PKCS12_set_pbmac1_pbkdf2() fixups.

Adding a test that called PKCS12_set_pbmac1_pbkdf2() with a saltlen of
zero, pointed out that the libctx and propq were not being propagated.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29068)

diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index d2d8ffc35bbd6a6b5f49c50ba05619ba3b674f9f..f28a0d9d3682c6dd3a8c496f161336ba38a1b628 100644 (file)
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -26,7 +26,8 @@ static int pkcs12_pbmac1_pbkdf2_key_gen(const char *pass, int passlen,
                                         unsigned char *salt, int saltlen,
                                         int id, int iter, int keylen,
                                         unsigned char *out,
                                         unsigned char *salt, int saltlen,
                                         int id, int iter, int keylen,
                                         unsigned char *out,

-                                        const EVP_MD *md_type);
+                                        const EVP_MD *md_type,
+                                        OSSL_LIB_CTX *libctx, const char *propq);

 
 int PKCS12_mac_present(const PKCS12 *p12)
 {
 
 int PKCS12_mac_present(const PKCS12 *p12)
 {


@@ -160,7 +161,9 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
                                                 unsigned char *salt, int slen,
                                                 int id, int iter, int n,
                                                 unsigned char *out,
                                                 unsigned char *salt, int slen,
                                                 int id, int iter, int n,
                                                 unsigned char *out,

-                                                const EVP_MD *md_type))
+                                                const EVP_MD *md_type,
+                                                OSSL_LIB_CTX *libctx,
+                                                const char *propq))

 {
     int ret = 0;
     const EVP_MD *md;
 {
     int ret = 0;
     const EVP_MD *md;


@@ -173,6 +176,8 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
     int md_nid = NID_undef;
     const X509_ALGOR *macalg;
     const ASN1_OBJECT *macoid;
     int md_nid = NID_undef;
     const X509_ALGOR *macalg;
     const ASN1_OBJECT *macoid;

+    OSSL_LIB_CTX *libctx;
+    const char *propq;

 
     if (!PKCS7_type_is_data(p12->authsafes)) {
         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
 
     if (!PKCS7_type_is_data(p12->authsafes)) {
         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);


@@ -184,6 +189,8 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
         return 0;
     }
 
         return 0;
     }
 

+    libctx = p12->authsafes->ctx.libctx;
+    propq = p12->authsafes->ctx.propq;

     salt = p12->mac->salt->data;
     saltlen = p12->mac->salt->length;
     if (p12->mac->iter == NULL)
     salt = p12->mac->salt->data;
     saltlen = p12->mac->salt->length;
     if (p12->mac->iter == NULL)


@@ -200,8 +207,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
             return 0;
     }
     (void)ERR_set_mark();
             return 0;
     }
     (void)ERR_set_mark();

-    md = md_fetch = EVP_MD_fetch(p12->authsafes->ctx.libctx, md_name,
-                                 p12->authsafes->ctx.propq);
+    md = md_fetch = EVP_MD_fetch(libctx, md_name, propq);

     if (md == NULL)
         md = EVP_get_digestbynid(OBJ_obj2nid(macoid));
 
     if (md == NULL)
         md = EVP_get_digestbynid(OBJ_obj2nid(macoid));
 


@@ -219,8 +225,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
 
     /* For PBMAC1 we use a special keygen callback if not provided (e.g. on verification) */
     if (pbmac1_md_nid != NID_undef && pkcs12_key_gen == NULL) {
 
     /* For PBMAC1 we use a special keygen callback if not provided (e.g. on verification) */
     if (pbmac1_md_nid != NID_undef && pkcs12_key_gen == NULL) {

-        keylen = PBMAC1_PBKDF2_HMAC(p12->authsafes->ctx.libctx, p12->authsafes->ctx.propq,
-                                    pass, passlen, macalg, key);
+        keylen = PBMAC1_PBKDF2_HMAC(libctx, propq, pass, passlen, macalg, key);

         if (keylen < 0)
             goto err;
     } else if ((md_nid == NID_id_GostR3411_94
         if (keylen < 0)
             goto err;
     } else if ((md_nid == NID_id_GostR3411_94


