1 files changed, 69 insertions, 140 deletions
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index d34fc7053e..bb0c227ae7 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pbe.c,v 1.40 2024/01/27 17:20:20 tb Exp $ */
+/* $OpenBSD: evp_pbe.c,v 1.41 2024/02/01 17:11:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -72,14 +72,12 @@
 /* Password based encryption (PBE) functions */
-struct pbe_config {
+static const struct pbe_config {
        int pbe_nid;
        int cipher_nid;
        int md_nid;
        EVP_PBE_KEYGEN *keygen;
-};
+} pbe_outer[] = {
-static const struct pbe_config pbe_outer[] = {
        {
                .pbe_nid = NID_pbeWithMD2AndDES_CBC,
                .cipher_nid = NID_des_cbc,
@@ -168,146 +166,28 @@ static const struct pbe_config pbe_outer[] = {
 #define N_PBE_OUTER (sizeof(pbe_outer) / sizeof(pbe_outer[0]))
-static const struct pbe_config pbe_prf[] = {
-        {
-                .pbe_nid = NID_hmacWithSHA1,
-                .cipher_nid = -1,
-                .md_nid = NID_sha1,
-        },
-        {
-                .pbe_nid = NID_hmacWithMD5,
-                .cipher_nid = -1,
-                .md_nid = NID_md5,
-        },
-        {
-                .pbe_nid = NID_hmacWithSHA224,
-                .cipher_nid = -1,
-                .md_nid = NID_sha224,
-        },
-        {
-                .pbe_nid = NID_hmacWithSHA256,
-                .cipher_nid = -1,
-                .md_nid = NID_sha256,
-        },
-        {
-                .pbe_nid = NID_hmacWithSHA384,
-                .cipher_nid = -1,
-                .md_nid = NID_sha384,
-        },
-        {
-                .pbe_nid = NID_hmacWithSHA512,
-                .cipher_nid = -1,
-                .md_nid = NID_sha512,
-        },
-        {
-                .pbe_nid = NID_id_HMACGostR3411_94,
-                .cipher_nid = -1,
-                .md_nid = NID_id_GostR3411_94,
-        },
-        {
-                .pbe_nid = NID_id_tc26_hmac_gost_3411_12_256,
-                .cipher_nid = -1,
-                .md_nid = NID_id_tc26_gost3411_2012_256,
-        },
-        {
-                .pbe_nid = NID_id_tc26_hmac_gost_3411_12_512,
-                .cipher_nid = -1,
-                .md_nid = NID_id_tc26_gost3411_2012_512,
-        },
-        {
-                .pbe_nid = NID_hmacWithSHA512_224,
-                .cipher_nid = -1,
-                .md_nid = NID_sha512_224,
-        },
-        {
-                .pbe_nid = NID_hmacWithSHA512_256,
-                .cipher_nid = -1,
-                .md_nid = NID_sha512_256,
-        },
-        {
-                .pbe_nid = NID_hmac_sha3_224,
-                .cipher_nid = -1,
-                .md_nid = NID_sha3_224,
-        },
-        {
-                .pbe_nid = NID_hmac_sha3_256,
-                .cipher_nid = -1,
-                .md_nid = NID_sha3_256,
-        },
-        {
-                .pbe_nid = NID_hmac_sha3_384,
-                .cipher_nid = -1,
-                .md_nid = NID_sha3_384,
-        },
-        {
-                .pbe_nid = NID_hmac_sha3_512,
-                .cipher_nid = -1,
-                .md_nid = NID_sha3_512,
-        },
-};
-#define N_PBE_PRF (sizeof(pbe_prf) / sizeof(pbe_prf[0]))
-int
-EVP_PBE_find(int type, int pbe_nid, int *out_cipher_nid, int *out_md_nid,
-    EVP_PBE_KEYGEN **out_keygen)
-{
-        const struct pbe_config *pbe = NULL;
-        size_t i;
-        if (out_cipher_nid != NULL)
-                *out_cipher_nid = NID_undef;
-        if (out_md_nid != NULL)
