Backport of password based CMS support from HEAD.
[openssl.git] / crypto / asn1 / p5_pbev2.c
index 377edaf..b053a6e 100644 (file)
@@ -91,12 +91,10 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
                                 unsigned char *aiv, int prf_nid)
 {
        X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
-       int alg_nid;
+       int alg_nid, keylen;
        EVP_CIPHER_CTX ctx;
        unsigned char iv[EVP_MAX_IV_LENGTH];
-       PBKDF2PARAM *kdf = NULL;
        PBE2PARAM *pbe2 = NULL;
-       ASN1_OCTET_STRING *osalt = NULL;
        ASN1_OBJECT *obj;
 
        alg_nid = EVP_CIPHER_type(cipher);
@@ -146,55 +144,19 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
                }
        EVP_CIPHER_CTX_cleanup(&ctx);
 
-       if(!(kdf = PBKDF2PARAM_new())) goto merr;
-       if(!(osalt = M_ASN1_OCTET_STRING_new())) goto merr;
-
-       if (!saltlen) saltlen = PKCS5_SALT_LEN;
-       if (!(osalt->data = OPENSSL_malloc (saltlen))) goto merr;
-       osalt->length = saltlen;
-       if (salt) memcpy (osalt->data, salt, saltlen);
-       else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0) goto merr;
-
-       if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
-       if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
-
-       /* Now include salt in kdf structure */
-       kdf->salt->value.octet_string = osalt;
-       kdf->salt->type = V_ASN1_OCTET_STRING;
-       osalt = NULL;
-
        /* If its RC2 then we'd better setup the key length */
 
-       if(alg_nid == NID_rc2_cbc) {
-               if(!(kdf->keylength = M_ASN1_INTEGER_new())) goto merr;
-               if(!ASN1_INTEGER_set (kdf->keylength,
-                                EVP_CIPHER_key_length(cipher))) goto merr;
-       }
-
-       /* prf can stay NULL if we are using hmacWithSHA1 */
-       if (prf_nid != NID_hmacWithSHA1)
-               {
-               kdf->prf = X509_ALGOR_new();
-               if (!kdf->prf)
-                       goto merr;
-               X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
-                                       V_ASN1_NULL, NULL);
-               }
-
-       /* Now setup the PBE2PARAM keyfunc structure */
+       if(alg_nid == NID_rc2_cbc)
+               keylen = EVP_CIPHER_key_length(cipher);
+       else
+               keylen = -1;
 
-       pbe2->keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+       /* Setup keyfunc */
 
-       /* Encode PBKDF2PARAM into parameter of pbe2 */
+       pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen);
 
-       if(!(pbe2->keyfunc->parameter = ASN1_TYPE_new())) goto merr;
-
-       if(!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
-                        &pbe2->keyfunc->parameter->value.sequence)) goto merr;
-       pbe2->keyfunc->parameter->type = V_ASN1_SEQUENCE;
-
-       PBKDF2PARAM_free(kdf);
-       kdf = NULL;
+       if (!pbe2->keyfunc)
+               goto merr;
 
        /* Now set up top level AlgorithmIdentifier */
 
@@ -220,8 +182,6 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
        err:
        PBE2PARAM_free(pbe2);
        /* Note 'scheme' is freed as part of pbe2 */
-       M_ASN1_OCTET_STRING_free(osalt);
-       PBKDF2PARAM_free(kdf);
        X509_ALGOR_free(kalg);
        X509_ALGOR_free(ret);
 
@@ -234,3 +194,85 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        {
        return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1);
        }
+
+X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
+                               int prf_nid, int keylen)
+       {
+       X509_ALGOR *keyfunc = NULL;
+       PBKDF2PARAM *kdf = NULL;
+       ASN1_OCTET_STRING *osalt = NULL;
+
+       if(!(kdf = PBKDF2PARAM_new()))
+               goto merr;
+       if(!(osalt = M_ASN1_OCTET_STRING_new()))
+               goto merr;
+
+       kdf->salt->value.octet_string = osalt;
+       kdf->salt->type = V_ASN1_OCTET_STRING;
+
+       if (!saltlen)
+               saltlen = PKCS5_SALT_LEN;
+       if (!(osalt->data = OPENSSL_malloc (saltlen)))
+               goto merr;
+
+       osalt->length = saltlen;
+
+       if (salt)
+               memcpy (osalt->data, salt, saltlen);
+       else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0)
+               goto merr;
+
+       if(iter <= 0)
+               iter = PKCS5_DEFAULT_ITER;
+
+       if(!ASN1_INTEGER_set(kdf->iter, iter))
+               goto merr;
+
+       /* If have a key len set it up */
+
+       if(keylen > 0) 
+               {
+               if(!(kdf->keylength = M_ASN1_INTEGER_new()))
+                       goto merr;
+               if(!ASN1_INTEGER_set (kdf->keylength, keylen))
+                       goto merr;
+               }
+
+       /* prf can stay NULL if we are using hmacWithSHA1 */
+       if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1)
+               {
+               kdf->prf = X509_ALGOR_new();
+               if (!kdf->prf)
+                       goto merr;
+               X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
+                                       V_ASN1_NULL, NULL);
+               }
+
+       /* Finally setup the keyfunc structure */
+
+       keyfunc = X509_ALGOR_new();
+       if (!keyfunc)
+               goto merr;
+
+       keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+
+       /* Encode PBKDF2PARAM into parameter of pbe2 */
+
+       if(!(keyfunc->parameter = ASN1_TYPE_new()))
+               goto merr;
+
+       if(!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
+                        &keyfunc->parameter->value.sequence))
+               goto merr;
+       keyfunc->parameter->type = V_ASN1_SEQUENCE;
+
+       PBKDF2PARAM_free(kdf);
+       return keyfunc;
+
+       merr:
+       ASN1err(ASN1_F_PKCS5_PBKDF2_SET,ERR_R_MALLOC_FAILURE);
+       PBKDF2PARAM_free(kdf);
+       X509_ALGOR_free(keyfunc);
+       return NULL;
+       }
+