From: Craig Gallek Date: Sun, 27 Feb 2022 15:39:07 +0000 (-0500) Subject: x509: fix return error code for failed decryption without key X-Git-Tag: 3.7.4~13^2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=cd81b42afa3d14fbf4273cb3dbc48fe795909603;p=thirdparty%2Fgnutls.git x509: fix return error code for failed decryption without key Decrypting an encrypted private key previously returned GNUTLS_E_DECRYPTION_FAILED when no password was supplied. This changed when decryption via pin callbacks was added in d31b89de. That change should have included a check for callback existence in order to preserve the error path of the no-password case. This adds the check and a test for the previous behavior. Resolves bug #1321 Signed-off-by: Craig Gallek --- diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 3aa088ecff..d1ba65c90f 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -779,7 +779,8 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key, data, password); - if (ret == GNUTLS_E_DECRYPTION_FAILED && password == NULL) { + if (ret == GNUTLS_E_DECRYPTION_FAILED && password == NULL && + (key->pin.cb || _gnutls_pin_func)) { /* use the callback if any */ memset(pin, 0, GNUTLS_PKCS11_MAX_PIN_LEN); ret = _gnutls_retrieve_pin(&key->pin, "key:", "", 0, pin, sizeof(pin)); diff --git a/tests/key-openssl.c b/tests/key-openssl.c index 10c1514fb6..3903f97c7b 100644 --- a/tests/key-openssl.c +++ b/tests/key-openssl.c 
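Review bot: The comment `/* use the callback if any */` above the guarded branch no longer describes it: with the added `(key->pin.cb || _gnutls_pin_func)` condition the branch runs only when a callback exists, and the reason for the guard (keeping GNUTLS_E_DECRYPTION_FAILED as the no-password, no-callback result instead of whatever `_gnutls_retrieve_pin` reports when nothing is registered) lives only in the commit message. I would replace it with `/* Consult a PIN callback only if one is registered; otherwise keep GNUTLS_E_DECRYPTION_FAILED so a missing password is reported as such (bug #1321). */`, since the guard duplicates knowledge of which PIN sources `_gnutls_retrieve_pin` presumably checks internally and will silently diverge if that helper ever gains another source. The enclosing gnutls_x509_privkey_import2 body continues past the hunk; if the `pin` buffer filled by `_gnutls_retrieve_pin` is not already wiped after the retry import, it should be, as it holds a secret.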
@@ -181,6 +181,21 @@ void doit(void) } gnutls_x509_privkey_deinit(pkey); + /* GNUTLS_E_DECRYPTION_FAILED with neither password nor pin */ + ret = gnutls_x509_privkey_init(&pkey); + if (ret < 0) + fail("gnutls_x509_privkey_init: %d\n", ret); + + key.data = (void *) key1; + key.size = sizeof(key1); + ret = gnutls_x509_privkey_import2(pkey, &key, GNUTLS_X509_FMT_PEM, + NULL, 0); + if (ret != GNUTLS_E_DECRYPTION_FAILED) { + fail("gnutls_x509_privkey_import2 (expect decrypt fail): %s\n", + gnutls_strerror(ret)); + } + gnutls_x509_privkey_deinit(pkey); + /* * Pin callback passwords will only be used if the password supplied to * gnutls_x509_privkey_import2 in NULL. Consider possible combinations
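Review bot: The new `ret != GNUTLS_E_DECRYPTION_FAILED` assertion only proves the no-callback error path if neither a per-key nor a global PIN function is registered at this point in doit(), and nothing in the hunk establishes that; the trailing comment indicates the pin-callback combinations follow, so reordering or adding an earlier callback case would turn this into a test of the callback path without failing. I would make the precondition explicit above the block, e.g. `/* Must run before any pin callback is registered: a global pin function would route this through the callback path instead. */`, and, if the harness permits, clear the global pin function right before the import rather than relying on test order. The enclosing doit() starts and ends outside the hunk.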