aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--botan_version.py2
-rw-r--r--doc/relnotes/1_11_8.rst5
-rw-r--r--src/lib/asn1/oid_lookup/default.cpp6
-rw-r--r--src/lib/pbe/get_pbe.cpp51
-rw-r--r--src/lib/pbe/pbes1/info.txt10
-rw-r--r--src/lib/pbe/pbes1/pbes1.cpp193
-rw-r--r--src/lib/pbe/pbes1/pbes1.h69
-rw-r--r--src/tests/data/ecc/ecc_private_with_rfc5915_ext.pem11
-rw-r--r--src/tests/unit_ecdsa.cpp4
9 files changed, 12 insertions, 339 deletions
diff --git a/botan_version.py b/botan_version.py
index ad8fc5c24..78224baec 100644
--- a/botan_version.py
+++ b/botan_version.py
@@ -1,7 +1,7 @@
release_major = 1
release_minor = 11
-release_patch = 7
+release_patch = 8
release_so_abi_rev = release_patch
# These are set by the distribution script
diff --git a/doc/relnotes/1_11_8.rst b/doc/relnotes/1_11_8.rst
new file mode 100644
index 000000000..d25018643
--- /dev/null
+++ b/doc/relnotes/1_11_8.rst
@@ -0,0 +1,5 @@
+Version 1.11.8, Not Yet Released
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The antique PBES1 private key encryption scheme (which only supports
+ DES or 64-bit RC2) has been removed.
diff --git a/src/lib/asn1/oid_lookup/default.cpp b/src/lib/asn1/oid_lookup/default.cpp
index 6904ec0ff..95a700f18 100644
--- a/src/lib/asn1/oid_lookup/default.cpp
+++ b/src/lib/asn1/oid_lookup/default.cpp
@@ -144,12 +144,6 @@ void set_defaults()
OIDS::add_oidstr("2.5.4.65", "X520.Pseudonym");
OIDS::add_oidstr("1.2.840.113549.1.5.12", "PKCS5.PBKDF2");
- OIDS::add_oidstr("1.2.840.113549.1.5.1", "PBE-PKCS5v15(MD2,DES/CBC)");
- OIDS::add_oidstr("1.2.840.113549.1.5.4", "PBE-PKCS5v15(MD2,RC2/CBC)");
- OIDS::add_oidstr("1.2.840.113549.1.5.3", "PBE-PKCS5v15(MD5,DES/CBC)");
- OIDS::add_oidstr("1.2.840.113549.1.5.6", "PBE-PKCS5v15(MD5,RC2/CBC)");
- OIDS::add_oidstr("1.2.840.113549.1.5.10", "PBE-PKCS5v15(SHA-160,DES/CBC)");
- OIDS::add_oidstr("1.2.840.113549.1.5.11", "PBE-PKCS5v15(SHA-160,RC2/CBC)");
OIDS::add_oidstr("1.2.840.113549.1.5.13", "PBE-PKCS5v20");
OIDS::add_oidstr("1.2.840.113549.1.9.1", "PKCS9.EmailAddress");
diff --git a/src/lib/pbe/get_pbe.cpp b/src/lib/pbe/get_pbe.cpp
index 4ec518776..5cb5ccc88 100644
--- a/src/lib/pbe/get_pbe.cpp
+++ b/src/lib/pbe/get_pbe.cpp
@@ -11,10 +11,6 @@
#include <botan/parsing.h>
#include <botan/libstate.h>
-#if defined(BOTAN_HAS_PBE_PKCS_V15)
- #include <botan/pbes1.h>
-#endif
-
#if defined(BOTAN_HAS_PBE_PKCS_V20)
#include <botan/pbes2.h>
#include <botan/hmac.h>
@@ -59,15 +55,6 @@ PBE* get_pbe(const std::string& algo_spec,
if(request.arg_count() != 2)
throw Invalid_Algorithm_Name(algo_spec);
-#if defined(BOTAN_HAS_PBE_PKCS_V15)
- if(pbe == "PBE-PKCS5v15")
- return new PBE_PKCS5v15(block_cipher->clone(),
- hash_function->clone(),
- passphrase,
- msec,
- rng);
-#endif
-
#if defined(BOTAN_HAS_PBE_PKCS_V20)
if(pbe == "PBE-PKCS5v20")
return new PBE_PKCS5v20(block_cipher->clone(),
@@ -91,44 +78,6 @@ PBE* get_pbe(const OID& pbe_oid,
const std::string pbe = request.algo_name();
-#if defined(BOTAN_HAS_PBE_PKCS_V15)
- if(pbe == "PBE-PKCS5v15")