-                *out_md_nid = NID_undef;
-        if (out_keygen != NULL)
-                *out_keygen = NULL;
-        if (pbe_nid == NID_undef)
-                return 0;
-        if (type == EVP_PBE_TYPE_OUTER) {
-                for (i = 0; i < N_PBE_OUTER; i++) {
-                        if (pbe_nid == pbe_outer[i].pbe_nid) {
-                                pbe = &pbe_outer[i];
-                                break;
-                        }
-                }
-        } else if (type == EVP_PBE_TYPE_PRF) {
-                for (i = 0; i < N_PBE_PRF; i++) {
-                        if (pbe_nid == pbe_prf[i].pbe_nid) {
-                                pbe = &pbe_prf[i];
-                                break;
-                        }
-                }
-        }
-        if (pbe == NULL)
-                return 0;
-        if (out_cipher_nid != NULL)
-                *out_cipher_nid = pbe->cipher_nid;
-        if (out_md_nid != NULL)
-                *out_md_nid = pbe->md_nid;
-        if (out_keygen != NULL)
-                *out_keygen = pbe->keygen;
-        return 1;
-}
 int
 EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
    ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
 {
+        const struct pbe_config *cfg = NULL;
        const EVP_CIPHER *cipher = NULL;
        const EVP_MD *md = NULL;
-        int pbe_nid, cipher_nid, md_nid;
+        int pbe_nid;
-        EVP_PBE_KEYGEN *keygen;
+        size_t i;
        if ((pbe_nid = OBJ_obj2nid(pbe_obj)) == NID_undef) {
                EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);
                return 0;
        }
-        if (!EVP_PBE_find(EVP_PBE_TYPE_OUTER, pbe_nid, &cipher_nid, &md_nid,
-            &keygen)) {
+        for (i = 0; i < N_PBE_OUTER; i++) {
+                if (pbe_nid == pbe_outer[i].pbe_nid) {
+                        cfg = &pbe_outer[i];
+                        break;
+                }
+        }
+        if (cfg == NULL) {
                EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);
                ERR_asprintf_error_data("NID=%d", pbe_nid);
                return 0;
@@ -318,20 +198,20 @@ EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
        if (passlen == -1)
                passlen = strlen(pass);
-        if (cipher_nid != -1) {
+        if (cfg->cipher_nid != -1) {
-                if ((cipher = EVP_get_cipherbynid(cipher_nid)) == NULL) {
+                if ((cipher = EVP_get_cipherbynid(cfg->cipher_nid)) == NULL) {
                        EVPerror(EVP_R_UNKNOWN_CIPHER);
                        return 0;
                }
        }
-        if (md_nid != -1) {
+        if (cfg->md_nid != -1) {
-                if ((md = EVP_get_digestbynid(md_nid)) == NULL) {
+                if ((md = EVP_get_digestbynid(cfg->md_nid)) == NULL) {
                        EVPerror(EVP_R_UNKNOWN_DIGEST);
                        return 0;
                }
        }
-        if (!keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
+        if (!cfg->keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
                EVPerror(EVP_R_KEYGEN_FAILURE);
                return 0;
        }
@@ -575,6 +455,47 @@ PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
        return ret;
 }
+static int
+md_nid_from_prf_nid(int nid)
+{
+        switch (nid) {
+        case NID_hmacWithMD5:
+                return NID_md5;
+        case NID_hmacWithSHA1:
+                return NID_sha1;
+        case NID_hmacWithSHA224:
+                return NID_sha224;
