summaryrefslogtreecommitdiff
path: root/Cryptlib/OpenSSL/crypto/pkcs12
diff options
context:
space:
mode:
authorGary Ching-Pang Lin <glin@suse.com>2015-07-28 11:46:38 -0400
committerPeter Jones <pjones@redhat.com>2015-07-28 11:46:38 -0400
commit5ce38c90cf43ee79cd999716ea83a5a44eeb819e (patch)
tree2fb3d9dd667c772fae5f87fa61e1501cf12da0ce /Cryptlib/OpenSSL/crypto/pkcs12
parent69ba24ff72921ecabbb47178de40dc5a79350040 (diff)
downloadefi-boot-shim-5ce38c90cf43ee79cd999716ea83a5a44eeb819e.tar.gz
efi-boot-shim-5ce38c90cf43ee79cd999716ea83a5a44eeb819e.zip
Update openssl to 1.0.2d
Also update Cryptlib to edk2 r17731 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/pkcs12')
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c20
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c10
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c20
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c3
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c20
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c42
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c137
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c20
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c6
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c12
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c2
11 files changed, 144 insertions, 148 deletions
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c
index 54e4af50..982805d9 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c
@@ -108,6 +108,7 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
PKCS8_PRIV_KEY_INFO *p8)
{
PKCS12_SAFEBAG *bag;
+ const EVP_CIPHER *pbe_ciph;
/* Set up the safe bag */
if (!(bag = PKCS12_SAFEBAG_new())) {
@@ -116,8 +117,14 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
}
bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+
+ pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+
+ if (pbe_ciph)
+ pbe_nid = -1;
+
if (!(bag->value.shkeybag =
- PKCS8_encrypt(pbe_nid, NULL, pass, passlen, salt, saltlen, iter,
+ PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
p8))) {
PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -166,6 +173,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
{
PKCS7 *p7;
X509_ALGOR *pbe;
+ const EVP_CIPHER *pbe_ciph;
if (!(p7 = PKCS7_new())) {
PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -175,7 +183,15 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
return NULL;
}
- if (!(pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen))) {
+
+ pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+
+ if (pbe_ciph)
+ pbe = PKCS5_pbe2_set(pbe_ciph, iter, salt, saltlen);
+ else
+ pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+
+ if (!pbe) {
PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
return NULL;
}
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c
index 1b57ac86..fff3ba1e 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c
@@ -61,12 +61,6 @@
#include "cryptlib.h"
#include <openssl/pkcs12.h>
-#ifdef OPENSSL_SYS_NETWARE
-/* Rename these functions to avoid name clashes on NetWare OS */
-# define uni2asc OPENSSL_uni2asc
-# define asc2uni OPENSSL_asc2uni
-#endif
-
/* Add a local keyid to a safebag */
int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
@@ -148,6 +142,6 @@ char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
return NULL;
if (atype->type != V_ASN1_BMPSTRING)
return NULL;
- return uni2asc(atype->value.bmpstring->data,
- atype->value.bmpstring->length);
+ return OPENSSL_uni2asc(atype->value.bmpstring->data,
+ atype->value.bmpstring->length);
}
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c
index d75adf52..3a166e61 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c
@@ -61,28 +61,10 @@
#include "cryptlib.h"
#include <openssl/pkcs12.h>
-/* PKCS#12 specific PBE functions */
+/* PKCS#12 PBE algorithms now in static table */
void PKCS12_PBE_add(void)
{
-#ifndef OPENSSL_NO_RC4
- EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC4, EVP_rc4(), EVP_sha1(),
- PKCS12_PBE_keyivgen);
- EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC4, EVP_rc4_40(), EVP_sha1(),
- PKCS12_PBE_keyivgen);
-#endif
-#ifndef OPENSSL_NO_DES
- EVP_PBE_alg_add(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
- EVP_des_ede3_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
- EVP_PBE_alg_add(NID_pbe_WithSHA1And2_Key_TripleDES_CBC,
- EVP_des_ede_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
-#endif
-#ifndef OPENSSL_NO_RC2
- EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC2_CBC, EVP_rc2_cbc(),
- EVP_sha1(), PKCS12_PBE_keyivgen);
- EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
- EVP_sha1(), PKCS12_PBE_keyivgen);
-#endif
}
int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c
index e9b150ca..7d2aeefa 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c
@@ -60,9 +60,6 @@
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/pkcs12.h>
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
PKCS12_SAFEBAG *bag);
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c
index af0b7f83..b40ea10c 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c
@@ -93,7 +93,13 @@ unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
goto err;
}
- EVP_CipherUpdate(&ctx, out, &i, in, inlen);
+ if (!EVP_CipherUpdate(&ctx, out, &i, in, inlen)) {
+ OPENSSL_free(out);
+ out = NULL;
+ PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_EVP_LIB);
+ goto err;
+ }
+
outlen = i;
if (!EVP_CipherFinal_ex(&ctx, out + i, &i)) {
OPENSSL_free(out);
@@ -165,28 +171,32 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor,
const char *pass, int passlen,
void *obj, int zbuf)
{
- ASN1_OCTET_STRING *oct;
+ ASN1_OCTET_STRING *oct = NULL;
unsigned char *in = NULL;
int inlen;
if (!(oct = M_ASN1_OCTET_STRING_new())) {
PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
inlen = ASN1_item_i2d(obj, &in, it);
if (!in) {
PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, PKCS12_R_ENCODE_ERROR);
- return NULL;
+ goto err;
}
if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data,
&oct->length, 1)) {
PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
OPENSSL_free(in);
- return NULL;
+ goto err;
}
if (zbuf)
OPENSSL_cleanse(in, inlen);
OPENSSL_free(in);
return oct;
+ err:
+ if (oct)
+ ASN1_OCTET_STRING_free(oct);
+ return NULL;
}
IMPLEMENT_PKCS12_STACK_OF(PKCS7)
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c
index dcccc105..99b8260c 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c
@@ -72,12 +72,6 @@ extern BIO *bio_err;
void h__dump(unsigned char *p, int len);
#endif
-#ifdef OPENSSL_SYS_NETWARE
-/* Rename these functions to avoid name clashes on NetWare OS */
-# define uni2asc OPENSSL_uni2asc
-# define asc2uni OPENSSL_asc2uni
-#endif
-
/* PKCS12 compatible key/IV generation */
#ifndef min
# define min(a,b) ((a) < (b) ? (a) : (b))
@@ -90,15 +84,18 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
int ret;
unsigned char *unipass;
int uniplen;
+
if (!pass) {
unipass = NULL;
uniplen = 0;
- } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) {
+ } else if (!OPENSSL_asc2uni(pass, passlen, &unipass, &uniplen)) {
PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC, ERR_R_MALLOC_FAILURE);
return 0;
}
ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
id, iter, n, out, md_type);
+ if (ret <= 0)
+ return 0;
if (unipass) {
OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */
OPENSSL_free(unipass);
@@ -139,6 +136,8 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
#endif
v = EVP_MD_block_size(md_type);
u = EVP_MD_size(md_type);
+ if (u < 0)
+ return 0;
D = OPENSSL_malloc(v);
Ai = OPENSSL_malloc(u);
