Merge remote-tracking branch 'tor-gitlab/mr/213'

2025-02-25 07:07:52 +01:00 · 2021-03-03 15:16:20 +00:00 · 2021-03-03 15:16:20 +00:00 · 80b6054bb0
commit 80b6054bb0
parent a1ce89a554 8785a75e2f
2 changed files with 15 additions and 4 deletions
--- a/changes/bug40189
+++ b/changes/bug40189
@ -0,0 +1,4 @@
+  o Major bugfixes (signing key):
+    - In the tor-gencert utility, give an informative error message if the
+      passphrase given in `--create-identity-key` is too short. Fixes bug
+      40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan.
--- a/src/tools/tor-gencert.c
+++ b/src/tools/tor-gencert.c
@ -248,6 +248,8 @@ generate_key(int bits)
  return rsa;
 }

+#define MIN_PASSPHRASE_LEN 4
+
 /** Try to read the identity key from <b>identity_key_file</b>.  If no such
 * file exists and create_identity_key is set, make a new identity key and
 * store it.  Return 0 on success, nonzero on failure.
@ -288,11 +290,16 @@ load_identity_key(void)
     * the terminal. */
    if (!PEM_write_PKCS8PrivateKey_nid(f, identity_key,
                                       NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
-                                       passphrase, (int)passphrase_len,
+                                       passphrase, (int) passphrase_len,
                                       NULL, NULL)) {
-      log_err(LD_GENERAL, "Couldn't write identity key to %s",
-              identity_key_file);
-      crypto_openssl_log_errors(LOG_ERR, "Writing identity key");
+      if ((int) passphrase_len < MIN_PASSPHRASE_LEN) {
+        log_err(LD_GENERAL, "Passphrase empty or too short. Passphrase needs "
+                "to be at least %d characters.", MIN_PASSPHRASE_LEN);
+      } else {
+        log_err(LD_GENERAL, "Couldn't write identity key to %s",
+                identity_key_file);
+        crypto_openssl_log_errors(LOG_ERR, "Writing identity key");
+      }
      abort_writing_to_file(open_file);
      return 1;
    }