x509: fix return error code for failed decryption without key
authorCraig Gallek <cgallek@gmail.com>
Sun, 27 Feb 2022 15:39:07 +0000 (10:39 -0500)
committerCraig Gallek <cgallek@gmail.com>
Sun, 27 Feb 2022 15:39:07 +0000 (10:39 -0500)
Decrypting an encrypted private key previously returned
GNUTLS_E_DECRYPTION_FAILED when no password was supplied.  This changed when
decryption via pin callbacks was added in d31b89de.

That change should have included a check for callback existence in order to
preserve the error path of the no-password case.

This adds the check and a test for the previous behavior.
Resolves bug #1321

Signed-off-by: Craig Gallek <cgallek@gmail.com>
lib/x509/privkey.c
tests/key-openssl.c

index 3aa088ecff005fb944dbee3b9e0910f4394f2033..d1ba65c90fa0613e45f4594950710870260af159 100644 (file)
@@ -779,7 +779,8 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
                                                                       data,
                                                                       password);
 
-                               if (ret == GNUTLS_E_DECRYPTION_FAILED && password == NULL) {
+                               if (ret == GNUTLS_E_DECRYPTION_FAILED && password == NULL &&
+                                               (key->pin.cb || _gnutls_pin_func)) {
                                        /* use the callback if any */
                                        memset(pin, 0, GNUTLS_PKCS11_MAX_PIN_LEN);
                                        ret = _gnutls_retrieve_pin(&key->pin, "key:", "", 0, pin, sizeof(pin));
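Review bot: The new guard on the `if` hard-codes which callback sources `_gnutls_retrieve_pin()` consults (`key->pin.cb`, then the global `_gnutls_pin_func`), so if that helper ever gains another PIN source this condition silently stops matching it and the no-callback error path regresses again; the existing `/* use the callback if any */` comment no longer says why the guard is there. I would replace that comment with `/* Retry via the PIN callback only when one is actually registered; otherwise keep GNUTLS_E_DECRYPTION_FAILED so callers can distinguish "no password given" from a PIN-callback failure (bug #1321). Keep this in sync with the sources _gnutls_retrieve_pin() checks. */`. The `pin` buffer is zeroed before the retry but the hunk ends before the retry result is consumed, so I cannot tell from here whether it is wiped again after use; worth confirming since it holds a secret. gnutls_x509_privkey_import2() starts and continues outside this hunk.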
index 10c1514fb6686f3a44c6858a1fdc9f8629e36a17..3903f97c7bcf266808e6e7de34e5129ab09651a2 100644 (file)
@@ -181,6 +181,21 @@ void doit(void)
        }
        gnutls_x509_privkey_deinit(pkey);
 
+       /* GNUTLS_E_DECRYPTION_FAILED with neither password nor pin */
+       ret = gnutls_x509_privkey_init(&pkey);
+       if (ret < 0)
+               fail("gnutls_x509_privkey_init: %d\n", ret);
+
+       key.data = (void *) key1;
+       key.size = sizeof(key1);
+       ret = gnutls_x509_privkey_import2(pkey, &key, GNUTLS_X509_FMT_PEM,
+                                         NULL, 0);
+       if (ret != GNUTLS_E_DECRYPTION_FAILED) {
+               fail("gnutls_x509_privkey_import2 (expect decrypt fail): %s\n",
+                    gnutls_strerror(ret));
+       }
+       gnutls_x509_privkey_deinit(pkey);
+
        /*
         * Pin callback passwords will only be used if the password supplied to
         * gnutls_x509_privkey_import2 in NULL.  Consider possible combinations
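Review bot: The new case at the `/* GNUTLS_E_DECRYPTION_FAILED with neither password nor pin */` comment only tests what it claims if no global PIN function has been installed earlier in doit(), and nothing in the hunk asserts that; the comment that follows suggests the PIN-callback combinations are exercised afterwards, so the check is order-dependent. I would extend the comment to `/* Must run before any PIN callback is registered in this test: a global PIN function would make import2 retry via the callback instead of returning GNUTLS_E_DECRYPTION_FAILED. */` so a future reordering does not turn this into a silent pass-through. The `(void *) key1` cast discards const; if `key1` is declared `const` this matches the earlier cases presumably, but a `gnutls_datum_t` built from a string literal would be cleaner with a `gnutls_datum_t` initializer than a cast. doit() starts and ends outside this hunk.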