pkcs12: use correct key length when using STREEBOG-512

PKCS#12 files using GOST HMAC (GOST R 34.11-94 and Streebog) use special
function to generate MAC key. Pass correct key length (fixed to be 32)
when generating PKCS#12 files protected with Streebog (currently it
incorrectly uses 64 there).

Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 200d1de908f23b11ac4a0d59b6dad65fc9b87c83..8c3310d066b08350c697f1a55dea9cffb3badf62 100644 (file)
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -970,7 +970,7 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m
                                                           sizeof(salt),
                                                           iter,
                                                           pass,
-                                                          mac_size,
+                                                          key_len,
                                                           key);
        } else
 #endif

diff --git a/tests/cert-tests/pkcs12-gost b/tests/cert-tests/pkcs12-gost
index ee9318f7506eaa6cac04e0049f140dbaf4134138..2b5b6bfd7987e9d689694dd180502001f75bf3df 100755 (executable)
--- a/tests/cert-tests/pkcs12-gost
+++ b/tests/cert-tests/pkcs12-gost
@@ -81,6 +81,20 @@ if test ${rc} != 0; then
        exit 1
 fi
 
+${VALGRIND} "${CERTTOOL}" --pkcs-cipher=gost28147-tc26z --hash streebog-512 --to-p12 --password "Пароль для PFX" --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --load-ca-certificate "${srcdir}/../certs/ca-cert-ecc.pem" --outder --outfile $TMPFILE >/dev/null
+rc=$?
+if test ${rc} != 0; then
+       echo "PKCS12 FATAL encoding"
+       exit 1
+fi
+
+${VALGRIND} "${CERTTOOL}" --p12-info --inder --password "Пароль для PFX" --infile $TMPFILE >${TMPFILE_PEM} 2>/dev/null
+rc=$?
+if test ${rc} != 0; then
+       echo "PKCS12 FATAL decrypting/decoding"
+       exit 1
+fi
+
 rm -f "$TMPFILE" "$TMPFILE_PEM"
 
 exit 0