B = OPENSSL_malloc(v + 1);
@@ -161,14 +160,16 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
for (i = 0; i < Plen; i++)
*p++ = pass[i % passlen];
for (;;) {
- EVP_DigestInit_ex(&ctx, md_type, NULL);
- EVP_DigestUpdate(&ctx, D, v);
- EVP_DigestUpdate(&ctx, I, Ilen);
- EVP_DigestFinal_ex(&ctx, Ai, NULL);
+ if (!EVP_DigestInit_ex(&ctx, md_type, NULL)
+ || !EVP_DigestUpdate(&ctx, D, v)
+ || !EVP_DigestUpdate(&ctx, I, Ilen)
+ || !EVP_DigestFinal_ex(&ctx, Ai, NULL))
+ goto err;
for (j = 1; j < iter; j++) {
- EVP_DigestInit_ex(&ctx, md_type, NULL);
- EVP_DigestUpdate(&ctx, Ai, u);
- EVP_DigestFinal_ex(&ctx, Ai, NULL);
+ if (!EVP_DigestInit_ex(&ctx, md_type, NULL)
+ || !EVP_DigestUpdate(&ctx, Ai, u)
+ || !EVP_DigestFinal_ex(&ctx, Ai, NULL))
+ goto err;
}
memcpy(out, Ai, min(n, u));
if (u >= n) {
@@ -193,20 +194,23 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
goto err;
if (!BN_add(Ij, Ij, Bpl1))
goto err;
- BN_bn2bin(Ij, B);
+ if (!BN_bn2bin(Ij, B))
+ goto err;
Ijlen = BN_num_bytes(Ij);
/* If more than 2^(v*8) - 1 cut off MSB */
if (Ijlen > v) {
- BN_bn2bin(Ij, B);
+ if (!BN_bn2bin(Ij, B))
+ goto err;
memcpy(I + j, B + 1, v);
#ifndef PKCS12_BROKEN_KEYGEN
/* If less than v bytes pad with zeroes */
} else if (Ijlen < v) {
memset(I + j, 0, v - Ijlen);
- BN_bn2bin(Ij, I + j + v - Ijlen);
+ if (!BN_bn2bin(Ij, I + j + v - Ijlen))
+ goto err;
#endif
- } else
- BN_bn2bin(Ij, I + j);
+ } else if (!BN_bn2bin(Ij, I + j))
+ goto err;
}
}
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c
index 819251c3..9aa3c90c 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c
@@ -64,16 +64,13 @@
/* Simplified PKCS#12 routines */
static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
- EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);
+ EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
- int passlen, EVP_PKEY **pkey, X509 **cert,
- STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
- char *keymatch);
+ int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
- EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
- ASN1_OCTET_STRING **keyid, char *keymatch);
+ EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
/*
* Parse and decrypt a PKCS#12 structure returning user key, user cert and
@@ -85,7 +82,8 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
STACK_OF(X509) **ca)
{
-
+ STACK_OF(X509) *ocerts = NULL;
+ X509 *x = NULL;
/* Check for NULL PKCS12 structure */
if (!p12) {
@@ -94,14 +92,6 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
return 0;
}
- /* Allocate stack for ca certificates if needed */
- if ((ca != NULL) && (*ca == NULL)) {
- if (!(*ca = sk_X509_new_null())) {
- PKCS12err(PKCS12_F_PKCS12_PARSE, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- }
-
if (pkey)
*pkey = NULL;
if (cert)
@@ -130,11 +120,45 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
goto err;
}
- if (!parse_pk12(p12, pass, -1, pkey, cert, ca)) {
+ /* Allocate stack for other certificates */
+ ocerts = sk_X509_new_null();
+
+ if (!ocerts) {
+ PKCS12err(PKCS12_F_PKCS12_PARSE, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (!parse_pk12(p12, pass, -1, pkey, ocerts)) {
PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_PARSE_ERROR);
goto err;
}
+ while ((x = sk_X509_pop(ocerts))) {
+ if (pkey && *pkey && cert && !*cert) {
+ ERR_set_mark();
+ if (X509_check_private_key(x, *pkey)) {
+ *cert = x;
+ x = NULL;
+ }
+ ERR_pop_to_mark();
+ }
+
+ if (ca && x) {
+ if (!*ca)
+ *ca = sk_X509_new_null();
+ if (!*ca)
+ goto err;
+ if (!sk_X509_push(*ca, x))
+ goto err;
+ x = NULL;
+ }
+ if (x)
+ X509_free(x);
+ }
+
+ if (ocerts)
+ sk_X509_pop_free(ocerts, X509_free);
+
return 1;
err:
@@ -143,8 +167,10 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
EVP_PKEY_free(*pkey);
if (cert && *cert)
X509_free(*cert);
- if (ca)
