From b536880c45722777df5ebe62897a6efcef757945 Mon Sep 17 00:00:00 2001 From: Jon Spillett Date: Wed, 17 Feb 2021 17:56:36 +1000 Subject: Add library context and property query support into the PKCS12 API Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14434) --- crypto/asn1/p5_pbe.c | 27 ++++++++--- crypto/asn1/p5_pbev2.c | 40 ++++++++++++---- crypto/asn1/p5_scrypt.c | 24 +++++++--- crypto/evp/evp_local.h | 4 ++ crypto/evp/evp_pbe.c | 118 +++++++++++++++++++++++++++++++---------------- crypto/evp/p5_crpt2.c | 68 +++++++++++++++++++-------- crypto/evp/pbe_scrypt.c | 20 ++++++-- crypto/pkcs12/p12_add.c | 76 +++++++++++++++++++++++------- crypto/pkcs12/p12_crpt.c | 49 ++++++++++++-------- crypto/pkcs12/p12_crt.c | 64 ++++++++++++++++++------- crypto/pkcs12/p12_decr.c | 64 ++++++++++++++++++------- crypto/pkcs12/p12_init.c | 16 ++++++- crypto/pkcs12/p12_key.c | 66 ++++++++++++++++---------- crypto/pkcs12/p12_mutl.c | 66 ++++++++++++++++---------- crypto/pkcs12/p12_p8d.c | 17 +++++-- crypto/pkcs12/p12_p8e.c | 44 +++++++++++++----- crypto/pkcs12/p12_sbag.c | 48 +++++++++++++------ crypto/pkcs7/pk7_lib.c | 31 +++++++++++++ crypto/pkcs7/pk7_local.h | 2 + 19 files changed, 611 insertions(+), 233 deletions(-) (limited to 'crypto') diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c index 43cb054d9f..61b8587ebd 100644 --- a/crypto/asn1/p5_pbe.c +++ b/crypto/asn1/p5_pbe.c @@ -24,8 +24,9 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM) /* Set an algorithm identifier for a PKCS#5 PBE algorithm */ -int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, - const unsigned char *salt, int saltlen) +int PKCS5_pbe_set0_algor_ex(X509_ALGOR *algor, int alg, int iter, + const unsigned char *salt, int saltlen, + OSSL_LIB_CTX *ctx) { PBEPARAM *pbe = NULL; ASN1_STRING *pbe_str = NULL; @@ -54,7 +55,7 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, } if (salt) memcpy(sstr, salt, saltlen); - else if (RAND_bytes(sstr, saltlen) <= 0) + else if (RAND_bytes_ex(ctx, sstr, saltlen) <= 0) goto err; ASN1_STRING_set0(pbe->salt, sstr, saltlen); @@ -78,10 +79,17 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, return 0; } +int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, + const unsigned char *salt, int saltlen) +{ + return PKCS5_pbe_set0_algor_ex(algor, alg, iter, salt, saltlen, NULL); +} + /* Return an algorithm identifier for a PKCS#5 PBE algorithm */ -X509_ALGOR *PKCS5_pbe_set(int alg, int iter, - const unsigned char *salt, int saltlen) +X509_ALGOR *PKCS5_pbe_set_ex(int alg, int iter, + const unsigned char *salt, int saltlen, + OSSL_LIB_CTX *ctx) { X509_ALGOR *ret; ret = X509_ALGOR_new(); @@ -90,9 +98,16 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, return NULL; } - if (PKCS5_pbe_set0_algor(ret, alg, iter, salt, saltlen)) + if (PKCS5_pbe_set0_algor_ex(ret, alg, iter, salt, saltlen, ctx)) return ret; X509_ALGOR_free(ret); return NULL; } + +X509_ALGOR *PKCS5_pbe_set(int alg, int iter, + const unsigned char *salt, int saltlen) +{ + return PKCS5_pbe_set_ex(alg, iter, salt, saltlen, NULL); +} + diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index f5878de323..da227b96e2 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -10,6 +10,8 @@ #include #include "internal/cryptlib.h" #include +#include +#include #include #include @@ -37,9 +39,10 @@ IMPLEMENT_ASN1_FUNCTIONS(PBKDF2PARAM) * and IV. */ -X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, - unsigned char *salt, int saltlen, - unsigned char *aiv, int prf_nid) +X509_ALGOR *PKCS5_pbe2_set_iv_ex(const EVP_CIPHER *cipher, int iter, + unsigned char *salt, int saltlen, + unsigned char *aiv, int prf_nid, + OSSL_LIB_CTX *libctx) { X509_ALGOR *scheme = NULL, *ret = NULL; int alg_nid, keylen; @@ -66,7 +69,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); - else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) + else if (RAND_bytes_ex(libctx, iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } @@ -104,7 +107,8 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, X509_ALGOR_free(pbe2->keyfunc); - pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen); + pbe2->keyfunc = PKCS5_pbkdf2_set_ex(iter, salt, saltlen, prf_nid, keylen, + libctx); if (pbe2->keyfunc == NULL) goto merr; @@ -139,14 +143,25 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, return NULL; } +X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, + unsigned char *salt, int saltlen, + unsigned char *aiv, int prf_nid) +{ + return PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, aiv, prf_nid, + NULL); +} + X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt, int saltlen) { - return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1); + return PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, -1, + NULL); } -X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, - int prf_nid, int keylen) + +X509_ALGOR *PKCS5_pbkdf2_set_ex(int iter, unsigned char *salt, int saltlen, + int prf_nid, int keylen, + OSSL_LIB_CTX *libctx) { X509_ALGOR *keyfunc = NULL; PBKDF2PARAM *kdf = NULL; @@ -171,7 +186,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, if (salt) memcpy(osalt->data, salt, saltlen); - else if (RAND_bytes(osalt->data, saltlen) <= 0) + else if (RAND_bytes_ex(libctx, osalt->data, saltlen) <= 0) goto merr; if (iter <= 0) @@ -220,3 +235,10 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, X509_ALGOR_free(keyfunc); return NULL; } + +X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, + int prf_nid, int keylen) +{ + return PKCS5_pbkdf2_set_ex(iter, salt, saltlen, prf_nid, keylen, NULL); +} + diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 57c0a5ece9..e5a1ed59bc 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -10,10 +10,12 @@ #include #include "internal/cryptlib.h" #include +#include #include #include #include #include +#include "crypto/evp.h" #ifndef OPENSSL_NO_SCRYPT /* PKCS#5 scrypt password based encryption structures */ @@ -206,9 +208,10 @@ static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen, return NULL; } -int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, - int passlen, ASN1_TYPE *param, - const EVP_CIPHER *c, const EVP_MD *md, int en_de) +int PKCS5_v2_scrypt_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { unsigned char *salt, key[EVP_MAX_KEY_LENGTH]; uint64_t p, r, N; @@ -252,7 +255,8 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, if (ASN1_INTEGER_get_uint64(&N, sparam->costParameter) == 