Add PRF preference ctrl to ciphers.

diff --git a/CHANGES b/CHANGES
index f3cc5046ad5c7849334765730a570d26cd4becd7..a7ea7eb082d803f1610ebe33f593ff869313594b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,7 +6,9 @@
 
   *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
      Reorganize PBE internals to lookup from a static table using NIDs,
-     add support for HMAC PBE OID translation.
+     add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
+     EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
+     PRF which will be automatically used with PBES2.
      [Steve Henson]
 
   *) Replace the algorithm specific calls to generate keys in "req" with the

diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index c834a38ddf3cfa16fec7e961e751d49eb5a8c462..ef2684b6d5d2d07006d756e5995761741ae61f1f 100644 (file)
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -95,6 +95,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        PBE2PARAM *pbe2 = NULL;
        ASN1_OCTET_STRING *osalt = NULL;
        ASN1_OBJECT *obj;
+       int prf_nid;
 
        alg_nid = EVP_CIPHER_type(cipher);
        if(alg_nid == NID_undef) {
@@ -119,7 +120,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 
        EVP_CIPHER_CTX_init(&ctx);
 
-       /* Dummy cipherinit to just setup the IV */
+       /* Dummy cipherinit to just setup the IV, and PRF */
        EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0);
        if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
                ASN1err(ASN1_F_PKCS5_PBE2_SET,
@@ -127,6 +128,12 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
                EVP_CIPHER_CTX_cleanup(&ctx);
                goto err;
        }
+       /* An error is OK here: just means use default PRF */
+       if (EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0)
+               {
+               ERR_clear_error();
+               prf_nid = NID_hmacWithSHA1;
+               }
        EVP_CIPHER_CTX_cleanup(&ctx);
 
        if(!(kdf = PBKDF2PARAM_new())) goto merr;
@@ -154,7 +161,15 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
                                 EVP_CIPHER_key_length(cipher))) goto merr;
        }
 
-       /* prf can stay NULL because we are using hmacWithSHA1 */
+       /* prf can stay NULL if we are using hmacWithSHA1 */
+       if (prf_nid != NID_hmacWithSHA1)
+               {
+               kdf->prf = X509_ALGOR_new();
+               if (!kdf->prf)
+                       goto merr;
+               X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
+                                       V_ASN1_NULL, NULL);
+               }
 
        /* Now setup the PBE2PARAM keyfunc structure */
 

diff --git a/crypto/evp/e_rc2.c b/crypto/evp/e_rc2.c
index d37726ffae4b26e45abdb2de24ab88014d7fb5c6..4fd8c41bccf6c2d0c9b33208af0736d384107d59 100644 (file)
--- a/crypto/evp/e_rc2.c
+++ b/crypto/evp/e_rc2.c
@@ -223,6 +223,11 @@ static int rc2_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
                        return 1;
                        }
                return 0;
+#if PBE_PRF_TEST
+       case EVP_CTRL_PBE_PRF_NID:
+               *(int *)ptr = NID_hmacWithMD5;
+               return 1;
+#endif
 
        default:
                return -1;

diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index db33634e4730aac0bffa118317d6629e8dc205b8..2622b53bab61074c8125a79702d90787a61ff992 100644 (file)
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -301,6 +301,7 @@ struct evp_cipher_st
 #define        EVP_CTRL_GET_RC5_ROUNDS         0x4
 #define        EVP_CTRL_SET_RC5_ROUNDS         0x5
 #define        EVP_CTRL_RAND_KEY               0x6
+#define        EVP_CTRL_PBE_PRF_NID            0x7
 
 typedef struct evp_cipher_info_st
        {