openssl/crypto/pkcs12/p12_crpt.c

/*
 * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/pkcs12.h>

/* PKCS#12 PBE algorithms now in static table */

void PKCS12_PBE_add(void)
{
}

int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                        ASN1_TYPE *param, const EVP_CIPHER *cipher,
                        const EVP_MD *md, int en_de)
{
    PBEPARAM *pbe;
    int saltlen, iter, ret;
    unsigned char *salt;
    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
    int (*pkcs12_key_gen)(const char *pass, int passlen,
                          unsigned char *salt, int slen,
                          int id, int iter, int n,
                          unsigned char *out,
                          const EVP_MD *md_type);

    pkcs12_key_gen = PKCS12_key_gen_utf8;

    if (cipher == NULL)
        return 0;

    /* Extract useful info from parameter */

    pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), param);
    if (pbe == NULL) {
        PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR);
        return 0;
    }

    if (!pbe->iter)
        iter = 1;
    else
        iter = ASN1_INTEGER_get(pbe->iter);
    salt = pbe->salt->data;
    saltlen = pbe->salt->length;
    if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
                           iter, EVP_CIPHER_key_length(cipher), key, md)) {
        PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_KEY_GEN_ERROR);
        PBEPARAM_free(pbe);
        return 0;
    }
    if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_IV_ID,
                           iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
        PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_IV_GEN_ERROR);
        PBEPARAM_free(pbe);
        return 0;
    }
    PBEPARAM_free(pbe);
    ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
    OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
    OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
    return ret;
}
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`/*`
Copyright consolidation 09/10 Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-17 18:52:22 +00:00			`* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.`
Yet more PKCS#12 integration: add lots of files under crypto/pkcs12 and add them to the build environment. 1999-03-28 23:17:34 +00:00			`*`
Copyright consolidation 09/10 Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-17 18:52:22 +00:00			`* Licensed under the OpenSSL license (the "License"). You may not use`
			`* this file except in compliance with the License. You can obtain a copy`
			`* in the file LICENSE in the source distribution or at`
			`* https://www.openssl.org/source/license.html`
Yet more PKCS#12 integration: add lots of files under crypto/pkcs12 and add them to the build environment. 1999-03-28 23:17:34 +00:00			`*/`

			`#include <stdio.h>`
Identify and move common internal libcrypto header files There are header files in crypto/ that are used by a number of crypto/ submodules. Move those to crypto/include/internal and adapt the affected source code and Makefiles. The header files that got moved are: crypto/cryptolib.h crypto/md32_common.h Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-05-14 14:56:48 +00:00			`#include "internal/cryptlib.h"`
Change #include filenames from <foo.h> to <openssl.h>. Submitted by: Reviewed by: PR: 1999-04-23 22:13:45 +00:00			`#include <openssl/pkcs12.h>`
Yet more PKCS#12 integration: add lots of files under crypto/pkcs12 and add them to the build environment. 1999-03-28 23:17:34 +00:00
Change builting PBE to use static table. Add entries for HMAC and MD5, GOST. 2006-05-15 17:34:36 +00:00			`/* PKCS#12 PBE algorithms now in static table */`
Yet more PKCS#12 integration: add lots of files under crypto/pkcs12 and add them to the build environment. 1999-03-28 23:17:34 +00:00
Change functions to ANSI C. 1999-04-19 21:31:43 +00:00			`void PKCS12_PBE_add(void)`
Yet more PKCS#12 integration: add lots of files under crypto/pkcs12 and add them to the build environment. 1999-03-28 23:17:34 +00:00			`{`
			`}`

