On Mon, Sep 13, 2004, Steve Hay wrote:

> Dr. Stephen Henson wrote:
>
> OK, I tried that and it works very well.
>
> However, as the attached program shows, it now turns out that this has
> all been a waste of time. If you recall what my original problem was
> (namely, EVP_BytesToKey() only supports default key length -- see
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg37111.html),
> the main reason for switching to EVP_PBE_CipherInit() was that
> PKCS5_v2_PBE_keyivgen(), which is called by EVP_PBE_CipherInit(),
> supposedly works with non-default key lengths. But now that I've
> finally got it working I find that it doesn't support non-default key
> lengths after all.
>
> Walking through the attached program in a debugger, I see that my
> EVP_CIPHER_CTX_set_key_length() call correctly sets the key length to 24
> (whereas BF default is 16), but then PKCS5_v2_PBE_keyivgen() does this:
>
>     /* Fixup cipher based on AlgorithmIdentifier */
>     EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de);
>
> (crypto/evp/p5_crpt2.c line 185-6 in openssl-0.9.7d), which has the
> effect of resetting the key length in the ctx to the cipher's default,
> namely 16 here!
>
> So now I'm back to square one: How do I do PKCS#5 key derivation using a
> non-default key length?
>

Urk, yes you are right. There isn't a way to set the key length in
PKCS5_pbe2_set().

OK, I'd hoped to avoid this but I don't think there's an option without
modifying the API...

What you *can* do is to create a new EVP_CIPHER structure which has its
default key length set to whatever you want. So something like...

    EVP_CIPHER new_cipher;

    new_cipher = *EVP_bf_cbc();
    new_cipher.key_len = whatever_key_length;

then you pass &new_cipher to the relevant functions.

This should work with EVP_BytesToKey() too.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
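
Added example, not part of the thread and not OpenSSL code: PBKDF2 with HMAC-SHA1 (the PKCS#5 v2 default PRF) written out block by block, showing that the key length is only a parameter of the derivation, and that a context reset from 24 to the 16-byte default yields a key that is a strict prefix of the intended one. The function names, passphrase, salt and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import struct

BF_DEFAULT_KEY_LEN = 16  # Blowfish default key length named in the thread
REQUESTED_KEY_LEN = 24   # length the poster set on the cipher context


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 2898, section 5.2) with HMAC-SHA1, one output block at a time."""
    h_len = hashlib.sha1().digest_size  # 20 bytes per block T_i
    n_blocks = -(-dk_len // h_len)      # ceil(dk_len / h_len)
    derived = b""
    for index in range(1, n_blocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 ^ ... ^ U_c
        u = hmac.new(password, salt + struct.pack(">I", index), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(h_len, "big")
    return derived[:dk_len]             # dk_len only selects how much output is kept


def silently_shortened(requested: bytes, actual: bytes) -> bool:
    """True when `actual` is a strict prefix of `requested`, i.e. the same
    password, salt and count were used but with a smaller key length."""
    return len(actual) < len(requested) and requested.startswith(actual)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the thread.
    password, salt, iterations = b"constructed passphrase", bytes(range(8)), 2048
    requested = pbkdf2_hmac_sha1(password, salt, iterations, REQUESTED_KEY_LEN)
    actual = pbkdf2_hmac_sha1(password, salt, iterations, BF_DEFAULT_KEY_LEN)
    print("24-byte key:", requested.hex())
    print("16-byte key:", actual.hex())
    print("key length fell back to default:", silently_shortened(requested, actual))
```

A 16-byte and a 24-byte Blowfish key produce different key schedules, so data encrypted after such a reset will not decrypt for a peer that derived the full 24 bytes from the same parameters.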