[openssl] master update
tomas at openssl.org
tomas at openssl.org
Fri May 7 09:01:06 UTC 2021
The branch master has been updated
via 592ea4ba94b790a9c366fd12792d88fb9c28ef88 (commit)
from 6d1bb1fffdeb053c6448ebf025979f9ad4689aaf (commit)
- Log -----------------------------------------------------------------
commit 592ea4ba94b790a9c366fd12792d88fb9c28ef88
Author: Jon Spillett <jon.spillett at oracle.com>
Date: Tue May 4 15:19:42 2021 +1000
Fixes #15070. Allow custom algorithm ID ASN.1 encoding for provided ciphers
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15130)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/evp_lib.c | 14 ++++--
doc/man7/provider-cipher.pod | 2 +-
include/openssl/core_names.h | 2 +-
providers/fips-sources.checksums | 2 +-
providers/fips.checksum | 2 +-
providers/implementations/ciphers/cipher_rc2.c | 6 ++-
test/pkcs12_format_test.c | 65 +++++++++++++++++++++++++-
7 files changed, 81 insertions(+), 12 deletions(-)
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 66a862688a..842ee51b8d 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -126,8 +126,9 @@ int evp_cipher_param_to_asn1_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
* We make two passes, the first to get the appropriate buffer size,
* and the second to get the actual value.
*/
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_ALG_ID,
- NULL, 0);
+ *p++ = OSSL_PARAM_construct_octet_string(
+ OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS,
+ NULL, 0);
*p = OSSL_PARAM_construct_end();
if (!EVP_CIPHER_CTX_get_params(c, params))
@@ -213,8 +214,9 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
if ((derl = i2d_ASN1_TYPE(type, &der)) >= 0) {
*p++ =
- OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_ALG_ID,
- der, (size_t)derl);
+ OSSL_PARAM_construct_octet_string(
+ OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS,
+ der, (size_t)derl);
*p = OSSL_PARAM_construct_end();
if (EVP_CIPHER_CTX_set_params(c, params))
ret = 1;
@@ -369,6 +371,10 @@ int evp_cipher_cache_constants(EVP_CIPHER *cipher)
/* Provided implementations may have a custom cipher_cipher */
if (cipher->prov != NULL && cipher->ccipher != NULL)
cipher->flags |= EVP_CIPH_FLAG_CUSTOM_CIPHER;
+ /* Provided implementations may also have custom ASN1 algorithm parameters */
+ if (OSSL_PARAM_locate_const(EVP_CIPHER_gettable_ctx_params(cipher),
+ OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS))
+ cipher->flags |= EVP_CIPH_FLAG_CUSTOM_ASN1;
}
return ok;
}
diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod
index 87b7992d84..26c4e57852 100644
--- a/doc/man7/provider-cipher.pod
+++ b/doc/man7/provider-cipher.pod
@@ -350,7 +350,7 @@ Gets a implementation specific randomly generated key for the associated
cipher ctx. This is currently only supported by 3DES (which sets the key to
odd parity).
-=item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALG_ID>) <octet string>
+=item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
Used to pass the DER encoded AlgorithmIdentifier parameter to or from
the cipher implementation. Functions like L<EVP_CIPHER_param_to_asn1(3)>
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 02476560f0..7ebde7c2a1 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -94,7 +94,7 @@ extern "C" {
#define OSSL_CIPHER_PARAM_SPEED "speed" /* uint */
#define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */
/* For passing the AlgorithmIdentifier parameter in DER form */
-#define OSSL_CIPHER_PARAM_ALG_ID "alg_id_param" /* octet_string */
+#define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */
#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \
"tls1multi_maxsndfrag" /* uint */
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums
index 239667e003..805b2da9c2 100644
--- a/providers/fips-sources.checksums
+++ b/providers/fips-sources.checksums
@@ -172,7 +172,7 @@ fa39906519062932adafb63cbf05b5dfa7563673576d421c80ec6b889d024e84 crypto/ec/ecp_
87599335b61f97362799170d7b19cbbf775bfecc0fab570b267c7622241cfad8 crypto/evp/ec_support.c
c146c0a8a06e3c558207c1c76039dd2a61a2160cc243e9e3de2e290bc6e1b2d0 crypto/evp/evp_enc.c
9b4956b5c28db987001b33421aacf3b9f352181f874c768ad1b034e083483561 crypto/evp/evp_fetch.c
-c1017021bfff5cd76ac66e08ece80c78cbb9551194a4560c84ad0ad75d46511f crypto/evp/evp_lib.c
+f975f6ba3aff8130b775f39182fdc783a3ef954402313248edd661d29032aa05 crypto/evp/evp_lib.c
