OpenSSL 3.0 password prompt errors
Matt Caswell
matt at openssl.org
Tue Nov 30 14:08:57 UTC 2021
On 30/11/2021 13:16, pepone.onrez wrote:
> Getting some problems with OpenSSL 3.0, I have passwordError function,
> to check if the last error was due to an invalid password and allow the
> user to retry.
>
>
> bool
> passwordError()
> {
> unsigned long error = ERR_peek_error();
> unsigned long lib = ERR_GET_LIB(error);
> unsigned long reason = ERR_GET_REASON(error);
> cerr << "error: " << error << endl;
> cerr << "lib: " << lib << endl;
> cerr << "reason: " << reason << endl;
> ERR_print_errors_fp(stdout);
> return (reason == PEM_R_BAD_BASE64_DECODE ||
> reason == PEM_R_BAD_DECRYPT ||
> reason == PEM_R_BAD_PASSWORD_READ ||
> reason == PEM_R_PROBLEMS_GETTING_PASSWORD ||
> reason == PKCS12_R_MAC_VERIFY_FAILURE);
> }
>
> When I test with an invalid password I get
>
> error: 587686001
> lib: 70
> reason: 483441
> error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
That is really screwy output. Something is getting corrupted somewhere.
"70" is not a valid error library and a reason code of 483441 is clearly
wrong (reason codes are typically fairly small). Error 587686001 does
correspond to the hex value 23076071 - but this is not an error value I
would expect to see OpenSSL emitting.
Could there be memory corruption occurring?? Perhaps run this through
valgrind or similar and see if there are any hints.
Matt
>
>
> the description seems to match PKCS12_R_MAC_VERIFY_FAILURE but the
> reason value doesn't
>
> include/openssl/pkcs12err.h
> 39:# define PKCS12_R_MAC_VERIFY_FAILURE 113
>
> Any ideas what I might be doing wrong here? this worked fine with 1.1.1
> before
>
> Cheers,
> Jose
More information about the openssl-users
mailing list