[openssl] master update
tmraz at fedoraproject.org
tmraz at fedoraproject.org
Fri Jan 3 17:00:33 UTC 2020
The branch master has been updated
via 1fdde9170cbe36c9cd7bf9dc712836f591f7d511 (commit)
from e7b834b6bb0a32be694ebc8e614247c9af735c0f (commit)
- Log -----------------------------------------------------------------
commit 1fdde9170cbe36c9cd7bf9dc712836f591f7d511
Author: Ibrahim M. Ghazal <imgx64 at gmail.com>
Date: Tue Dec 24 21:39:55 2019 +0300
Add -iter option to pkcs12 command
Fixes #8194
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10130)
-----------------------------------------------------------------------
Summary of changes:
apps/pkcs12.c | 14 ++++++++++----
doc/man1/openssl-pkcs12.pod.in | 15 +++++++++------
2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 96e142ff81..5eff88b644 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -53,7 +53,7 @@ typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS,
OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER,
- OPT_DESCERT, OPT_EXPORT, OPT_NOITER, OPT_MACITER, OPT_NOMACITER,
+ OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER,
OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME,
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
@@ -121,8 +121,9 @@ const OPTIONS pkcs12_options[] = {
{"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"},
{"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"},
# endif
- {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
- {"maciter", OPT_MACITER, '-', "Use MAC iteration"},
+ {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption key and MAC"},
+ {"noiter", OPT_NOITER, '-', "Don't use encryption key iteration"},
+ {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
{"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"},
{"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
{"nodes", OPT_NODES, '-', "Don't encrypt private keys"},
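Review bot: The help string for `-iter` on the added table line states neither the default nor any guidance on safe values. The `'p'` value type appears to accept any positive integer, so `-iter 1` would have the same effect as `-noiter -nomaciter` but without the caution the man page attaches to those two options. Suggest something like `"Iteration count for encryption key and MAC (default 2048; lower values weaken password protection)"`, where 2048 is the default given in the man page text of this commit. The options table starts and ends outside the hunk.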
@@ -214,11 +215,16 @@ int pkcs12_main(int argc, char **argv)
if (!opt_cipher(opt_unknown(), &enc))
goto opthelp;
break;
+ case OPT_ITER:
+ if (!opt_int(opt_arg(), &iter))
+ goto opthelp;
+ maciter = iter;
+ break;
case OPT_NOITER:
iter = 1;
break;
case OPT_MACITER:
- maciter = PKCS12_DEFAULT_ITER;
+ /* no-op */
break;
case OPT_NOMACITER:
maciter = 1;
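Review bot: The new `OPT_ITER` case sets both `iter` and `maciter`, while `OPT_NOITER` and `OPT_NOMACITER` below it each reset one of them to 1, so the outcome depends on argument order. `-nomaciter -iter N` ends with `maciter = N`, but `-iter N -nomaciter` ends with a MAC iteration count of 1. The synopsis in this commit's man page lists the three options as alternatives, yet nothing visible in the hunk rejects the combination, so a user asking for a higher count can silently end up with a weakened MAC. Consider rejecting the mix once option parsing finishes, or at least documenting it on the case, e.g. `/* sets both counts; a later -noiter/-nomaciter still overrides one of them */`. The switch and `pkcs12_main` begin and end outside the hunk, so a check elsewhere cannot be ruled out.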
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index 16eb0accec..86c9de4670 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -25,8 +25,9 @@ B<openssl> B<pkcs12>
[B<-nokeys>]
[B<-info>]
[B<-des> B<-des3> B<-idea> B<-aes128> B<-aes192> B<-aes256> B<-aria128> B<-aria192> B<-aria256> B<-camellia128> B<-camellia192> B<-camellia256> B<-nodes>]
-[B<-noiter>]
-[B<-maciter> | B<-nomaciter> | B<-nomac>]
+[B<-iter> I<count> | B<-noiter> | B<-nomaciter>]
+[B<-maciter>]
+[B<-nomac>]
[B<-twopass>]
[B<-descert>]
[B<-certpbe> I<cipher>]
@@ -233,17 +234,19 @@ the use of signing only keys for SSL client authentication.
Specify the MAC digest algorithm. If not included them SHA1 will be used.
-=item B<-nomaciter>, B<-noiter>
+=item B<-iter> I<count>
-These options affect the iteration counts on the MAC and key algorithms.
-Unless you wish to produce files compatible with MSIE 4.0 you should leave
-these options alone.
+This option specifies the iteration count for the encryption key and MAC. The
+default value is 2048.
To discourage attacks by using large dictionaries of common passwords the
algorithm that derives keys from passwords can have an iteration count applied
to it: this causes a certain part of the algorithm to be repeated and slows it
down. The MAC is used to check the file integrity but since it will normally
have the same password as the keys and certificates it could also be attacked.
+
+=item B<-nomaciter>, B<-noiter>
+
By default both MAC and encryption iteration counts are set to 2048, using
these options the MAC and encryption iteration counts can be set to 1, since
this reduces the file security you should not use these options unless you