pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2 (PKCS#5 v2.0). This means that keys encrypted and authenticated using another algorithm of the SHA family cannot be decrypted. This deficiency has become particularly incumbent now that PKIs created with OpenSSL1.1 are encrypting keys using hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default and even if v2 was forced, it would still use hmacSHA1). Enable support for all the digest algorithms of the SHA family for PKCS#5 v2.0. Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This commit is contained in:
Antonio Quartulli
Antonio Quartulli
parent
32605dc830
commit
12ccef2761
5 changed files with 73 additions and 5 deletions
|
|
@ -625,6 +625,51 @@ static const oid_md_alg_t oid_md_alg[] =
|
|||
FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
|
||||
FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_md, oid_md_alg_t, oid_md_alg, mbedtls_md_type_t, md_alg)
|
||||
|
||||
/*
|
||||
* For HMAC digestAlgorithm
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
mbedtls_md_type_t md_hmac;
|
||||
} oid_md_hmac_t;
|
||||
|
||||
static const oid_md_hmac_t oid_md_hmac[] =
|
||||
{
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{
|
||||
{ ADD_LEN( MBEDTLS_OID_HMAC_SHA1 ), "hmacSHA1", "HMAC-SHA-1" },
|
||||
MBEDTLS_MD_SHA1,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
{
|
||||
{ ADD_LEN( MBEDTLS_OID_HMAC_SHA224 ), "hmacSHA224", "HMAC-SHA-224" },
|
||||
MBEDTLS_MD_SHA224,
|
||||
},
|
||||
{
|
||||
{ ADD_LEN( MBEDTLS_OID_HMAC_SHA256 ), "hmacSHA256", "HMAC-SHA-256" },
|
||||
MBEDTLS_MD_SHA256,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
{
|
||||
{ ADD_LEN( MBEDTLS_OID_HMAC_SHA384 ), "hmacSHA384", "HMAC-SHA-384" },
|
||||
MBEDTLS_MD_SHA384,
|
||||
},
|
||||
{
|
||||
{ ADD_LEN( MBEDTLS_OID_HMAC_SHA512 ), "hmacSHA512", "HMAC-SHA-512" },
|
||||
MBEDTLS_MD_SHA512,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
{
|
||||
{ NULL, 0, NULL, NULL },
|
||||
MBEDTLS_MD_NONE,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac)
|
||||
#endif /* MBEDTLS_MD_C */
|
||||
|
||||
#if defined(MBEDTLS_PKCS12_C)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue