Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Return -1 from our PEM password callback

Apparently, contrary to its documentation, this is how OpenSSL now
wants us to report an error.

Fixes bug 26116; bugfix on 0.2.5.16.
Nick Mathewson 7 years ago
parent
033e4723f3
commit
881f7157f6
2 changed files with 13 additions and 1 deletions
Split View Show Diff Stats
  1. 7 0
      changes/bug26116
  2. 6 1
      src/common/crypto.c

+ 7 - 0
changes/bug26116
View File 

@@ -0,0 +1,7 @@
 
+  o Minor bugfixes (compatibility, openssl):
 
+    - Work around a change in OpenSSL 1.1.1 where
 
+      return values that would previously indicate "no password" now
 
+      indicate an empty password. Without this workaround, Tor instances
 
+      running with OpenSSL 1.1.1 would accept descriptors that other Tor
 
+      instances would reject. Fixes bug 26116; bugfix on 0.2.5.16.
 
+

+ 6 - 1
src/common/crypto.c
View File 

@@ -653,7 +653,12 @@ pem_no_password_cb(char *buf, int size, int rwflag, void *u)
 
   (void)size;
 
   (void)rwflag;
 
   (void)u;
 
-  return 0;
 
+  /* The openssl documentation says that a callback "must" return 0 if an
 
+   * error occurred.  But during the 1.1.1 series (commit c82c3462267afdbbaa5
 
+   * they changed the interpretation so that 0 indicates an empty password and
 
+   * -1 indicates an error. We want to reject any encrypted PEM buffers, so we
 
+   * return -1.  This will work on older OpenSSL versions and LibreSSL too. */
 
+  return -1;
 
 }
 
 
 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>