commit 38b50d73a1a0deb56218ff8e7710c1609a608687
author Paul Bakker <p.j.bakker@polarssl.org> Mon Jun 24 19:33:27 2013 +0200
committer Paul Bakker <p.j.bakker@polarssl.org> Tue Jun 25 15:06:53 2013 +0200
tree fb2d9a33d987e4fd85e6a81688a9877659993c59
parent 0e34235644883ba8b6b827e0517bd5f55dc33fa9

Moved PKCS#12 PBE functions to cipher / md layer where possible

The 3-key and 2-key Triple DES PBE functions have been replaced with a
single pkcs12_pbe() function that handles both situations (and more).

In addition this allows for some PASSWORD_MISMATCH checking
(cherry picked from commit 14a222cef2699bd3da884662f7e56e097a12b1a0)

library/x509parse.c

diff --git a/library/x509parse.c b/library/x509parse.c
index 0ec5e68..371c470 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -62,10 +62,12 @@
 #include "polarssl/sha4.h"
 #endif
 #include "polarssl/dhm.h"
-#include "polarssl/pkcs12.h"
 #if defined(POLARSSL_PKCS5_C)
 #include "polarssl/pkcs5.h"
 #endif
+#if defined(POLARSSL_PKCS12_C)
+#include "polarssl/pkcs12.h"
+#endif
 
 #include <string.h>
 #include <stdlib.h>
@@ -2253,23 +2255,28 @@
     /*
      * Decrypt EncryptedData with appropriate PDE
      */
+#if defined(POLARSSL_PKCS12_C)
     if( OID_CMP( OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, &pbe_alg_oid ) )
     {
-        if( ( ret = pkcs12_pbe_sha1_des3_ede_cbc( &pbe_params,
-                                                   PKCS12_PBE_DECRYPT,
-                                                   pwd, pwdlen,
-                                                   p, len, buf ) ) != 0 )
+        if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
+                                POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1,
+                                pwd, pwdlen, p, len, buf ) ) != 0 )
         {
+            if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
+                return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
+
             return( ret );
         }
     }
     else if( OID_CMP( OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, &pbe_alg_oid ) )
     {
-        if( ( ret = pkcs12_pbe_sha1_des2_ede_cbc( &pbe_params,
-                                                   PKCS12_PBE_DECRYPT,
-                                                   pwd, pwdlen,
-                                                   p, len, buf ) ) != 0 )
+        if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
+                                POLARSSL_CIPHER_DES_EDE_CBC, POLARSSL_MD_SHA1,
+                                pwd, pwdlen, p, len, buf ) ) != 0 )
         {
+            if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
+                return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
+
             return( ret );
         }
     }
@@ -2282,9 +2289,17 @@
         {
             return( ret );
         }
+
+        // Best guess for password mismatch when using RC4. If first tag is
+        // not ASN1_CONSTRUCTED | ASN1_SEQUENCE
+        //
+        if( *buf != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
+            return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
     }
+    else
+#endif /* POLARSSL_PKCS12_C */
 #if defined(POLARSSL_PKCS5_C)
-    else if( OID_CMP( OID_PKCS5_PBES2, &pbe_alg_oid ) )
+    if( OID_CMP( OID_PKCS5_PBES2, &pbe_alg_oid ) )
     {
         if( ( ret = pkcs5_pbes2( &pbe_params, PKCS5_DECRYPT, pwd, pwdlen,
                                   p, len, buf ) ) != 0 )
@@ -2295,8 +2310,8 @@
             return( ret );
         }
     }
-#endif /* POLARSSL_PKCS5_C */
     else
+#endif /* POLARSSL_PKCS5_C */
         return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
 
     return x509parse_key_pkcs8_unencrypted_der( rsa, buf, len );