commit 8785a75e2f0c44f1585b563d8043c64c6489acaa Author: Neel Chauhan neel@neelc.org Date: Mon Nov 16 09:35:23 2020 -0800

Give a descriptive error message with "tor-gencert --create-identity-key" --- changes/bug40189 | 4 ++++ src/tools/tor-gencert.c | 15 +++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/changes/bug40189 b/changes/bug40189 new file mode 100644 index 0000000000..0c3c8ae2f3 --- /dev/null +++ b/changes/bug40189 @@ -0,0 +1,4 @@ + o Major bugfixes (signing key): + - In the tor-gencert utility, give an informative error message if the + passphrase given in `--create-identity-key` is too short. Fixes bug + 40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan. diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c index e4f6530b46..e7561654c7 100644 --- a/src/tools/tor-gencert.c +++ b/src/tools/tor-gencert.c @@ -248,6 +248,8 @@ generate_key(int bits) return rsa; }

+#define MIN_PASSPHRASE_LEN 4 + /** Try to read the identity key from <b>identity_key_file</b>. If no such * file exists and create_identity_key is set, make a new identity key and * store it. Return 0 on success, nonzero on failure. @@ -288,11 +290,16 @@ load_identity_key(void) * the terminal. */ if (!PEM_write_PKCS8PrivateKey_nid(f, identity_key, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - passphrase, (int)passphrase_len, + passphrase, (int) passphrase_len, NULL, NULL)) { - log_err(LD_GENERAL, "Couldn't write identity key to %s", - identity_key_file); - crypto_openssl_log_errors(LOG_ERR, "Writing identity key"); + if ((int) passphrase_len < MIN_PASSPHRASE_LEN) { + log_err(LD_GENERAL, "Passphrase empty or too short. Passphrase needs " + "to be at least %d characters.", MIN_PASSPHRASE_LEN); + } else { + log_err(LD_GENERAL, "Couldn't write identity key to %s", + identity_key_file); + crypto_openssl_log_errors(LOG_ERR, "Writing identity key"); + } abort_writing_to_file(open_file); return 1; }