- {
- if(request.arg_count() != 2)
- throw Invalid_Algorithm_Name(request.as_string());
-
- std::string digest_name = request.arg(0);
- const std::string cipher = request.arg(1);
-
- std::vector<std::string> cipher_spec = split_on(cipher, '/');
- if(cipher_spec.size() != 2)
- throw Invalid_Argument("PBE: Invalid cipher spec " + cipher);
-
- const std::string cipher_algo = SCAN_Name::deref_alias(cipher_spec[0]);
- const std::string cipher_mode = cipher_spec[1];
-
- if(cipher_mode != "CBC")
- throw Invalid_Argument("PBE: Invalid cipher mode " + cipher);
-
- Algorithm_Factory& af = global_state().algorithm_factory();
-
- const BlockCipher* block_cipher = af.prototype_block_cipher(cipher_algo);
- if(!block_cipher)
- throw Algorithm_Not_Found(cipher_algo);
-
- const HashFunction* hash_function =
- af.prototype_hash_function(digest_name);
-
- if(!hash_function)
- throw Algorithm_Not_Found(digest_name);
-
- return new PBE_PKCS5v15(block_cipher->clone(),
- hash_function->clone(),
- params,
- passphrase);
- }
-#endif
-
#if defined(BOTAN_HAS_PBE_PKCS_V20)
if(pbe == "PBE-PKCS5v20")
return new PBE_PKCS5v20(params, passphrase);
diff --git a/src/lib/pbe/pbes1/info.txt b/src/lib/pbe/pbes1/info.txt
deleted file mode 100644
index 36d26ecc9..000000000
--- a/src/lib/pbe/pbes1/info.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-define PBE_PKCS_V15 20131128
-
-<requires>
-asn1
-block
-cbc
-filters
-hash
-pbkdf1
-</requires>
diff --git a/src/lib/pbe/pbes1/pbes1.cpp b/src/lib/pbe/pbes1/pbes1.cpp
deleted file mode 100644
index a30f10a6c..000000000
--- a/src/lib/pbe/pbes1/pbes1.cpp
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
-* PKCS #5 PBES1
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/pbes1.h>
-#include <botan/pbkdf1.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/lookup.h>
-#include <algorithm>
-
-namespace Botan {
-
-/*
-* Encrypt some bytes using PBES1
-*/
-void PBE_PKCS5v15::write(const byte input[], size_t length)
- {
- m_pipe.write(input, length);
- flush_pipe(true);
- }
-
-/*
-* Start encrypting with PBES1
-*/
-void PBE_PKCS5v15::start_msg()
- {
- m_pipe.append(get_cipher(m_block_cipher->name() + "/CBC/PKCS7",
- m_key, m_iv, m_direction));
-
- m_pipe.start_msg();
- if(m_pipe.message_count() > 1)
- m_pipe.set_default_msg(m_pipe.default_msg() + 1);
- }
-
-/*
-* Finish encrypting with PBES1
-*/
-void PBE_PKCS5v15::end_msg()
- {
- m_pipe.end_msg();
- flush_pipe(false);
- m_pipe.reset();
- }
-
-/*
-* Flush the pipe
-*/
-void PBE_PKCS5v15::flush_pipe(bool safe_to_skip)
- {
- if(safe_to_skip && m_pipe.remaining() < 64)
- return;
-
- secure_vector<byte> buffer(DEFAULT_BUFFERSIZE);
- while(m_pipe.remaining())
- {
- size_t got = m_pipe.read(&buffer[0], buffer.size());
- send(buffer, got);
- }
- }
-
-/*
-* Encode PKCS#5 PBES1 parameters
-*/
-std::vector<byte> PBE_PKCS5v15::encode_params() const
- {
- return DER_Encoder()
- .start_cons(SEQUENCE)
- .encode(m_salt, OCTET_STRING)
- .encode(m_iterations)
- .end_cons()
- .get_contents_unlocked();
- }
-
-/*
