patches/1.0.2/pkcs12.diff

   1 diff -Nuar openssl-1.0.2d/crypto/evp/evp_pbe.c openssl-work/crypto/evp/evp_pbe.c
   2 --- openssl-1.0.2d/crypto/evp/evp_pbe.c 2015-07-09 15:53:21.000000000 +0400
   3 +++ openssl-work/crypto/evp/evp_pbe.c   2015-03-26 13:00:21.000000000 +0400
   4 @@ -121,6 +121,10 @@
   5      {EVP_PBE_TYPE_PRF, NID_hmacWithSHA384, -1, NID_sha384, 0},
   6      {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0},
   7      {EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0},
   8 +    {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_2012_256, -1,
   9 +     NID_id_GostR3411_2012_256, 0},
  10 +    {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_2012_512, -1,
  11 +     NID_id_GostR3411_2012_512, 0},
  12  };
  13
  14  #ifdef TEST
  15 diff -Nuar openssl-1.0.2d/crypto/pkcs12/p12_mutl.c openssl-work/crypto/pkcs12/p12_mutl.c
  16 --- openssl-1.0.2d/crypto/pkcs12/p12_mutl.c     2015-07-09 15:53:21.000000000 +0400
  17 +++ openssl-work/crypto/pkcs12/p12_mutl.c       2015-06-17 14:48:18.000000000 +0400
  18 @@ -65,6 +65,28 @@
  19  # include <openssl/rand.h>
  20  # include <openssl/pkcs12.h>
  21
  22 +# define TK26_MAC_KEY_LEN 32
  23 +
  24 +static int PKCS12_gen_gost_mac_key(const char *pass, int passlen,
  25 +                                   const unsigned char *salt, int saltlen,
  26 +                                   int iter, const EVP_MD *digest, int keylen,
  27 +                                   unsigned char *key)
  28 +{
  29 +    unsigned char out[96];
  30 +
  31 +    if (keylen != TK26_MAC_KEY_LEN) {
  32 +        return 0;
  33 +    }
  34 +
  35 +    if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
  36 +                           digest, 96, out)) {
  37 +        return 0;
  38 +    }
  39 +    memcpy(key, out + 64, TK26_MAC_KEY_LEN);
  40 +    OPENSSL_cleanse(out, 96);
  41 +    return 1;
  42 +}
  43 +
  44  /* Generate a MAC */
  45  int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
  46                     unsigned char *mac, unsigned int *maclen)
  47 @@ -73,7 +95,7 @@
  48      HMAC_CTX hmac;
  49      unsigned char key[EVP_MAX_MD_SIZE], *salt;
  50      int saltlen, iter;
  51 -    int md_size;
  52 +    int md_size = 0;
  53
  54      if (!PKCS7_type_is_data(p12->authsafes)) {
  55          PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA);
  56 @@ -93,8 +115,19 @@
  57      md_size = EVP_MD_size(md_type);
  58      if (md_size < 0)
  59          return 0;
  60 -    if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
  61 -                        md_size, key, md_type)) {
  62 +    if ((md_type->type == NID_id_GostR3411_94
  63 +         || md_type->type == NID_id_GostR3411_2012_256
  64 +         || md_type->type == NID_id_GostR3411_2012_512)
  65 +        && !getenv("LEGACY_GOST_PKCS12")) {
  66 +        md_size = TK26_MAC_KEY_LEN;
  67 +        if (!PKCS12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
  68 +                                     md_type, md_size, key)) {
  69 +            PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
  70 +            return 0;
  71 +        }
  72 +    } else
  73 +        if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
  74 +                            md_size, key, md_type)) {
  75          PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
  76          return 0;
  77      }
  78