0 || ASN1_INTEGER_get_uint64(&r, sparam->blockSize) == 0 || ASN1_INTEGER_get_uint64(&p, sparam->parallelizationParameter) == 0 - || EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) { + || EVP_PBE_scrypt_ex(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0, + libctx, propq) == 0) { ERR_raise(ERR_LIB_EVP, EVP_R_ILLEGAL_SCRYPT_PARAMETERS); goto err; } @@ -261,8 +265,8 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, salt = sparam->salt->data; saltlen = sparam->salt->length; - if (EVP_PBE_scrypt(pass, passlen, salt, saltlen, N, r, p, 0, key, keylen) - == 0) + if (EVP_PBE_scrypt_ex(pass, passlen, salt, saltlen, N, r, p, 0, key, + keylen, libctx, propq) == 0) goto err; rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de); err: @@ -271,4 +275,12 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, SCRYPT_PARAMS_free(sparam); return rv; } + +int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, int en_de) +{ + return PKCS5_v2_scrypt_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de, NULL, NULL); +} + #endif /* OPENSSL_NO_SCRYPT */ diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h index 82c5641842..1490f0df4f 100644 --- a/crypto/evp/evp_local.h +++ b/crypto/evp/evp_local.h @@ -217,6 +217,10 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de); +int PKCS5_v2_PBKDF2_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, + int en_de, OSSL_LIB_CTX *libctx, const char *propq); struct evp_Encode_Ctx_st { /* number saved in a partial encode/decode */ diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index d9d51e0d78..193920724d 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -10,6 +10,8 @@ #include #include "internal/cryptlib.h" #include +#include +#include #include #include #include "crypto/evp.h" @@ -25,41 +27,42 @@ struct evp_pbe_st { int cipher_nid; int md_nid; EVP_PBE_KEYGEN *keygen; + EVP_PBE_KEYGEN_EX *keygen_ex; }; static STACK_OF(EVP_PBE_CTL) *pbe_algs; static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndDES_CBC, - NID_des_cbc, NID_md2, PKCS5_PBE_keyivgen}, + NID_des_cbc, NID_md2, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndDES_CBC, - NID_des_cbc, NID_md5, PKCS5_PBE_keyivgen}, + NID_des_cbc, NID_md5, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC, - NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen}, + NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC4, - NID_rc4, NID_sha1, PKCS12_PBE_keyivgen}, + NID_rc4, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC4, - NID_rc4_40, NID_sha1, PKCS12_PBE_keyivgen}, + NID_rc4_40, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - NID_des_ede3_cbc, NID_sha1, PKCS12_PBE_keyivgen}, + NID_des_ede3_cbc, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And2_Key_TripleDES_CBC, - NID_des_ede_cbc, NID_sha1, PKCS12_PBE_keyivgen}, + NID_des_ede_cbc, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC2_CBC, - NID_rc2_cbc, NID_sha1, PKCS12_PBE_keyivgen}, + NID_rc2_cbc, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC2_CBC, - NID_rc2_40_cbc, NID_sha1, PKCS12_PBE_keyivgen}, + NID_rc2_40_cbc, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex}, - {EVP_PBE_TYPE_OUTER, NID_pbes2, -1, -1, PKCS5_v2_PBE_keyivgen}, + {EVP_PBE_TYPE_OUTER, NID_pbes2, -1, -1, PKCS5_v2_PBE_keyivgen, &PKCS5_v2_PBE_keyivgen_ex}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndRC2_CBC, - NID_rc2_64_cbc, NID_md2, PKCS5_PBE_keyivgen}, + NID_rc2_64_cbc, NID_md2, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndRC2_CBC, - NID_rc2_64_cbc, NID_md5, PKCS5_PBE_keyivgen}, + NID_rc2_64_cbc, NID_md5, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndDES_CBC, - NID_des_cbc, NID_sha1, PKCS5_PBE_keyivgen}, + NID_des_cbc, NID_sha1, PKCS5_PBE_keyivgen, NULL}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA1, -1, NID_sha1, 0}, {EVP_PBE_TYPE_PRF, NID_hmac_md5, -1, NID_md5, 0}, @@ -76,22 +79,27 @@ static const EVP_PBE_CTL builtin_pbe[] = { NID_id_GostR3411_2012_512, 0}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512_224, -1, NID_sha512_224, 0}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512_256, -1, NID_sha512_256, 0}, - {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen}, + {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen, &PKCS5_v2_PBKDF2_keyivgen_ex}, #ifndef OPENSSL_NO_SCRYPT - {EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen} + {EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen, &PKCS5_v2_scrypt_keyivgen_ex} #endif }; -int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, - ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de) + +int EVP_PBE_CipherInit_ex(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, + ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { - const EVP_CIPHER *cipher; - const EVP_MD *md; - int cipher_nid, md_nid; + const EVP_CIPHER *cipher = NULL; + EVP_CIPHER *cipher_fetch = NULL; + const EVP_MD *md = NULL; + EVP_MD *md_fetch = NULL; + int ret = 0, cipher_nid, md_nid; + EVP_PBE_KEYGEN_EX *keygen_ex; EVP_PBE_KEYGEN *keygen; - if (!EVP_PBE_find(EVP_PBE_TYPE_OUTER, OBJ_obj2nid(pbe_obj), - &cipher_nid, &md_nid, &keygen)) { + if (!EVP_PBE_find_ex(EVP_PBE_TYPE_OUTER, OBJ_obj2nid(pbe_obj), + &cipher_nid, &md_nid, &keygen, &keygen_ex)) { char obj_tmp[80]; if (pbe_obj == NULL) @@ -100,7 +108,7 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, i2t_ASN1_OBJECT(obj_tmp, sizeof(obj_tmp), pbe_obj); ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_PBE_ALGORITHM, "TYPE=%s", obj_tmp); - return 0; + goto err; } if (pass == NULL) @@ -108,28 +116,48 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, else if (passlen == -1) passlen = strlen(pass); - if (cipher_nid == -1) - cipher = NULL; - else { - cipher = EVP_get_cipherbynid(cipher_nid); - if (!cipher) { + if (cipher_nid != -1) { + cipher = cipher_fetch = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(cipher_nid), propq); + /* Fallback to legacy method */ + if (cipher == NULL) + cipher = EVP_get_cipherbynid(cipher_nid); + + if (cipher == NULL) { ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_CIPHER, OBJ_nid2sn(cipher_nid)); - return 0; + goto err; } } - if (md_nid == -1) - md = NULL; - else { - md = EVP_get_digestbynid(md_nid); - if (!md) { + if (md_nid != -1) { + md = md_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(md_nid), propq); + /* Fallback to legacy method */ + if (md == NULL) + EVP_get_digestbynid(md_nid); + + if (md == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_UNKNOWN_DIGEST); - return 0; + goto err; } } - return keygen(ctx, pass, passlen, param, cipher, md, en_de); + /* Try extended keygen with libctx/propq first, fall back to legacy keygen */ + if (keygen_ex != NULL) + ret = keygen_ex(ctx, pass, passlen, param, cipher, md, en_de, libctx, propq); + else + ret = keygen(ctx, pass, passlen, param, cipher, md, en_de); + +err: + EVP_CIPHER_free(cipher_fetch); + EVP_MD_free(md_fetch); + + return ret; +} + +int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, + ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de) +{ + return EVP_PBE_CipherInit_ex(pbe_obj, pass, passlen, param, ctx, en_de, NULL, NULL); } DECLARE_OBJ_BSEARCH_CMP_FN(EVP_PBE_CTL, EVP_PBE_CTL, pbe2); @@ -205,8 +233,8 @@ int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md, cipher_nid, md_nid, keygen); } -int EVP_PBE_find(int type, int pbe_nid, - int *pcnid, int *pmnid, EVP_PBE_KEYGEN **pkeygen) +int EVP_PBE_find_ex(int type, int pbe_nid, int *pcnid, int *pmnid, + EVP_PBE_KEYGEN **pkeygen, EVP_PBE_KEYGEN_EX **pkeygen_ex) { EVP_PBE_CTL *pbetmp = NULL, pbelu; int i; @@ -225,15 +253,23 @@ int EVP_PBE_find(int type, int pbe_nid, } if (pbetmp == NULL) return 0; - if (pcnid) + if (pcnid != NULL) *pcnid = pbetmp->cipher_nid; - if (pmnid) + if (pmnid != NULL) *pmnid = pbetmp->md_nid; - if (pkeygen) + if (pkeygen != NULL) *pkeygen = pbetmp->keygen; + if (pkeygen_ex != NULL) + *pkeygen_ex = pbetmp->keygen_ex; return 1; } +int EVP_PBE_find(int type, int pbe_nid, + int *pcnid, int *pmnid, EVP_PBE_KEYGEN **pkeygen) +{ + return EVP_PBE_find_ex(type, pbe_nid, pcnid, pmnid, pkeygen, NULL); +} + static void free_evp_pbe_ctl(EVP_PBE_CTL *pbe) { OPENSSL_free(pbe); diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index b8edf4b5a8..e7a2b51091 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -21,8 +21,7 @@ int ossl_pkcs5_pbkdf2_hmac_ex(const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, - const EVP_MD *digest, int keylen, - unsigned char *out, + const EVP_MD *digest, int keylen, unsigned char *out, OSSL_LIB_CTX *libctx, const char *propq) { const char *empty = ""; @@ -108,13 +107,16 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, * them... */ -int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, - ASN1_TYPE *param, const EVP_CIPHER *c, - const EVP_MD *md, int en_de) +int PKCS5_v2_PBE_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, + ASN1_TYPE *param, const EVP_CIPHER *c, + const EVP_MD *md, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { PBE2PARAM *pbe2 = NULL; - const EVP_CIPHER *cipher; - EVP_PBE_KEYGEN *kdf; + char ciph_name[80]; + const EVP_CIPHER *cipher = NULL; + EVP_CIPHER *cipher_fetch = NULL; + EVP_PBE_KEYGEN_EX *kdf; int rv = 0; @@ -125,8 +127,8 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, } /* See if we recognise the key derivation function */ - if (!EVP_PBE_find(EVP_PBE_TYPE_KDF, OBJ_obj2nid(pbe2->keyfunc->algorithm), - NULL, NULL, &kdf)) { + if (!EVP_PBE_find_ex(EVP_PBE_TYPE_KDF, OBJ_obj2nid(pbe2->keyfunc->algorithm), + NULL, NULL, NULL, &kdf)) { ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION); goto err; } @@ -134,10 +136,17 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, /* * lets see if we recognise the encryption algorithm. */ + if (OBJ_obj2txt(ciph_name, sizeof(ciph_name), pbe2->encryption->algorithm, 0) <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_CIPHER); + goto err; + } - cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm); + cipher = cipher_fetch = EVP_CIPHER_fetch(libctx, ciph_name, propq); + /* Fallback to legacy method */ + if (cipher == NULL) + cipher = EVP_get_cipherbyname(ciph_name); - if (!cipher) { + if (cipher == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_CIPHER); goto err; } @@ -149,15 +158,24 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ERR_raise(ERR_LIB_EVP, EVP_R_CIPHER_PARAMETER_ERROR); goto err; } - rv = kdf(ctx, pass, passlen, pbe2->keyfunc->parameter, NULL, NULL, en_de); + rv = kdf(ctx, pass, passlen, pbe2->keyfunc->parameter, NULL, NULL, en_de, libctx, propq); err: + EVP_CIPHER_free(cipher_fetch); PBE2PARAM_free(pbe2); return rv; } -int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, - int passlen, ASN1_TYPE *param, - const EVP_CIPHER *c, const EVP_MD *md, int en_de) +int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, + ASN1_TYPE *param, const EVP_CIPHER *c, + const EVP_MD *md, int en_de) +{ + return PKCS5_v2_PBE_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de, NULL, NULL); +} + +int PKCS5_v2_PBKDF2_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { unsigned char *salt, key[EVP_MAX_KEY_LENGTH]; int saltlen, iter, t; @@ -165,7 +183,8 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, unsigned int keylen = 0; int prf_nid, hmac_md_nid; PBKDF2PARAM *kdf = NULL; - const EVP_MD *prfmd; + const EVP_MD *prfmd = NULL; + EVP_MD *prfmd_fetch = NULL; if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET); @@ -207,7 +226,9 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, goto err; } - prfmd = EVP_get_digestbynid(hmac_md_nid); + prfmd = prfmd_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(hmac_md_nid), propq); + if (prfmd == NULL) + prfmd = EVP_get_digestbynid(hmac_md_nid); if (prfmd == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_PRF); goto err; @@ -222,12 +243,21 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, salt = kdf->salt->value.octet_string->data; saltlen = kdf->salt->value.octet_string->length; iter = ASN1_INTEGER_get(kdf->iter); - if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd, - keylen, key)) + if (!ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter, prfmd, + keylen, key, libctx, propq)) goto err; rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de); err: OPENSSL_cleanse(key, keylen); PBKDF2PARAM_free(kdf); + EVP_MD_free(prfmd_fetch); return rv; } + +int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, int en_de) +{ + return PKCS5_v2_PBKDF2_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de, + NULL, NULL); +} diff --git a/crypto/evp/pbe_scrypt.c b/crypto/evp/pbe_scrypt.c index 2537a073dd..78b2d13ec9 100644 --- a/crypto/evp/pbe_scrypt.c +++ b/crypto/evp/pbe_scrypt.c @@ -34,10 +34,11 @@ # define SCRYPT_MAX_MEM (1024 * 1024 * 32) #endif -int EVP_PBE_scrypt(const char *pass, size_t passlen, - const unsigned char *salt, size_t saltlen, - uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, - unsigned char *key, size_t keylen) +int EVP_PBE_scrypt_ex(const char *pass, size_t passlen, + const unsigned char *salt, size_t saltlen, + uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, + unsigned char *key, size_t keylen, + OSSL_LIB_CTX *ctx, const char *propq) { const char *empty = ""; int rv = 1; @@ -63,7 +64,7 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, maxmem = SCRYPT_MAX_MEM; /* Use OSSL_LIB_CTX_set0_default() if you need a library context */ - kdf = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_SCRYPT, NULL); + kdf = EVP_KDF_fetch(ctx, OSSL_KDF_NAME_SCRYPT, propq); kctx = EVP_KDF_CTX_new(kdf); EVP_KDF_free(kdf); if (kctx == NULL) @@ -86,4 +87,13 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, return rv; } +int EVP_PBE_scrypt(const char *pass, size_t passlen, + const unsigned char *salt, size_t saltlen, + uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, + unsigned char *key, size_t keylen) +{ + return EVP_PBE_scrypt_ex(pass, passlen, salt, saltlen, N, r, p, maxmem, + key, keylen, NULL, NULL); +} + #endif diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c index 4b6e6b9c22..f0b0819f84 100644 --- a/crypto/pkcs12/p12_add.c +++ b/crypto/pkcs12/p12_add.c @@ -9,8 +9,11 @@ #include #include "internal/cryptlib.h" +#include +#include #include #include "p12_local.h" +#include "crypto/pkcs7/pk7_local.h" /* Pack an object into an OCTET STRING and turn into a safebag */ @@ -80,15 +83,17 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) /* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */ -PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, - STACK_OF(PKCS12_SAFEBAG) *bags) +PKCS7 *PKCS12_pack_p7encdata_ex(int pbe_nid, const char *pass, int passlen, + unsigned char *salt, int saltlen, int iter, + STACK_OF(PKCS12_SAFEBAG) *bags, + OSSL_LIB_CTX *ctx, const char *propq) { PKCS7 *p7; X509_ALGOR *pbe; - const EVP_CIPHER *pbe_ciph; + const EVP_CIPHER *pbe_ciph = NULL; + EVP_CIPHER *pbe_ciph_fetch = NULL; - if ((p7 = PKCS7_new()) == NULL) { + if ((p7 = PKCS7_new_ex(ctx, propq)) == NULL) { ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); return NULL; } @@ -97,12 +102,16 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, goto err; } - pbe_ciph = EVP_get_cipherbynid(pbe_nid); + pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq); + if (pbe_ciph == NULL) + pbe_ciph = EVP_get_cipherbynid(pbe_nid); - if (pbe_ciph) - pbe = PKCS5_pbe2_set(pbe_ciph, iter, salt, saltlen); - else - pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen); + if (pbe_ciph != NULL) { + pbe = PKCS5_pbe2_set_iv_ex(pbe_ciph, iter, salt, saltlen, NULL, -1, ctx); + } else { + ERR_clear_error(); + pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, ctx); + } if (pbe == NULL) { ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); @@ -112,34 +121,52 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, p7->d.encrypted->enc_data->algorithm = pbe; ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data); if (!(p7->d.encrypted->enc_data->enc_data = - PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, - passlen, bags, 1))) { + PKCS12_item_i2d_encrypt_ex(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, + passlen, bags, 1, ctx, propq))) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_ENCRYPT_ERROR); goto err; } + EVP_CIPHER_free(pbe_ciph_fetch); return p7; err: PKCS7_free(p7); + EVP_CIPHER_free(pbe_ciph_fetch); return NULL; } +PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, + unsigned char *salt, int saltlen, int iter, + STACK_OF(PKCS12_SAFEBAG) *bags) +{ + return PKCS12_pack_p7encdata_ex(pbe_nid, pass, passlen, salt, saltlen, + iter, bags, NULL, NULL); +} + STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen) { if (!PKCS7_type_is_encrypted(p7)) return NULL; - return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, + return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen, - p7->d.encrypted->enc_data->enc_data, 1); + p7->d.encrypted->enc_data->enc_data, 1, + p7->ctx.libctx, p7->ctx.propq); +} + +PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey_ex(const PKCS12_SAFEBAG *bag, + const char *pass, int passlen, + OSSL_LIB_CTX *ctx, const char *propq) +{ + return PKCS8_decrypt_ex(bag->value.shkeybag, pass, passlen, ctx, propq); } PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag, const char *pass, int passlen) { - return PKCS8_decrypt(bag->value.shkeybag, pass, passlen); + return PKCS12_decrypt_skey_ex(bag, pass, passlen, NULL, NULL); } int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) @@ -152,10 +179,25 @@ int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) { + STACK_OF(PKCS7) *p7s; + PKCS7 *p7; + int i; + if (!PKCS7_type_is_data(p12->authsafes)) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); return NULL; } - return ASN1_item_unpack(p12->authsafes->d.data, - ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + p7s = ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + if (p7s != NULL) { + for (i = 0; i < sk_PKCS7_num(p7s); i++) { + p7 = sk_PKCS7_value(p7s, i); + if (!ossl_pkcs7_ctx_propagate(p12->authsafes, p7)) + goto err; + } + } + return p7s; +err: + sk_PKCS7_free(p7s); + return NULL; } diff --git a/crypto/pkcs12/p12_crpt.c b/crypto/pkcs12/p12_crpt.c index 8a6f71f7bb..aeea598696 100644 --- a/crypto/pkcs12/p12_crpt.c +++ b/crypto/pkcs12/p12_crpt.c @@ -9,6 +9,9 @@ #include #include "internal/cryptlib.h" +#include +#include +#include "crypto/evp.h" #include /* PKCS#12 PBE algorithms now in static table */ @@ -17,21 +20,16 @@ void PKCS12_PBE_add(void) { } -int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, - ASN1_TYPE *param, const EVP_CIPHER *cipher, - const EVP_MD *md, int en_de) +int PKCS12_PBE_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, + ASN1_TYPE *param, const EVP_CIPHER *cipher, + const EVP_MD *md, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { PBEPARAM *pbe; int saltlen, iter, ret; unsigned char *salt; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; - int (*pkcs12_key_gen)(const char *pass, int passlen, - unsigned char *salt, int slen, - int id, int iter, int n, - unsigned char *out, - const EVP_MD *md_type); - - pkcs12_key_gen = PKCS12_key_gen_utf8; + unsigned char *piv = iv; if (cipher == NULL) return 0; @@ -50,21 +48,36 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, iter = ASN1_INTEGER_get(pbe->iter); salt = pbe->salt->data; saltlen = pbe->salt->length; - if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_KEY_ID, - iter, EVP_CIPHER_key_length(cipher), key, md)) { + if (!PKCS12_key_gen_utf8_ex(pass, passlen, salt, saltlen, PKCS12_KEY_ID, + iter, EVP_CIPHER_key_length(cipher), key, md, + libctx, propq)) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR); PBEPARAM_free(pbe); return 0; } - if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_IV_ID, - iter, EVP_CIPHER_iv_length(cipher), iv, md)) { - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_IV_GEN_ERROR); - PBEPARAM_free(pbe); - return 0; + if (EVP_CIPHER_iv_length(cipher) > 0) { + if (!PKCS12_key_gen_utf8_ex(pass, passlen, salt, saltlen, PKCS12_IV_ID, + iter, EVP_CIPHER_iv_length(cipher), iv, md, + libctx, propq)) { + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_IV_GEN_ERROR); + PBEPARAM_free(pbe); + return 0; + } + } else { + piv = NULL; } PBEPARAM_free(pbe); - ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de); + ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, piv, en_de); OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); return ret; } + +int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, + ASN1_TYPE *param, const EVP_CIPHER *cipher, + const EVP_MD *md, int en_de) +{ + return PKCS12_PBE_keyivgen_ex(ctx, pass, passlen, param, cipher, md, en_de, + NULL, NULL); +} + diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index f735cb2a67..00c7129746 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -28,9 +28,10 @@ static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid) return 1; } -PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert, - STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, - int mac_iter, int keytype) +PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, + X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, + int iter, int mac_iter, int keytype, + OSSL_LIB_CTX *ctx, const char *propq) { PKCS12 *p12 = NULL; STACK_OF(PKCS7) *safes = NULL; @@ -76,14 +77,16 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * goto err; } - if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass)) + if (bags && !PKCS12_add_safe_ex(&safes, bags, nid_cert, iter, pass, + ctx, propq)) goto err; sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); bags = NULL; if (pkey) { - bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass); + bag = PKCS12_add_key_ex(&bags, pkey, keytype, iter, nid_key, pass, + ctx, propq); if (!bag) goto err; @@ -105,7 +108,7 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); bags = NULL; - p12 = PKCS12_add_safes(safes, 0); + p12 = PKCS12_add_safes_ex(safes, 0, ctx, propq); if (p12 == NULL) goto err; @@ -128,6 +131,14 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * } +PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert, + STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, + int mac_iter, int keytype) +{ + return PKCS12_create_ex(pass, name, pkey, cert, ca, nid_key, nid_cert, + iter, mac_iter, keytype, NULL, NULL); +} + PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) { PKCS12_SAFEBAG *bag = NULL; @@ -165,9 +176,10 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) } -PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, - EVP_PKEY *key, int key_usage, int iter, - int nid_key, const char *pass) +PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags, + EVP_PKEY *key, int key_usage, int iter, + int nid_key, const char *pass, + OSSL_LIB_CTX *ctx, const char *propq) { PKCS12_SAFEBAG *bag = NULL; @@ -179,8 +191,8 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, if (key_usage && !PKCS8_add_keyusage(p8, key_usage)) goto err; if (nid_key != -1) { - bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key, pass, -1, NULL, 0, - iter, p8); + bag = PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(nid_key, pass, -1, NULL, 0, + iter, p8, ctx, propq); PKCS8_PRIV_KEY_INFO_free(p8); } else bag = PKCS12_SAFEBAG_create0_p8inf(p8); @@ -199,6 +211,14 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, } +PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, + EVP_PKEY *key, int key_usage, int iter, + int nid_key, const char *pass) +{ + return PKCS12_add_key_ex(pbags, key, key_usage, iter, nid_key, pass, + NULL, NULL); +} + PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags, int nid_type, const unsigned char *value, int len) { @@ -217,8 +237,9 @@ PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags, return NULL; } -int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, - int nid_safe, int iter, const char *pass) +int PKCS12_add_safe_ex(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, + int nid_safe, int iter, const char *pass, + OSSL_LIB_CTX *ctx, const char *propq) { PKCS7 *p7 = NULL; int free_safes = 0; @@ -240,7 +261,7 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, if (nid_safe == -1) p7 = PKCS12_pack_p7data(bags); else - p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0, iter, bags); + p7 = PKCS12_pack_p7encdata_ex(nid_safe, pass, -1, NULL, 0, iter, bags, ctx, propq); if (p7 == NULL) goto err; @@ -256,7 +277,12 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, } PKCS7_free(p7); return 0; +} +int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, + int nid_safe, int iter, const char *pass) +{ + return PKCS12_add_safe_ex(psafes, bags, nid_safe, iter, pass, NULL, NULL); } static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, @@ -285,13 +311,14 @@ static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, } -PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7) +PKCS12 *PKCS12_add_safes_ex(STACK_OF(PKCS7) *safes, int nid_p7, + OSSL_LIB_CTX *ctx, const char *propq) { PKCS12 *p12; if (nid_p7 <= 0) nid_p7 = NID_pkcs7_data; - p12 = PKCS12_init(nid_p7); + p12 = PKCS12_init_ex(nid_p7, ctx, propq); if (p12 == NULL) return NULL; @@ -303,3 +330,8 @@ PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7) return p12; } + +PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7) +{ + return PKCS12_add_safes_ex(safes, nid_p7, NULL, NULL); +} diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index e7a32f9cd6..ef316d044b 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -16,10 +16,11 @@ * Encrypt/Decrypt a buffer based on password and algor, result in a * OPENSSL_malloc'ed buffer */ -unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, - const char *pass, int passlen, - const unsigned char *in, int