af0245f7a849997921c0719df339469427656821416b402754fc1f5f5e2da291 crypto/evp/evp_rand.c
c0f87865be8dab6ea909fd976e5a46e4e8343b18403090c4a59b2af90f9a1329 crypto/evp/evp_utils.c
896bc29e0009657071bd74401513bdbedfb08ca66e34bf634e824fd3f34beb0a crypto/evp/exchange.c
diff --git a/providers/fips.checksum b/providers/fips.checksum
index 3f183b8c1a..ab881aa507 100644
--- a/providers/fips.checksum
+++ b/providers/fips.checksum
@@ -1 +1 @@
-31b3d6511f42b33ac269d527ab6ff7c18f0afda32f913d825eee5efc7e772da2 providers/fips-sources.checksums
+734ff29885aaf5d08474ad7e36f7ec6ea1813ce9c917d335225fe8fe284f38f1 providers/fips-sources.checksums
diff --git a/providers/implementations/ciphers/cipher_rc2.c b/providers/implementations/ciphers/cipher_rc2.c
index f8a18462af..106f47e866 100644
--- a/providers/implementations/ciphers/cipher_rc2.c
+++ b/providers/implementations/ciphers/cipher_rc2.c
@@ -117,7 +117,7 @@ static int rc2_get_ctx_params(void *vctx, OSSL_PARAM params[])
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
return 0;
}
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_ALG_ID);
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS);
if (p != NULL) {
long num;
int i;
@@ -176,7 +176,7 @@ static int rc2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
return 0;
}
}
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_ALG_ID);
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS);
if (p != NULL) {
ASN1_TYPE *type = NULL;
long num = 0;
@@ -210,11 +210,13 @@ static int rc2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(rc2)
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_RC2_KEYBITS, NULL),
+OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS, NULL, 0),
CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(rc2)
CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(rc2)
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_RC2_KEYBITS, NULL),
+OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS, NULL, 0),
CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(rc2)
#define IMPLEMENT_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits, blkbits, \
diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c
index e3fb55315a..0ab1651322 100644
--- a/test/pkcs12_format_test.c
+++ b/test/pkcs12_format_test.c
@@ -229,6 +229,15 @@ static const int enc_nids_all[] = {
NID_des_ede3_cbc,
NID_des_cbc,
#endif
+#ifndef OPENSSL_NO_RC5
+ NID_rc5_cbc,
+#endif
+#ifndef OPENSSL_NO_RC4
+ NID_rc4,
+#endif
+#ifndef OPENSSL_NO_RC2
+ NID_rc2_cbc,
+#endif
#ifndef OPENSSL_NO_MD2
# ifndef OPENSSL_NO_DES
@@ -602,6 +611,55 @@ static int test_single_secret_encrypted_content(void)
return end_pkcs12_builder(pb);
}
+static int test_single_secret(PKCS12_ENC *enc)
+{
+ int custom_nid;
+ char fname[80];
+ PKCS12_BUILDER *pb;
+
+ sprintf(fname, "1secret_ciph-%s_iter-%d.p12", OBJ_nid2sn(enc->nid), enc->iter);
+ pb = new_pkcs12_builder(fname);
+ custom_nid = get_custom_oid();
+
+ /* Generate/encode */
+ start_pkcs12(pb);
+
+ start_contentinfo(pb);
+
+ add_secretbag(pb, custom_nid, "VerySecretMessage", ATTRS1);
+
+ end_contentinfo_encrypted(pb, enc);
+
+ end_pkcs12_with_mac(pb, &mac_default);
+
+ /* Read/decode */
+ start_check_pkcs12_with_mac(pb, &mac_default);
+
+ start_check_contentinfo_encrypted(pb, enc);
+
+ check_secretbag(pb, custom_nid, "VerySecretMessage", ATTRS1);
+
+ end_check_contentinfo(pb);
+
+ end_check_pkcs12(pb);
+
+ return end_pkcs12_builder(pb);
+}
+
+static int test_single_secret_enc_alg(int z)
+{
+ PKCS12_ENC enc;
+
+ if (lgcyprov == NULL)
+ enc.nid = enc_nids_no_legacy[z];
+ else
+ enc.nid = enc_nids_all[z];
+ enc.pass = enc_default.pass;
+ enc.iter = enc_default.iter;
+
+ return test_single_secret(&enc);
+}
+
static int test_multiple_contents(void)
{
PKCS12_BUILDER *pb = new_pkcs12_builder("multi_contents.p12");
@@ -720,10 +778,13 @@ int setup_tests(void)
}
ADD_TEST(test_single_cert_no_attrs);
- if (lgcyprov == NULL)
+ if (lgcyprov == NULL) {
ADD_ALL_TESTS(test_single_key_enc_alg, OSSL_NELEM(enc_nids_no_legacy));
- else
+ ADD_ALL_TESTS(test_single_secret_enc_alg, OSSL_NELEM(enc_nids_no_legacy));
+ } else {
ADD_ALL_TESTS(test_single_key_enc_alg, OSSL_NELEM(enc_nids_all));
+ ADD_ALL_TESTS(test_single_secret_enc_alg, OSSL_NELEM(enc_nids_all));
+ }
ADD_ALL_TESTS(test_single_key_enc_pass, OSSL_NELEM(passwords));
ADD_ALL_TESTS(test_single_key_enc_iter, OSSL_NELEM(iters));
ADD_TEST(test_single_key_with_attrs);
More information about the openssl-commits
mailing list