From: David von Oheimb Date: Thu, 10 May 2018 19:14:12 +0000 (+0200) Subject: add 'unsupported cipher mode' diagnostics to evp_lib.c and genpkey.c X-Git-Tag: OpenSSL_1_1_1-pre8~19 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=49c9c1b3d05782fe76bef2eef8c5224baf843240 add 'unsupported cipher mode' diagnostics to evp_lib.c and genpkey.c Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6217) --- diff --git a/apps/genpkey.c b/apps/genpkey.c index ce6de94ff2..39fa73c91c 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -120,6 +120,13 @@ int genpkey_main(int argc, char **argv) if (!opt_cipher(opt_unknown(), &cipher) || do_param == 1) goto opthelp; + if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE || + EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE || + EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE || + EVP_CIPHER_mode(cipher) == EVP_CIPH_OCB_MODE) { + BIO_printf(bio_err, "%s: cipher mode not supported\n", prog); + goto end; + } } } argc = opt_num_rest(); diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 22bf06f032..5907c94bc9 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -322,6 +322,8 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_TAG), "unknown tag"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE), "unsupported any defined by type"}, + {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_CIPHER), + "unsupported cipher"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE), "unsupported public key type"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_TYPE), "unsupported type"}, diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index 14e8700b7a..5b65adc2b7 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -78,7 +78,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, /* Dummy cipherinit to just setup the IV, and PRF */ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0)) goto err; - if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) { + if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) { ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ASN1_R_ERROR_SETTING_CIPHER_PARAMS); goto err; } diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 21d74da5b1..1491d96ec8 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -93,7 +93,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, /* Dummy cipherinit to just setup the IV */ if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0) goto err; - if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) { + if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) { ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ASN1_R_ERROR_SETTING_CIPHER_PARAMS); goto err; diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index a7e63c7f2c..eac9c2fc86 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -326,7 +326,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de)) goto err; EVP_CIPHER_CTX_set_padding(kekctx, 0); - if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) < 0) { + if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) { CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); goto err; diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index bd54c8bfc2..2a9804c5db 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -716,9 +716,11 @@ EVP_F_DES_EDE3_WRAP_CIPHER:171:des_ede3_wrap_cipher EVP_F_DO_SIGVER_INIT:161:do_sigver_init EVP_F_ENC_NEW:199:enc_new EVP_F_EVP_CIPHERINIT_EX:123:EVP_CipherInit_ex +EVP_F_EVP_CIPHER_ASN1_TO_PARAM:202:EVP_CIPHER_asn1_to_param EVP_F_EVP_CIPHER_CTX_COPY:163:EVP_CIPHER_CTX_copy EVP_F_EVP_CIPHER_CTX_CTRL:124:EVP_CIPHER_CTX_ctrl EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH:122:EVP_CIPHER_CTX_set_key_length +EVP_F_EVP_CIPHER_PARAM_TO_ASN1:203:EVP_CIPHER_param_to_asn1 EVP_F_EVP_DECRYPTFINAL_EX:101:EVP_DecryptFinal_ex EVP_F_EVP_DECRYPTUPDATE:166:EVP_DecryptUpdate EVP_F_EVP_DIGESTFINALXOF:174:EVP_DigestFinalXOF @@ -1831,6 +1833,7 @@ ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE:163:unknown public key type ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM:199:unknown signature algorithm ASN1_R_UNKNOWN_TAG:194:unknown tag ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE:164:unsupported any defined by type +ASN1_R_UNSUPPORTED_CIPHER:228:unsupported cipher ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE:167:unsupported public key type ASN1_R_UNSUPPORTED_TYPE:196:unsupported type ASN1_R_WRONG_INTEGER_TYPE:225:wrong