+        case NID_hmacWithSHA256:
+                return NID_sha256;
+        case NID_hmacWithSHA384:
+                return NID_sha384;
+        case NID_hmacWithSHA512:
+                return NID_sha512;
+        case NID_hmacWithSHA512_224:
+                return NID_sha512_224;
+        case NID_hmacWithSHA512_256:
+                return NID_sha512_256;
+        case NID_hmac_sha3_224:
+                return NID_sha3_224;
+        case NID_hmac_sha3_256:
+                return NID_sha3_256;
+        case NID_hmac_sha3_384:
+                return NID_sha3_384;
+        case NID_hmac_sha3_512:
+                return NID_sha3_512;
+#ifndef OPENSSL_NO_GOST
+        case NID_id_HMACGostR3411_94:
+                return NID_id_GostR3411_94;
+        case NID_id_tc26_hmac_gost_3411_12_256:
+                return NID_id_tc26_gost3411_2012_256;
+        case NID_id_tc26_hmac_gost_3411_12_512:
+                return NID_id_tc26_gost3411_2012_512;
+#endif
+        default:
+                return NID_undef;
+        }
+}
 int
 PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
    ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
@@ -626,7 +547,7 @@ PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
        else
                prf_nid = NID_hmacWithSHA1;
-        if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {
+        if ((hmac_md_nid = md_nid_from_prf_nid(prf_nid)) == NID_undef) {
                EVPerror(EVP_R_UNSUPPORTED_PRF);
                goto err;
        }
@@ -725,6 +646,14 @@ LCRYPTO_ALIAS(PKCS12_PBE_keyivgen);
 */
 int
+EVP_PBE_find(int type, int pbe_nid, int *out_cipher_nid, int *out_md_nid,
+    EVP_PBE_KEYGEN **out_keygen)
+{
+        EVPerror(ERR_R_DISABLED);
+        return 0;
+}
+int
 EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,
    EVP_PBE_KEYGEN *keygen)
 {

diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c index d34fc7053e..bb0c227ae7 100644 --- a/src/lib/libcrypto/evp/evp_pbe.c +++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp_pbe.c,v 1.40 2024/01/27 17:20:20 tb Exp $ */	1	/* $OpenBSD: evp_pbe.c,v 1.41 2024/02/01 17:11:58 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -72,14 +72,12 @@
72		72
73	/* Password based encryption (PBE) functions */	73	/* Password based encryption (PBE) functions */
74		74
75	struct pbe_config {	75	static const struct pbe_config {
76	int pbe_nid;	76	int pbe_nid;
77	int cipher_nid;	77	int cipher_nid;
78	int md_nid;	78	int md_nid;
79	EVP_PBE_KEYGEN *keygen;	79	EVP_PBE_KEYGEN *keygen;
80	};	80	} pbe_outer[] = {
81
82	static const struct pbe_config pbe_outer[] = {
83	{	81	{
84	.pbe_nid = NID_pbeWithMD2AndDES_CBC,	82	.pbe_nid = NID_pbeWithMD2AndDES_CBC,
85	.cipher_nid = NID_des_cbc,	83	.cipher_nid = NID_des_cbc,
@@ -168,146 +166,28 @@ static const struct pbe_config pbe_outer[] = {
168		166
169	#define N_PBE_OUTER (sizeof(pbe_outer) / sizeof(pbe_outer[0]))	167	#define N_PBE_OUTER (sizeof(pbe_outer) / sizeof(pbe_outer[0]))
170		168
171	static const struct pbe_config pbe_prf[] = {
172	{
173	.pbe_nid = NID_hmacWithSHA1,
174	.cipher_nid = -1,
175	.md_nid = NID_sha1,
176	},
177	{
178	.pbe_nid = NID_hmacWithMD5,
179	.cipher_nid = -1,
180	.md_nid = NID_md5,
181	},
182	{
183	.pbe_nid = NID_hmacWithSHA224,
184	.cipher_nid = -1,
185	.md_nid = NID_sha224,
186	},
187	{
188	.pbe_nid = NID_hmacWithSHA256,
189	.cipher_nid = -1,
190	.md_nid = NID_sha256,
191	},
192	{
193	.pbe_nid = NID_hmacWithSHA384,
194	.cipher_nid = -1,
195	.md_nid = NID_sha384,
196	},
197	{
198	.pbe_nid = NID_hmacWithSHA512,
