mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-04-06 20:20:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add OPENSSL_CTX parameter to OSSL_CRMF_pbmp_new() and improve its doc

Browse Source 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808)
This commit is contained in:
Dr. David von Oheimb 2020-05-13 11:58:52 +02:00
parent 1a7cd250ad
commit 97e00da902
5 changed files with 37 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
crypto/cmp/cmp_local.h
View File

@ -75,9 +75,9 @@ struct ossl_cmp_ctx_st {
ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
/* PBMParameters for MSG_MAC_ALG */
size_t pbm_slen; /* currently fixed to 16 */
size_t pbm_slen; /* salt length, currently fixed to 16 */
int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */
int pbm_itercnt; /* currently fixed to 500 */
int pbm_itercnt; /* OWF iteration count, currently fixed to 500 */
int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */
/* CMP message header and extra certificates */

4
crypto/cmp/cmp_protect.c
View File

@ -195,8 +195,8 @@ static X509_ALGOR *create_pbmac_algor(OSSL_CMP_CTX *ctx)
return NULL;
alg = X509_ALGOR_new();
pbm = OSSL_CRMF_pbmp_new(ctx->pbm_slen, ctx->pbm_owf, ctx->pbm_itercnt,
ctx->pbm_mac);
pbm = OSSL_CRMF_pbmp_new(ctx->libctx, ctx->pbm_slen,
ctx->pbm_owf, ctx->pbm_itercnt, ctx->pbm_mac);
pbm_str = ASN1_STRING_new();
if (alg == NULL || pbm == NULL || pbm_str == NULL)
goto err;

15
crypto/crmf/crmf_pbm.c
View File

@ -29,14 +29,15 @@
/*-
* creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
* |slen| SHOULD be > 8 (16 is common)
* |slen| SHOULD be at least 8 (16 is common)
* |owfnid| e.g., NID_sha256
* |itercnt| MUST be > 100 (500 is common)
* |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT
* |macnid| e.g., NID_hmac_sha1
* returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
*/
OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
int itercnt, int macnid)
OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OPENSSL_CTX *libctx, size_t slen,
int owfnid, size_t itercnt,
int macnid)
{
OSSL_CRMF_PBMPARAMETER *pbm = NULL;
unsigned char *salt = NULL;
@ -51,7 +52,7 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
*/
if ((salt = OPENSSL_malloc(slen)) == NULL)
goto err;
if (RAND_bytes(salt, (int)slen) <= 0) {
if (RAND_bytes_ex(libctx, salt, (int)slen) <= 0) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
goto err;
}
@ -82,6 +83,10 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100);
goto err;
}
if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT);
goto err;
}
if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR);

35
doc/man3/OSSL_CRMF_pbmp_new.pod
View File

@ -8,15 +8,16 @@ OSSL_CRMF_pbmp_new
=head1 SYNOPSIS
#include <openssl/crmf.h>
#include <openssl/crmf.h>
int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
const unsigned char *msg, size_t msglen,
const unsigned char *sec, size_t seclen,
unsigned char **mac, size_t *maclen);
int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
const unsigned char *msg, size_t msglen,
const unsigned char *sec, size_t seclen,
unsigned char **mac, size_t *maclen);
OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t saltlen, int owfnid,
int itercnt, int macnid);
OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OPENSSL_CTX *libctx, size_t saltlen,
int owfnid, size_t itercnt,
int macnid);
=head1 DESCRIPTION
@ -26,13 +27,12 @@ lengths B<msglen> and B<seclen>. On success writes the address of the newly
allocated MAC via the B<mac> reference parameter and writes the length via the
B<maclen> reference parameter unless it its NULL.
The iteration count must be at least 100, as stipulated by RFC 4211, and is
limited to at most 100000 to avoid DoS through manipulated or otherwise
malformed input.
OSSL_CRMF_pbmp_new() initializes and returns a new PBMParameter
structure with a new random salt of given length B<saltlen>, OWF (one-way
function) NID B<owfnid>, iteration count B<itercnt>, and MAC NID B<macnid>.
OSSL_CRMF_pbmp_new() initializes and returns a new B<PBMParameter> structure
with a new random salt of given length B<saltlen>,
OWF (one-way function) NID B<owfnid>, OWF iteration count B<itercnt>,
and MAC NID B<macnid>.
The library context I<libctx> parameter may be used to select the provider
for the random number generation (DRBG) and may be NULL for the default.
=head1 NOTES
@ -40,7 +40,12 @@ The algorithms for the OWF (one-way function) and for the MAC (message
authentication code) may be any with a NID defined in B<openssl/objects.h>.
As specified by RFC 4210, these should include NID_hmac_sha1.
RFC 4210 recommends that the salt SHOULD be at least 8 bytes (64 bits) long.
RFC 4210 recommends that the salt SHOULD be at least 8 bytes (64 bits) long,
where 16 bytes is common.
The iteration count must be at least 100, as stipulated by RFC 4211, and is
limited to at most 100000 to avoid DoS through manipulated or otherwise
malformed input.
=head1 RETURN VALUES

5
include/openssl/crmf.h
View File

@ -67,8 +67,9 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSGS)
typedef struct ossl_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY;
/* crmf_pbm.c */
OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
int itercnt, int macnid);
OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OPENSSL_CTX *libctx, size_t slen,
int owfnid, size_t itercnt,
int macnid);
int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
const unsigned char *msg, size_t msglen,
const unsigned char *sec, size_t seclen,