inlen, - unsigned char **data, int *datalen, int en_de) +unsigned char *PKCS12_pbe_crypt_ex(const X509_ALGOR *algor, + const char *pass, int passlen, + const unsigned char *in, int inlen, + unsigned char **data, int *datalen, int en_de, + OSSL_LIB_CTX *libctx, const char *propq) { unsigned char *out = NULL; int outlen, i; @@ -32,8 +33,8 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, } /* Process data */ - if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen, - algor->parameter, ctx, en_de)) + if (!EVP_PBE_CipherInit_ex(algor->algorithm, pass, passlen, + algor->parameter, ctx, en_de, libctx, propq)) goto err; /* @@ -109,22 +110,33 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, } +unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, + const char *pass, int passlen, + const unsigned char *in, int inlen, + unsigned char **data, int *datalen, int en_de) +{ + return PKCS12_pbe_crypt_ex(algor, pass, passlen, in, inlen, data, datalen, + en_de, NULL, NULL); +} + /* * Decrypt an OCTET STRING and decode ASN1 structure if zbuf set zero buffer * after use. */ -void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, - const char *pass, int passlen, - const ASN1_OCTET_STRING *oct, int zbuf) +void *PKCS12_item_decrypt_d2i_ex(const X509_ALGOR *algor, const ASN1_ITEM *it, + const char *pass, int passlen, + const ASN1_OCTET_STRING *oct, int zbuf, + OSSL_LIB_CTX *libctx, + const char *propq) { unsigned char *out = NULL; const unsigned char *p; void *ret; int outlen = 0; - if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length, - &out, &outlen, 0)) + if (!PKCS12_pbe_crypt_ex(algor, pass, passlen, oct->data, oct->length, + &out, &outlen, 0, libctx, propq)) return NULL; p = out; OSSL_TRACE_BEGIN(PKCS12_DECRYPT) { @@ -141,15 +153,25 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, return ret; } +void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, + const char *pass, int passlen, + const ASN1_OCTET_STRING *oct, int zbuf) +{ + return PKCS12_item_decrypt_d2i_ex(algor, it, pass, passlen, oct, zbuf, + NULL, NULL); +} + /* * Encode ASN1 structure and encrypt, return OCTET STRING if zbuf set zero * encoding. */ -ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, - const ASN1_ITEM *it, - const char *pass, int passlen, - void *obj, int zbuf) +ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt_ex(X509_ALGOR *algor, + const ASN1_ITEM *it, + const char *pass, int passlen, + void *obj, int zbuf, + OSSL_LIB_CTX *ctx, + const char *propq) { ASN1_OCTET_STRING *oct = NULL; unsigned char *in = NULL; @@ -164,8 +186,8 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, ERR_raise(ERR_LIB_PKCS12, PKCS12_R_ENCODE_ERROR); goto err; } - if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data, - &oct->length, 1)) { + if (!PKCS12_pbe_crypt_ex(algor, pass, passlen, in, inlen, &oct->data, + &oct->length, 1, ctx, propq)) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_ENCRYPT_ERROR); OPENSSL_free(in); goto err; @@ -178,3 +200,11 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, ASN1_OCTET_STRING_free(oct); return NULL; } + +ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, + const ASN1_ITEM *it, + const char *pass, int passlen, + void *obj, int zbuf) +{ + return PKCS12_item_i2d_encrypt_ex(algor, it, pass, passlen, obj, zbuf, NULL, NULL); +} diff --git a/crypto/pkcs12/p12_init.c b/crypto/pkcs12/p12_init.c index 3ab7692ab9..dcfdd5ba13 100644 --- a/crypto/pkcs12/p12_init.c +++ b/crypto/pkcs12/p12_init.c @@ -10,11 +10,12 @@ #include #include "internal/cryptlib.h" #include +#include "crypto/pkcs7.h" #include "p12_local.h" /* Initialise a PKCS12 structure to take data */ -PKCS12 *PKCS12_init(int mode) +PKCS12 *PKCS12_init_ex(int mode, OSSL_LIB_CTX *ctx, const char *propq) { PKCS12 *pkcs12; @@ -25,6 +26,13 @@ PKCS12 *PKCS12_init(int mode) if (!ASN1_INTEGER_set(pkcs12->version, 3)) goto err; pkcs12->authsafes->type = OBJ_nid2obj(mode); + + ossl_pkcs7_set0_libctx(pkcs12->authsafes, ctx); + if (!ossl_pkcs7_set1_propq(pkcs12->authsafes, propq)) { + ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); + goto err; + } + switch (mode) { case NID_pkcs7_data: if ((pkcs12->authsafes->d.data = ASN1_OCTET_STRING_new()) == NULL) { @@ -42,3 +50,9 @@ PKCS12 *PKCS12_init(int mode) PKCS12_free(pkcs12); return NULL; } + +PKCS12 *PKCS12_init(int mode) +{ + return PKCS12_init_ex(mode, NULL, NULL); +} + diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index fd7f7a926b..a4ed0e516c 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c @@ -16,9 +16,10 @@ #include #include "internal/provider.h" -int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, int n, - unsigned char *out, const EVP_MD *md_type) +int PKCS12_key_gen_asc_ex(const char *pass, int passlen, unsigned char *salt, + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type, + OSSL_LIB_CTX *ctx, const char *propq) { int ret; unsigned char *unipass; @@ -31,15 +32,24 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); return 0; } - ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen, - id, iter, n, out, md_type); + ret = PKCS12_key_gen_uni_ex(unipass, uniplen, salt, saltlen, id, iter, + n, out, md_type, ctx, propq); OPENSSL_clear_free(unipass, uniplen); return ret > 0; } -int PKCS12_key_gen_utf8(const char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, int n, - unsigned char *out, const EVP_MD *md_type) +int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type) +{ + return PKCS12_key_gen_asc_ex(pass, passlen, salt, saltlen, id, iter, n, + out, md_type, NULL, NULL); +} + +int PKCS12_key_gen_utf8_ex(const char *pass, int passlen, unsigned char *salt, + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type, + OSSL_LIB_CTX *ctx, const char *propq) { int ret; unsigned char *unipass; @@ -52,15 +62,24 @@ int PKCS12_key_gen_utf8(const char *pass, int passlen, unsigned char *salt, ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); return 0; } - ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen, - id, iter, n, out, md_type); + ret = PKCS12_key_gen_uni_ex(unipass, uniplen, salt, saltlen, id, iter, + n, out, md_type, ctx, propq); OPENSSL_clear_free(unipass, uniplen); return ret > 0; } -int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, int n, - unsigned char *out, const EVP_MD *md_type) +int PKCS12_key_gen_utf8(const char *pass, int passlen, unsigned char *salt, + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type) +{ + return PKCS12_key_gen_utf8_ex(pass, passlen, salt, saltlen, id, iter, n, + out, md_type, NULL, NULL); +} + +int PKCS12_key_gen_uni_ex(unsigned char *pass, int passlen, unsigned char *salt, + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type, + OSSL_LIB_CTX *libctx, const char *propq) { int res = 0; EVP_KDF *kdf; @@ -70,12 +89,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, if (n <= 0) return 0; - /* - * The parameter query isn't available but the library context can be - * extracted from the passed digest. - */ - kdf = EVP_KDF_fetch(ossl_provider_libctx(EVP_MD_provider(md_type)), - "PKCS12KDF", NULL); + kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq); if (kdf == NULL) return 0; ctx = EVP_KDF_CTX_new(kdf); @@ -92,11 +106,9 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS12_ID, &id); *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_ITER, &iter); *p = OSSL_PARAM_construct_end(); - if (!EVP_KDF_CTX_set_params(ctx, params)) - goto err; OSSL_TRACE_BEGIN(PKCS12_KEYGEN) { - BIO_printf(trc_out, "PKCS12_key_gen_uni(): ID %d, ITER %d\n", id, iter); + BIO_printf(trc_out, "PKCS12_key_gen_uni_ex(): ID %d, ITER %d\n", id, iter); BIO_printf(trc_out, "Password (length %d):\n", passlen); BIO_hex_string(trc_out, 0, passlen, pass, passlen); BIO_printf(trc_out, "\n"); @@ -105,7 +117,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, BIO_printf(trc_out, "\n"); } OSSL_TRACE_END(PKCS12_KEYGEN); - if (EVP_KDF_derive(ctx, out, (size_t)n, NULL)) { + if (EVP_KDF_derive(ctx, out, (size_t)n, params)) { res = 1; OSSL_TRACE_BEGIN(PKCS12_KEYGEN) { BIO_printf(trc_out, "Output KEY (length %d)\n", n); @@ -113,7 +125,13 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, BIO_printf(trc_out, "\n"); } OSSL_TRACE_END(PKCS12_KEYGEN); } - err: EVP_KDF_CTX_free(ctx); return res; } + +int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type) +{ + return PKCS12_key_gen_uni_ex(pass, passlen, salt, saltlen, id, iter, n, out, md_type, NULL, NULL); +} diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index 70b3ec702b..f072436110 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -82,18 +82,17 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, const EVP_MD *md_type)) { int ret = 0; - const EVP_MD *md_type; + const EVP_MD *md; + EVP_MD *md_fetch; HMAC_CTX *hmac = NULL; unsigned char key[EVP_MAX_MD_SIZE], *salt; int saltlen, iter; + char md_name[80]; int md_size = 0; - int md_type_nid; + int md_nid; const X509_ALGOR *macalg; const ASN1_OBJECT *macoid; - if (pkcs12_key_gen == NULL) - pkcs12_key_gen = PKCS12_key_gen_utf8; - if (!PKCS7_type_is_data(p12->authsafes)) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); return 0; @@ -107,32 +106,51 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, iter = ASN1_INTEGER_get(p12->mac->iter); X509_SIG_get0(p12->mac->dinfo, &macalg, NULL); X509_ALGOR_get0(&macoid, NULL, NULL, macalg); - if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) { + if (OBJ_obj2txt(md_name, sizeof(md_name), macoid, 0) < 0) + return 0; + md = md_fetch = EVP_MD_fetch(p12->authsafes->ctx.libctx, md_name, + p12->authsafes->ctx.propq); + if (md == NULL) + md = EVP_get_digestbynid(OBJ_obj2nid(macoid)); + + if (md == NULL) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); return 0; } - md_size = EVP_MD_size(md_type); - md_type_nid = EVP_MD_type(md_type); + md_size = EVP_MD_size(md); + md_nid = EVP_MD_type(md); if (md_size < 0) - return 0; - if ((md_type_nid == NID_id_GostR3411_94 - || md_type_nid == NID_id_GostR3411_2012_256 - || md_type_nid == NID_id_GostR3411_2012_512) + goto err; + if ((md_nid == NID_id_GostR3411_94 + || md_nid == NID_id_GostR3411_2012_256 + || md_nid == NID_id_GostR3411_2012_512) && ossl_safe_getenv("LEGACY_GOST_PKCS12") == NULL) { md_size = TK26_MAC_KEY_LEN; if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter, - md_size, key, md_type)) { + md_size, key, md)) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR); goto err; } - } else - if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID, - iter, md_size, key, md_type)) { - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR); - goto err; + } else { + if (pkcs12_key_gen != NULL) { + if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID, + iter, md_size, key, md)) { + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR); + goto err; + } + } else { + /* Default to UTF-8 password */ + if (!PKCS12_key_gen_utf8_ex(pass, passlen, salt, saltlen, PKCS12_MAC_ID, + iter, md_size, key, md, + p12->authsafes->ctx.libctx, + p12->authsafes->ctx.propq)) { + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR); + goto err; + } + } } if ((hmac = HMAC_CTX_new()) == NULL - || !HMAC_Init_ex(hmac, key, md_size, md_type, NULL) + || !HMAC_Init_ex(hmac, key, md_size, md, NULL) || !HMAC_Update(hmac, p12->authsafes->d.data->data, p12->authsafes->d.data->length) || !HMAC_Final(hmac, mac, maclen)) { @@ -143,6 +161,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, err: OPENSSL_cleanse(key, sizeof(key)); HMAC_CTX_free(hmac); + EVP_MD_free(md_fetch); return ret; } @@ -163,8 +182,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_ABSENT); return 0; } - if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, - PKCS12_key_gen_utf8)) { + if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, NULL)) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_GENERATION_ERROR); return 0; } @@ -198,8 +216,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, /* * Note that output mac is forced to UTF-8... */ - if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, - PKCS12_key_gen_utf8)) { + if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, NULL)) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_GENERATION_ERROR); return 0; } @@ -242,7 +259,8 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, } p12->mac->salt->length = saltlen; if (!salt) { - if (RAND_bytes(p12->mac->salt->data, saltlen) <= 0) + if (RAND_bytes_ex(p12->authsafes->ctx.libctx, p12->mac->salt->data, + saltlen) <= 0) return 0; } else memcpy(p12->mac->salt->data, salt, saltlen); diff --git a/crypto/pkcs12/p12_p8d.c b/crypto/pkcs12/p12_p8d.c index 2577cba46c..599a64f878 100644 --- a/crypto/pkcs12/p12_p8d.c +++ b/crypto/pkcs12/p12_p8d.c @@ -11,13 +11,22 @@ #include "internal/cryptlib.h" #include -PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass, - int passlen) +PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_ex(const