commit 14a222cef2699bd3da884662f7e56e097a12b1a0
author Paul Bakker <p.j.bakker@polarssl.org> Tue Jun 18 16:35:48 2013 +0200
committer Paul Bakker <p.j.bakker@polarssl.org> Tue Jun 18 16:35:48 2013 +0200
tree 2f177dfa577923e16f32b5554a383398492b698d
parent 2be71faae4df9f97a700e7e813dad7b544492339

Moved PKCS#12 PBE functions to cipher / md layer where possible

The 3-key and 2-key Triple DES PBE functions have been replaced with a
single pkcs12_pbe() function that handles both situations (and more).

In addition this allows for some PASSWORD_MISMATCH checking

library/x509parse.c

diff --git a/library/x509parse.c b/library/x509parse.c
index ce56289..459a983 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -61,10 +61,12 @@
 #include "polarssl/sha4.h"
 #endif
 #include "polarssl/dhm.h"
-#include "polarssl/pkcs12.h"
 #if defined(POLARSSL_PKCS5_C)
 #include "polarssl/pkcs5.h"
 #endif
+#if defined(POLARSSL_PKCS12_C)
+#include "polarssl/pkcs12.h"
+#endif
 
 #include <string.h>
 #include <stdlib.h>
@@ -2278,23 +2280,28 @@
     /*
      * Decrypt EncryptedData with appropriate PDE
      */
+#if defined(POLARSSL_PKCS12_C)
     if( OID_CMP( OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, &pbe_alg_oid ) )
     {
-        if( ( ret = pkcs12_pbe_sha1_des3_ede_cbc( &pbe_params,
-                                                   PKCS12_PBE_DECRYPT,
-                                                   pwd, pwdlen,
-                                                   p, len, buf ) ) != 0 )
+        if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
+                                POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1,
+                                pwd, pwdlen, p, len, buf ) ) != 0 )
         {
+            if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
+                return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
+
             return( ret );
         }
     }
     else if( OID_CMP( OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, &pbe_alg_oid ) )
     {
-        if( ( ret = pkcs12_pbe_sha1_des2_ede_cbc( &pbe_params,
-                                                   PKCS12_PBE_DECRYPT,
-                                                   pwd, pwdlen,
-                                                   p, len, buf ) ) != 0 )
+        if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
+                                POLARSSL_CIPHER_DES_EDE_CBC, POLARSSL_MD_SHA1,
+                                pwd, pwdlen, p, len, buf ) ) != 0 )
         {
+            if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
+                return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
+
             return( ret );
         }
     }
@@ -2307,9 +2314,17 @@
         {
             return( ret );
         }
+
+        // Best guess for password mismatch when using RC4. If first tag is
+        // not ASN1_CONSTRUCTED | ASN1_SEQUENCE
+        //
+        if( *buf != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
+            return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
     }
+    else
+#endif /* POLARSSL_PKCS12_C */
 #if defined(POLARSSL_PKCS5_C)
-    else if( OID_CMP( OID_PKCS5_PBES2, &pbe_alg_oid ) )
+    if( OID_CMP( OID_PKCS5_PBES2, &pbe_alg_oid ) )
     {
         if( ( ret = pkcs5_pbes2( &pbe_params, PKCS5_DECRYPT, pwd, pwdlen,
                                   p, len, buf ) ) != 0 )
@@ -2320,8 +2335,8 @@
             return( ret );
         }
     }
-#endif /* POLARSSL_PKCS5_C */
     else
+#endif /* POLARSSL_PKCS5_C */
         return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
 
     return x509parse_key_pkcs8_unencrypted_der( rsa, buf, len );