106 lines
4.1 KiB
Diff
106 lines
4.1 KiB
Diff
diff -up openssl-3.5.0-build/openssl-3.5.0/apps/pkcs12.c.xxx openssl-3.5.0-build/openssl-3.5.0/apps/pkcs12.c
|
|
--- openssl-3.5.0/apps/pkcs12.c.xxx 2025-05-09 13:02:55.421755023 +0200
|
|
+++ openssl-3.5.0/apps/pkcs12.c 2025-05-09 13:07:10.393755067 +0200
|
|
@@ -710,9 +710,6 @@ int pkcs12_main(int argc, char **argv)
|
|
}
|
|
|
|
if (maciter != -1) {
|
|
- if (EVP_default_properties_is_fips_enabled(NULL))
|
|
- pbmac1_pbkdf2 = 1;
|
|
-
|
|
if (pbmac1_pbkdf2 == 1) {
|
|
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
|
|
macsaltlen, maciter,
|
|
@@ -844,15 +841,34 @@ int pkcs12_main(int argc, char **argv)
|
|
|
|
if (OBJ_obj2nid(macobj) != NID_pbmac1) {
|
|
EVP_KDF *pkcs12kdf;
|
|
+ char *adjusted_propq = NULL;
|
|
+ const char *nofips = "-fips";
|
|
+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
|
|
+ strlen(nofips) + 1;
|
|
+ char *ptr = NULL;
|
|
+
|
|
+ adjusted_propq = OPENSSL_zalloc(len);
|
|
+ if (adjusted_propq != NULL) {
|
|
+ ptr = adjusted_propq;
|
|
+ if (app_get0_propq()) {
|
|
+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
|
|
+ ptr += strlen(app_get0_propq());
|
|
+ *ptr = ',';
|
|
+ ptr++;
|
|
+ }
|
|
+ memcpy(ptr, nofips, strlen(nofips));
|
|
+ }
|
|
|
|
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
|
|
- app_get0_propq());
|
|
+ adjusted_propq ? adjusted_propq : app_get0_propq());
|
|
if (pkcs12kdf == NULL) {
|
|
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
|
|
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
|
|
+ OPENSSL_free(adjusted_propq);
|
|
goto end;
|
|
}
|
|
EVP_KDF_free(pkcs12kdf);
|
|
+ OPENSSL_free(adjusted_propq);
|
|
}
|
|
|
|
/* If we enter empty password try no password first */
|
|
diff -up openssl-3.5.0-build/openssl-3.5.0/crypto/pkcs12/p12_key.c.xxx openssl-3.5.0-build/openssl-3.5.0/crypto/pkcs12/p12_key.c
|
|
--- openssl-3.5.0/crypto/pkcs12/p12_key.c.xxx 2025-05-09 13:03:13.573182158 +0200
|
|
+++ openssl-3.5.0/crypto/pkcs12/p12_key.c 2025-05-09 13:04:25.002955528 +0200
|
|
@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
|
|
EVP_KDF *kdf;
|
|
EVP_KDF_CTX *ctx;
|
|
OSSL_PARAM params[6], *p = params;
|
|
+ char *adjusted_propq = NULL;
|
|
|
|
if (n <= 0)
|
|
return 0;
|
|
|
|
- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
|
|
- if (kdf == NULL)
|
|
+ if (ossl_get_kernel_fips_flag()) {
|
|
+ const char *nofips = "-fips";
|
|
+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
|
|
+ strlen(nofips) + 1;
|
|
+ char *ptr = NULL;
|
|
+
|
|
+ adjusted_propq = OPENSSL_zalloc(len);
|
|
+ if (adjusted_propq != NULL) {
|
|
+ ptr = adjusted_propq;
|
|
+ if (propq) {
|
|
+ memcpy(ptr, propq, strlen(propq));
|
|
+ ptr += strlen(propq);
|
|
+ *ptr = ',';
|
|
+ ptr++;
|
|
+ }
|
|
+ memcpy(ptr, nofips, strlen(nofips));
|
|
+ }
|
|
+ }
|
|
+
|
|
+ kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
|
|
+ if (kdf == NULL) {
|
|
+ OPENSSL_free(adjusted_propq);
|
|
return 0;
|
|
+ }
|
|
ctx = EVP_KDF_CTX_new(kdf);
|
|
EVP_KDF_free(kdf);
|
|
- if (ctx == NULL)
|
|
+ if (ctx == NULL) {
|
|
+ OPENSSL_free(adjusted_propq);
|
|
return 0;
|
|
+ }
|
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
|
(char *)EVP_MD_get0_name(md_type),
|
|
@@ -127,6 +151,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
|
|
} OSSL_TRACE_END(PKCS12_KEYGEN);
|
|
}
|
|
EVP_KDF_CTX_free(ctx);
|
|
+ OPENSSL_free(adjusted_propq);
|
|
return res;
|
|
}
|
|
|