diff options
author | Simon Josefsson <jas@mocca.josefsson.org> | 2007-05-26 23:30:14 +0200 |
---|---|---|
committer | Simon Josefsson <jas@mocca.josefsson.org> | 2007-05-26 23:30:14 +0200 |
commit | 3354d8ead88afcd2088c2638fb2383c4d726ff26 (patch) | |
tree | 6eadfba60c0323b0964798a680b8f3563a5d9163 | |
parent | 1e0952521755982fdb09cd0f10f739bc98bbe12c (diff) | |
download | gnutls-3354d8ead88afcd2088c2638fb2383c4d726ff26.tar.gz |
(decode_pkcs8_key): If ASN.1 decoding fails after decrypting an
already properly decoded value, assume it is due to a bad password
rather than ASN.1 error. Reported by Nate Nielsen
<nielsen-list@memberwebs.com>. (From 1.6.x branch.)
-rw-r--r-- | lib/x509/privkey_pkcs8.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 19c7ef1838..76143abc9b 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -739,6 +739,25 @@ decode_pkcs8_key (const gnutls_datum_t * raw_key, if (result < 0) { + /* We've gotten this far. In the real world it's almost certain + * that we're dealing with a good file, but wrong password. + * Sadly like 90% of random data is somehow valid DER for the + * a first small number of bytes, so no easy way to guarantee. */ + if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND || + result == GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND || + result == GNUTLS_E_ASN1_DER_ERROR || + result == GNUTLS_E_ASN1_VALUE_NOT_FOUND || + result == GNUTLS_E_ASN1_GENERIC_ERROR || + result == GNUTLS_E_ASN1_VALUE_NOT_VALID || + result == GNUTLS_E_ASN1_TAG_ERROR || + result == GNUTLS_E_ASN1_TAG_IMPLICIT || + result == GNUTLS_E_ASN1_TYPE_ANY_ERROR || + result == GNUTLS_E_ASN1_SYNTAX_ERROR || + result == GNUTLS_E_ASN1_DER_OVERFLOW) + { + result = GNUTLS_E_DECRYPTION_FAILED; + } + gnutls_assert (); goto error; } |