Support for alternative KDFs.

Don't hard code NID_id_pbkdf2 in PBES2: look it up in PBE table. Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-02-06 12:08:45 +00:00 · 2015-02-06 12:08:45 +00:00 · d6c5462ef8
commit d6c5462ef8
parent 849037169d
3 changed files with 7 additions and 4 deletions
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@ -1073,6 +1073,8 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
 # define EVP_PBE_TYPE_OUTER      0x0
 /* Is an PRF type OID */
 # define EVP_PBE_TYPE_PRF        0x1
+/* Is a PKCS#5 v2.0 KDF */
+# define EVP_PBE_TYPE_KDF        0x2

 int EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid,
                         int md_nid, EVP_PBE_KEYGEN *keygen);
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@ -118,6 +118,7 @@ static const EVP_PBE_CTL builtin_pbe[] = {
    {EVP_PBE_TYPE_PRF, NID_hmacWithSHA384, -1, NID_sha384, 0},
    {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0},
    {EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0},
+    {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen}
 };

 #ifdef TEST
--- a/crypto/evp/p5_crpt2.c
+++ b/crypto/evp/p5_crpt2.c
@ -194,6 +194,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
    int plen;
    PBE2PARAM *pbe2 = NULL;
    const EVP_CIPHER *cipher;
+    EVP_PBE_KEYGEN *kdf;

    int rv = 0;

@ -211,8 +212,8 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
    }

    /* See if we recognise the key derivation function */
-
-    if (OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
+    if (!EVP_PBE_find(EVP_PBE_TYPE_KDF, OBJ_obj2nid(pbe2->keyfunc->algorithm),
+			NULL, NULL, &kdf)) {
        EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
               EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
        goto err;
@ -236,8 +237,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
        EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_CIPHER_PARAMETER_ERROR);
        goto err;
    }
-    rv = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
-                                  pbe2->keyfunc->parameter, c, md, en_de);
+    rv = kdf(ctx, pass, passlen, pbe2->keyfunc->parameter, NULL, NULL, en_de);
 err:
    PBE2PARAM_free(pbe2);
    return rv;