author | David Benjamin <davidben@google.com> | 2021-11-19 12:42:12 -0500 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2021-11-19 23:31:39 +0000 |
commit | e7fc7a737cec0a6c932fce3de221bbed8f114555 (patch) | |
tree | a8b30808d74958496e93aabaffe66e368e580e4b | |
parent | b3ed071ecc4efb77afd0a025ea1078da19578bfd (diff) | |
Export PKCS12_DEFAULT_ITER.
rust-openssl uses this constant to determine PKCS12_create's defaults.
Define it so it does not need to be redefined in
https://boringssl-review.googlesource.com/c/boringssl/+/49645
Change-Id: Ife4a6597de430a411932096618406b9fcd721f43
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50505
Reviewed-by: Adam Langley <agl@google.com>
-rw-r--r-- | crypto/pkcs8/internal.h | 1 | ||||
-rw-r--r-- | crypto/pkcs8/pkcs8.c | 2 | ||||
-rw-r--r-- | crypto/pkcs8/pkcs8_x509.c | 2 | ||||
-rw-r--r-- | include/openssl/pkcs8.h | 7 |
4 files changed, 8 insertions, 4 deletions
diff --git a/crypto/pkcs8/internal.h b/crypto/pkcs8/internal.h
index b5d42ba..ab84c82 100644
--- a/crypto/pkcs8/internal.h
+++ b/crypto/pkcs8/internal.h
@@ -112,7 +112,6 @@ struct pbe_suite {
 const char *pass, size_t pass_len, CBS *param);
 };
-#define PKCS5_DEFAULT_ITERATIONS 2048
 #define PKCS5_SALT_LEN 8
 int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
diff --git a/crypto/pkcs8/pkcs8.c b/crypto/pkcs8/pkcs8.c
index a19b4a3..84b7b12 100644
--- a/crypto/pkcs8/pkcs8.c
+++ b/crypto/pkcs8/pkcs8.c
@@ -469,7 +469,7 @@ int PKCS8_marshal_encrypted_private_key(CBB *out, int pbe_nid,
 }
 if (iterations <= 0) {
- iterations = PKCS5_DEFAULT_ITERATIONS;
+ iterations = PKCS12_DEFAULT_ITER;
 }
 // Serialize the input key.
diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c
index e24fb42..e2a02e8 100644
--- a/crypto/pkcs8/pkcs8_x509.c
+++ b/crypto/pkcs8/pkcs8_x509.c
@@ -1161,7 +1161,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name,
 cert_nid = NID_pbe_WithSHA1And40BitRC2_CBC;
 }
 if (iterations == 0) {
- iterations = PKCS5_DEFAULT_ITERATIONS;
+ iterations = PKCS12_DEFAULT_ITER;
 }
 if (mac_iterations == 0) {
 mac_iterations = 1;
diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h
index 4f21ef3..968640b 100644
--- a/include/openssl/pkcs8.h
+++ b/include/openssl/pkcs8.h
@@ -197,6 +197,10 @@ OPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password,
 OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
 int password_len);
+// PKCS12_DEFAULT_ITER is the default number of KDF iterations used when
+// creating a |PKCS12| object.
+#define PKCS12_DEFAULT_ITER 2048
+
 // PKCS12_create returns a newly-allocated |PKCS12| object containing |pkey|,
 // |cert|, and |chain|, encrypted with the specified password. |name|, if not
 // NULL, specifies a user-friendly name to encode with the key and
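Review bot: The default guard in PKCS8_marshal_encrypted_private_key is `if (iterations <= 0)`, while the matching guard in the PKCS12_create hunk (pkcs8_x509.c) is `if (iterations == 0)`, so the two users of the now-shared constant disagree on what a negative count means. Here a negative value silently becomes PKCS12_DEFAULT_ITER; in PKCS12_create it is passed on, and whether it is rejected later cannot be seen from that hunk. Because the constant is now public and bindings will reason about defaults from it, I would state the rule at this site, for example `// Zero or negative selects PKCS12_DEFAULT_ITER.`, and either align the PKCS12_create condition or document there why only zero is treated as "use the default". Both functions start and end outside their hunks.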
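Review bot: The new comment on `PKCS12_DEFAULT_ITER` says it applies when creating a |PKCS12| object, but the pkcs8.c hunk in this commit also uses it as the fallback in PKCS8_marshal_encrypted_private_key, and it does not describe |mac_iterations|, whose default is documented separately as one. Exporting the value also makes 2048 a number that bindings will copy, and that count is low by current guidance for password-based key derivation, so the comment should not read as a recommended work factor. I would widen it to something like `// PKCS12_DEFAULT_ITER is the number of KDF iterations used by |PKCS12_create| and |PKCS8_marshal_encrypted_private_key| when the caller does not specify one.` and, if the value is kept for compatibility, add `// Callers protecting keys with a password should pass a larger count explicitly.`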
@@ -207,7 +211,8 @@ OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
 //
 // Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero
 // to use defaults, which are |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|,
-// |NID_pbe_WithSHA1And40BitRC2_CBC|, 2048, and one, respectively.
+// |NID_pbe_WithSHA1And40BitRC2_CBC|, |PKCS12_DEFAULT_ITER|, and one,
+// respectively.
 //
 // |key_nid| or |cert_nid| may also be -1 to disable encryption of the key or
 // certificate, respectively. This option is not recommended and is only
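Review bot: The rewritten defaults sentence still gives a default of one for |mac_iterations| without telling a caller who relies on defaults what that implies. The MAC is checked with the same password (PKCS12_verify_mac takes it), so with a single MAC iteration a password guess can presumably be tested against the MAC at much lower cost than the |iterations| setting suggests. I would add a line after the defaults sentence such as `// Callers that rely on the password for protection should set |mac_iterations| explicitly rather than use the default of one.` The comment block continues past the end of the hunk.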