You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
systemd/SOURCES/0601-openssl-add-log_openss...

461 lines
23 KiB

From 7ea93aa35e8a521d68f7fab44d46590210f637b2 Mon Sep 17 00:00:00 2001
From: Dan Streetman <ddstreet@ieee.org>
Date: Fri, 4 Aug 2023 18:51:55 -0400
Subject: [PATCH] openssl: add log_openssl_errors()
Add a macro to log all errors in the openssl 'thread error queue'.
This consolidates all the openssl-generated errors to return -EIO and log at
debug level.
Also add a 'invalid' test in test-openssl, to allow manual verification that
the openssl error(s) are logged.
(cherry picked from commit 60696b22d96d0c27680400818672e16f8bb2d53b)
Related: RHEL-16182
---
src/shared/openssl-util.c | 175 +++++++++++++++++++++-----------------
src/test/test-openssl.c | 8 ++
2 files changed, 107 insertions(+), 76 deletions(-)
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index 313c1fc4ea..3d3d8090f8 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -6,6 +6,32 @@
#include "hexdecoct.h"
#if HAVE_OPENSSL
+/* For each error in the the Openssl thread error queue, log the provided message and the Openssl error
+ * string. If there are no errors in the Openssl thread queue, this logs the message with "No openssl
+ * errors." This logs at level debug. Returns -EIO (or -ENOMEM). */
+#define log_openssl_errors(fmt, ...) _log_openssl_errors(UNIQ, fmt, ##__VA_ARGS__)
+#define _log_openssl_errors(u, fmt, ...) \
+ ({ \
+ size_t UNIQ_T(MAX, u) = 512 /* arbitrary, but openssl doc states it must be >= 256 */; \
+ _cleanup_free_ char *UNIQ_T(BUF, u) = malloc(UNIQ_T(MAX, u)); \
+ !UNIQ_T(BUF, u) \
+ ? log_oom_debug() \
+ : __log_openssl_errors(u, UNIQ_T(BUF, u), UNIQ_T(MAX, u), fmt, ##__VA_ARGS__) \
+ ?: log_debug_errno(SYNTHETIC_ERRNO(EIO), fmt ": No openssl errors.", ##__VA_ARGS__); \
+ })
+#define __log_openssl_errors(u, buf, max, fmt, ...) \
+ ({ \
+ int UNIQ_T(R, u) = 0; \
+ for (;;) { \
+ unsigned long UNIQ_T(E, u) = ERR_get_error(); \
+ if (UNIQ_T(E, u) == 0) \
+ break; \
+ ERR_error_string_n(UNIQ_T(E, u), buf, max); \
+ UNIQ_T(R, u) = log_debug_errno(SYNTHETIC_ERRNO(EIO), fmt ": %s", ##__VA_ARGS__, buf); \
+ } \
+ UNIQ_T(R, u); \
+ })
+
int openssl_pkey_from_pem(const void *pem, size_t pem_size, EVP_PKEY **ret) {
assert(pem);
assert(ret);
@@ -17,7 +43,7 @@ int openssl_pkey_from_pem(const void *pem, size_t pem_size, EVP_PKEY **ret) {
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = PEM_read_PUBKEY(f, NULL, NULL, NULL);
if (!pkey)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to parse PEM.");
+ return log_openssl_errors("Failed to parse PEM");
*ret = TAKE_PTR(pkey);
@@ -74,23 +100,23 @@ int rsa_encrypt_bytes(
ctx = EVP_PKEY_CTX_new(pkey, NULL);
if (!ctx)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to allocate public key context");
+ return log_openssl_errors("Failed to allocate public key context");
if (EVP_PKEY_encrypt_init(ctx) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize public key context");
+ return log_openssl_errors("Failed to initialize public key context");
if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to configure PKCS#1 padding");
+ return log_openssl_errors("Failed to configure PKCS#1 padding");
if (EVP_PKEY_encrypt(ctx, NULL, &l, decrypted_key, decrypted_key_size) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine encrypted key size");
+ return log_openssl_errors("Failed to determine encrypted key size");
b = malloc(l);
if (!b)
return -ENOMEM;
if (EVP_PKEY_encrypt(ctx, b, &l, decrypted_key, decrypted_key_size) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine encrypted key size");
+ return log_openssl_errors("Failed to determine encrypted key size");
*ret_encrypt_key = TAKE_PTR(b);
*ret_encrypt_key_size = l;
@@ -139,53 +165,53 @@ int rsa_pkey_from_n_e(const void *n, size_t n_size, const void *e, size_t e_size
_cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
if (!ctx)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EVP_PKEY_CTX");
_cleanup_(BN_freep) BIGNUM *bn_n = BN_bin2bn(n, n_size, NULL);
if (!bn_n)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to create BIGNUM for RSA n.");
+ return log_openssl_errors("Failed to create BIGNUM for RSA n");
_cleanup_(BN_freep) BIGNUM *bn_e = BN_bin2bn(e, e_size, NULL);
if (!bn_e)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to create BIGNUM for RSA e.");
+ return log_openssl_errors("Failed to create BIGNUM for RSA e");