199	.cipher_nid = -1,
200	.md_nid = NID_sha512,
201	},
202	{
203	.pbe_nid = NID_id_HMACGostR3411_94,
204	.cipher_nid = -1,
205	.md_nid = NID_id_GostR3411_94,
206	},
207	{
208	.pbe_nid = NID_id_tc26_hmac_gost_3411_12_256,
209	.cipher_nid = -1,
210	.md_nid = NID_id_tc26_gost3411_2012_256,
211	},
212	{
213	.pbe_nid = NID_id_tc26_hmac_gost_3411_12_512,
214	.cipher_nid = -1,
215	.md_nid = NID_id_tc26_gost3411_2012_512,
216	},
217	{
218	.pbe_nid = NID_hmacWithSHA512_224,
219	.cipher_nid = -1,
220	.md_nid = NID_sha512_224,
221	},
222	{
223	.pbe_nid = NID_hmacWithSHA512_256,
224	.cipher_nid = -1,
225	.md_nid = NID_sha512_256,
226	},
227	{
228	.pbe_nid = NID_hmac_sha3_224,
229	.cipher_nid = -1,
230	.md_nid = NID_sha3_224,
231	},
232	{
233	.pbe_nid = NID_hmac_sha3_256,
234	.cipher_nid = -1,
235	.md_nid = NID_sha3_256,
236	},
237	{
238	.pbe_nid = NID_hmac_sha3_384,
239	.cipher_nid = -1,
240	.md_nid = NID_sha3_384,
241	},
242	{
243	.pbe_nid = NID_hmac_sha3_512,
244	.cipher_nid = -1,
245	.md_nid = NID_sha3_512,
246	},
247	};
248
249	#define N_PBE_PRF (sizeof(pbe_prf) / sizeof(pbe_prf[0]))
250
251	int
252	EVP_PBE_find(int type, int pbe_nid, int out_cipher_nid, int out_md_nid,
253	EVP_PBE_KEYGEN **out_keygen)
254	{
255	const struct pbe_config *pbe = NULL;
256	size_t i;
257
258	if (out_cipher_nid != NULL)
259	*out_cipher_nid = NID_undef;
260	if (out_md_nid != NULL)
261	*out_md_nid = NID_undef;
262	if (out_keygen != NULL)
263	*out_keygen = NULL;
264
265	if (pbe_nid == NID_undef)
266	return 0;
267
268	if (type == EVP_PBE_TYPE_OUTER) {
269	for (i = 0; i < N_PBE_OUTER; i++) {
270	if (pbe_nid == pbe_outer[i].pbe_nid) {
271	pbe = &pbe_outer[i];
272	break;
273	}
274	}
275	} else if (type == EVP_PBE_TYPE_PRF) {
276	for (i = 0; i < N_PBE_PRF; i++) {
277	if (pbe_nid == pbe_prf[i].pbe_nid) {
278	pbe = &pbe_prf[i];
279	break;
280	}
281	}
282	}
283	if (pbe == NULL)
284	return 0;
285
286	if (out_cipher_nid != NULL)
287	*out_cipher_nid = pbe->cipher_nid;
288	if (out_md_nid != NULL)
289	*out_md_nid = pbe->md_nid;
290	if (out_keygen != NULL)
291	*out_keygen = pbe->keygen;
292
293	return 1;
294	}
295
296	int	169	int
297	EVP_PBE_CipherInit(ASN1_OBJECT pbe_obj, const char pass, int passlen,	170	EVP_PBE_CipherInit(ASN1_OBJECT pbe_obj, const char pass, int passlen,
298	ASN1_TYPE param, EVP_CIPHER_CTX ctx, int en_de)	171	ASN1_TYPE param, EVP_CIPHER_CTX ctx, int en_de)
299	{	172	{
		173	const struct pbe_config *cfg = NULL;
300	const EVP_CIPHER *cipher = NULL;	174	const EVP_CIPHER *cipher = NULL;
301	const EVP_MD *md = NULL;	175	const EVP_MD *md = NULL;
302	int pbe_nid, cipher_nid, md_nid;	176	int pbe_nid;
303	EVP_PBE_KEYGEN *keygen;	177	size_t i;
304		178
305	if ((pbe_nid = OBJ_obj2nid(pbe_obj)) == NID_undef) {	179	if ((pbe_nid = OBJ_obj2nid(pbe_obj)) == NID_undef) {
306	EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);	180	EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);
307	return 0;	181	return 0;
308	}	182	}
309	if (!EVP_PBE_find(EVP_PBE_TYPE_OUTER, pbe_nid, &cipher_nid, &md_nid,	183
310	&keygen)) {	184	for (i = 0; i < N_PBE_OUTER; i++) {
		185	if (pbe_nid == pbe_outer[i].pbe_nid) {
		186	cfg = &pbe_outer[i];
		187	break;
		188	}
		189	}
		190	if (cfg == NULL) {
311	EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);	191	EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);
312	ERR_asprintf_error_data("NID=%d", pbe_nid);	192	ERR_asprintf_error_data("NID=%d", pbe_nid);
313	return 0;	193	return 0;
@@ -318,20 +198,20 @@ EVP_PBE_CipherInit(ASN1_OBJECT pbe_obj, const char pass, int passlen,