@@ -242,14 +247,14 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
 
             if (OBJ_obj2txt(hmac_md_name, sizeof(hmac_md_name), OBJ_nid2obj(pbmac1_kdf_nid), 0) < 0)
                 goto err;
 
             if (OBJ_obj2txt(hmac_md_name, sizeof(hmac_md_name), OBJ_nid2obj(pbmac1_kdf_nid), 0) < 0)
                 goto err;

-            hmac_md = EVP_MD_fetch(NULL, hmac_md_name, NULL);
+            hmac_md = EVP_MD_fetch(libctx, hmac_md_name, propq);

             if (hmac_md == NULL)
                 goto err;
             fetched = 1;
         }
         if (pkcs12_key_gen != NULL) {
             int res = (*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID,
             if (hmac_md == NULL)
                 goto err;
             fetched = 1;
         }
         if (pkcs12_key_gen != NULL) {
             int res = (*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID,

-                                        iter, keylen, key, hmac_md);
+                                        iter, keylen, key, hmac_md, libctx, propq);

 
             if (fetched)
                 EVP_MD_free(hmac_md);
 
             if (fetched)
                 EVP_MD_free(hmac_md);


@@ -262,8 +267,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
                 EVP_MD_free(hmac_md);
             /* Default to UTF-8 password */
             if (!PKCS12_key_gen_utf8_ex(pass, passlen, salt, saltlen, PKCS12_MAC_ID,
                 EVP_MD_free(hmac_md);
             /* Default to UTF-8 password */
             if (!PKCS12_key_gen_utf8_ex(pass, passlen, salt, saltlen, PKCS12_MAC_ID,

-                                        iter, keylen, key, md,
-                                        p12->authsafes->ctx.libctx, p12->authsafes->ctx.propq)) {
+                                        iter, keylen, key, md, libctx, propq)) {

                 ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR);
                 goto err;
             }
                 ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR);
                 goto err;
             }


@@ -377,10 +381,11 @@ static int pkcs12_pbmac1_pbkdf2_key_gen(const char *pass, int passlen,
                                         unsigned char *salt, int saltlen,
                                         int id, int iter, int keylen,
                                         unsigned char *out,
                                         unsigned char *salt, int saltlen,
                                         int id, int iter, int keylen,
                                         unsigned char *out,

-                                        const EVP_MD *md_type)
+                                        const EVP_MD *md_type,
+                                        OSSL_LIB_CTX *libctx, const char *propq)

 {
 {

-    return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
-                             md_type, keylen, out);
+    return ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter, md_type,
+                                     keylen, out, libctx, propq);

 }
 
 static int pkcs12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
 }
 
 static int pkcs12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,


@@ -447,6 +452,7 @@ int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen,
     int keylen = 0;
     PBMAC1PARAM *param = NULL;
     X509_ALGOR  *hmac_alg = NULL, *macalg = NULL;
     int keylen = 0;
     PBMAC1PARAM *param = NULL;
     X509_ALGOR  *hmac_alg = NULL, *macalg = NULL;

+    OSSL_LIB_CTX *libctx = p12->authsafes->ctx.libctx;

 
     if (md_type == NULL)
         /* No need to do a fetch as the md_type is used only to get a NID */
 
     if (md_type == NULL)
         /* No need to do a fetch as the md_type is used only to get a NID */


@@ -471,23 +477,26 @@ int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen,
     }
 
     if (salt == NULL) {
     }
 
     if (salt == NULL) {

-        if (saltlen <= 0) {
+        if (saltlen < 0) {

             ERR_raise(ERR_LIB_PKCS12, PKCS12_R_INVALID_SALT_LENGTH);
             goto err;
         }
             ERR_raise(ERR_LIB_PKCS12, PKCS12_R_INVALID_SALT_LENGTH);
             goto err;
         }

