diff options
author | Johannes Bauer <joe@johannes-bauer.com> | 2017-07-26 21:49:36 +0200 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2017-08-03 01:07:52 +0100 |
commit | f55129c73920a060e813c883d864222482e067c8 (patch) | |
tree | f140821abd6f4c9c32c3f0cb090ec1e521f9c801 | |
parent | a24a5b8cc4103ddd69f21c91c7d7372abc270157 (diff) | |
download | openssl-f55129c73920a060e813c883d864222482e067c8.zip openssl-f55129c73920a060e813c883d864222482e067c8.tar.gz openssl-f55129c73920a060e813c883d864222482e067c8.tar.bz2 |
Changed use of EVP_PKEY_CTX_md() and more specific error codes
Changed HKDF to use EVP_PKEY_CTX_md() (review comment of @snhenson) and
introduced more specific error codes (not only indicating *that* some
parameter is missing, but actually *which* one it is).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3989)
-rw-r--r-- | crypto/err/openssl.txt | 3 | ||||
-rw-r--r-- | crypto/kdf/hkdf.c | 19 | ||||
-rw-r--r-- | crypto/kdf/kdf_err.c | 4 | ||||
-rw-r--r-- | crypto/kdf/tls1_prf.c | 8 | ||||
-rw-r--r-- | include/openssl/kdferr.h | 3 |
5 files changed, 25 insertions, 12 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 1b677d6..3bd1e4c 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1965,7 +1965,10 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length KDF_R_INVALID_DIGEST:100:invalid digest +KDF_R_MISSING_KEY:104:missing key +KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest KDF_R_MISSING_PARAMETER:101:missing parameter +KDF_R_MISSING_SEED:106:missing seed KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type KDF_R_VALUE_MISSING:102:value missing OBJ_R_OID_EXISTS:102:oid exists diff --git a/crypto/kdf/hkdf.c b/crypto/kdf/hkdf.c index 8ffc8a3..25a1738 100644 --- a/crypto/kdf/hkdf.c +++ b/crypto/kdf/hkdf.c @@ -148,14 +148,9 @@ static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, return EVP_PKEY_CTX_hkdf_mode(ctx, mode); } - if (strcmp(type, "md") == 0) { - const EVP_MD *md = EVP_get_digestbyname(value); - if (!md) { - KDFerr(KDF_F_PKEY_HKDF_CTRL_STR, KDF_R_INVALID_DIGEST); - return 0; - } - return EVP_PKEY_CTX_set_hkdf_md(ctx, md); - } + if (strcmp(type, "md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_MD, value); if (strcmp(type, "salt") == 0) return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value); @@ -184,8 +179,12 @@ static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, { HKDF_PKEY_CTX *kctx = ctx->data; - if (kctx->md == NULL || kctx->key == NULL) { - KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_PARAMETER); + if (kctx->md == NULL) { + KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } + if (kctx->key == NULL) { + KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_KEY); return 0; } diff --git a/crypto/kdf/kdf_err.c b/crypto/kdf/kdf_err.c index f5d0f7e..3b185c8 100644 --- a/crypto/kdf/kdf_err.c +++ b/crypto/kdf/kdf_err.c @@ -25,7 +25,11 @@ static const ERR_STRING_DATA KDF_str_functs[] = { static const ERR_STRING_DATA KDF_str_reasons[] = { {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_MESSAGE_DIGEST), + "missing message digest"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_PARAMETER), "missing parameter"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SEED), "missing seed"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_UNKNOWN_PARAMETER_TYPE), "unknown parameter type"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"}, diff --git a/crypto/kdf/tls1_prf.c b/crypto/kdf/tls1_prf.c index 1673b57..f5e1063 100644 --- a/crypto/kdf/tls1_prf.c +++ b/crypto/kdf/tls1_prf.c @@ -124,8 +124,12 @@ static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) { TLS1_PRF_PKEY_CTX *kctx = ctx->data; - if (kctx->md == NULL || kctx->sec == NULL || kctx->seedlen == 0) { - KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_PARAMETER); + if (kctx->md == NULL) { + KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } + if (kctx->sec == NULL || kctx->seedlen == 0) { + KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); return 0; } return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen, diff --git a/include/openssl/kdferr.h b/include/openssl/kdferr.h index 9c09991..67bd3a3 100644 --- a/include/openssl/kdferr.h +++ b/include/openssl/kdferr.h @@ -31,7 +31,10 @@ int ERR_load_KDF_strings(void); * KDF reason codes. */ # define KDF_R_INVALID_DIGEST 100 +# define KDF_R_MISSING_KEY 104 +# define KDF_R_MISSING_MESSAGE_DIGEST 105 # define KDF_R_MISSING_PARAMETER 101 +# define KDF_R_MISSING_SEED 106 # define KDF_R_UNKNOWN_PARAMETER_TYPE 103 # define KDF_R_VALUE_MISSING 102 |