
commit 80b6054bb016aca0b18f8da79f23a859a804ef07
parent a1ce89a5543ce1d7e4afb49290761324b21540e8
Author: Alexander Færøy <ahf@torproject.org>
Date:   Wed,  3 Mar 2021 15:16:20 +0000

Merge remote-tracking branch 'tor-gitlab/mr/213'

Diffstat:
Achanges/bug40189 | 4++++
Msrc/tools/tor-gencert.c | 15+++++++++++----
2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/changes/bug40189 b/changes/bug40189
@@ -0,0 +1,4 @@
+ o Major bugfixes (signing key):
+ - In the tor-gencert utility, give an informative error message if the
+ passphrase given in `--create-identity-key` is too short. Fixes bug
+ 40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan.
diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c
@@ -248,6 +248,8 @@ generate_key(int bits)
 return rsa;
 }
+#define MIN_PASSPHRASE_LEN 4
+
 /** Try to read the identity key from <b>identity_key_file</b>. If no such
 * file exists and create_identity_key is set, make a new identity key and
 * store it. Return 0 on success, nonzero on failure.
@@ -288,11 +290,16 @@ load_identity_key(void)
 * the terminal. */
 if (!PEM_write_PKCS8PrivateKey_nid(f, identity_key,
 NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
- passphrase, (int)passphrase_len,
+ passphrase, (int) passphrase_len,
 NULL, NULL)) {
- log_err(LD_GENERAL, "Couldn't write identity key to %s",
- identity_key_file);
- crypto_openssl_log_errors(LOG_ERR, "Writing identity key");
+ if ((int) passphrase_len < MIN_PASSPHRASE_LEN) {
+ log_err(LD_GENERAL, "Passphrase empty or too short. Passphrase needs "
+ "to be at least %d characters.", MIN_PASSPHRASE_LEN);
+ } else {
+ log_err(LD_GENERAL, "Couldn't write identity key to %s",
+ identity_key_file);
+ crypto_openssl_log_errors(LOG_ERR, "Writing identity key");
+ }
 abort_writing_to_file(open_file);
 return 1;
 }
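Review bot: MIN_PASSPHRASE_LEN is added without a comment saying what the value 4 stands for, and it sits directly above the doc comment of load_identity_key, where it is easy to misread as part of that function's documentation. The only visible use is to choose an error message after the key write has failed, so a doc comment such as `/** Passphrases shorter than this are reported as too short when the encrypted identity key cannot be written. */` would describe it accurately. Presumably the number mirrors a limit in the crypto library rather than a strength policy; if so, the comment should say that, so nobody later reads four characters as an adequate passphrase for an identity key.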
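Review bot: The length test in load_identity_key sits inside the failure branch of PEM_write_PKCS8PrivateKey_nid, so the passphrase is only examined after the write has been attempted. Any unrelated write failure that coincides with a passphrase under four characters is then logged as a passphrase problem, and `crypto_openssl_log_errors(LOG_ERR, "Writing identity key");` is skipped, which leaves the OpenSSL error queue unreported. Rejecting the passphrase before the call with `if (passphrase_len < MIN_PASSPHRASE_LEN) {` (log, `abort_writing_to_file(open_file);`, `return 1;`) and keeping the original two log calls for every write failure would separate the two causes. The type of passphrase_len is not visible here; if it is unsigned, comparing it directly also avoids the `(int)` narrowing. The function body starts and ends outside the hunk, so the best place for the check may be where the passphrase is read.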