diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-05-13 11:58:52 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-21 09:04:11 +0200 |
| commit | 97e00da90282dddfc572c84d8468d85ab1925fba (patch) | |
| tree | 5ae138865d0e50f05db09df16285bb603fce87da /crypto | |
| parent | 1a7cd250ad55a3c9d684a7259c20ea8075c2b08b (diff) | |
Add OPENSSL_CTX parameter to OSSL_CRMF_pbmp_new() and improve its doc
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808)
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/cmp/cmp_local.h | 4 | ||||
| -rw-r--r-- | crypto/cmp/cmp_protect.c | 4 | ||||
| -rw-r--r-- | crypto/crmf/crmf_pbm.c | 15 |
3 files changed, 14 insertions, 9 deletions
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 95c4781b6f..90d043c71c 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -75,9 +75,9 @@ struct ossl_cmp_ctx_st { ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */ ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */ /* PBMParameters for MSG_MAC_ALG */ - size_t pbm_slen; /* currently fixed to 16 */ + size_t pbm_slen; /* salt length, currently fixed to 16 */ int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */ - int pbm_itercnt; /* currently fixed to 500 */ + int pbm_itercnt; /* OWF iteration count, currently fixed to 500 */ int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */ /* CMP message header and extra certificates */ diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c index 0f70c29953..7c3d5bf730 100644 --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -195,8 +195,8 @@ static X509_ALGOR *create_pbmac_algor(OSSL_CMP_CTX *ctx) return NULL; alg = X509_ALGOR_new(); - pbm = OSSL_CRMF_pbmp_new(ctx->pbm_slen, ctx->pbm_owf, ctx->pbm_itercnt, - ctx->pbm_mac); + pbm = OSSL_CRMF_pbmp_new(ctx->libctx, ctx->pbm_slen, + ctx->pbm_owf, ctx->pbm_itercnt, ctx->pbm_mac); pbm_str = ASN1_STRING_new(); if (alg == NULL || pbm == NULL || pbm_str == NULL) goto err; diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c index f674eeeff7..77ef6e0a37 100644 --- a/crypto/crmf/crmf_pbm.c +++ b/crypto/crmf/crmf_pbm.c @@ -29,14 +29,15 @@ /*- * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4) - * |slen| SHOULD be > 8 (16 is common) + * |slen| SHOULD be at least 8 (16 is common) * |owfnid| e.g., NID_sha256 - * |itercnt| MUST be > 100 (500 is common) + * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT * |macnid| e.g., NID_hmac_sha1 * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error */ -OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid, - int itercnt, int macnid) +OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OPENSSL_CTX *libctx, size_t slen, + int owfnid, size_t itercnt, + int macnid) { OSSL_CRMF_PBMPARAMETER *pbm = NULL; unsigned char *salt = NULL; @@ -51,7 +52,7 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid, */ if ((salt = OPENSSL_malloc(slen)) == NULL) goto err; - if (RAND_bytes(salt, (int)slen) <= 0) { + if (RAND_bytes_ex(libctx, salt, (int)slen) <= 0) { CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM); goto err; } @@ -82,6 +83,10 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid, CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100); goto err; } + if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) { + CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT); + goto err; + } if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) { CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR); |