- sk_X509_pop_free(*ca, X509_free);
+ if (x)
+ X509_free(x);
+ if (ocerts)
+ sk_X509_pop_free(ocerts, X509_free);
return 0;
}
@@ -152,15 +178,13 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
/* Parse the outer PKCS#12 structure */
static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
- EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+ EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
STACK_OF(PKCS7) *asafes;
STACK_OF(PKCS12_SAFEBAG) *bags;
int i, bagnid;
PKCS7 *p7;
- ASN1_OCTET_STRING *keyid = NULL;
- char keymatch = 0;
if (!(asafes = PKCS12_unpack_authsafes(p12)))
return 0;
for (i = 0; i < sk_PKCS7_num(asafes); i++) {
@@ -176,8 +200,7 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
sk_PKCS7_pop_free(asafes, PKCS7_free);
return 0;
}
- if (!parse_bags(bags, pass, passlen, pkey, cert, ca,
- &keyid, &keymatch)) {
+ if (!parse_bags(bags, pass, passlen, pkey, ocerts)) {
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
sk_PKCS7_pop_free(asafes, PKCS7_free);
return 0;
@@ -185,71 +208,46 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
}
sk_PKCS7_pop_free(asafes, PKCS7_free);
- if (keyid)
- M_ASN1_OCTET_STRING_free(keyid);
return 1;
}
static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
- int passlen, EVP_PKEY **pkey, X509 **cert,
- STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
- char *keymatch)
+ int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
int i;
for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
if (!parse_bag(sk_PKCS12_SAFEBAG_value(bags, i),
- pass, passlen, pkey, cert, ca, keyid, keymatch))
+ pass, passlen, pkey, ocerts))
return 0;
}
return 1;
}
-#define MATCH_KEY 0x1
-#define MATCH_CERT 0x2
-#define MATCH_ALL 0x3
-
static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
- EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
- ASN1_OCTET_STRING **keyid, char *keymatch)
+ EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
PKCS8_PRIV_KEY_INFO *p8;
X509 *x509;
- ASN1_OCTET_STRING *lkey = NULL, *ckid = NULL;
ASN1_TYPE *attrib;
ASN1_BMPSTRING *fname = NULL;
+ ASN1_OCTET_STRING *lkid = NULL;
if ((attrib = PKCS12_get_attr(bag, NID_friendlyName)))
fname = attrib->value.bmpstring;
- if ((attrib = PKCS12_get_attr(bag, NID_localKeyID))) {
- lkey = attrib->value.octet_string;
- ckid = lkey;
- }
-
- /* Check for any local key id matching (if needed) */
- if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
- if (*keyid) {
- if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey))
- lkey = NULL;
- } else {
- if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
- PKCS12err(PKCS12_F_PARSE_BAG, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- }
- }
+ if ((attrib = PKCS12_get_attr(bag, NID_localKeyID)))
+ lkid = attrib->value.octet_string;
switch (M_PKCS12_bag_type(bag)) {
case NID_keyBag:
- if (!lkey || !pkey)
+ if (!pkey || *pkey)
return 1;
if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag)))
return 0;
- *keymatch |= MATCH_KEY;
break;
case NID_pkcs8ShroudedKeyBag:
- if (!lkey || !pkey)
+ if (!pkey || *pkey)
return 1;
if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
return 0;
@@ -257,7 +255,6 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
PKCS8_PRIV_KEY_INFO_free(p8);
if (!(*pkey))
return 0;
- *keymatch |= MATCH_KEY;
break;
case NID_certBag:
@@ -265,11 +262,9 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
return 1;
if (!(x509 = PKCS12_certbag2x509(bag)))
return 0;
- if (ckid) {
- if (!X509_keyid_set1(x509, ckid->data, ckid->length)) {
- X509_free(x509);
- return 0;
- }
+ if (lkid && !X509_keyid_set1(x509, lkid->data, lkid->length)) {
+ X509_free(x509);
+ return 0;
}
if (fname) {
int len, r;
@@ -285,23 +280,15 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
}
}
- if (lkey) {
- *keymatch |= MATCH_CERT;
- if (cert)