X509_SIG *p8, const char *pass, + int passlen, OSSL_LIB_CTX *ctx, + const char *propq) { const X509_ALGOR *dalg; const ASN1_OCTET_STRING *doct; + X509_SIG_get0(p8, &dalg, &doct); - return PKCS12_item_decrypt_d2i(dalg, + return PKCS12_item_decrypt_d2i_ex(dalg, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, - passlen, doct, 1); + passlen, doct, 1, ctx, propq); } + +PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass, + int passlen) +{ + return PKCS8_decrypt_ex(p8, pass, passlen, NULL, NULL); +} + diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c index d98a1d66c2..ac2c7ef537 100644 --- a/crypto/pkcs12/p12_p8e.c +++ b/crypto/pkcs12/p12_p8e.c @@ -9,30 +9,34 @@ #include #include "internal/cryptlib.h" +#include #include #include "crypto/x509.h" -X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, - const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, - PKCS8_PRIV_KEY_INFO *p8inf) +X509_SIG *PKCS8_encrypt_ex(int pbe_nid, const EVP_CIPHER *cipher, + const char *pass, int passlen, + unsigned char *salt, int saltlen, int iter, + PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *libctx, const char *propq) { X509_SIG *p8 = NULL; X509_ALGOR *pbe; if (pbe_nid == -1) - pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen); + pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, -1, + libctx); else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) - pbe = PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, pbe_nid); + pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, pbe_nid, + libctx); else { ERR_clear_error(); - pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen); + pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, libctx); } if (pbe == NULL) { ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB); return NULL; } - p8 = PKCS8_set0_pbe(pass, passlen, p8inf, pbe); + p8 = PKCS8_set0_pbe_ex(pass, passlen, p8inf, pbe, libctx, propq); if (p8 == NULL) { X509_ALGOR_free(pbe); return NULL; @@ -41,15 +45,25 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, return p8; } -X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen, - PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe) +X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, + const char *pass, int passlen, + unsigned char *salt, int saltlen, int iter, + PKCS8_PRIV_KEY_INFO *p8inf) +{ + return PKCS8_encrypt_ex(pbe_nid, cipher, pass, passlen, salt, saltlen, iter, + p8inf, NULL, NULL); +} + +X509_SIG *PKCS8_set0_pbe_ex(const char *pass, int passlen, + PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe, + OSSL_LIB_CTX *ctx, const char *propq) { X509_SIG *p8; ASN1_OCTET_STRING *enckey; enckey = - PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), - pass, passlen, p8inf, 1); + PKCS12_item_i2d_encrypt_ex(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), + pass, passlen, p8inf, 1, ctx, propq); if (!enckey) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_ENCRYPT_ERROR); return NULL; @@ -67,3 +81,9 @@ X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen, return p8; } + +X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen, + PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe) +{ + return PKCS8_set0_pbe_ex(pass, passlen, p8inf, pbe, NULL, NULL); +} diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c index 2387a8db43..e439372082 100644 --- a/crypto/pkcs12/p12_sbag.c +++ b/crypto/pkcs12/p12_sbag.c @@ -198,29 +198,49 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8) return bag; } -PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, - const char *pass, - int passlen, - unsigned char *salt, - int saltlen, int iter, - PKCS8_PRIV_KEY_INFO *p8inf) -{ - PKCS12_SAFEBAG *bag; - const EVP_CIPHER *pbe_ciph; +PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(int pbe_nid, + const char *pass, + int passlen, + unsigned char *salt, + int saltlen, int iter, + PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *ctx, + const char *propq) +{ + PKCS12_SAFEBAG *bag = NULL; + const EVP_CIPHER *pbe_ciph = NULL; + EVP_CIPHER *pbe_ciph_fetch = NULL; X509_SIG *p8; - pbe_ciph = EVP_get_cipherbynid(pbe_nid); - if (pbe_ciph) + pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq); + if (pbe_ciph == NULL) + pbe_ciph = EVP_get_cipherbynid(pbe_nid); + + if (pbe_ciph != NULL) pbe_nid = -1; - p8 = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter, - p8inf); + p8 = PKCS8_encrypt_ex(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter, + p8inf, ctx, propq); if (p8 == NULL) - return NULL; + goto err; bag = PKCS12_SAFEBAG_create0_pkcs8(p8); if (bag == NULL) X509_SIG_free(p8); +err: + EVP_CIPHER_free(pbe_ciph_fetch); return bag; } + +PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, + const char *pass, + int passlen, + unsigned char *salt, + int saltlen, int iter, + PKCS8_PRIV_KEY_INFO *p8inf) +{ + return PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(pbe_nid, pass, passlen, + salt, saltlen, iter, p8inf, + NULL, NULL); +} diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index bf959a28d2..a4b62f40dd 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -469,6 +469,37 @@ const PKCS7_CTX *ossl_pkcs7_get0_ctx(const PKCS7 *p7) return p7 != NULL ? &p7->ctx : NULL; } +void ossl_pkcs7_set0_libctx(PKCS7 *p7, OSSL_LIB_CTX *ctx) +{ + p7->ctx.libctx = ctx; +} + +int ossl_pkcs7_set1_propq(PKCS7 *p7, const char *propq) +{ + if (p7->ctx.propq != NULL) { + OPENSSL_free(p7->ctx.propq); + p7->ctx.propq = NULL; + } + if (propq != NULL) { + p7->ctx.propq = OPENSSL_strdup(propq); + if (p7->ctx.propq == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return 0; + } + } + return 1; +} + +int ossl_pkcs7_ctx_propagate(const PKCS7 *from, PKCS7 *to) +{ + ossl_pkcs7_set0_libctx(to, from->ctx.libctx); + if (!ossl_pkcs7_set1_propq(to, from->ctx.propq)) + return 0; + + ossl_pkcs7_resolve_libctx(to); + return 1; +} + OSSL_LIB_CTX *ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx) { return ctx != NULL ? ctx->libctx : NULL; diff --git a/crypto/pkcs7/pk7_local.h b/crypto/pkcs7/pk7_local.h index 177ecc196b..8deb342b79 100644 --- a/crypto/pkcs7/pk7_local.h +++ b/crypto/pkcs7/pk7_local.h @@ -12,3 +12,5 @@ const PKCS7_CTX *ossl_pkcs7_get0_ctx(const PKCS7 *p7); OSSL_LIB_CTX *ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx); const char *ossl_pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx); + +int ossl_pkcs7_ctx_propagate(const PKCS7 *from, PKCS7 *to); -- cgit v1.2.1