Browse Source

Changed use of EVP_PKEY_CTX_md() and more specific error codes

Changed HKDF to use EVP_PKEY_CTX_md() (review comment of @snhenson) and
introduced more specific error codes (not only indicating *that* some
parameter is missing, but actually *which* one it is).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3989)
master
Johannes Bauer 5 years ago
committed by Dr. Stephen Henson
parent
commit
f55129c739
5 changed files with 25 additions and 12 deletions
  1. +3
    -0
      crypto/err/openssl.txt
  2. +9
    -10
      crypto/kdf/hkdf.c
  3. +4
    -0
      crypto/kdf/kdf_err.c
  4. +6
    -2
      crypto/kdf/tls1_prf.c
  5. +3
    -0
      include/openssl/kdferr.h

+ 3
- 0
crypto/err/openssl.txt View File

@ -1965,7 +1965,10 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
KDF_R_INVALID_DIGEST:100:invalid digest
KDF_R_MISSING_KEY:104:missing key
KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest
KDF_R_MISSING_PARAMETER:101:missing parameter
KDF_R_MISSING_SEED:106:missing seed
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
KDF_R_VALUE_MISSING:102:value missing
OBJ_R_OID_EXISTS:102:oid exists


+ 9
- 10
crypto/kdf/hkdf.c View File

@ -148,14 +148,9 @@ static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
return EVP_PKEY_CTX_hkdf_mode(ctx, mode);
}
if (strcmp(type, "md") == 0) {
const EVP_MD *md = EVP_get_digestbyname(value);
if (!md) {
KDFerr(KDF_F_PKEY_HKDF_CTRL_STR, KDF_R_INVALID_DIGEST);
return 0;
}
return EVP_PKEY_CTX_set_hkdf_md(ctx, md);
}
if (strcmp(type, "md") == 0)
return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_HKDF_MD, value);
if (strcmp(type, "salt") == 0)
return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
@ -184,8 +179,12 @@ static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
{
HKDF_PKEY_CTX *kctx = ctx->data;
if (kctx->md == NULL || kctx->key == NULL) {
KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_PARAMETER);
if (kctx->md == NULL) {
KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
return 0;
}
if (kctx->key == NULL) {
KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_KEY);
return 0;
}


+ 4
- 0
crypto/kdf/kdf_err.c View File

@ -25,7 +25,11 @@ static const ERR_STRING_DATA KDF_str_functs[] = {
static const ERR_STRING_DATA KDF_str_reasons[] = {
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"},
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"},
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_MESSAGE_DIGEST),
"missing message digest"},
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_PARAMETER), "missing parameter"},
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SEED), "missing seed"},
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_UNKNOWN_PARAMETER_TYPE),
"unknown parameter type"},
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"},


+ 6
- 2
crypto/kdf/tls1_prf.c View File

@ -124,8 +124,12 @@ static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
size_t *keylen)
{
TLS1_PRF_PKEY_CTX *kctx = ctx->data;
if (kctx->md == NULL || kctx->sec == NULL || kctx->seedlen == 0) {
KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_PARAMETER);
if (kctx->md == NULL) {
KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
return 0;
}
if (kctx->sec == NULL || kctx->seedlen == 0) {
KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);
return 0;
}
return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen,


+ 3
- 0
include/openssl/kdferr.h View File

@ -31,7 +31,10 @@ int ERR_load_KDF_strings(void);
* KDF reason codes.
*/
# define KDF_R_INVALID_DIGEST 100
# define KDF_R_MISSING_KEY 104
# define KDF_R_MISSING_MESSAGE_DIGEST 105
# define KDF_R_MISSING_PARAMETER 101
# define KDF_R_MISSING_SEED 106
# define KDF_R_UNKNOWN_PARAMETER_TYPE 103
# define KDF_R_VALUE_MISSING 102


Loading…
Cancel
Save