-* Return an OID for this PBES1 type
-*/
-OID PBE_PKCS5v15::get_oid() const
- {
- const OID base_pbes1_oid("1.2.840.113549.1.5");
-
- const std::string cipher = m_block_cipher->name();
- const std::string digest = m_hash_function->name();
-
- if(cipher == "DES" && digest == "MD2")
- return (base_pbes1_oid + 1);
- else if(cipher == "DES" && digest == "MD5")
- return (base_pbes1_oid + 3);
- else if(cipher == "DES" && digest == "SHA-160")
- return (base_pbes1_oid + 10);
- else if(cipher == "RC2" && digest == "MD2")
- return (base_pbes1_oid + 4);
- else if(cipher == "RC2" && digest == "MD5")
- return (base_pbes1_oid + 6);
- else if(cipher == "RC2" && digest == "SHA-160")
- return (base_pbes1_oid + 11);
- else
- throw Internal_Error("PBE-PKCS5 v1.5: get_oid() has run out of options");
- }
-
-std::string PBE_PKCS5v15::name() const
- {
- return "PBE-PKCS5v15(" + m_block_cipher->name() + "," +
- m_hash_function->name() + ")";
- }
-
-PBE_PKCS5v15::PBE_PKCS5v15(BlockCipher* cipher,
- HashFunction* hash,
- const std::string& passphrase,
- std::chrono::milliseconds msec,
- RandomNumberGenerator& rng) :
- m_direction(ENCRYPTION),
- m_block_cipher(cipher),
- m_hash_function(hash),
- m_salt(rng.random_vec(8))
- {
- if(cipher->name() != "DES" && cipher->name() != "RC2")
- {
- throw Invalid_Argument("PBE_PKCS5v1.5: Unknown cipher " +
- cipher->name());
- }
-
- if(hash->name() != "MD2" && hash->name() != "MD5" &&
- hash->name() != "SHA-160")
- {
- throw Invalid_Argument("PBE_PKCS5v1.5: Unknown hash " +
- hash->name());
- }
-
- PKCS5_PBKDF1 pbkdf(m_hash_function->clone());
-
- secure_vector<byte> key_and_iv =
- pbkdf.derive_key(16, passphrase,
- &m_salt[0], m_salt.size(),
- msec, m_iterations).bits_of();
-
- m_key.assign(&key_and_iv[0], &key_and_iv[8]);
- m_iv.assign(&key_and_iv[8], &key_and_iv[16]);
-
- }
-
-PBE_PKCS5v15::PBE_PKCS5v15(BlockCipher* cipher,
- HashFunction* hash,
- const std::vector<byte>& params,
- const std::string& passphrase) :
- m_direction(DECRYPTION),
- m_block_cipher(cipher),
- m_hash_function(hash)
- {
- if(cipher->name() != "DES" && cipher->name() != "RC2")
- {
- throw Invalid_Argument("PBE_PKCS5v1.5: Unknown cipher " +
- cipher->name());
- }
-
- if(hash->name() != "MD2" && hash->name() != "MD5" &&
- hash->name() != "SHA-160")
- {
- throw Invalid_Argument("PBE_PKCS5v1.5: Unknown hash " +
- hash->name());
- }
-
- BER_Decoder(params)
- .start_cons(SEQUENCE)
- .decode(m_salt, OCTET_STRING)
- .decode(m_iterations)
- .verify_end()
- .end_cons();
-
- if(m_salt.size() != 8)
- throw Decoding_Error("PBES1: Encoded salt is not 8 octets");
-
- PKCS5_PBKDF1 pbkdf(m_hash_function->clone());
-
- secure_vector<byte> key_and_iv =
- pbkdf.derive_key(16, passphrase,
- &m_salt[0], m_salt.size(),
- m_iterations).bits_of();
-
- m_key.assign(&key_and_iv[0], &key_and_iv[8]);
- m_iv.assign(&key_and_iv[8], &key_and_iv[16]);
- }
-
-PBE_PKCS5v15::~PBE_PKCS5v15()
- {
- delete m_block_cipher;
- delete m_hash_function;
- }
-
-}
diff --git a/src/lib/pbe/pbes1/pbes1.h b/src/lib/pbe/pbes1/pbes1.h