#if OPENSSL_VERSION_MAJOR >= 3
if (EVP_PKEY_fromdata_init(ctx) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize EVP_PKEY_CTX.");
+ return log_openssl_errors("Failed to initialize EVP_PKEY_CTX");
_cleanup_(OSSL_PARAM_BLD_freep) OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
if (!bld)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new OSSL_PARAM_BLD");
if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, bn_n))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set RSA OSSL_PKEY_PARAM_RSA_N.");
+ return log_openssl_errors("Failed to set RSA OSSL_PKEY_PARAM_RSA_N");
if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, bn_e))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set RSA OSSL_PKEY_PARAM_RSA_E.");
+ return log_openssl_errors("Failed to set RSA OSSL_PKEY_PARAM_RSA_E");
_cleanup_(OSSL_PARAM_freep) OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
if (!params)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to build RSA OSSL_PARAM.");
+ return log_openssl_errors("Failed to build RSA OSSL_PARAM");
if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to create RSA EVP_PKEY.");
+ return log_openssl_errors("Failed to create RSA EVP_PKEY");
#else
_cleanup_(RSA_freep) RSA *rsa_key = RSA_new();
if (!rsa_key)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new RSA");
if (!RSA_set0_key(rsa_key, bn_n, bn_e, NULL))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set RSA n/e.");
+ return log_openssl_errors("Failed to set RSA n/e");
/* rsa_key owns these now, don't free */
TAKE_PTR(bn_n);
TAKE_PTR(bn_e);
pkey = EVP_PKEY_new();
if (!pkey)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EVP_PKEY");
if (!EVP_PKEY_assign_RSA(pkey, rsa_key))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to assign RSA key.");
+ return log_openssl_errors("Failed to assign RSA key");
/* pkey owns this now, don't free */
TAKE_PTR(rsa_key);
#endif
@@ -212,24 +238,23 @@ int rsa_pkey_to_n_e(
#if OPENSSL_VERSION_MAJOR >= 3
_cleanup_(BN_freep) BIGNUM *bn_n = NULL;
if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &bn_n))
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get RSA n.");
+ return log_openssl_errors("Failed to get RSA n");
_cleanup_(BN_freep) BIGNUM *bn_e = NULL;
if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &bn_e))
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get RSA e.");
+ return log_openssl_errors("Failed to get RSA e");
#else
const RSA *rsa = EVP_PKEY_get0_RSA((EVP_PKEY*) pkey);
if (!rsa)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO),
- "Failed to get RSA key from public key.");
+ return log_openssl_errors("Failed to get RSA key from public key");
const BIGNUM *bn_n = RSA_get0_n(rsa);
if (!bn_n)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get RSA n.");
+ return log_openssl_errors("Failed to get RSA n");
const BIGNUM *bn_e = RSA_get0_e(rsa);
if (!bn_e)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get RSA e.");
+ return log_openssl_errors("Failed to get RSA e");
#endif
size_t n_size = BN_num_bytes(bn_n), e_size = BN_num_bytes(bn_e);
@@ -254,17 +279,17 @@ int rsa_pkey_new(size_t bits, EVP_PKEY **ret) {
_cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
if (!ctx)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EVP_PKEY_CTX");
if (EVP_PKEY_keygen_init(ctx) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize EVP_PKEY_CTX.");
+ return log_openssl_errors("Failed to initialize EVP_PKEY_CTX");
if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, (int) bits) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set RSA bits to %zu.", bits);
+ return log_openssl_errors("Failed to set RSA bits to %zu", bits);
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to generate ECC key.");
+ return log_openssl_errors("Failed to generate ECC key");
*ret = TAKE_PTR(pkey);
@@ -286,70 +311,71 @@ int ecc_pkey_from_curve_x_y(
_cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
if (!ctx)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EVP_PKEY_CTX");
- _cleanup_(BN_freep) BIGNUM *bn_x = BN_bin2bn(x, x_size, NULL), *bn_y = BN_bin2bn(y, y_size, NULL);
- if (!bn_x || !bn_y)
- return log_oom_debug();
+ _cleanup_(BN_freep) BIGNUM *bn_x = BN_bin2bn(x, x_size, NULL);
+ if (!bn_x)
+ return log_openssl_errors("Failed to create BIGNUM x");
+
+ _cleanup_(BN_freep) BIGNUM *bn_y = BN_bin2bn(y, y_size, NULL);
+ if (!bn_y)
+ return log_openssl_errors("Failed to create BIGNUM y");
