TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / c9f4040f7f3356293e90c58d11f6567def641e08^! / . / include
commitc9f4040f7f3356293e90c58d11f6567def641e08[log] [tgz]
authorWaleed Elmelegy <waleed.elmelegy@arm.com>Tue Aug 08 15:28:15 2023 +0100
committerWaleed Elmelegy <waleed.elmelegy@arm.com>Wed Sep 20 19:28:28 2023 +0100
tree8e0c627c19f5797829894978aacc7ee5df158941
parent8a7fb2d7992a0a3db46d825eff90557204e075bf [diff]
Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function

Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function
and deprecate mbedtls_pkcs5_pbes2 function.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>

diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index c0424da..1786dda 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h

@@ -229,6 +229,14 @@
 #define MBEDTLS_PK_HAVE_ECC_KEYS
 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
 
+/* Historically pkparse did not check the CBC padding when decrypting
+ * a key. This was a bug, which is now fixed. As a consequence, pkparse
+ * now needs PKCS7 padding support, but existing configurations might not
+ * enable it, so we enable it here. */
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+
 /* The following blocks make it easier to disable all of TLS,
  * or of TLS 1.2 or 1.3 or DTLS, without having to manually disable all
  * key exchanges, options and extensions related to them. */

diff --git a/include/mbedtls/pkcs5.h b/include/mbedtls/pkcs5.h
index be54b25..8b086aa 100644
--- a/include/mbedtls/pkcs5.h
+++ b/include/mbedtls/pkcs5.h

@@ -25,6 +25,7 @@
 #define MBEDTLS_PKCS5_H
 
 #include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
 
 #include "mbedtls/asn1.h"
 #include "mbedtls/md.h"
@@ -50,12 +51,17 @@
 
 #if defined(MBEDTLS_ASN1_PARSE_C)
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
  * \brief          PKCS#5 PBES2 function
  *
  * \note           When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
  *                 be enabled at compile time.
  *
+ * \deprecated     This function is deprecated and will be removed in a
+ *                 future version of the library.
+ *                 Please use mbedtls_pkcs5_pbes2_ext() instead.
+ *
  * \warning        When decrypting:
  *                 - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
  *                   time, this function validates the CBC padding and returns
@@ -86,10 +92,11 @@
  *
  * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
  */
-int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
-                        const unsigned char *pwd,  size_t pwdlen,
-                        const unsigned char *data, size_t datalen,
-                        unsigned char *output);
+int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
+                                           const unsigned char *pwd,  size_t pwdlen,
+                                           const unsigned char *data, size_t datalen,
+                                           unsigned char *output);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 
 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)