Fix more error codes. (Also improve util/ck_errf.pl script, and occasionally fix source code formatting.) 2005-05-11 03:45:39 +00:00			`int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX ctx, const char pass, int passlen,`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`ASN1_TYPE param, const EVP_CIPHER cipher,`
			`const EVP_MD *md, int en_de)`
Yet more PKCS#12 integration: add lots of files under crypto/pkcs12 and add them to the build environment. 1999-03-28 23:17:34 +00:00			`{`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`PBEPARAM *pbe;`
			`int saltlen, iter, ret;`
			`unsigned char *salt;`
			`unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];`
crypto/pkcs12: facilitate accessing data with non-interoperable password. Originally PKCS#12 subroutines treated password strings as ASCII. It worked as long as they were pure ASCII, but if there were some none-ASCII characters result was non-interoperable. But fixing it poses problem accessing data protected with broken password. In order to make asscess to old data possible add retry with old-style password. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-26 14:42:41 +00:00			`int (pkcs12_key_gen)(const char pass, int passlen,`
			`unsigned char *salt, int slen,`
			`int id, int iter, int n,`
			`unsigned char *out,`
			`const EVP_MD *md_type);`

Don't switch password formats using global state. To avoid possible race conditions don't switch password format using global state in crypto/pkcs12 Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-08-24 17:54:10 +00:00			`pkcs12_key_gen = PKCS12_key_gen_utf8;`
Rewrite PBE handling read to support PKCS#5 v2.0 and update the function list for Win32. 1999-06-06 13:07:13 +00:00
RT4002: check for NULL cipher in p12_crpt.c The NULL cipher case can't actually happen because we have no EVP_PBE_CTL combinations where cipher_nid is -1 and keygen is PKCS12_PBE_keyivgen. But make the code more obviously correct. Reviewed-by: Matt Caswell <matt@openssl.org> 2015-09-01 12:56:58 +00:00			`if (cipher == NULL)`
			`return 0;`

Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`/* Extract useful info from parameter */`
improved error checking and some fixes PR: 1170 Submitted by: Yair Elharrar Reviewed and edited by: Nils Larsch 2005-07-26 21:10:34 +00:00
Remove duplicate code. Update code to use ASN1_TYPE_pack_sequence and ASN1_TYPE_unpack_sequence instead of performing the same operation manually. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-03-28 15:10:54 +00:00			`pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), param);`
			`if (pbe == NULL) {`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR);`
			`return 0;`
			`}`
Rewrite PBE handling read to support PKCS#5 v2.0 and update the function list for Win32. 1999-06-06 13:07:13 +00:00
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`if (!pbe->iter)`
			`iter = 1;`
			`else`
			`iter = ASN1_INTEGER_get(pbe->iter);`
			`salt = pbe->salt->data;`
			`saltlen = pbe->salt->length;`
crypto/pkcs12: facilitate accessing data with non-interoperable password. Originally PKCS#12 subroutines treated password strings as ASCII. It worked as long as they were pure ASCII, but if there were some none-ASCII characters result was non-interoperable. But fixing it poses problem accessing data protected with broken password. In order to make asscess to old data possible add retry with old-style password. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-26 14:42:41 +00:00			`if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_KEY_ID,`
			`iter, EVP_CIPHER_key_length(cipher), key, md)) {`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_KEY_GEN_ERROR);`
			`PBEPARAM_free(pbe);`
			`return 0;`
			`}`
crypto/pkcs12: facilitate accessing data with non-interoperable password. Originally PKCS#12 subroutines treated password strings as ASCII. It worked as long as they were pure ASCII, but if there were some none-ASCII characters result was non-interoperable. But fixing it poses problem accessing data protected with broken password. In order to make asscess to old data possible add retry with old-style password. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-26 14:42:41 +00:00			`if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_IV_ID,`
			`iter, EVP_CIPHER_iv_length(cipher), iv, md)) {`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_IV_GEN_ERROR);`
			`PBEPARAM_free(pbe);`
			`return 0;`
			`}`
			`PBEPARAM_free(pbe);`
			`ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);`
			`OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);`
			`OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);`
			`return ret;`
Yet more PKCS#12 integration: add lots of files under crypto/pkcs12 and add them to the build environment. 1999-03-28 23:17:34 +00:00			`}`