diff options
| author | Jon Spillett <jon.spillett@oracle.com> | 2021-02-17 17:56:36 +1000 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2021-04-30 09:15:50 +1000 |
| commit | b536880c45722777df5ebe62897a6efcef757945 (patch) | |
| tree | 015ad29f74586e3407079864fa686ffcde658fad | |
| parent | d77ba503a2cf1c83098baca345327761b991d191 (diff) | |
Add library context and property query support into the PKCS12 API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
50 files changed, 2305 insertions, 341 deletions
diff --git a/CHANGES.md b/CHANGES.md index 1097c8c749..1f6c72a1a0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -46,6 +46,27 @@ OpenSSL 3.0 *Shane Lontis* + * Added enhanced PKCS#12 APIs which accept a library context `OSSL_LIB_CTX` + and (where relevant) a property query. Other APIs which handle PKCS#7 and + PKCS#8 objects have also been enhanced where required. This includes: + + PKCS12_add_key_ex(), PKCS12_add_safe_ex(), PKCS12_add_safes_ex(), + PKCS12_create_ex(), PKCS12_decrypt_skey_ex(), PKCS12_init_ex(), + PKCS12_item_decrypt_d2i_ex(), PKCS12_item_i2d_encrypt_ex(), + PKCS12_key_gen_asc_ex(), PKCS12_key_gen_uni_ex(), PKCS12_key_gen_utf8_ex(), + PKCS12_pack_p7encdata_ex(), PKCS12_pbe_crypt_ex(), PKCS12_PBE_keyivgen_ex(), + PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(), PKCS5_pbe2_set_iv_ex(), + PKCS5_pbe_set0_algor_ex(), PKCS5_pbe_set_ex(), PKCS5_pbkdf2_set_ex(), + PKCS5_v2_PBE_keyivgen_ex(), PKCS5_v2_scrypt_keyivgen_ex(), + PKCS8_decrypt_ex(), PKCS8_encrypt_ex(), PKCS8_set0_pbe_ex(). + + As part of this change the EVP_PBE_xxx APIs can also accept a library + context and property query and will call an extended version of the key/IV + derivation function which supports these parameters. This includes + EVP_PBE_CipherInit_ex(), EVP_PBE_find_ex() and EVP_PBE_scrypt_ex(). + + *Jon Spillett* + * The default manual page suffix ($MANSUFFIX) has been changed to "ossl" *Matt Caswell* diff --git a/apps/build.info b/apps/build.info index aa91ebbb95..cba9803c65 100644 --- a/apps/build.info +++ b/apps/build.info @@ -18,10 +18,7 @@ $OPENSSLSRC=\ pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \ s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \ spkac.c verify.c version.c x509.c rehash.c storeutl.c \ - list.c info.c fipsinstall.c -IF[{- !$disabled{'des'} -}] - $OPENSSLSRC=$OPENSSLSRC pkcs12.c -ENDIF + list.c info.c fipsinstall.c pkcs12.c IF[{- !$disabled{'ec'} -}] $OPENSSLSRC=$OPENSSLSRC ec.c ecparam.c ENDIF diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 306bcda7b4..c5a8fcdeda 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -58,13 +58,19 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS, OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER, - OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, +#ifndef OPENSSL_NO_DES + OPT_DESCERT, +#endif + OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, OPT_INKEY, OPT_CERTFILE, OPT_UNTRUSTED, OPT_PASSCERTS, OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, - OPT_R_ENUM, OPT_PROV_ENUM, OPT_LEGACY_ALG + OPT_R_ENUM, OPT_PROV_ENUM, +#ifndef OPENSSL_NO_DES + OPT_LEGACY_ALG +#endif } OPTION_CHOICE; const OPTIONS pkcs12_options[] = { @@ -79,13 +85,15 @@ const OPTIONS pkcs12_options[] = { {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"}, {"noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input"}, +#ifndef OPENSSL_NO_DES {"legacy", OPT_LEGACY_ALG, '-', -#ifdef OPENSSL_NO_RC2 +# ifdef OPENSSL_NO_RC2 "Use legacy encryption algorithm 3DES_CBC for keys and certs" -#else +# else "Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs" -#endif +# endif }, +#endif #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif @@ -130,8 +138,10 @@ const OPTIONS pkcs12_options[] = { {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"}, {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"}, +#ifndef OPENSSL_NO_DES {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"}, +#endif {"macalg", OPT_MACALG, 's', "Digest algorithm to use in MAC (default SHA1)"}, {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"}, @@ -149,7 +159,10 @@ int pkcs12_main(int argc, char **argv) char *passcertsarg = NULL, *passcerts = NULL; char *name = NULL, *csp_name = NULL; char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; - int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0, use_legacy = 0; + int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0; +#ifndef OPENSSL_NO_DES + int use_legacy = 0; +#endif /* use library defaults for the iter, maciter, cert, and key PBE */ int iter = 0, maciter = 0; int cert_pbe = NID_undef; @@ -214,9 +227,11 @@ int pkcs12_main(int argc, char **argv) case OPT_NOMACVER: macver = 0; break; +#ifndef OPENSSL_NO_DES case OPT_DESCERT: cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; break; +#endif case OPT_EXPORT: export_pkcs12 = 1; break; @@ -328,9 +343,11 @@ int pkcs12_main(int argc, char **argv) case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; +#ifndef OPENSSL_NO_DES case OPT_LEGACY_ALG: use_legacy = 1; break; +#endif case OPT_PROV_CASES: if (!opt_provider(o)) goto end; @@ -410,6 +427,7 @@ int pkcs12_main(int argc, char **argv) if (cert_pbe == -1 && maciter == -1) WARN_NO_EXPORT("nomac"); } +#ifndef OPENSSL_NO_DES if (use_legacy) { /* load the legacy provider if not loaded already*/ if (!OSSL_PROVIDER_available(app_get0_libctx(), "legacy")) { @@ -421,11 +439,11 @@ int pkcs12_main(int argc, char **argv) } if (cert_pbe == NID_undef) { /* Adapt default algorithm */ -#ifndef OPENSSL_NO_RC2 +# ifndef OPENSSL_NO_RC2 cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; -#else +# else cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; -#endif +# endif } if (key_pbe == NID_undef) @@ -435,7 +453,7 @@ int pkcs12_main(int argc, char **argv) if (macalg == NULL) macalg = "sha1"; } - +#endif private = 1; @@ -643,8 +661,9 @@ int pkcs12_main(int argc, char **argv) if (!twopass) OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); - p12 = PKCS12_create(cpass, name, key, ee_cert, certs, - key_pbe, cert_pbe, iter, -1, keytype); + p12 = PKCS12_create_ex(cpass, name, key, ee_cert, certs, + key_pbe, cert_pbe, iter, -1, keytype, + app_get0_libctx(), app_get0_propq()); if (p12 == NULL) { BIO_printf(bio_err, "Error creating PKCS12 structure for %s\n", @@ -694,7 +713,12 @@ int pkcs12_main(int argc, char **argv) if (out == NULL) goto end; - if ((p12 = d2i_PKCS12_bio(in, NULL)) == NULL) { + p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq()); + if (p12 == NULL) { + ERR_print_errors(bio_err); + goto end; + } + if ((p12 = d2i_PKCS12_bio(in, &p12)) == NULL) { ERR_print_errors(bio_err); goto end; } diff --git a/apps/progs.pl b/apps/progs.pl index a03b83139c..74461f5b3f 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -98,7 +98,6 @@ EOF gendh => "dh", dhparam => "dh", ecparam => "ec", - pkcs12 => "des", ); my %cmd_deprecated = ( # The format of this table is: diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c index 43cb054d9f..61b8587ebd 100644 --- a/crypto/asn1/p5_pbe.c +++ b/crypto/asn1/p5_pbe.c @@ -24,8 +24,9 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM) /* Set an algorithm identifier for a PKCS#5 PBE algorithm */ -int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, - const unsigned char *salt, int saltlen) +int PKCS5_pbe_set0_algor_ex(X509_ALGOR *algor, int alg, int iter, + const unsigned char *salt, int saltlen, + OSSL_LIB_CTX *ctx) { PBEPARAM *pbe = NULL; ASN1_STRING *pbe_str = NULL; @@ -54,7 +55,7 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, } if (salt) memcpy(sstr, salt, saltlen); - else if (RAND_bytes(sstr, saltlen) <= 0) + else if (RAND_bytes_ex(ctx, sstr, saltlen) <= 0) goto err; ASN1_STRING_set0(pbe->salt, sstr, saltlen); @@ -78,10 +79,17 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, return 0; } +int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, + const unsigned char *salt, int saltlen) +{ + return PKCS5_pbe_set0_algor_ex(algor, alg, iter, salt, saltlen, NULL); +} + /* Return an algorithm identifier for a PKCS#5 PBE algorithm */ -X509_ALGOR *PKCS5_pbe_set(int alg, int iter, - const unsigned char *salt, int saltlen) +X509_ALGOR *PKCS5_pbe_set_ex(int alg, int iter, + const unsigned char *salt, int saltlen, + OSSL_LIB_CTX *ctx) { X509_ALGOR *ret; ret = X509_ALGOR_new(); @@ -90,9 +98,16 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, return NULL; } - if (PKCS5_pbe_set0_algor(ret, alg, iter, salt, saltlen)) + if (PKCS5_pbe_set0_algor_ex(ret, alg, iter, salt, saltlen, ctx)) return ret; X509_ALGOR_free(ret); return NULL; } + +X509_ALGOR *PKCS5_pbe_set(int alg, int iter, + const unsigned char *salt, int saltlen) +{ + return PKCS5_pbe_set_ex(alg, iter, salt, saltlen, NULL); +} + diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index f5878de323..da227b96e2 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -10,6 +10,8 @@ #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/asn1t.h> +#include <openssl/core.h> +#include <openssl/core_names.h> #include <openssl/x509.h> #include <openssl/rand.h> @@ -37,9 +39,10 @@ IMPLEMENT_ASN1_FUNCTIONS(PBKDF2PARAM) * and IV. */ -X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, - unsigned char *salt, int saltlen, - unsigned char *aiv, int prf_nid) +X509_ALGOR *PKCS5_pbe2_set_iv_ex(const EVP_CIPHER *cipher, int iter, + unsigned char *salt, int saltlen, + unsigned char *aiv, int prf_nid, + OSSL_LIB_CTX *libctx) { X509_ALGOR *scheme = NULL, *ret = NULL; int alg_nid, keylen; @@ -66,7 +69,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); - else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) + else if (RAND_bytes_ex(libctx, iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } @@ -104,7 +107,8 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, X509_ALGOR_free(pbe2->keyfunc); - pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen); + pbe2->keyfunc = PKCS5_pbkdf2_set_ex(iter, salt, saltlen, prf_nid, keylen, + libctx); if (pbe2->keyfunc == NULL) goto merr; @@ -139,14 +143,25 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, return NULL; } +X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, + unsigned char *salt, int saltlen, + unsigned char *aiv, int prf_nid) +{ + return PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, aiv, prf_nid, + NULL); +} + X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt, int saltlen) { - return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1); + return PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, -1, + NULL); } -X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, - int prf_nid, int keylen) + +X509_ALGOR *PKCS5_pbkdf2_set_ex(int iter, unsigned char *salt, int saltlen, + int prf_nid, int keylen, + OSSL_LIB_CTX *libctx) { X509_ALGOR *keyfunc = NULL; PBKDF2PARAM *kdf = NULL; @@ -171,7 +186,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, if (salt) memcpy(osalt->data, salt, saltlen); - else if (RAND_bytes(osalt->data, saltlen) <= 0) + else if (RAND_bytes_ex(libctx, osalt->data, saltlen) <= 0) goto merr; if (iter <= 0) @@ -220,3 +235,10 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, X509_ALGOR_free(keyfunc); return NULL; } + +X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, + int prf_nid, int keylen) +{ + return PKCS5_pbkdf2_set_ex(iter, salt, saltlen, prf_nid, keylen, NULL); +} + diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 57c0a5ece9..e5a1ed59bc 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -10,10 +10,12 @@ #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/asn1t.h> +#include <openssl/core_names.h> #include <openssl/err.h> #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/rand.h> +#include "crypto/evp.h" #ifndef OPENSSL_NO_SCRYPT /* PKCS#5 scrypt password based encryption structures */ @@ -206,9 +208,10 @@ static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen, return NULL; } -int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, - int passlen, ASN1_TYPE *param, - const EVP_CIPHER *c, const EVP_MD *md, int en_de) +int PKCS5_v2_scrypt_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { unsigned char *salt, key[EVP_MAX_KEY_LENGTH]; uint64_t p, r, N; @@ -252,7 +255,8 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, if (ASN1_INTEGER_get_uint64(&N, sparam->costParameter) == 0 || ASN1_INTEGER_get_uint64(&r, sparam->blockSize) == 0 || ASN1_INTEGER_get_uint64(&p, sparam->parallelizationParameter) == 0 - || EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) { + || EVP_PBE_scrypt_ex(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0, + libctx, propq) == 0) { ERR_raise(ERR_LIB_EVP, EVP_R_ILLEGAL_SCRYPT_PARAMETERS); goto err; } @@ -261,8 +265,8 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, salt = sparam->salt->data; saltlen = sparam->salt->length; - if (EVP_PBE_scrypt(pass, passlen, salt, saltlen, N, r, p, 0, key, keylen) - == 0) + if (EVP_PBE_scrypt_ex(pass, passlen, salt, saltlen, N, r, p, 0, key, + keylen, libctx, propq) == 0) goto err; rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de); err: @@ -271,4 +275,12 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, SCRYPT_PARAMS_free(sparam); return rv; } + +int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, int en_de) +{ + return PKCS5_v2_scrypt_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de, NULL, NULL); +} + #endif /* OPENSSL_NO_SCRYPT */ diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h index 82c5641842..1490f0df4f 100644 --- a/crypto/evp/evp_local.h +++ b/crypto/evp/evp_local.h @@ -217,6 +217,10 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de); +int PKCS5_v2_PBKDF2_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, + int en_de, OSSL_LIB_CTX *libctx, const char *propq); struct evp_Encode_Ctx_st { /* number saved in a partial encode/decode */ diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index d9d51e0d78..193920724d 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -10,6 +10,8 @@ #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/evp.h> +#include <openssl/core.h> +#include <openssl/core_names.h> #include <openssl/pkcs12.h> #include <openssl/x509.h> #include "crypto/evp.h" @@ -25,41 +27,42 @@ struct evp_pbe_st { int cipher_nid; int md_nid; EVP_PBE_KEYGEN *keygen; + EVP_PBE_KEYGEN_EX *keygen_ex; }; static STACK_OF(EVP_PBE_CTL) *pbe_algs; static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndDES_CBC, - NID_des_cbc, NID_md2, PKCS5_PBE_keyivgen}, + NID_des_cbc, NID_md2, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndDES_CBC, - NID_des_cbc, NID_md5, PKCS5_PBE_keyivgen}, + NID_des_cbc, NID_md5, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC, - NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen}, + NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC4, - NID_rc4, NID_sha1, PKCS12_PBE_keyivgen}, + NID_rc4, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC4, - NID_rc4_40, NID_sha1, PKCS12_PBE_keyivgen}, + NID_rc4_40, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - NID_des_ede3_cbc, NID_sha1, PKCS12_PBE_keyivgen}, + NID_des_ede3_cbc, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And2_Key_TripleDES_CBC, - NID_des_ede_cbc, NID_sha1, PKCS12_PBE_keyivgen}, + NID_des_ede_cbc, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC2_CBC, - NID_rc2_cbc, NID_sha1, PKCS12_PBE_keyivgen}, + NID_rc2_cbc, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC2_CBC, - NID_rc2_40_cbc, NID_sha1, PKCS12_PBE_keyivgen}, + NID_rc2_40_cbc, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, - {EVP_PBE_TYPE_OUTER, NID_pbes2, -1, -1, PKCS5_v2_PBE_keyivgen}, + {EVP_PBE_TYPE_OUTER, NID_pbes2, -1, -1, PKCS5_v2_PBE_keyivgen, &PKCS5_v2_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndRC2_CBC, - NID_rc2_64_cbc, NID_md2, PKCS5_PBE_keyivgen}, + NID_rc2_64_cbc, NID_md2, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndRC2_CBC, - NID_rc2_64_cbc, NID_md5, PKCS5_PBE_keyivgen}, + NID_rc2_64_cbc, NID_md5, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndDES_CBC, - NID_des_cbc, NID_sha1, PKCS5_PBE_keyivgen}, + NID_des_cbc, NID_sha1, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA1, -1, NID_sha1, 0}, {EVP_PBE_TYPE_PRF, NID_hmac_md5, -1, NID_md5, 0}, @@ -76,22 +79,27 @@ static const EVP_PBE_CTL builtin_pbe[] = { NID_id_GostR3411_2012_512, 0}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512_224, -1, NID_sha512_224, 0}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512_256, -1, NID_sha512_256, 0}, - {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen}, + {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen, &PKCS5_v2_PBKDF2_keyivgen_ex}, #ifndef OPENSSL_NO_SCRYPT - {EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen} + {EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen, &PKCS5_v2_scrypt_keyivgen_ex} #endif }; -int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, - ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de) + +int EVP_PBE_CipherInit_ex(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, + ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { - const EVP_CIPHER *cipher; - const EVP_MD *md; - int cipher_nid, md_nid; + const EVP_CIPHER *cipher = NULL; + EVP_CIPHER *cipher_fetch = NULL; + const EVP_MD *md = NULL; + EVP_MD *md_fetch = NULL; + int ret = 0, cipher_nid, md_nid; + EVP_PBE_KEYGEN_EX *keygen_ex; EVP_PBE_KEYGEN *keygen; - if (!EVP_PBE_find(EVP_PBE_TYPE_OUTER, OBJ_obj2nid(pbe_obj), - &cipher_nid, &md_nid, &keygen)) { + if (!EVP_PBE_find_ex(EVP_PBE_TYPE_OUTER, OBJ_obj2nid(pbe_obj), + &cipher_nid, &md_nid, &keygen, &keygen_ex)) { char obj_tmp[80]; if (pbe_obj == NULL) @@ -100,7 +108,7 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, i2t_ASN1_OBJECT(obj_tmp, sizeof(obj_tmp), pbe_obj); ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_PBE_ALGORITHM, "TYPE=%s", obj_tmp); - return 0; + goto err; } |