[Openvpn-devel,v3,16/21] Add message when decoding PKCS12 file fails.

Message ID 20211019183127.614175-17-arne@rfc2549.org
State Accepted
Series OpenSSL 3.0 improvements for OpenVPN

Commit Message

Arne Schwabe Oct. 19, 2021, 6:31 p.m. UTC
Currently we never display the OpenSSL error stack when decoding a
PKCS12 file fails. With LibreSSL defaulting to RC2-40-CBC, the failure
might not be a wrong password but can actually be an unsupported
encoding; seeing the error stack is really helpful (example from OpenSSL 3.0):

error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

to pinpoint the issue.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 2 ++
 1 file changed, 2 insertions(+)
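The two failure signatures the commit message tells apart (a MAC verify failure from a wrong password versus an "unsupported" algorithm fetch for a legacy PBE cipher such as RC2-40-CBC), plus the re-export a practitioner usually needs afterwards, as an added shell example. This is not code from the patch, from OpenVPN or from the author; the log lines are constructed from the messages quoted on this page, the function names `classify_pkcs12_error` and `reencode_pkcs12` are this example's own, and the `openssl pkcs12` options used (`-legacy`, which exists only in OpenSSL 3.x, `-certpbe`, `-keypbe`, `-macalg`) are assumed to be available in the installed openssl binary.

```shell
#!/bin/sh
# Added example (not OpenVPN's code): triage the OpenSSL error stack that
# OpenVPN prints when PKCS12_parse() fails, then re-encode a legacy PKCS#12
# file so that OpenSSL 3.0's default provider can open it.

# Constructed sample log lines, modelled on the two cases quoted on this page.
LOG_WRONG_PASSWORD='2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
2021-10-21 08:24:01 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption'

LOG_LEGACY_CIPHER='2021-10-21 08:24:01 OpenSSL: error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2021-10-21 08:24:01 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption'

# classify_pkcs12_error LOGTEXT
# Prints one of: wrong-password, unsupported-algorithm:<NAME>, unknown
classify_pkcs12_error() {
    log="$1"
    if printf '%s\n' "$log" | grep -q 'PKCS12_parse:mac verify failure'; then
        # PKCS12_parse verifies the password-derived MAC before decrypting
        # anything, so a MAC failure is the wrong-password signature.
        echo "wrong-password"
    elif printf '%s\n' "$log" | grep -q 'digital envelope routines:.*:unsupported'; then
        # An EVP fetch failure names the missing algorithm as
        # "Algorithm (NAME : 0)"; under OpenSSL 3 the legacy PBE ciphers
        # (RC2, 3DES) live in the legacy provider, not the default one.
        alg=$(printf '%s\n' "$log" \
              | sed -n 's/.*Algorithm (\([^ :]*\) : [0-9]*).*/\1/p' | head -n 1)
        echo "unsupported-algorithm:${alg:-?}"
    else
        echo "unknown"
    fi
}

# reencode_pkcs12 IN.p12 OUT.p12 PASSWORD
# Re-exports a legacy-encrypted PKCS#12 with AES-256-CBC for both the key and
# certificate bags and an HMAC-SHA256 integrity MAC, which OpenSSL 3.0 and
# 1.1.1 both accept without extra providers. Reading RC2/3DES-encrypted input
# on OpenSSL 3.x needs the legacy provider, hence -legacy on that version only.
# The decrypted key only ever crosses the pipe; it is never written to disk.
reencode_pkcs12() {
    in="$1"; out="$2"; pw="$3"
    legacy=""
    case "$(openssl version 2>/dev/null)" in
        "OpenSSL 3"*) legacy="-legacy" ;;
    esac
    openssl pkcs12 $legacy -in "$in" -passin "pass:$pw" -nodes \
      | openssl pkcs12 -export -out "$out" -passout "pass:$pw" \
            -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256
}

# Stand-alone demonstration of the triage on the constructed log lines.
printf 'wrong password case : %s\n' "$(classify_pkcs12_error "$LOG_WRONG_PASSWORD")"
printf 'legacy cipher case  : %s\n' "$(classify_pkcs12_error "$LOG_LEGACY_CIPHER")"

# Usage: ./triage.sh legacy.p12 modern.p12 'the-password'
if [ "$#" -eq 3 ]; then
    reencode_pkcs12 "$@"
fi
```

The classification is deliberately keyed on the reason text rather than the numeric error code, because the codes shown on this page come from two different OpenSSL generations (0x23076071 is a 1.1.x-style code, 0x0308010C a 3.0 one) while the reason strings are stable. Before re-exporting, `openssl pkcs12 -info -noout -in legacy.p12` shows the PBE algorithms the file actually uses, which confirms whether the "unsupported" fetch is really the legacy-cipher case.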

Comments

Gert Doering Oct. 21, 2021, 6:24 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

"That was an easy one" :-) - error reporting is always useful, and
the code change is trivial enough.  Tested with "wrong password" only,
which now prints:

2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
2021-10-21 08:24:01 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2021-10-21 08:24:01 SIGUSR1[soft,private-key-password-failure] received, process restarting

Your patch has been applied to the master branch.

commit 6ac4e63c577986ec11eae3519fe8516e8ca8ac0f
Author: Arne Schwabe
Date:   Tue Oct 19 20:31:22 2021 +0200

     Add message when decoding PKCS12 file fails.

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20211019183127.614175-17-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23017.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
Gert Doering May 18, 2022, 9:37 a.m. UTC | #2
Hi,

Decided in the community meeting today that this should also be
cherry-picked to 2.5 - I have not actually tested with a pkcs12 file,
just run the basic compile/client test cycle (and the patch is
trivial enough).

commit 1f54811e92c89fe07d7cea8339e928980bfe0536 (HEAD -> release/2.5)
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Tue Oct 19 20:31:22 2021 +0200

    Add message when decoding PKCS12 file fails.

gert


Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8ec96e66c..d93292700 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -831,6 +831,8 @@  tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
         ca = NULL;
         if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
         {
+            crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password "
+                               "or unsupported/legacy encryption");
 #ifdef ENABLE_MANAGEMENT
             if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
             {
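Review bot: the new crypto_msg() call sits before the ERR_peek_error() check in the ENABLE_MANAGEMENT branch; if crypto_msg() prints the OpenSSL error stack by popping entries with ERR_get_error() (the test log in the discussion shows the whole stack being printed), the queue is already empty when ERR_peek_error() runs, ERR_GET_REASON() then compares 0 rather than PKCS12_R_MAC_VERIFY_FAILURE, and management_auth_failure() is never sent to the management interface. Suggest moving the two added lines below the #endif so the reason is inspected first, or capturing it up front, e.g. `unsigned long err = ERR_peek_error();` before the crypto_msg() call and testing `ERR_GET_REASON(err)` in the management branch.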