318	if (passlen == -1)	198	if (passlen == -1)
319	passlen = strlen(pass);	199	passlen = strlen(pass);
320		200
321	if (cipher_nid != -1) {	201	if (cfg->cipher_nid != -1) {
322	if ((cipher = EVP_get_cipherbynid(cipher_nid)) == NULL) {	202	if ((cipher = EVP_get_cipherbynid(cfg->cipher_nid)) == NULL) {
323	EVPerror(EVP_R_UNKNOWN_CIPHER);	203	EVPerror(EVP_R_UNKNOWN_CIPHER);
324	return 0;	204	return 0;
325	}	205	}
326	}	206	}
327	if (md_nid != -1) {	207	if (cfg->md_nid != -1) {
328	if ((md = EVP_get_digestbynid(md_nid)) == NULL) {	208	if ((md = EVP_get_digestbynid(cfg->md_nid)) == NULL) {
329	EVPerror(EVP_R_UNKNOWN_DIGEST);	209	EVPerror(EVP_R_UNKNOWN_DIGEST);
330	return 0;	210	return 0;
331	}	211	}
332	}	212	}
333		213
334	if (!keygen(ctx, pass, passlen, param, cipher, md, en_de)) {	214	if (!cfg->keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
335	EVPerror(EVP_R_KEYGEN_FAILURE);	215	EVPerror(EVP_R_KEYGEN_FAILURE);
336	return 0;	216	return 0;
337	}	217	}
@@ -575,6 +455,47 @@ PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX ctx, const char pass, int passlen,
575	return ret;	455	return ret;
576	}	456	}
577		457
		458	static int
		459	md_nid_from_prf_nid(int nid)
		460	{
		461	switch (nid) {
		462	case NID_hmacWithMD5:
		463	return NID_md5;
		464	case NID_hmacWithSHA1:
		465	return NID_sha1;
		466	case NID_hmacWithSHA224:
		467	return NID_sha224;
		468	case NID_hmacWithSHA256:
		469	return NID_sha256;
		470	case NID_hmacWithSHA384:
		471	return NID_sha384;
		472	case NID_hmacWithSHA512:
		473	return NID_sha512;
		474	case NID_hmacWithSHA512_224:
		475	return NID_sha512_224;
		476	case NID_hmacWithSHA512_256:
		477	return NID_sha512_256;
		478	case NID_hmac_sha3_224:
		479	return NID_sha3_224;
		480	case NID_hmac_sha3_256:
		481	return NID_sha3_256;
		482	case NID_hmac_sha3_384:
		483	return NID_sha3_384;
		484	case NID_hmac_sha3_512:
		485	return NID_sha3_512;
		486	#ifndef OPENSSL_NO_GOST
		487	case NID_id_HMACGostR3411_94:
		488	return NID_id_GostR3411_94;
		489	case NID_id_tc26_hmac_gost_3411_12_256:
		490	return NID_id_tc26_gost3411_2012_256;
		491	case NID_id_tc26_hmac_gost_3411_12_512:
		492	return NID_id_tc26_gost3411_2012_512;
		493	#endif
		494	default:
		495	return NID_undef;
		496	}
		497	}
		498
578	int	499	int
579	PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX ctx, const char pass, int passlen,	500	PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX ctx, const char pass, int passlen,
580	ASN1_TYPE param, const EVP_CIPHER c, const EVP_MD *md, int en_de)	501	ASN1_TYPE param, const EVP_CIPHER c, const EVP_MD *md, int en_de)
@@ -626,7 +547,7 @@ PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX ctx, const char pass, int passlen,
626	else	547	else
627	prf_nid = NID_hmacWithSHA1;	548	prf_nid = NID_hmacWithSHA1;
628		549
629	if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {	550	if ((hmac_md_nid = md_nid_from_prf_nid(prf_nid)) == NID_undef) {
630	EVPerror(EVP_R_UNSUPPORTED_PRF);	551	EVPerror(EVP_R_UNSUPPORTED_PRF);
631	goto err;	552	goto err;
632	}	553	}
@@ -725,6 +646,14 @@ LCRYPTO_ALIAS(PKCS12_PBE_keyivgen);
725	*/	646	*/
726		647
727	int	648	int
		649	EVP_PBE_find(int type, int pbe_nid, int out_cipher_nid, int out_md_nid,
		650	EVP_PBE_KEYGEN **out_keygen)
		651	{
		652	EVPerror(ERR_R_DISABLED);
		653	return 0;
		654	}
		655
		656	int
728	EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,	657	EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,
729	EVP_PBE_KEYGEN *keygen)	658	EVP_PBE_KEYGEN *keygen)
730	{	659	{