[openssh-commits] [openssh] 01/01: upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrase

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Oct 9 16:45:52 AEDT 2018


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit edbb6febccee084d212fdc0cb05b40cb1c646ab1
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Oct 9 05:42:23 2018 +0000

    upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrase
    
    is specified as "incorrect passphrase" instead of trying to choose between
    that and "invalid format".
    
    libcrypto can return ASN1 parsing errors rather than the expected
    decrypt error in certain infrequent cases when trying to decrypt/parse
    PEM private keys when supplied with an invalid passphrase.
    
    Report and repro recipe from Thomas Deutschmann in bz#2901
    
    ok markus@
    
    OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
---
 sshkey.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/sshkey.c b/sshkey.c
index 63c01ea6..e1e882b7 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.70 2018/09/14 04:17:44 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.71 2018/10/09 05:42:23 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -3936,7 +3936,16 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
 	clear_libcrypto_errors();
 	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
 	    (char *)passphrase)) == NULL) {
-		r = convert_libcrypto_error();
+	       /*
+		* libcrypto may return various ASN.1 errors when attempting
+		* to parse a key with an incorrect passphrase.
+		* Treat all format errors as "incorrect passphrase" if a
+		* passphrase was supplied.
+		*/
+		if (passphrase != NULL && *passphrase != '\0')
+			r = SSH_ERR_KEY_WRONG_PASSPHRASE;
+		else
+			r = convert_libcrypto_error();
 		goto out;
 	}
 	if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
