OpenSSL: Fix recognition of repeated 'wrong passphrase' errors
author David Woodhouse <David.Woodhouse@intel.com>
Fri, 15 Jun 2012 13:26:26 +0000 (14:26 +0100)
committer David Woodhouse <David.Woodhouse@intel.com>
Fri, 15 Jun 2012 13:29:03 +0000 (14:29 +0100)
Without it, we were getting the wrong error if the passphrase was wrong
a second time, and not correctly staying in the retry loop:

Enter PEM pass phrase:
140379913099200:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:536:
Loading private key failed (wrong passphrase?)
Enter PEM pass phrase:
140379913099200:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
Loading private key failed (see above errors)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
openssl.c
www/changelog.xml

index efd342c..a03b20e 100644 (file)
--- a/openssl.c
+++ b/openssl.c
@@ -647,6 +647,7 @@ static int is_pem_password_error(struct openconnect_info *vpninfo)
            ERR_GET_REASON(err) == EVP_R_BAD_DECRYPT) {
                vpn_progress(vpninfo, PRG_ERR,
                             _("Loading private key failed (wrong passphrase?)\n"));
+               ERR_clear_error();
                return 1;
        }
 
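Review bot: The added ERR_clear_error() in the EVP_R_BAD_DECRYPT branch of is_pem_password_error() carries no comment, and the reason for it is only recoverable from the commit message (a second wrong passphrase was otherwise reported with a different error and fell out of the retry loop). Please add a one-line comment above the call saying that the error queue must be emptied before the caller retries, so the next attempt's check sees only that attempt's errors. Also worth stating there: ERR_clear_error() empties the whole error queue for the thread, so anything queued besides the bad-decrypt entry is discarded after only the generic "wrong passphrase?" message has been shown. That is reasonable on this path, but it should be a deliberate choice rather than a side effect.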
index 0a0d1e2..e1e7550 100644 (file)
@@ -17,6 +17,7 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
+       <li>Fix repeated passphrase retry for OpenSSL.</li>
        <li>Add keystore support for Android.</li>
        <li>Support TPM, and also additional checks on PKCS#11 certs, even with GnuTLS 2.12.</li>
        <li>Fix library references to OpenSSL's <tt>ERR_print_errors_cb()</tt> when built against GnuTLS v2.12.</li>