deleted file mode 100644
index 8d1a6f877..000000000
--- a/src/lib/pbe/pbes1/pbes1.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
-* PKCS #5 v1.5 PBE
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_PBE_PKCS_V15_H__
-#define BOTAN_PBE_PKCS_V15_H__
-
-#include <botan/pbe.h>
-#include <botan/block_cipher.h>
-#include <botan/hash.h>
-#include <botan/pipe.h>
-#include <chrono>
-
-namespace Botan {
-
-/**
-* PKCS #5 v1.5 PBE
-*/
-class BOTAN_DLL PBE_PKCS5v15 : public PBE
- {
- public:
- OID get_oid() const;
-
- std::vector<byte> encode_params() const;
-
- std::string name() const;
-
- void write(const byte[], size_t);
- void start_msg();
- void end_msg();
-
- /**
- * @param cipher the block cipher to use (DES or RC2)
- * @param hash the hash function to use
- * @param passphrase the passphrase to use
- * @param msec how many milliseconds to run the PBKDF
- * @param rng a random number generator
- */
- PBE_PKCS5v15(BlockCipher* cipher,
- HashFunction* hash,
- const std::string& passphrase,
- std::chrono::milliseconds msec,
- RandomNumberGenerator& rng);
-
- PBE_PKCS5v15(BlockCipher* cipher,
- HashFunction* hash,
- const std::vector<byte>& params,
- const std::string& passphrase);
-
- ~PBE_PKCS5v15();
- private:
-
- void flush_pipe(bool);
-
- Cipher_Dir m_direction;
- BlockCipher* m_block_cipher;
- HashFunction* m_hash_function;
-
- secure_vector<byte> m_salt, m_key, m_iv;
- size_t m_iterations;
- Pipe m_pipe;
- };
-
-}
-
-#endif
diff --git a/src/tests/data/ecc/ecc_private_with_rfc5915_ext.pem b/src/tests/data/ecc/ecc_private_with_rfc5915_ext.pem
index a8699fce7..75ef9d0f3 100644
--- a/src/tests/data/ecc/ecc_private_with_rfc5915_ext.pem
+++ b/src/tests/data/ecc/ecc_private_with_rfc5915_ext.pem
@@ -1,6 +1,5 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIGwMBsGCSqGSIb3DQEFAzAOBAhLqOHiUDFjTwICCAAEgZD1k1BiBROTLBRoFQG5
-gNEipqwBXlKKv+cen7laWHdABXBPGSXBTZGiwsfVPitW+mT3kLHjPZOwJ+55Chka
-QkBardzHxD2LwX8BXxDqiv61R/NsGh376+KXxTbZApobC3p40T24wMvX0O04HXaZ
-6qPBsRo1byuhn0jM6Qr0O/HnYHH4/fiIN6Iq2HF6/QaUnak=
------END ENCRYPTED PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfKBDxcP88OEfI4v6
+k8JFIQquWzap0+HHXE7N6DzuvamhRANCAAR7M3jrGYZXDSqbcSAmd0wO+V8Wx49D
+jqUVeAbI24rCMk3+mUTTFwwQn0p9nTdf56a1VNl4P9XUM5cbJnqwh5Yl
+-----END PRIVATE KEY-----
diff --git a/src/tests/unit_ecdsa.cpp b/src/tests/unit_ecdsa.cpp
index 436d9dca6..2953073d2 100644
--- a/src/tests/unit_ecdsa.cpp
+++ b/src/tests/unit_ecdsa.cpp
@@ -440,14 +440,12 @@ size_t test_read_pkcs8(RandomNumberGenerator& rng)
size_t test_ecc_key_with_rfc5915_extensions(RandomNumberGenerator& rng)
{
- const std::string pw = "G3bz1L1gmB5ULietOZdoLPu63D7uwTLMEk";
-
size_t fails = 0;
try
{
std::unique_ptr<PKCS8_PrivateKey> pkcs8(
- PKCS8::load_key(ECC_TEST_DATA_DIR "/ecc_private_with_rfc5915_ext.pem", rng, pw));
+ PKCS8::load_key(ECC_TEST_DATA_DIR "/ecc_private_with_rfc5915_ext.pem", rng));
if(!dynamic_cast<ECDSA_PrivateKey*>(pkcs8.get()))
{
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-30 00:42:23 +0000