_cleanup_(EC_GROUP_freep) EC_GROUP *group = EC_GROUP_new_by_curve_name(curve_id);
if (!group)
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "ECC curve id %d not supported.", curve_id);
+ return log_openssl_errors("ECC curve id %d not supported", curve_id);
_cleanup_(EC_POINT_freep) EC_POINT *point = EC_POINT_new(group);
if (!point)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EC_POINT");
if (!EC_POINT_set_affine_coordinates(group, point, bn_x, bn_y, NULL))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set ECC coordinates.");
+ return log_openssl_errors("Failed to set ECC coordinates");
#if OPENSSL_VERSION_MAJOR >= 3
if (EVP_PKEY_fromdata_init(ctx) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
- "Failed to initialize EVP_PKEY_CTX.");
+ return log_openssl_errors("Failed to initialize EVP_PKEY_CTX");
_cleanup_(OSSL_PARAM_BLD_freep) OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
if (!bld)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new OSSL_PARAM_BLD");
if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, (char*) OSSL_EC_curve_nid2name(curve_id), 0))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to add ECC OSSL_PKEY_PARAM_GROUP_NAME.");
+ return log_openssl_errors("Failed to add ECC OSSL_PKEY_PARAM_GROUP_NAME");
_cleanup_(OPENSSL_freep) void *pbuf = NULL;
size_t pbuf_len = 0;
pbuf_len = EC_POINT_point2buf(group, point, POINT_CONVERSION_UNCOMPRESSED, (unsigned char**) &pbuf, NULL);
if (pbuf_len == 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to convert ECC point to buffer.");
+ return log_openssl_errors("Failed to convert ECC point to buffer");
if (!OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, pbuf, pbuf_len))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to add ECC OSSL_PKEY_PARAM_PUB_KEY.");
+ return log_openssl_errors("Failed to add ECC OSSL_PKEY_PARAM_PUB_KEY");
_cleanup_(OSSL_PARAM_freep) OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
if (!params)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to build ECC OSSL_PARAM.");
+ return log_openssl_errors("Failed to build ECC OSSL_PARAM");
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Failed to create ECC EVP_PKEY.");
+ return log_openssl_errors("Failed to create ECC EVP_PKEY");
#else
_cleanup_(EC_KEY_freep) EC_KEY *eckey = EC_KEY_new();
if (!eckey)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EC_KEY");
if (!EC_KEY_set_group(eckey, group))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set ECC group.");
+ return log_openssl_errors("Failed to set ECC group");
if (!EC_KEY_set_public_key(eckey, point))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set ECC point.");
+ return log_openssl_errors("Failed to set ECC point");
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = EVP_PKEY_new();
if (!pkey)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EVP_PKEY");
if (!EVP_PKEY_assign_EC_KEY(pkey, eckey))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to assign ECC key.");
+ return log_openssl_errors("Failed to assign ECC key");
/* pkey owns this now, don't free */
TAKE_PTR(eckey);
#endif
@@ -375,48 +401,48 @@ int ecc_pkey_to_curve_x_y(
#if OPENSSL_VERSION_MAJOR >= 3
size_t name_size;
if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0, &name_size))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get ECC group name size.");
+ return log_openssl_errors("Failed to get ECC group name size");
_cleanup_free_ char *name = new(char, name_size + 1);
if (!name)
return log_oom_debug();
if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, name, name_size + 1, NULL))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get ECC group name.");
+ return log_openssl_errors("Failed to get ECC group name");
curve_id = OBJ_sn2nid(name);
if (curve_id == NID_undef)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get ECC curve id.");
+ return log_openssl_errors("Failed to get ECC curve id");
if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_EC_PUB_X, &bn_x))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get ECC point x.");
+ return log_openssl_errors("Failed to get ECC point x");
if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &bn_y))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get ECC point y.");
+ return log_openssl_errors("Failed to get ECC point y");
#else
const EC_KEY *eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY*) pkey);
