From de09280b2a8314eb98ec9a2b84eebe3eec2f49bd Mon Sep 17 00:00:00 2001

From: Daiki Ueno <ueno@gnu.org>

Date: Thu, 4 Aug 2022 16:37:51 +0900

Subject: [PATCH] _gnutls_decrypt_pbes1_des_md5_data: use public crypto API

This is a follow-up of e7f9267342bc2231149a640163c82b63c86f1dfd.  In

the decryption code path with PBES1, algorithm checks for FIPS was not

applied, because it used internal functions that bypass those checks.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

---

 lib/x509/privkey_pkcs8_pbes1.c | 10 ++++------

 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/lib/x509/privkey_pkcs8_pbes1.c b/lib/x509/privkey_pkcs8_pbes1.c

index c296807974..983530e46a 100644

--- a/lib/x509/privkey_pkcs8_pbes1.c

+++ b/lib/x509/privkey_pkcs8_pbes1.c

@@ -140,7 +140,7 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,

 {

 	int result;

 	gnutls_datum_t dkey, d_iv;

-	cipher_hd_st ch;

+	gnutls_cipher_hd_t ch;

 	uint8_t key[16];

 	const unsigned block_size = 8;

@@ -158,16 +158,14 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,

 	dkey.size = 8;

 	d_iv.data = &key[8];

 	d_iv.size = 8;

-	result =

-	    _gnutls_cipher_init(&ch, cipher_to_entry(GNUTLS_CIPHER_DES_CBC),

-				&dkey, &d_iv, 0);

+	result = gnutls_cipher_init(&ch, GNUTLS_CIPHER_DES_CBC, &dkey, &d_iv);

 	if (result < 0) {

 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);

 		return gnutls_assert_val(result);

 	}

 	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);

-	result = _gnutls_cipher_decrypt(&ch, encrypted_data->data, encrypted_data->size);

+	result = gnutls_cipher_decrypt(ch, encrypted_data->data, encrypted_data->size);

 	if (result < 0) {

 		gnutls_assert();

 		goto error;

@@ -184,7 +182,7 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,

 	result = 0;

  error:

-	_gnutls_cipher_deinit(&ch);

+	gnutls_cipher_deinit(ch);

 	return result;

 }

-- 

2.37.1