@@ -13,6 +13,7 @@
 #include <openssl/provider.h>
 #include <openssl/evperr.h>
 #include <openssl/ecerr.h>
+#include <openssl/pkcs12err.h>
 #include <openssl/x509err.h>
 #include <openssl/trace.h>
 #include "internal/passphrase.h"
@@ -511,7 +512,7 @@ static int decoder_process(const OSSL_PARAM params[], void *arg)
     BIO *bio = data->bio;
     long loc;
     size_t i;
-    int err, ok = 0;
+    int err, lib, reason, ok = 0;
     /* For recursions */
     struct decoder_process_data_st new_data;
     const char *data_type = NULL;
@@ -750,14 +751,16 @@ static int decoder_process(const OSSL_PARAM params[], void *arg)
          * errors, so we preserve them in the error queue and stop.
          */
         err = ERR_peek_last_error();
-        if ((ERR_GET_LIB(err) == ERR_LIB_EVP
-             && ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM)
+        lib = ERR_GET_LIB(err);
+        reason = ERR_GET_REASON(err);
+        if ((lib == ERR_LIB_EVP
+             && reason == EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM)
 #ifndef OPENSSL_NO_EC
-            || (ERR_GET_LIB(err) == ERR_LIB_EC
-                && ERR_GET_REASON(err) == EC_R_UNKNOWN_GROUP)
+            || (lib == ERR_LIB_EC && reason == EC_R_UNKNOWN_GROUP)
 #endif
-            || (ERR_GET_LIB(err) == ERR_LIB_X509
-                && ERR_GET_REASON(err) == X509_R_UNSUPPORTED_ALGORITHM))
+            || (lib == ERR_LIB_X509 && reason == X509_R_UNSUPPORTED_ALGORITHM)
+            || (lib == ERR_LIB_PKCS12
+                && reason == PKCS12_R_PKCS12_CIPHERFINAL_ERROR))
             goto end;
     }
 
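Review bot: The new `PKCS12_R_PKCS12_CIPHERFINAL_ERROR` arm of the fatal-error test catches a wrong password only when the final-block padding check happens to fail, and the comment above the test does not say so. With a padded block cipher a wrong key can still produce valid-looking padding by chance; decryption then returns garbage without raising this error and processing continues past this test, so the absence of the error is not evidence that the password was right. I would extend the comment with something like `/* A padding failure is only a probable sign of a bad password; integrity comes from the PKCS#12 MAC, not from this check. */`. The test also relies on the decrypt error still being the newest queue entry at this point; decoder_process starts and ends outside the hunk, so that could not be confirmed here.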
index 3571ac571a2222d7265e468460e66cfe40e4e467..0f1c00aaca3d7396835b55ac3bd55e0fea221108 100644 (file)
@@ -81,7 +81,9 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
     if (!EVP_CipherFinal_ex(ctx, out + i, &i)) {
         OPENSSL_free(out);
         out = NULL;
-        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
+        ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
+                       passlen == 0 ? "empty password"
+                       : "maybe wrong password");
         goto err;
     }
     outlen += i;
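Review bot: The password hint is attached whenever `EVP_CipherFinal_ex` fails, but PKCS12_pbe_crypt also handles the encryption direction (its `en_de` argument, cut off in the hunk header), where "maybe wrong password" would point the operator at the wrong cause. Consider keeping the plain `ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PKCS12_CIPHERFINAL_ERROR);` when `en_de` is non-zero and adding the hint only on decrypt. `passlen == 0` would also miss an empty password passed with a negative length, if callers use the -1 "NUL-terminated" convention found elsewhere in the PKCS12 API; the visible lines do not show whether they do. The same two hint strings are repeated in try_pkcs12 in store_result.c, so a shared definition would keep the wording in sync.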
index 64b0e814b346553e09fdc43fbe84ff8473de9b60..d41d7d9b94519d5a48e91bd8dcb3ac0dcd686c97 100644 (file)
@@ -564,8 +564,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                 }
                 pass = tpass;
                 if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
-                    ERR_raise(ERR_LIB_OSSL_STORE,
-                              OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC);
+                    ERR_raise_data(ERR_LIB_OSSL_STORE,
+                                   OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC,
+                                   strlen(pass) == 0 ? "empty password" :
+                                   "maybe wrong password");
                     goto p12_end;
                 }
             }
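Review bot: `strlen(pass)` is evaluated a second time on the failure path only to test for emptiness; `pass[0] == '\0'` expresses the same test without rescanning the secret. A MAC mismatch is also what a corrupted or modified file produces, so the hedged wording "maybe wrong password" is appropriate and should not be tightened to a definite statement later. A short comment above the call, such as `/* MAC failure: wrong password or altered file */`, would record that for the next maintainer. try_pkcs12 begins and ends outside this hunk.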
index 09601fc335e2a9dfb747fbf358b899f18876d339..c8a467fb5b3b2cdb2d2a320dd3d7e94cfd8fa787 100644 (file)
@@ -260,6 +260,7 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
     EVP_PKEY *pkey = NULL;
     void *key = NULL;
     int orig_selection = selection;
+    int dec_err;
     int ok = 0;
 
     /*
@@ -319,8 +320,13 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
             der = new_der;
             der_len = new_der_len;
         }
-        RESET_ERR_MARK();
+        /* decryption errors are fatal and should be reported */
+        dec_err = ERR_peek_last_error();
+        if (ERR_GET_LIB(dec_err) == ERR_LIB_PROV
+                && ERR_GET_REASON(dec_err) == PROV_R_BAD_DECRYPT)
+            goto end;
 
+        RESET_ERR_MARK();
         if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
             derp = der;
             pkey = evp_privatekey_from_binary(ctx->desc->evp_type, NULL,
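Review bot: The `PROV_R_BAD_DECRYPT` test at `dec_err = ERR_peek_last_error();` sits after the closing brace of the block that installs `new_der`, so it inspects the newest error-queue entry whether or not a decryption was attempted or failed in this call. If an earlier, unrelated operation left that error on top of the queue, an unencrypted key could be rejected here; whether the mark handling before the hunk rules this out is not visible. Moving the test into the failure path of the decrypt call would tie it to the event it reports. Separately, `ERR_peek_last_error()` returns `unsigned long`, so the declaration added in the previous hunk would be better as `unsigned long dec_err;`.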