-        known_salt = OPENSSL_malloc(saltlen);
-        if (known_salt == NULL)
-            goto err;
+        if (saltlen > 0) {
+            known_salt = OPENSSL_malloc(saltlen);
+            if (known_salt == NULL)
+                goto err;

 
 

-        if (RAND_bytes_ex(NULL, known_salt, saltlen, 0) <= 0) {
-            ERR_raise(ERR_LIB_PKCS12, ERR_R_RAND_LIB);
-            goto err;
+            if (RAND_bytes_ex(libctx, known_salt, saltlen, 0) <= 0) {
+                ERR_raise(ERR_LIB_PKCS12, ERR_R_RAND_LIB);
+                goto err;
+            }

         }
     }
 
     param = PBMAC1PARAM_new();
     hmac_alg = X509_ALGOR_new();
         }
     }
 
     param = PBMAC1PARAM_new();
     hmac_alg = X509_ALGOR_new();

-    alg = PKCS5_pbkdf2_set(iter, salt ? salt : known_salt, saltlen, prf_nid, keylen);
+    alg = PKCS5_pbkdf2_set_ex(iter, salt ? salt : known_salt, saltlen,
+                              prf_nid, keylen, libctx);

     if (param == NULL || hmac_alg == NULL || alg == NULL)
         goto err;
 
     if (param == NULL || hmac_alg == NULL || alg == NULL)
         goto err;
 

diff --git a/test/pkcs12_api_test.c b/test/pkcs12_api_test.c
index 5afef5a16ad3aa5da3ae82b9c3c43b1a56952b8c..e2f9edbb9820e7236ae2b2c99fca26b837304074 100644 (file)
--- a/test/pkcs12_api_test.c
+++ b/test/pkcs12_api_test.c
@@ -253,6 +253,33 @@ const OPTIONS *test_get_options(void)
     return options;
 }
 
     return options;
 }
 

+static int test_PKCS12_set_pbmac1_pbkdf2_saltlen_zero(void)
+{
+    int ret = 0;
+    EVP_PKEY *key = NULL;
+    X509 *cert = NULL;
+    STACK_OF(X509) *ca = NULL;
+    PKCS12 *p12 = NULL;
+
+    if (!TEST_ptr(p12 = PKCS12_load(in_file)))
+        return 0;
+    if (!TEST_true(PKCS12_parse(p12, in_pass, &key, &cert, &ca)))
+        goto err;
+    PKCS12_free(p12);
+
+    if (!TEST_ptr(p12 = PKCS12_create_ex2("pass", NULL, key, cert, ca,
+                                          NID_undef, NID_undef, 0, -1, 0,
+                                          testctx, NULL, NULL, NULL)))
+        goto err;
+    ret = TEST_true(PKCS12_set_pbmac1_pbkdf2(p12, "pass", -1, NULL, 0, 0, NULL, NULL));
+err:
+    PKCS12_free(p12);
+    EVP_PKEY_free(key);
+    X509_free(cert);
+    OSSL_STACK_OF_X509_free(ca);
+    return ret;
+}
+

 int setup_tests(void)
 {
     OPTION_CHOICE o;
 int setup_tests(void)
 {
     OPTION_CHOICE o;


@@ -292,6 +319,7 @@ int setup_tests(void)
     ADD_TEST(test_null_args);
     ADD_TEST(pkcs12_parse_test);
     ADD_ALL_TESTS(pkcs12_create_ex2_test, 3);
     ADD_TEST(test_null_args);
     ADD_TEST(pkcs12_parse_test);
     ADD_ALL_TESTS(pkcs12_create_ex2_test, 3);

+    ADD_TEST(test_PKCS12_set_pbmac1_pbkdf2_saltlen_zero);

     return 1;
 }
 
     return 1;
 }