Test for and use AES CSP for RSA if present.

Some keys are attached to the full RSA CSP which doesn't support SHA2 algorithms: uses the AES CSP if present. Reviewed-by: N Tim Hudson <tjh@openssl.org>

Test for and use AES CSP for RSA if present.
Some keys are attached to the full RSA CSP which doesn't support SHA2 algorithms: uses the AES CSP if present. Reviewed-by: N Tim Hudson <tjh@openssl.org>
7b548d3f · Dr Stephen Henson · Dr. Stephen Henson · 64c443e3 · 7b548d3f
隐藏空白更改
内联并排

Showing with 22 addition and 2 deletion

engines/e_capi.c engines/e_capi.c +22 -2

未找到文件。
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -133,6 +133,10 @@
 #  define CALG_SHA_512            (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_512)
 # endif

+# ifndef PROV_RSA_AES
+#  define PROV_RSA_AES 24
+# endif
+
 # include <openssl/engine.h>
 # include <openssl/pem.h>
 # include <openssl/x509v3.h>
@@ -458,11 +462,14 @@ static DSA_METHOD capi_dsa_method = {
    0                           /* dsa_keygen */
 };

+static int use_aes_csp = 0;
+
 static int capi_init(ENGINE *e)
 {
    CAPI_CTX *ctx;
    const RSA_METHOD *ossl_rsa_meth;
    const DSA_METHOD *ossl_dsa_meth;
+    HCRYPTPROV hprov;

    if (capi_idx < 0) {
        capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
@@ -509,6 +516,14 @@ static int capi_init(ENGINE *e)
    }
 # endif

+    /* See if we support AES CSP */
+
+    if (CryptAcquireContext(&hprov, NULL, NULL, PROV_RSA_AES,
+                            CRYPT_VERIFYCONTEXT)) {
+        use_aes_csp = 1;
+        CryptReleaseContext(hprov, 0);
+    }
+
    return 1;

 memerr:
@@ -1454,10 +1469,15 @@ static CAPI_KEY *capi_get_key(CAPI_CTX * ctx, const TCHAR *contname,

    if (key == NULL)
        return NULL;
-    if (sizeof(TCHAR) == sizeof(char))
+    /* If PROV_RSA_AES supported use it instead */
+    if (ptype == PROV_RSA_FULL && use_aes_csp) {
+        provname = NULL;
+        ptype = PROV_RSA_AES;
+        CAPI_trace(ctx, "capi_get_key, contname=%s, RSA_AES_CSP\n", contname);
+    } else if (sizeof(TCHAR) == sizeof(char)) {
        CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
                   contname, provname, ptype);
-    else if (ctx && ctx->debug_level >= CAPI_DBG_TRACE && ctx->debug_file) {
+    } else if (ctx && ctx->debug_level >= CAPI_DBG_TRACE && ctx->debug_file) {
        /* above 'if' is optimization to minimize malloc-ations */
        char *_contname = wide_to_asc((WCHAR *)contname);
        char *_provname = wide_to_asc((WCHAR *)provname);