summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-05-13 11:58:52 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-08-21 09:04:11 +0200
commit97e00da90282dddfc572c84d8468d85ab1925fba (patch)
tree5ae138865d0e50f05db09df16285bb603fce87da /crypto
parentAdd libctx and propq parameters to OSSL_CMP_{SRV_},CTX_new() and ossl_cmp_moc... (diff)
downloadopenssl-97e00da90282dddfc572c84d8468d85ab1925fba.tar.xz
openssl-97e00da90282dddfc572c84d8468d85ab1925fba.zip
Add OPENSSL_CTX parameter to OSSL_CRMF_pbmp_new() and improve its doc
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11808)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/cmp/cmp_local.h4
-rw-r--r--crypto/cmp/cmp_protect.c4
-rw-r--r--crypto/crmf/crmf_pbm.c15
3 files changed, 14 insertions, 9 deletions
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 95c4781b6f..90d043c71c 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -75,9 +75,9 @@ struct ossl_cmp_ctx_st {
ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
/* PBMParameters for MSG_MAC_ALG */
- size_t pbm_slen; /* currently fixed to 16 */
+ size_t pbm_slen; /* salt length, currently fixed to 16 */
int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */
- int pbm_itercnt; /* currently fixed to 500 */
+ int pbm_itercnt; /* OWF iteration count, currently fixed to 500 */
int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */
/* CMP message header and extra certificates */
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 0f70c29953..7c3d5bf730 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -195,8 +195,8 @@ static X509_ALGOR *create_pbmac_algor(OSSL_CMP_CTX *ctx)
return NULL;
alg = X509_ALGOR_new();
- pbm = OSSL_CRMF_pbmp_new(ctx->pbm_slen, ctx->pbm_owf, ctx->pbm_itercnt,
- ctx->pbm_mac);
+ pbm = OSSL_CRMF_pbmp_new(ctx->libctx, ctx->pbm_slen,
+ ctx->pbm_owf, ctx->pbm_itercnt, ctx->pbm_mac);
pbm_str = ASN1_STRING_new();
if (alg == NULL || pbm == NULL || pbm_str == NULL)
goto err;
diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c
index f674eeeff7..77ef6e0a37 100644
--- a/crypto/crmf/crmf_pbm.c
+++ b/crypto/crmf/crmf_pbm.c
@@ -29,14 +29,15 @@
/*-
* creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
- * |slen| SHOULD be > 8 (16 is common)
+ * |slen| SHOULD be at least 8 (16 is common)
* |owfnid| e.g., NID_sha256
- * |itercnt| MUST be > 100 (500 is common)
+ * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT
* |macnid| e.g., NID_hmac_sha1
* returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
*/
-OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
- int itercnt, int macnid)
+OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OPENSSL_CTX *libctx, size_t slen,
+ int owfnid, size_t itercnt,
+ int macnid)
{
OSSL_CRMF_PBMPARAMETER *pbm = NULL;
unsigned char *salt = NULL;
@@ -51,7 +52,7 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
*/
if ((salt = OPENSSL_malloc(slen)) == NULL)
goto err;
- if (RAND_bytes(salt, (int)slen) <= 0) {
+ if (RAND_bytes_ex(libctx, salt, (int)slen) <= 0) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
goto err;
}
@@ -82,6 +83,10 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100);
goto err;
}
+ if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
+ CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT);
+ goto err;
+ }
if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR);