From ab6e3fce040f9ad27cbce44e9038a24f15b601c8 Mon Sep 17 00:00:00 2001 From: Matthieu Patou Date: Sun, 15 Aug 2010 18:31:28 +0400 Subject: s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382) I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit. Andrew Bartlett --- source4/heimdal/lib/hx509/crypto.c | 219 ++++++++++++++++++------------------- 1 file changed, 107 insertions(+), 112 deletions(-) (limited to 'source4/heimdal/lib/hx509/crypto.c') diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c index 77be4413ac..c2e5e70748 100644 --- a/source4/heimdal/lib/hx509/crypto.c +++ b/source4/heimdal/lib/hx509/crypto.c @@ -149,11 +149,6 @@ const AlgorithmIdentifier _hx509_signature_md5_data = { { 6, rk_UNCONST(md5_oid_tree) }, rk_UNCONST(&null_entry_oid) }; -static const unsigned md2_oid_tree[] = { 1, 2, 840, 113549, 2, 2 }; -const AlgorithmIdentifier _hx509_signature_md2_data = { - { 6, rk_UNCONST(md2_oid_tree) }, rk_UNCONST(&null_entry_oid) -}; - static const unsigned ecPublicKey[] ={ 1, 2, 840, 10045, 2, 1 }; const AlgorithmIdentifier _hx509_signature_ecPublicKey = { { 6, rk_UNCONST(ecPublicKey) }, NULL @@ -194,11 +189,6 @@ const AlgorithmIdentifier _hx509_signature_rsa_with_md5_data = { { 7, rk_UNCONST(rsa_with_md5_oid) }, NULL }; -static const unsigned rsa_with_md2_oid[] ={ 1, 2, 840, 113549, 1, 1, 2 }; -const AlgorithmIdentifier _hx509_signature_rsa_with_md2_data = { - { 7, rk_UNCONST(rsa_with_md2_oid) }, NULL -}; - static const unsigned rsa_oid[] ={ 1, 2, 840, 113549, 1, 1, 1 }; const AlgorithmIdentifier _hx509_signature_rsa_data = { { 7, rk_UNCONST(rsa_oid) }, NULL 
@@ -283,11 +273,11 @@ heim_oid2ecnid(heim_oid *oid) * Now map to openssl OID fun */ - if (der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp256r1) == 0) + if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0) return NID_X9_62_prime256v1; - else if (der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp160r1) == 0) + else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0) return NID_secp160r1; - else if (der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp160r2) == 0) + else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0) return NID_secp160r2; return -1; @@ -370,7 +360,7 @@ ecdsa_verify_signature(hx509_context context, /* set up EC KEY */ spi = &signer->tbsCertificate.subjectPublicKeyInfo; - if (der_heim_oid_cmp(&spi->algorithm.algorithm, &asn1_oid_id_ecPublicKey) != 0) + if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0) return HX509_CRYPTO_SIG_INVALID_FORMAT; #ifdef HAVE_OPENSSL @@ -431,7 +421,7 @@ ecdsa_create_signature(hx509_context context, unsigned int siglen; int ret; - if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0) + if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0) _hx509_abort("internal error passing private key to wrong ops"); sig_oid = sig_alg->sig_oid; @@ -661,7 +651,7 @@ rsa_create_signature(hx509_context context, size_t size; int ret; - if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_pkcs1_rsaEncryption) != 0) + if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) != 0) return HX509_ALG_NOT_SUPP; if (alg) 
@@ -669,19 +659,19 @@ rsa_create_signature(hx509_context context, else sig_oid = signer->signature_alg; - if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_sha256WithRSAEncryption) == 0) { + if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA256WITHRSAENCRYPTION) == 0) { digest_alg = hx509_signature_sha256(); - } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_sha1WithRSAEncryption) == 0) { + } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION) == 0) { digest_alg = hx509_signature_sha1(); - } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_md5WithRSAEncryption) == 0) { + } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION) == 0) { digest_alg = hx509_signature_md5(); - } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_md5WithRSAEncryption) == 0) { + } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION) == 0) { digest_alg = hx509_signature_md5(); - } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_dsa_with_sha1) == 0) { + } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_DSA_WITH_SHA1) == 0) { digest_alg = hx509_signature_sha1(); - } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_rsaEncryption) == 0) { + } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) { digest_alg = hx509_signature_sha1(); - } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_heim_rsa_pkcs1_x509) == 0) { + } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_HEIM_RSA_PKCS1_X509) == 0) { digest_alg = NULL; } else return HX509_ALG_NOT_SUPP; @@ -767,7 +757,7 @@ rsa_private_key_import(hx509_context context, "Failed to parse RSA key"); return HX509_PARSING_KEY_FAILED; } - private_key->signature_alg = &asn1_oid_id_pkcs1_sha1WithRSAEncryption; + private_key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION; return 0; } 
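Review bot: The second `else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION) == 0)` in the digest selection of rsa_create_signature repeats the branch directly above it, so it can never be taken. The rename carries the duplicate over unchanged, and it should simply be dropped. The chain also still maps a signature OID to `hx509_signature_md5()` for newly created signatures even though this commit removes MD2 elsewhere; if that is intentional, a comment such as `/* MD5 kept for interoperability with existing peers only */` on that branch would record the decision. The function body starts and ends outside the hunk.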
@@ -790,7 +780,7 @@ rsa_private_key2SPKI(hx509_context context, } spki->subjectPublicKey.length = len * 8; - ret = set_digest_alg(&spki->algorithm, &asn1_oid_id_pkcs1_rsaEncryption, + ret = set_digest_alg(&spki->algorithm, ASN1_OID_ID_PKCS1_RSAENCRYPTION, "\x05\x00", 2); if (ret) { hx509_set_error_string(context, 0, ret, "malloc - out of memory"); @@ -844,7 +834,7 @@ rsa_generate_private_key(hx509_context context, "Failed to generate RSA key"); return HX509_PARSING_KEY_FAILED; } - private_key->signature_alg = &asn1_oid_id_pkcs1_sha1WithRSAEncryption; + private_key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION; return 0; } @@ -900,7 +890,7 @@ rsa_get_internal(hx509_context context, static hx509_private_key_ops rsa_private_key_ops = { "RSA PRIVATE KEY", - &asn1_oid_id_pkcs1_rsaEncryption, + ASN1_OID_ID_PKCS1_RSAENCRYPTION, NULL, rsa_private_key2SPKI, rsa_private_key_export, @@ -973,7 +963,7 @@ ecdsa_private_key_import(hx509_context context, "Failed to parse EC private key"); return HX509_PARSING_KEY_FAILED; } - private_key->signature_alg = &asn1_oid_id_ecdsa_with_SHA256; + private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256; return 0; } @@ -997,7 +987,7 @@ ecdsa_get_internal(hx509_context context, static hx509_private_key_ops ecdsa_private_key_ops = { "EC PRIVATE KEY", - &asn1_oid_id_ecPublicKey, + ASN1_OID_ID_ECPUBLICKEY, ecdsa_available, ecdsa_private_key2SPKI, ecdsa_private_key_export, @@ -1110,7 +1100,7 @@ dsa_parse_private_key(hx509_context context, d2i_DSAPrivateKey(NULL, &p, len); if (private_key->private_key.dsa == NULL) return EINVAL; - private_key->signature_alg = &asn1_oid_id_dsa_with_sha1; + private_key->signature_alg = ASN1_OID_ID_DSA_WITH_SHA1; return 0; /* else */ 
@@ -1197,9 +1187,9 @@ evp_md_verify_signature(hx509_context context, static const struct signature_alg ecdsa_with_sha256_alg = { "ecdsa-with-sha256", - &asn1_oid_id_ecdsa_with_SHA256, + ASN1_OID_ID_ECDSA_WITH_SHA256, &_hx509_signature_ecdsa_with_sha256_data, - &asn1_oid_id_ecPublicKey, + ASN1_OID_ID_ECPUBLICKEY, &_hx509_signature_sha256_data, PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, @@ -1211,9 +1201,9 @@ static const struct signature_alg ecdsa_with_sha256_alg = { static const struct signature_alg ecdsa_with_sha1_alg = { "ecdsa-with-sha1", - &asn1_oid_id_ecdsa_with_SHA1, + ASN1_OID_ID_ECDSA_WITH_SHA1, &_hx509_signature_ecdsa_with_sha1_data, - &asn1_oid_id_ecPublicKey, + ASN1_OID_ID_ECPUBLICKEY, &_hx509_signature_sha1_data, PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, @@ -1227,9 +1217,9 @@ static const struct signature_alg ecdsa_with_sha1_alg = { static const struct signature_alg heim_rsa_pkcs1_x509 = { "rsa-pkcs1-x509", - &asn1_oid_id_heim_rsa_pkcs1_x509, + ASN1_OID_ID_HEIM_RSA_PKCS1_X509, &_hx509_signature_rsa_pkcs1_x509_data, - &asn1_oid_id_pkcs1_rsaEncryption, + ASN1_OID_ID_PKCS1_RSAENCRYPTION, NULL, PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG, 0, @@ -1240,9 +1230,9 @@ static const struct signature_alg heim_rsa_pkcs1_x509 = { static const struct signature_alg pkcs1_rsa_sha1_alg = { "rsa", - &asn1_oid_id_pkcs1_rsaEncryption, + ASN1_OID_ID_PKCS1_RSAENCRYPTION, &_hx509_signature_rsa_with_sha1_data, - &asn1_oid_id_pkcs1_rsaEncryption, + ASN1_OID_ID_PKCS1_RSAENCRYPTION, NULL, PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, 
@@ -1253,9 +1243,9 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = { static const struct signature_alg rsa_with_sha256_alg = { "rsa-with-sha256", - &asn1_oid_id_pkcs1_sha256WithRSAEncryption, + ASN1_OID_ID_PKCS1_SHA256WITHRSAENCRYPTION, &_hx509_signature_rsa_with_sha256_data, - &asn1_oid_id_pkcs1_rsaEncryption, + ASN1_OID_ID_PKCS1_RSAENCRYPTION, &_hx509_signature_sha256_data, PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, @@ -1266,9 +1256,9 @@ static const struct signature_alg rsa_with_sha256_alg = { static const struct signature_alg rsa_with_sha1_alg = { "rsa-with-sha1", - &asn1_oid_id_pkcs1_sha1WithRSAEncryption, + ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION, &_hx509_signature_rsa_with_sha1_data, - &asn1_oid_id_pkcs1_rsaEncryption, + ASN1_OID_ID_PKCS1_RSAENCRYPTION, &_hx509_signature_sha1_data, PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, 
@@ -1277,25 +1267,25 @@ static const struct signature_alg rsa_with_sha1_alg = { rsa_create_signature }; -static const struct signature_alg rsa_with_md5_alg = { - "rsa-with-md5", - &asn1_oid_id_pkcs1_md5WithRSAEncryption, - &_hx509_signature_rsa_with_md5_data, - &asn1_oid_id_pkcs1_rsaEncryption, - &_hx509_signature_md5_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, - 1230739889, +static const struct signature_alg rsa_with_sha1_alg_secsig = { + "rsa-with-sha1", + ASN1_OID_ID_SECSIG_SHA_1WITHRSAENCRYPTION, + &_hx509_signature_rsa_with_sha1_data, + ASN1_OID_ID_PKCS1_RSAENCRYPTION, + &_hx509_signature_sha1_data, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, + 0, NULL, rsa_verify_signature, rsa_create_signature }; -static const struct signature_alg rsa_with_md2_alg = { - "rsa-with-md2", - &asn1_oid_id_pkcs1_md2WithRSAEncryption, - &_hx509_signature_rsa_with_md2_data, - &asn1_oid_id_pkcs1_rsaEncryption, - &_hx509_signature_md2_data, +static const struct signature_alg rsa_with_md5_alg = { + "rsa-with-md5", + ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION, + &_hx509_signature_rsa_with_md5_data, + ASN1_OID_ID_PKCS1_RSAENCRYPTION, + &_hx509_signature_md5_data, PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, 1230739889, NULL, @@ -1305,9 +1295,9 @@ static const struct signature_alg rsa_with_md2_alg = { static const struct signature_alg dsa_sha1_alg = { "dsa-with-sha1", - &asn1_oid_id_dsa_with_sha1, + ASN1_OID_ID_DSA_WITH_SHA1, NULL, - &asn1_oid_id_dsa, + ASN1_OID_ID_DSA, &_hx509_signature_sha1_data, PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG, 0, @@ -1318,7 +1308,7 @@ static const struct signature_alg dsa_sha1_alg = { static const struct signature_alg sha256_alg = { "sha-256", - &asn1_oid_id_sha256, + ASN1_OID_ID_SHA256, &_hx509_signature_sha256_data, NULL, NULL, 
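Review bot: The new `rsa_with_sha1_alg_secsig` entry has no comment explaining why a second SHA-1/RSA table entry exists. It reuses the name string `"rsa-with-sha1"` and `&_hx509_signature_rsa_with_sha1_data` from `rsa_with_sha1_alg`, so the two entries differ only in the first OID field. A one-line comment above it, for example `/* same algorithm as rsa_with_sha1_alg, accepted under the secsig OID */`, would make clear that the duplication is deliberate. Any lookup that goes by name would presumably only ever reach the first of the two entries in `sig_algs`; that lookup code is outside the hunk and worth checking.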
@@ -1331,7 +1321,7 @@ static const struct signature_alg sha256_alg = { static const struct signature_alg sha1_alg = { "sha1", - &asn1_oid_id_secsig_sha_1, + ASN1_OID_ID_SECSIG_SHA_1, &_hx509_signature_sha1_data, NULL, NULL, @@ -1344,7 +1334,7 @@ static const struct signature_alg sha1_alg = { static const struct signature_alg md5_alg = { "rsa-md5", - &asn1_oid_id_rsa_digest_md5, + ASN1_OID_ID_RSA_DIGEST_MD5, &_hx509_signature_md5_data, NULL, NULL, @@ -1355,19 +1345,6 @@ static const struct signature_alg md5_alg = { NULL }; -static const struct signature_alg md2_alg = { - "rsa-md2", - &asn1_oid_id_rsa_digest_md2, - &_hx509_signature_md2_data, - NULL, - NULL, - SIG_DIGEST, - 0, - EVP_md2, - evp_md_verify_signature, - NULL -}; - /* * Order matter in this structure, "best" first for each "key * compatible" type (type is ECDSA, RSA, DSA, none, etc) @@ -1380,15 +1357,14 @@ static const struct signature_alg *sig_algs[] = { #endif &rsa_with_sha256_alg, &rsa_with_sha1_alg, + &rsa_with_sha1_alg_secsig, &pkcs1_rsa_sha1_alg, &rsa_with_md5_alg, - &rsa_with_md2_alg, &heim_rsa_pkcs1_x509, &dsa_sha1_alg, &sha256_alg, &sha1_alg, &md5_alg, - &md2_alg, NULL }; @@ -1641,7 +1617,7 @@ _hx509_public_encrypt(hx509_context context, ciphertext->length = ret; ciphertext->data = to; - ret = der_copy_oid(&asn1_oid_id_pkcs1_rsaEncryption, encryption_oid); + ret = der_copy_oid(ASN1_OID_ID_PKCS1_RSAENCRYPTION, encryption_oid); if (ret) { der_free_octet_string(ciphertext); hx509_set_error_string(context, 0, ENOMEM, "out of memory"); @@ -1750,7 +1726,7 @@ _hx509_generate_private_key_init(hx509_context context, { *ctx = NULL; - if (der_heim_oid_cmp(oid, &asn1_oid_id_pkcs1_rsaEncryption) != 0) { + if (der_heim_oid_cmp(oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) != 0) { hx509_set_error_string(context, 0, EINVAL, "private key not an RSA key"); return EINVAL; 
@@ -1844,10 +1820,6 @@ const AlgorithmIdentifier * hx509_signature_md5(void) { return &_hx509_signature_md5_data; } -const AlgorithmIdentifier * -hx509_signature_md2(void) -{ return &_hx509_signature_md2_data; } - const AlgorithmIdentifier * hx509_signature_ecPublicKey(void) { return &_hx509_signature_ecPublicKey; } @@ -1880,10 +1852,6 @@ const AlgorithmIdentifier * hx509_signature_rsa_with_md5(void) { return &_hx509_signature_rsa_with_md5_data; } -const AlgorithmIdentifier * -hx509_signature_rsa_with_md2(void) -{ return &_hx509_signature_rsa_with_md2_data; } - const AlgorithmIdentifier * hx509_signature_rsa(void) { return &_hx509_signature_rsa_data; } @@ -1961,11 +1929,11 @@ _hx509_private_key_free(hx509_private_key *key) if (--(*key)->ref > 0) return 0; - if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, &asn1_oid_id_pkcs1_rsaEncryption) == 0) { + if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) { if ((*key)->private_key.rsa) RSA_free((*key)->private_key.rsa); #ifdef HAVE_OPENSSL - } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, &asn1_oid_id_ecPublicKey) == 0) { + } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0) { if ((*key)->private_key.ecdsa) EC_KEY_free((*key)->private_key.ecdsa); #endif @@ -1982,7 +1950,7 @@ _hx509_private_key_assign_rsa(hx509_private_key key, void *ptr) if (key->private_key.rsa) RSA_free(key->private_key.rsa); key->private_key.rsa = ptr; - key->signature_alg = &asn1_oid_id_pkcs1_sha1WithRSAEncryption; + key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION; key->md = &pkcs1_rsa_sha1_alg; } @@ -2048,7 +2016,11 @@ struct hx509cipher { struct hx509_crypto_data { char *name; int flags; -#define ALLOW_WEAK 1 +#define ALLOW_WEAK 1 + +#define PADDING_NONE 2 +#define PADDING_PKCS7 4 +#define PADDING_FLAGS (2|4) const struct hx509cipher *cipher; const EVP_CIPHER *c; heim_octet_string key; 
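Review bot: In the `struct hx509_crypto_data` hunk, `PADDING_FLAGS` is written as the literal `(2|4)` instead of being built from the two flags it masks, so a later renumbering of `PADDING_NONE` or `PADDING_PKCS7` would leave the mask stale without any compiler diagnostic. `#define PADDING_FLAGS (PADDING_NONE|PADDING_PKCS7)` keeps the three definitions tied together. These bits share `flags` with `ALLOW_WEAK`, and a short comment such as `/* exactly one PADDING_* bit is expected to be set */` would document the invariant that the `assert` added to hx509_crypto_encrypt in this patch relies on. The struct body continues outside the hunk.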
@@ -2204,7 +2176,7 @@ static const struct hx509cipher ciphers[] = { { "rc2-cbc", CIPHER_WEAK, - &asn1_oid_id_pkcs3_rc2_cbc, + ASN1_OID_ID_PKCS3_RC2_CBC, NULL, EVP_rc2_cbc, CMSRC2CBCParam_get, @@ -2213,7 +2185,7 @@ static const struct hx509cipher ciphers[] = { { "rc2-cbc", CIPHER_WEAK, - &asn1_oid_id_rsadsi_rc2_cbc, + ASN1_OID_ID_RSADSI_RC2_CBC, NULL, EVP_rc2_cbc, CMSRC2CBCParam_get, @@ -2231,7 +2203,7 @@ static const struct hx509cipher ciphers[] = { { "des-ede3-cbc", 0, - &asn1_oid_id_pkcs3_des_ede3_cbc, + ASN1_OID_ID_PKCS3_DES_EDE3_CBC, NULL, EVP_des_ede3_cbc, CMSCBCParam_get, @@ -2240,7 +2212,7 @@ static const struct hx509cipher ciphers[] = { { "des-ede3-cbc", 0, - &asn1_oid_id_rsadsi_des_ede3_cbc, + ASN1_OID_ID_RSADSI_DES_EDE3_CBC, hx509_crypto_des_rsdi_ede3_cbc, EVP_des_ede3_cbc, CMSCBCParam_get, @@ -2249,7 +2221,7 @@ static const struct hx509cipher ciphers[] = { { "aes-128-cbc", 0, - &asn1_oid_id_aes_128_cbc, + ASN1_OID_ID_AES_128_CBC, hx509_crypto_aes128_cbc, EVP_aes_128_cbc, CMSCBCParam_get, @@ -2258,7 +2230,7 @@ static const struct hx509cipher ciphers[] = { { "aes-192-cbc", 0, - &asn1_oid_id_aes_192_cbc, + ASN1_OID_ID_AES_192_CBC, NULL, EVP_aes_192_cbc, CMSCBCParam_get, @@ -2267,7 +2239,7 @@ static const struct hx509cipher ciphers[] = { { "aes-256-cbc", 0, - &asn1_oid_id_aes_256_cbc, + ASN1_OID_ID_AES_256_CBC, hx509_crypto_aes256_cbc, EVP_aes_256_cbc, CMSCBCParam_get, @@ -2334,6 +2306,7 @@ hx509_crypto_init(hx509_context context, return ENOMEM; } + (*crypto)->flags = PADDING_PKCS7; (*crypto)->cipher = cipher; (*crypto)->c = (*cipher->evp_func)(); 
@@ -2379,6 +2352,23 @@ hx509_crypto_allow_weak(hx509_crypto crypto) crypto->flags |= ALLOW_WEAK; } +void +hx509_crypto_set_padding(hx509_crypto crypto, int padding_type) +{ + switch (padding_type) { + case HX509_CRYPTO_PADDING_PKCS7: + crypto->flags &= ~PADDING_FLAGS; + crypto->flags |= PADDING_PKCS7; + break; + case HX509_CRYPTO_PADDING_NONE: + crypto->flags &= ~PADDING_FLAGS; + crypto->flags |= PADDING_NONE; + break; + default: + _hx509_abort("Invalid padding"); + } +} + int hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length) { @@ -2497,12 +2487,17 @@ hx509_crypto_encrypt(hx509_crypto crypto, goto out; } - if (EVP_CIPHER_block_size(crypto->c) == 1) { + assert(crypto->flags & PADDING_FLAGS); + if (crypto->flags & PADDING_NONE) { padsize = 0; - } else { - int bsize = EVP_CIPHER_block_size(crypto->c); - padsize = bsize - (length % bsize); + } else if (crypto->flags & PADDING_PKCS7) { + if (EVP_CIPHER_block_size(crypto->c) == 1) { + } else { + int bsize = EVP_CIPHER_block_size(crypto->c); + padsize = bsize - (length % bsize); + } } + (*ciphertext)->length = length + padsize; (*ciphertext)->data = malloc(length + padsize); if ((*ciphertext)->data == NULL) { @@ -2592,7 +2587,7 @@ hx509_crypto_decrypt(hx509_crypto crypto, } EVP_CIPHER_CTX_cleanup(&evp); - if (EVP_CIPHER_block_size(crypto->c) > 1) { + if ((crypto->flags & PADDING_PKCS7) && EVP_CIPHER_block_size(crypto->c) > 1) { int padsize; unsigned char *p; int j, bsize = EVP_CIPHER_block_size(crypto->c); 
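Review bot: hx509_crypto_set_padding is added as a new exported function without a doc comment, and its `default:` case terminates the process through `_hx509_abort("Invalid padding")` instead of reporting the bad argument to the caller. Since the function is new, it could return `int` and use `return EINVAL;` in the default case, so a library consumer passing an unexpected value does not bring down the whole process. The doc comment should name the two accepted values, `HX509_CRYPTO_PADDING_PKCS7` and `HX509_CRYPTO_PADDING_NONE`, and state that PKCS7 is the default set by hx509_crypto_init. It should also say that with `HX509_CRYPTO_PADDING_NONE` the decrypt path in this patch skips the padding check, and that the encrypt hunk shows no check that the input length is a multiple of the cipher block size in that mode.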
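Review bot: In the new padding selection of hx509_crypto_encrypt, the `EVP_CIPHER_block_size(crypto->c) == 1` branch under `PADDING_PKCS7` is empty as the hunk reads, so `padsize` is not assigned on that path before `length + padsize` is stored in `(*ciphertext)->length` and passed to `malloc`. The same applies when neither padding bit is set and the `assert(crypto->flags & PADDING_FLAGS)` is compiled out with NDEBUG. Unless `padsize` is initialised at its declaration, which is outside the hunk, the allocation size is then indeterminate and the buffer may be smaller than what the cipher writes. Adding `padsize = 0;` immediately before the `if (crypto->flags & PADDING_NONE)` chain covers both paths and lets the empty branch be removed.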
@@ -2704,33 +2699,33 @@ find_string2key(const heim_oid *oid, const EVP_MD **md, PBE_string2key_func *s2k) { - if (der_heim_oid_cmp(oid, &asn1_oid_id_pbewithSHAAnd40BitRC2_CBC) == 0) { + if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC2_CBC) == 0) { *c = EVP_rc2_40_cbc(); *md = EVP_sha1(); *s2k = PBE_string2key; return &asn1_oid_private_rc2_40; - } else if (der_heim_oid_cmp(oid, &asn1_oid_id_pbeWithSHAAnd128BitRC2_CBC) == 0) { + } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC2_CBC) == 0) { *c = EVP_rc2_cbc(); *md = EVP_sha1(); *s2k = PBE_string2key; - return &asn1_oid_id_pkcs3_rc2_cbc; + return ASN1_OID_ID_PKCS3_RC2_CBC; #if 0 - } else if (der_heim_oid_cmp(oid, &asn1_oid_id_pbeWithSHAAnd40BitRC4) == 0) { + } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC4) == 0) { *c = EVP_rc4_40(); *md = EVP_sha1(); *s2k = PBE_string2key; return NULL; - } else if (der_heim_oid_cmp(oid, &asn1_oid_id_pbeWithSHAAnd128BitRC4) == 0) { + } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC4) == 0) { *c = EVP_rc4(); *md = EVP_sha1(); *s2k = PBE_string2key; - return &asn1_oid_id_pkcs3_rc4; + return ASN1_OID_ID_PKCS3_RC4; #endif - } else if (der_heim_oid_cmp(oid, &asn1_oid_id_pbeWithSHAAnd3_KeyTripleDES_CBC) == 0) { + } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND3_KEYTRIPLEDES_CBC) == 0) { *c = EVP_des_ede3_cbc(); *md = EVP_sha1(); *s2k = PBE_string2key; - return &asn1_oid_id_pkcs3_des_ede3_cbc; + return ASN1_OID_ID_PKCS3_DES_EDE3_CBC; } return NULL; 
@@ -2907,9 +2902,9 @@ match_keys_ec(hx509_cert c, hx509_private_key private_key) int _hx509_match_keys(hx509_cert c, hx509_private_key key) { - if (der_heim_oid_cmp(key->ops->key_oid, &asn1_oid_id_pkcs1_rsaEncryption) == 0) + if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) return match_keys_rsa(c, key); - if (der_heim_oid_cmp(key->ops->key_oid, &asn1_oid_id_ecPublicKey) == 0) + if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0) return match_keys_ec(c, key); return 0; -- cgit