Google Git
Sign in
pigweed / third_party / boringssl / boringssl / e7fc7a737cec0a6c932fce3de221bbed8f114555^! / .
commite7fc7a737cec0a6c932fce3de221bbed8f114555[log] [tgz]
authorDavid Benjamin <davidben@google.com>Fri Nov 19 12:42:12 2021 -0500
committerAdam Langley <agl@google.com>Fri Nov 19 23:31:39 2021 +0000
treea8b30808d74958496e93aabaffe66e368e580e4b
parentb3ed071ecc4efb77afd0a025ea1078da19578bfd [diff]
Export PKCS12_DEFAULT_ITER.

rust-openssl uses this constant to determine PKCS12_create's defaults.
Define it so it does not need to be redefined in
https://boringssl-review.googlesource.com/c/boringssl/+/49645

Change-Id: Ife4a6597de430a411932096618406b9fcd721f43
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50505
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/crypto/pkcs8/internal.h b/crypto/pkcs8/internal.h
index b5d42ba..ab84c82 100644
--- a/crypto/pkcs8/internal.h
+++ b/crypto/pkcs8/internal.h

@@ -112,7 +112,6 @@
                       const char *pass, size_t pass_len, CBS *param);
 };
 
-#define PKCS5_DEFAULT_ITERATIONS 2048
 #define PKCS5_SALT_LEN 8
 
 int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,

diff --git a/crypto/pkcs8/pkcs8.c b/crypto/pkcs8/pkcs8.c
index a19b4a3..84b7b12 100644
--- a/crypto/pkcs8/pkcs8.c
+++ b/crypto/pkcs8/pkcs8.c

@@ -469,7 +469,7 @@
   }
 
   if (iterations <= 0) {
-    iterations = PKCS5_DEFAULT_ITERATIONS;
+    iterations = PKCS12_DEFAULT_ITER;
   }
 
   // Serialize the input key.

diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c
index e24fb42..e2a02e8 100644
--- a/crypto/pkcs8/pkcs8_x509.c
+++ b/crypto/pkcs8/pkcs8_x509.c

@@ -1161,7 +1161,7 @@
     cert_nid = NID_pbe_WithSHA1And40BitRC2_CBC;
   }
   if (iterations == 0) {
-    iterations = PKCS5_DEFAULT_ITERATIONS;
+    iterations = PKCS12_DEFAULT_ITER;
   }
   if (mac_iterations == 0) {
     mac_iterations = 1;

diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h
index 4f21ef3..968640b 100644
--- a/include/openssl/pkcs8.h
+++ b/include/openssl/pkcs8.h

@@ -197,6 +197,10 @@
 OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
                                      int password_len);
 
+// PKCS12_DEFAULT_ITER is the default number of KDF iterations used when
+// creating a |PKCS12| object.
+#define PKCS12_DEFAULT_ITER 2048
+
 // PKCS12_create returns a newly-allocated |PKCS12| object containing |pkey|,
 // |cert|, and |chain|, encrypted with the specified password. |name|, if not
 // NULL, specifies a user-friendly name to encode with the key and
@@ -207,7 +211,8 @@
 //
 // Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero
 // to use defaults, which are |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|,
-// |NID_pbe_WithSHA1And40BitRC2_CBC|, 2048, and one, respectively.
+// |NID_pbe_WithSHA1And40BitRC2_CBC|, |PKCS12_DEFAULT_ITER|, and one,
+// respectively.
 //
 // |key_nid| or |cert_nid| may also be -1 to disable encryption of the key or
 // certificate, respectively. This option is not recommended and is only