diff options
| author | Jon Spillett <jon.spillett@oracle.com> | 2021-02-17 17:56:36 +1000 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2021-04-30 09:15:50 +1000 |
| commit | b536880c45722777df5ebe62897a6efcef757945 (patch) | |
| tree | 015ad29f74586e3407079864fa686ffcde658fad /crypto/evp/p5_crpt2.c | |
| parent | d77ba503a2cf1c83098baca345327761b991d191 (diff) | |
Add library context and property query support into the PKCS12 API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
Diffstat (limited to 'crypto/evp/p5_crpt2.c')
| -rw-r--r-- | crypto/evp/p5_crpt2.c | 68 |
1 files changed, 49 insertions, 19 deletions
diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index b8edf4b5a8..e7a2b51091 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -21,8 +21,7 @@ int ossl_pkcs5_pbkdf2_hmac_ex(const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, - const EVP_MD *digest, int keylen, - unsigned char *out, + const EVP_MD *digest, int keylen, unsigned char *out, OSSL_LIB_CTX *libctx, const char *propq) { const char *empty = ""; @@ -108,13 +107,16 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, * them... */ -int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, - ASN1_TYPE *param, const EVP_CIPHER *c, - const EVP_MD *md, int en_de) +int PKCS5_v2_PBE_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, + ASN1_TYPE *param, const EVP_CIPHER *c, + const EVP_MD *md, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { PBE2PARAM *pbe2 = NULL; - const EVP_CIPHER *cipher; - EVP_PBE_KEYGEN *kdf; + char ciph_name[80]; + const EVP_CIPHER *cipher = NULL; + EVP_CIPHER *cipher_fetch = NULL; + EVP_PBE_KEYGEN_EX *kdf; int rv = 0; @@ -125,8 +127,8 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, } /* See if we recognise the key derivation function */ - if (!EVP_PBE_find(EVP_PBE_TYPE_KDF, OBJ_obj2nid(pbe2->keyfunc->algorithm), - NULL, NULL, &kdf)) { + if (!EVP_PBE_find_ex(EVP_PBE_TYPE_KDF, OBJ_obj2nid(pbe2->keyfunc->algorithm), + NULL, NULL, NULL, &kdf)) { ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION); goto err; } @@ -134,10 +136,17 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, /* * lets see if we recognise the encryption algorithm. */ + if (OBJ_obj2txt(ciph_name, sizeof(ciph_name), pbe2->encryption->algorithm, 0) <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_CIPHER); + goto err; + } - cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm); + cipher = cipher_fetch = EVP_CIPHER_fetch(libctx, ciph_name, propq); + /* Fallback to legacy method */ + if (cipher == NULL) + cipher = EVP_get_cipherbyname(ciph_name); - if (!cipher) { + if (cipher == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_CIPHER); goto err; } @@ -149,15 +158,24 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ERR_raise(ERR_LIB_EVP, EVP_R_CIPHER_PARAMETER_ERROR); goto err; } - rv = kdf(ctx, pass, passlen, pbe2->keyfunc->parameter, NULL, NULL, en_de); + rv = kdf(ctx, pass, passlen, pbe2->keyfunc->parameter, NULL, NULL, en_de, libctx, propq); err: + EVP_CIPHER_free(cipher_fetch); PBE2PARAM_free(pbe2); return rv; } -int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, - int passlen, ASN1_TYPE *param, - const EVP_CIPHER *c, const EVP_MD *md, int en_de) +int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, + ASN1_TYPE *param, const EVP_CIPHER *c, + const EVP_MD *md, int en_de) +{ + return PKCS5_v2_PBE_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de, NULL, NULL); +} + +int PKCS5_v2_PBKDF2_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { unsigned char *salt, key[EVP_MAX_KEY_LENGTH]; int saltlen, iter, t; @@ -165,7 +183,8 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, unsigned int keylen = 0; int prf_nid, hmac_md_nid; PBKDF2PARAM *kdf = NULL; - const EVP_MD *prfmd; + const EVP_MD *prfmd = NULL; + EVP_MD *prfmd_fetch = NULL; if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET); @@ -207,7 +226,9 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, goto err; } - prfmd = EVP_get_digestbynid(hmac_md_nid); + prfmd = prfmd_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(hmac_md_nid), propq); + if (prfmd == NULL) + prfmd = EVP_get_digestbynid(hmac_md_nid); if (prfmd == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_PRF); goto err; @@ -222,12 +243,21 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, salt = kdf->salt->value.octet_string->data; saltlen = kdf->salt->value.octet_string->length; iter = ASN1_INTEGER_get(kdf->iter); - if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd, - keylen, key)) + if (!ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter, prfmd, + keylen, key, libctx, propq)) goto err; rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de); err: OPENSSL_cleanse(key, keylen); PBKDF2PARAM_free(kdf); + EVP_MD_free(prfmd_fetch); return rv; } + +int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, int en_de) +{ + return PKCS5_v2_PBKDF2_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de, + NULL, NULL); +} |