integer type diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 809adff288..4403fa5746 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -35,12 +35,16 @@ static const ERR_STRING_DATA EVP_str_functs[] = { {ERR_PACK(ERR_LIB_EVP, EVP_F_DO_SIGVER_INIT, 0), "do_sigver_init"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ENC_NEW, 0), "enc_new"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHERINIT_EX, 0), "EVP_CipherInit_ex"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_ASN1_TO_PARAM, 0), + "EVP_CIPHER_asn1_to_param"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_COPY, 0), "EVP_CIPHER_CTX_copy"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_CTRL, 0), "EVP_CIPHER_CTX_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH, 0), "EVP_CIPHER_CTX_set_key_length"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_PARAM_TO_ASN1, 0), + "EVP_CIPHER_param_to_asn1"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DECRYPTFINAL_EX, 0), "EVP_DecryptFinal_ex"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DECRYPTUPDATE, 0), "EVP_DecryptUpdate"}, diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index c337dca6e8..8ef3f8ee2b 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -32,7 +32,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) case EVP_CIPH_CCM_MODE: case EVP_CIPH_XTS_MODE: case EVP_CIPH_OCB_MODE: - ret = -1; + ret = -2; break; default: @@ -40,6 +40,12 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) } } else ret = -1; + if (ret <= 0) + EVPerr(EVP_F_EVP_CIPHER_PARAM_TO_ASN1, ret == -2 ? + ASN1_R_UNSUPPORTED_CIPHER : + EVP_R_CIPHER_PARAMETER_ERROR); + if (ret < -1) + ret = -1; return ret; } @@ -60,7 +66,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type) case EVP_CIPH_CCM_MODE: case EVP_CIPH_XTS_MODE: case EVP_CIPH_OCB_MODE: - ret = -1; + ret = -2; break; default: @@ -69,6 +75,12 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type) } } else ret = -1; + if (ret <= 0) + EVPerr(EVP_F_EVP_CIPHER_ASN1_TO_PARAM, ret == -2 ? + EVP_R_UNSUPPORTED_CIPHER : + EVP_R_CIPHER_PARAMETER_ERROR); + if (ret < -1) + ret = -1; return ret; } diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 2e3a45a799..5fdbc33ac1 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -316,7 +316,7 @@ OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER. EVP_CIPHER_CTX_cipher() returns an B structure. EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater -than zero for success and zero or a negative number. +than zero for success and zero or a negative number on failure. EVP_CIPHER_CTX_rand_key() returns 1 for success. diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index 0dcd2ab2a2..1587ea53e3 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod @@ -22,7 +22,8 @@ the structure and B its corresponding certificates. B, if not B is an optional set of certificates to also include in the structure. B and B are the encryption algorithms that should be used -for the key and certificate respectively. B is the encryption algorithm +for the key and certificate respectively. The modes +GCM, CCM, XTS, and OCB are unsupported. B is the encryption algorithm iteration count to use and B is the MAC iteration count to use. B is the type of key. diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h index 048a737b14..8001120bdf 100644 --- a/include/openssl/asn1err.h +++ b/include/openssl/asn1err.h @@ -241,6 +241,7 @@ int ERR_load_ASN1_strings(void); # define ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM 199 # define ASN1_R_UNKNOWN_TAG 194 # define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 164 +# define ASN1_R_UNSUPPORTED_CIPHER 228 # define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 167 # define ASN1_R_UNSUPPORTED_TYPE 196 # define ASN1_R_WRONG_INTEGER_TYPE 225 diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index a8f79c74a9..c742ea54f0 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -38,9 +38,11 @@ int ERR_load_EVP_strings(void); # define EVP_F_DO_SIGVER_INIT 161 # define EVP_F_ENC_NEW 199 # define EVP_F_EVP_CIPHERINIT_EX 123 +# define EVP_F_EVP_CIPHER_ASN1_TO_PARAM 202 # define EVP_F_EVP_CIPHER_CTX_COPY 163 # define EVP_F_EVP_CIPHER_CTX_CTRL 124 # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 +# define EVP_F_EVP_CIPHER_PARAM_TO_ASN1 203 # define EVP_F_EVP_DECRYPTFINAL_EX 101 # define EVP_F_EVP_DECRYPTUPDATE 166 # define EVP_F_EVP_DIGESTFINALXOF 174