| 1 |
diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c |
| 2 |
--- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100 |
| 3 |
+++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100 |
| 4 |
@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char |
| 5 |
EVP_KDF *kdf; |
| 6 |
EVP_KDF_CTX *ctx; |
| 7 |
OSSL_PARAM params[6], *p = params; |
| 8 |
+ char *adjusted_propq = NULL; |
| 9 |
|
| 10 |
if (n <= 0) |
| 11 |
return 0; |
| 12 |
|
| 13 |
- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq); |
| 14 |
- if (kdf == NULL) |
| 15 |
+ if (ossl_get_kernel_fips_flag()) { |
| 16 |
+ const char *nofips = "-fips"; |
| 17 |
+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 : |
| 18 |
+ strlen(nofips) + 1; |
| 19 |
+ char *ptr = NULL; |
| 20 |
+ |
| 21 |
+ adjusted_propq = OPENSSL_zalloc(len); |
| 22 |
+ if (adjusted_propq != NULL) { |
| 23 |
+ ptr = adjusted_propq; |
| 24 |
+ if (propq) { |
| 25 |
+ memcpy(ptr, propq, strlen(propq)); |
| 26 |
+ ptr += strlen(propq); |
| 27 |
+ *ptr = ','; |
| 28 |
+ ptr++; |
| 29 |
+ } |
| 30 |
+ memcpy(ptr, nofips, strlen(nofips)); |
| 31 |
+ } |
| 32 |
+ } |
| 33 |
+ |
| 34 |
+ kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq); |
| 35 |
+ if (kdf == NULL) { |
| 36 |
+ OPENSSL_free(adjusted_propq); |
| 37 |
return 0; |
| 38 |
+ } |
| 39 |
ctx = EVP_KDF_CTX_new(kdf); |
| 40 |
EVP_KDF_free(kdf); |
| 41 |
- if (ctx == NULL) |
| 42 |
+ if (ctx == NULL) { |
| 43 |
+ OPENSSL_free(adjusted_propq); |
| 44 |
return 0; |
| 45 |
+ } |
| 46 |
|
| 47 |
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, |
| 48 |
(char *)EVP_MD_get0_name(md_type), |
| 49 |
@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char |
| 50 |
} OSSL_TRACE_END(PKCS12_KEYGEN); |
| 51 |
} |
| 52 |
EVP_KDF_CTX_free(ctx); |
| 53 |
+ OPENSSL_free(adjusted_propq); |
| 54 |
return res; |
| 55 |
} |
| 56 |
|
| 57 |
diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c |
| 58 |
--- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100 |
| 59 |
+++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100 |
| 60 |
@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv) |
| 61 |
} |
| 62 |
if (macver) { |
| 63 |
EVP_KDF *pkcs12kdf; |
| 64 |
+ char *adjusted_propq = NULL; |
| 65 |
+ const char *nofips = "-fips"; |
| 66 |
+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 : |
| 67 |
+ strlen(nofips) + 1; |
| 68 |
+ char *ptr = NULL; |
| 69 |
+ |
| 70 |
+ adjusted_propq = OPENSSL_zalloc(len); |
| 71 |
+ if (adjusted_propq != NULL) { |
| 72 |
+ ptr = adjusted_propq; |
| 73 |
+ if (app_get0_propq()) { |
| 74 |
+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq())); |
| 75 |
+ ptr += strlen(app_get0_propq()); |
| 76 |
+ *ptr = ','; |
| 77 |
+ ptr++; |
| 78 |
+ } |
| 79 |
+ memcpy(ptr, nofips, strlen(nofips)); |
| 80 |
+ } |
| 81 |
|
| 82 |
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF", |
| 83 |
- app_get0_propq()); |
| 84 |
+ adjusted_propq ? adjusted_propq : app_get0_propq()); |
| 85 |
if (pkcs12kdf == NULL) { |
| 86 |
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n"); |
| 87 |
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n"); |
| 88 |
+ OPENSSL_free(adjusted_propq); |
| 89 |
goto end; |
| 90 |
} |
| 91 |
EVP_KDF_free(pkcs12kdf); |
| 92 |
+ OPENSSL_free(adjusted_propq); |
| 93 |
/* If we enter empty password try no password first */ |
| 94 |
if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { |
| 95 |
/* If mac and crypto pass the same set it to NULL too */ |
Parent Directory
| 
Revision Log
| 
Revision Graph
