diff options
| author | Jon Spillett <jon.spillett@oracle.com> | 2021-05-06 15:25:29 +1000 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2021-05-24 15:21:25 +1000 |
| commit | 8bb6fdfc9971557f3aaa4e5dfc4cab0e5e9220a6 (patch) | |
| tree | 7151ffe947ac709db23b80952bca3a97f4722d7d /crypto | |
| parent | 0f183675b8ea2490ca5e0b4e66baa27a3e6478ba (diff) | |
Added PKCS5_PBE_keyivgen_ex() to allow PBKDF1 algorithms to be fetched for a specific library context
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14326)
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/evp/evp_pbe.c | 12 | ||||
| -rw-r--r-- | crypto/evp/p5_crpt.c | 45 |
2 files changed, 36 insertions, 21 deletions
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index 7c73cfc501..6347a0635f 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -34,11 +34,11 @@ static STACK_OF(EVP_PBE_CTL) *pbe_algs; static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndDES_CBC, - NID_des_cbc, NID_md2, PKCS5_PBE_keyivgen, NULL}, + NID_des_cbc, NID_md2, PKCS5_PBE_keyivgen, PKCS5_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndDES_CBC, - NID_des_cbc, NID_md5, PKCS5_PBE_keyivgen, NULL}, + NID_des_cbc, NID_md5, PKCS5_PBE_keyivgen, PKCS5_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC, - NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen, NULL}, + NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen, PKCS5_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen}, @@ -58,11 +58,11 @@ static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_OUTER, NID_pbes2, -1, -1, PKCS5_v2_PBE_keyivgen, &PKCS5_v2_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndRC2_CBC, - NID_rc2_64_cbc, NID_md2, PKCS5_PBE_keyivgen, NULL}, + NID_rc2_64_cbc, NID_md2, PKCS5_PBE_keyivgen, PKCS5_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndRC2_CBC, - NID_rc2_64_cbc, NID_md5, PKCS5_PBE_keyivgen, NULL}, + NID_rc2_64_cbc, NID_md5, PKCS5_PBE_keyivgen, PKCS5_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndDES_CBC, - NID_des_cbc, NID_sha1, PKCS5_PBE_keyivgen, NULL}, + NID_des_cbc, NID_sha1, PKCS5_PBE_keyivgen, PKCS5_PBE_keyivgen_ex}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA1, -1, NID_sha1, 0}, {EVP_PBE_TYPE_PRF, NID_hmac_md5, -1, NID_md5, 0}, diff --git a/crypto/evp/p5_crpt.c b/crypto/evp/p5_crpt.c index 59d1a23ad6..abf153cb43 100644 --- a/crypto/evp/p5_crpt.c +++ b/crypto/evp/p5_crpt.c @@ -15,9 +15,6 @@ #include <openssl/core_names.h> #include <openssl/kdf.h> -#define PKCS5_PBES1_OUTPUT_LENGTH 16 -#define PKCS5_PBES1_KEY_IV_LENGTH 8 - /* * Doesn't do anything now: Builtin PBE algorithms in static table. */ @@ -26,15 +23,18 @@ void PKCS5_PBE_add(void) { } -int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, - ASN1_TYPE *param, const EVP_CIPHER *cipher, - const EVP_MD *md, int en_de) +int PKCS5_PBE_keyivgen_ex(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, + ASN1_TYPE *param, const EVP_CIPHER *cipher, + const EVP_MD *md, int en_de, OSSL_LIB_CTX *libctx, + const char *propq) { - unsigned char out[PKCS5_PBES1_OUTPUT_LENGTH]; + unsigned char md_tmp[EVP_MAX_MD_SIZE]; + unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; int ivl, kl; PBEPARAM *pbe = NULL; int saltlen, iter; unsigned char *salt; + int mdsize; int rv = 0; EVP_KDF *kdf; EVP_KDF_CTX *kctx = NULL; @@ -55,12 +55,12 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, } ivl = EVP_CIPHER_iv_length(cipher); - if (ivl != PKCS5_PBES1_KEY_IV_LENGTH) { + if (ivl < 0 || ivl > 16) { ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH); goto err; } kl = EVP_CIPHER_key_length(cipher); - if (kl != PKCS5_PBES1_KEY_IV_LENGTH) { + if (kl < 0 || kl > (int)sizeof(md_tmp)) { ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); goto err; } @@ -77,7 +77,11 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, else if (passlen == -1) passlen = strlen(pass); - kdf = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF1, NULL); + mdsize = EVP_MD_size(md); + if (mdsize < 0) + goto err; + + kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF1, propq); kctx = EVP_KDF_CTX_new(kdf); EVP_KDF_free(kdf); if (kctx == NULL) @@ -90,16 +94,27 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, (char *)mdname, 0); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_derive(kctx, out, PKCS5_PBES1_OUTPUT_LENGTH, params) != 1) + if (EVP_KDF_derive(kctx, md_tmp, mdsize, params) != 1) goto err; - - if (!EVP_CipherInit_ex(cctx, cipher, NULL, out, - out + PKCS5_PBES1_KEY_IV_LENGTH, en_de)) + memcpy(key, md_tmp, kl); + memcpy(iv, md_tmp + (16 - ivl), ivl); + if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de)) goto err; - OPENSSL_cleanse(out, PKCS5_PBES1_OUTPUT_LENGTH); + OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE); + OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); + OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); rv = 1; err: EVP_KDF_CTX_free(kctx); PBEPARAM_free(pbe); return rv; } + +int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, + ASN1_TYPE *param, const EVP_CIPHER *cipher, + const EVP_MD *md, int en_de) +{ + return PKCS5_PBE_keyivgen_ex(cctx, pass, passlen, param, cipher, md, en_de, + NULL, NULL); +} + |