diff options
author | Johannes Bauer <joe@johannes-bauer.com> | 2017-07-26 21:49:36 +0200 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2017-08-03 01:07:52 +0100 |
commit | f55129c73920a060e813c883d864222482e067c8 (patch) | |
tree | f140821abd6f4c9c32c3f0cb090ec1e521f9c801 /crypto/kdf | |
parent | a24a5b8cc4103ddd69f21c91c7d7372abc270157 (diff) |
Changed use of EVP_PKEY_CTX_md() and more specific error codes
Changed HKDF to use EVP_PKEY_CTX_md() (review comment of @snhenson) and
introduced more specific error codes (not only indicating *that* some
parameter is missing, but actually *which* one it is).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3989)
Diffstat (limited to 'crypto/kdf')
-rw-r--r-- | crypto/kdf/hkdf.c | 19 | ||||
-rw-r--r-- | crypto/kdf/kdf_err.c | 4 | ||||
-rw-r--r-- | crypto/kdf/tls1_prf.c | 8 |
3 files changed, 19 insertions, 12 deletions
diff --git a/crypto/kdf/hkdf.c b/crypto/kdf/hkdf.c index 8ffc8a3899..25a173826e 100644 --- a/crypto/kdf/hkdf.c +++ b/crypto/kdf/hkdf.c @@ -148,14 +148,9 @@ static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, return EVP_PKEY_CTX_hkdf_mode(ctx, mode); } - if (strcmp(type, "md") == 0) { - const EVP_MD *md = EVP_get_digestbyname(value); - if (!md) { - KDFerr(KDF_F_PKEY_HKDF_CTRL_STR, KDF_R_INVALID_DIGEST); - return 0; - } - return EVP_PKEY_CTX_set_hkdf_md(ctx, md); - } + if (strcmp(type, "md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_MD, value); if (strcmp(type, "salt") == 0) return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value); @@ -184,8 +179,12 @@ static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, { HKDF_PKEY_CTX *kctx = ctx->data; - if (kctx->md == NULL || kctx->key == NULL) { - KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_PARAMETER); + if (kctx->md == NULL) { + KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } + if (kctx->key == NULL) { + KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_KEY); return 0; } diff --git a/crypto/kdf/kdf_err.c b/crypto/kdf/kdf_err.c index f5d0f7eaf6..3b185c8ee5 100644 --- a/crypto/kdf/kdf_err.c +++ b/crypto/kdf/kdf_err.c @@ -25,7 +25,11 @@ static const ERR_STRING_DATA KDF_str_functs[] = { static const ERR_STRING_DATA KDF_str_reasons[] = { {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_MESSAGE_DIGEST), + "missing message digest"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_PARAMETER), "missing parameter"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SEED), "missing seed"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_UNKNOWN_PARAMETER_TYPE), "unknown parameter type"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"}, diff --git a/crypto/kdf/tls1_prf.c b/crypto/kdf/tls1_prf.c index 1673b577ad..f5e1063461 100644 --- a/crypto/kdf/tls1_prf.c +++ b/crypto/kdf/tls1_prf.c @@ -124,8 +124,12 @@ static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) { TLS1_PRF_PKEY_CTX *kctx = ctx->data; - if (kctx->md == NULL || kctx->sec == NULL || kctx->seedlen == 0) { - KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_PARAMETER); + if (kctx->md == NULL) { + KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } + if (kctx->sec == NULL || kctx->seedlen == 0) { + KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); return 0; } return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen, |