OpenSSL CHANGES
_______________
- Changes between 0.9.8a and 0.9.9 [xx XXX xxxx]
+ Changes between 0.9.8b and 0.9.9 [xx XXX xxxx]
+
+ *) Update PKCS#7 enveloped data routines to use new API. This is now
+ supported by any public key method supporting the encrypt operation. A
+ ctrl is added to allow the public key algorithm to examine or modify
+ the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
+ a no op.
+ [Steve Henson]
*) Add a ctrl to asn1 method to allow a public key algorithm to express
a default digest type to use. In most cases this will be SHA1 but some
/* Since this is used to store all sorts of things, via macros, for now, make
its data void * */
int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
+void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len);
int ASN1_STRING_length(const ASN1_STRING *x);
void ASN1_STRING_length_set(ASN1_STRING *x, int n);
int ASN1_STRING_type(ASN1_STRING *x);
return(1);
}
+void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len)
+ {
+ if (str->data)
+ OPENSSL_free(str->data);
+ str->data = data;
+ str->length = len;
+ }
+
ASN1_STRING *ASN1_STRING_new(void)
{
return(ASN1_STRING_type_new(V_ASN1_OCTET_STRING));
EVP_PKEY_CTRL_MD, 0, (void *)md)
#define EVP_PKEY_CTRL_MD 1
-#define EVP_PKEY_CTRL_PEER_KEY 2
+#define EVP_PKEY_CTRL_PEER_KEY 2
+
+#define EVP_PKEY_CTRL_PKCS7_ENCRYPT 3
+#define EVP_PKEY_CTRL_PKCS7_DECRYPT 4
#define EVP_PKEY_ALG_CTRL 0x1000
}
+static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
+ unsigned char *key, int keylen)
+ {
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_PKEY *pkey = NULL;
+ unsigned char *ek = NULL;
+ int ret = 0;
+ int eklen;
+
+ pkey = X509_get_pubkey(ri->cert);
+
+ if (!pkey)
+ return 0;
+
+ pctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!pctx)
+ return 0;
+
+ if (EVP_PKEY_encrypt_init(pctx) <= 0)
+ goto err;
+
+ if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
+ EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0)
+ {
+ PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR);
+ goto err;
+ }
+
+ if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0)
+ goto err;
+
+ ek = OPENSSL_malloc(eklen);
+
+ if (ek == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0)
+ goto err;
+
+ ASN1_STRING_set0(ri->enc_key, ek, eklen);
+ ek = NULL;
+
+ ret = 1;
+
+ err:
+ if (pkey)
+ EVP_PKEY_free(pkey);
+ if (pctx)
+ EVP_PKEY_CTX_free(pctx);
+ if (ek)
+ OPENSSL_free(ek);
+ return ret;
+
+ }
+
+
+
BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
{
int i;
STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
X509_ALGOR *xalg=NULL;
PKCS7_RECIP_INFO *ri=NULL;
- EVP_PKEY *pkey;
ASN1_OCTET_STRING *os=NULL;
i=OBJ_obj2nid(p7->type);
unsigned char key[EVP_MAX_KEY_LENGTH];
unsigned char iv[EVP_MAX_IV_LENGTH];
int keylen,ivlen;
- int jj,max;
- unsigned char *tmp;
EVP_CIPHER_CTX *ctx;
if ((btmp=BIO_new(BIO_f_cipher())) == NULL)
}
/* Lets do the pub key stuff :-) */
- max=0;
- for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
- {
- ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
- if (ri->cert == NULL)
- {
- PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_MISSING_CERIPEND_INFO);
- goto err;
- }
- pkey=X509_get_pubkey(ri->cert);
- jj=EVP_PKEY_size(pkey);
- EVP_PKEY_free(pkey);
- if (max < jj) max=jj;
- }
- if ((tmp=(unsigned char *)OPENSSL_malloc(max)) == NULL)
- {
- PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
{
ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
- pkey=X509_get_pubkey(ri->cert);
- jj=EVP_PKEY_encrypt_old(tmp,key,keylen,pkey);
- EVP_PKEY_free(pkey);
- if (jj <= 0)
- {
- PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_EVP_LIB);
- OPENSSL_free(tmp);
- goto err;
- }
- if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj))
- {
- PKCS7err(PKCS7_F_PKCS7_DATAINIT,
- ERR_R_MALLOC_FAILURE);
- OPENSSL_free(tmp);
+ if (pkcs7_encode_rinfo(ri, key, keylen) <= 0)
goto err;
- }
}
- OPENSSL_free(tmp);
OPENSSL_cleanse(key, keylen);
if (out == NULL)
#define PKCS7_F_PKCS7_DATASIGN 106
#define PKCS7_F_PKCS7_DATAVERIFY 107
#define PKCS7_F_PKCS7_DECRYPT 114
+#define PKCS7_F_PKCS7_ENCODE_RINFO 132
#define PKCS7_F_PKCS7_ENCRYPT 115
#define PKCS7_F_PKCS7_FIND_DIGEST 127
#define PKCS7_F_PKCS7_GET0_SIGNERS 124
#define PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 144
#define PKCS7_R_CIPHER_NOT_INITIALIZED 116
#define PKCS7_R_CONTENT_AND_DATA_PRESENT 118
+#define PKCS7_R_CTRL_ERROR 152
#define PKCS7_R_DECODE_ERROR 130
#define PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH 100
#define PKCS7_R_DECRYPT_ERROR 119
{ERR_FUNC(PKCS7_F_PKCS7_DATASIGN), "PKCS7_DATASIGN"},
{ERR_FUNC(PKCS7_F_PKCS7_DATAVERIFY), "PKCS7_dataVerify"},
{ERR_FUNC(PKCS7_F_PKCS7_DECRYPT), "PKCS7_decrypt"},
+{ERR_FUNC(PKCS7_F_PKCS7_ENCODE_RINFO), "PKCS7_ENCODE_RINFO"},
{ERR_FUNC(PKCS7_F_PKCS7_ENCRYPT), "PKCS7_encrypt"},
{ERR_FUNC(PKCS7_F_PKCS7_FIND_DIGEST), "PKCS7_FIND_DIGEST"},
{ERR_FUNC(PKCS7_F_PKCS7_GET0_SIGNERS), "PKCS7_GET0_SIGNERS"},
{ERR_REASON(PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"},
{ERR_REASON(PKCS7_R_CIPHER_NOT_INITIALIZED),"cipher not initialized"},
{ERR_REASON(PKCS7_R_CONTENT_AND_DATA_PRESENT),"content and data present"},
+{ERR_REASON(PKCS7_R_CTRL_ERROR) ,"ctrl error"},
{ERR_REASON(PKCS7_R_DECODE_ERROR) ,"decode error"},
{ERR_REASON(PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH),"decrypted key is wrong length"},
{ERR_REASON(PKCS7_R_DECRYPT_ERROR) ,"decrypt error"},
rctx->md = p2;
return 1;
+ case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
+ case EVP_PKEY_CTRL_PKCS7_DECRYPT:
+ return 1;
+
default:
return -2;
projects / openssl.git / commitdiff