1 files changed, 44 insertions, 5 deletions
diff --git a/src/usr.bin/openssl/enc.c b/src/usr.bin/openssl/enc.c
index 3908160170..4ba6625204 100644
--- a/src/usr.bin/openssl/enc.c
+++ b/src/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc.c,v 1.14 2018/02/07 05:47:55 jsing Exp $ */
+/* $OpenBSD: enc.c,v 1.15 2019/01/18 03:45:47 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -99,6 +99,8 @@ static struct {
        char *passarg;
        int printkey;
        int verbose;
+        int iter;
+        int pbkdf2;
 } enc_config;
 static int
@@ -273,6 +275,18 @@ static struct option enc_options[] = {
                .type = OPTION_FLAG,
                .opt.flag = &enc_config.verbose,
        },
+        {
+                .name = "iter",
+                .desc = "Specify iteration count and force use of PBKDF2",
+                .type = OPTION_VALUE,
+                .opt.value = &enc_config.iter,
+        },
+        {
+                .name = "pbkdf2",
+                .desc = "Use the pbkdf2 key derivation function",
+                .type = OPTION_FLAG,
+                .opt.flag = &enc_config.pbkdf2,
+        },
 #ifdef ZLIB
        {
                .name = "z",
@@ -416,7 +430,7 @@ enc_main(int argc, char **argv)
                goto end;
        }
        if (dgst == NULL) {
-                dgst = EVP_md5();       /* XXX */
+                dgst = EVP_sha256();
        }
        if (enc_config.bufsize != NULL) {
@@ -604,10 +618,35 @@ enc_main(int argc, char **argv)
                                }
                                sptr = salt;
                        }
+                        if (enc_config.pbkdf2 == 1 || enc_config.iter > 0) {
+                                /*
+                                 * derive key and default iv
+                                 * concatenated into a temporary buffer
+                                 */
+                                unsigned char tmpkeyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH];
+                                int iklen = EVP_CIPHER_key_length(enc_config.cipher);
+                                int ivlen = EVP_CIPHER_iv_length(enc_config.cipher);
+                                /* not needed if HASH_UPDATE() is fixed : */
+                                int islen = (sptr != NULL ? sizeof(salt) : 0);
+                                if (enc_config.iter == 0)
+                                        enc_config.iter = 10000;
+                                if (!PKCS5_PBKDF2_HMAC(enc_config.keystr,
+                                        strlen(enc_config.keystr), sptr, islen,
+                                        enc_config.iter, dgst, iklen+ivlen, tmpkeyiv)) {
+                                        BIO_printf(bio_err, "PKCS5_PBKDF2_HMAC failed\n");
+                                        goto end;
+                                }
+                                /* split and move data back to global buffer */
+                                memcpy(key, tmpkeyiv, iklen);
+                                memcpy(iv, tmpkeyiv+iklen, ivlen);
+                        } else {
+                                EVP_BytesToKey(enc_config.cipher, dgst, sptr,
+                                    (unsigned char *)enc_config.keystr,
+                                    strlen(enc_config.keystr), 1, key, iv);
+                        }
-                        EVP_BytesToKey(enc_config.cipher, dgst, sptr,
-                            (unsigned char *)enc_config.keystr,
-                            strlen(enc_config.keystr), 1, key, iv);
                        /*
                         * zero the complete buffer or the string passed from
                         * the command line bug picked up by Larry J. Hughes

diff --git a/src/usr.bin/openssl/enc.c b/src/usr.bin/openssl/enc.c index 3908160170..4ba6625204 100644 --- a/src/usr.bin/openssl/enc.c +++ b/src/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: enc.c,v 1.14 2018/02/07 05:47:55 jsing Exp $ */	1	/* $OpenBSD: enc.c,v 1.15 2019/01/18 03:45:47 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -99,6 +99,8 @@ static struct {
99	char *passarg;	99	char *passarg;
100	int printkey;	100	int printkey;
101	int verbose;	101	int verbose;
		102	int iter;
		103	int pbkdf2;
102	} enc_config;	104	} enc_config;
103		105
104	static int	106	static int
@@ -273,6 +275,18 @@ static struct option enc_options[] = {
273	.type = OPTION_FLAG,	275	.type = OPTION_FLAG,
274	.opt.flag = &enc_config.verbose,	276	.opt.flag = &enc_config.verbose,
275	},	277	},
		278	{
		279	.name = "iter",
		280	.desc = "Specify iteration count and force use of PBKDF2",
		281	.type = OPTION_VALUE,
		282	.opt.value = &enc_config.iter,
		283	},
		284	{
		285	.name = "pbkdf2",
		286	.desc = "Use the pbkdf2 key derivation function",
		287	.type = OPTION_FLAG,
		288	.opt.flag = &enc_config.pbkdf2,
		289	},
276	#ifdef ZLIB	290	#ifdef ZLIB
277	{	291	{
278	.name = "z",	292	.name = "z",
@@ -416,7 +430,7 @@ enc_main(int argc, char **argv)
416	goto end;	430	goto end;
417	}	431	}
418	if (dgst == NULL) {	432	if (dgst == NULL) {
419	dgst = EVP_md5(); /* XXX */	433	dgst = EVP_sha256();
420	}	434	}
421		435
422	if (enc_config.bufsize != NULL) {	436	if (enc_config.bufsize != NULL) {
@@ -604,10 +618,35 @@ enc_main(int argc, char **argv)
604	}	618	}
605	sptr = salt;	619	sptr = salt;
606	}	620	}
		621	if (enc_config.pbkdf2 == 1 \|\| enc_config.iter > 0) {
		622	/*
		623	* derive key and default iv
		624	* concatenated into a temporary buffer
		625	*/
		626	unsigned char tmpkeyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH];
		627	int iklen = EVP_CIPHER_key_length(enc_config.cipher);
		628	int ivlen = EVP_CIPHER_iv_length(enc_config.cipher);
		629	/* not needed if HASH_UPDATE() is fixed : */
		630	int islen = (sptr != NULL ? sizeof(salt) : 0);
		631
		632	if (enc_config.iter == 0)
		633	enc_config.iter = 10000;
		634
		635	if (!PKCS5_PBKDF2_HMAC(enc_config.keystr,
		636	strlen(enc_config.keystr), sptr, islen,
		637	enc_config.iter, dgst, iklen+ivlen, tmpkeyiv)) {
		638	BIO_printf(bio_err, "PKCS5_PBKDF2_HMAC failed\n");
		639	goto end;
		640	}
		641	/* split and move data back to global buffer */
		642	memcpy(key, tmpkeyiv, iklen);
		643	memcpy(iv, tmpkeyiv+iklen, ivlen);
		644	} else {
		645	EVP_BytesToKey(enc_config.cipher, dgst, sptr,
		646	(unsigned char *)enc_config.keystr,
		647	strlen(enc_config.keystr), 1, key, iv);
		648	}
607		649
608	EVP_BytesToKey(enc_config.cipher, dgst, sptr,
609	(unsigned char *)enc_config.keystr,
610	strlen(enc_config.keystr), 1, key, iv);
611	/*	650	/*
612	* zero the complete buffer or the string passed from	651	* zero the complete buffer or the string passed from
613	* the command line bug picked up by Larry J. Hughes	652	* the command line bug picked up by Larry J. Hughes