- *cert = x509;
- else
- X509_free(x509);
- } else {
- if (ca)
- sk_X509_push(*ca, x509);
- else
- X509_free(x509);
+ if (!sk_X509_push(ocerts, x509)) {
+ X509_free(x509);
+ return 0;
}
+
break;
case NID_safeContentsBag:
- return parse_bags(bag->value.safes, pass, passlen,
- pkey, cert, ca, keyid, keymatch);
+ return parse_bags(bag->value.safes, pass, passlen, pkey, ocerts);
break;
default:
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c
index b50f1b64..5ab4bf29 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c
@@ -60,6 +60,7 @@
#ifndef OPENSSL_NO_HMAC
# include <stdio.h>
# include "cryptlib.h"
+# include <openssl/crypto.h>
# include <openssl/hmac.h>
# include <openssl/rand.h>
# include <openssl/pkcs12.h>
@@ -72,6 +73,7 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
HMAC_CTX hmac;
unsigned char key[EVP_MAX_MD_SIZE], *salt;
int saltlen, iter;
+ int md_size;
if (!PKCS7_type_is_data(p12->authsafes)) {
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA);
@@ -88,16 +90,22 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
return 0;
}
+ md_size = EVP_MD_size(md_type);
+ if (md_size < 0)
+ return 0;
if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
- EVP_MD_size(md_type), key, md_type)) {
+ md_size, key, md_type)) {
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
return 0;
}
HMAC_CTX_init(&hmac);
- HMAC_Init_ex(&hmac, key, EVP_MD_size(md_type), md_type, NULL);
- HMAC_Update(&hmac, p12->authsafes->d.data->data,
- p12->authsafes->d.data->length);
- HMAC_Final(&hmac, mac, maclen);
+ if (!HMAC_Init_ex(&hmac, key, md_size, md_type, NULL)
+ || !HMAC_Update(&hmac, p12->authsafes->d.data->data,
+ p12->authsafes->d.data->length)
+ || !HMAC_Final(&hmac, mac, maclen)) {
+ HMAC_CTX_cleanup(&hmac);
+ return 0;
+ }
HMAC_CTX_cleanup(&hmac);
return 1;
}
@@ -116,7 +124,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
return 0;
}
if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
- || memcmp(mac, p12->mac->dinfo->digest->data, maclen))
+ || CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen))
return 0;
return 1;
}
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c
index d970f054..861a087f 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c
@@ -76,8 +76,12 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
if (pbe_nid == -1)
pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
- else
+ else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
+ pbe = PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, pbe_nid);
+ else {
+ ERR_clear_error();
pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+ }
if (!pbe) {
PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
goto err;
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c
index fc53cf04..a0b992ea 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c
@@ -61,16 +61,10 @@
#include "cryptlib.h"
#include <openssl/pkcs12.h>
-#ifdef OPENSSL_SYS_NETWARE
-/* Rename these functions to avoid name clashes on NetWare OS */
-# define uni2asc OPENSSL_uni2asc
-# define asc2uni OPENSSL_asc2uni
-#endif
-
/* Cheap and nasty Unicode stuff */
-unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni,
- int *unilen)
+unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
+ unsigned char **uni, int *unilen)
{
int ulen, i;
unsigned char *unitmp;
@@ -93,7 +87,7 @@ unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni,
return unitmp;
}
-char *uni2asc(unsigned char *uni, int unilen)
+char *OPENSSL_uni2asc(unsigned char *uni, int unilen)
{
int asclen, i;
char *asctmp;
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c b/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c
index 799f8387..e58710b2 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
/* crypto/pkcs12/pk12err.c */
/* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-17 10:21:46 +0000