if (!eckey)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get EC_KEY.");
+ return log_openssl_errors("Failed to get EC_KEY");
const EC_GROUP *group = EC_KEY_get0_group(eckey);
if (!group)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get EC_GROUP.");
+ return log_openssl_errors("Failed to get EC_GROUP");
curve_id = EC_GROUP_get_curve_name(group);
if (curve_id == NID_undef)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get ECC curve id.");
+ return log_openssl_errors("Failed to get ECC curve id");
const EC_POINT *point = EC_KEY_get0_public_key(eckey);
if (!point)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get EC_POINT.");
+ return log_openssl_errors("Failed to get EC_POINT");
bn_x = BN_new();
bn_y = BN_new();
if (!bn_x || !bn_y)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new BIGNUM");
if (!EC_POINT_get_affine_coordinates(group, point, bn_x, bn_y, NULL))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get ECC x/y.");
+ return log_openssl_errors("Failed to get ECC x/y.");
#endif
size_t x_size = BN_num_bytes(bn_x), y_size = BN_num_bytes(bn_y);
@@ -447,17 +473,17 @@ int ecc_pkey_new(int curve_id, EVP_PKEY **ret) {
_cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
if (!ctx)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EVP_PKEY_CTX");
if (EVP_PKEY_keygen_init(ctx) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize EVP_PKEY_CTX.");
+ return log_openssl_errors("Failed to initialize EVP_PKEY_CTX");
if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, curve_id) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set ECC curve %d.", curve_id);
+ return log_openssl_errors("Failed to set ECC curve %d", curve_id);
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to generate ECC key.");
+ return log_openssl_errors("Failed to generate ECC key");
*ret = TAKE_PTR(pkey);
@@ -480,8 +506,7 @@ int pubkey_fingerprint(EVP_PKEY *pk, const EVP_MD *md, void **ret, size_t *ret_s
sz = i2d_PublicKey(pk, NULL);
if (sz < 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to convert public key to DER format: %s",
- ERR_error_string(ERR_get_error(), NULL));
+ return log_openssl_errors("Unable to convert public key to DER format");
dd = d = malloc(sz);
if (!d)
@@ -489,18 +514,17 @@ int pubkey_fingerprint(EVP_PKEY *pk, const EVP_MD *md, void **ret, size_t *ret_s
lsz = i2d_PublicKey(pk, &dd);
if (lsz < 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to convert public key to DER format: %s",
- ERR_error_string(ERR_get_error(), NULL));
+ return log_openssl_errors("Unable to convert public key to DER format");
m = EVP_MD_CTX_new();
if (!m)
- return log_oom_debug();
+ return log_openssl_errors("Failed to create new EVP_MD_CTX");
if (EVP_DigestInit_ex(m, md, NULL) != 1)
- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize %s context.", EVP_MD_name(md));
+ return log_openssl_errors("Failed to initialize %s context", EVP_MD_name(md));
if (EVP_DigestUpdate(m, d, lsz) != 1)
- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to run %s context.", EVP_MD_name(md));
+ return log_openssl_errors("Failed to run %s context", EVP_MD_name(md));
msz = EVP_MD_size(md);
assert(msz > 0);
@@ -511,7 +535,7 @@ int pubkey_fingerprint(EVP_PKEY *pk, const EVP_MD *md, void **ret, size_t *ret_s
umsz = msz;
if (EVP_DigestFinal_ex(m, h, &umsz) != 1)
- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize hash context.");
+ return log_openssl_errors("Failed to finalize hash context");
assert(umsz == (unsigned) msz);
@@ -560,8 +584,7 @@ int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
dersz = i2d_X509(cert, &der);
if (dersz < 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to convert PEM certificate to DER format: %s",
- ERR_error_string(ERR_get_error(), NULL));
+ return log_openssl_errors("Unable to convert PEM certificate to DER format");
sha256_direct(der, dersz, buffer);
return 0;
diff --git a/src/test/test-openssl.c b/src/test/test-openssl.c
index 7672c8959d..c46ecdcda8 100644
--- a/src/test/test-openssl.c
+++ b/src/test/test-openssl.c
@@ -94,4 +94,12 @@ TEST(ecc_pkey_curve_x_y) {
assert_se(memcmp_nn(y, y_len, y2, y2_size) == 0);
}
+TEST(invalid) {
+ _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
+
+ DEFINE_HEX_PTR(key, "2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d466b7b");
+ assert_se(openssl_pkey_from_pem(key, key_len, &pkey) == -EIO);
+ assert_se(pkey == NULL);
+}
+
DEFINE_TEST_MAIN(LOG_DEBUG);