1 files changed, 94 insertions, 49 deletions

diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index cb49b6651d..4ea683036b 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -91,12 +91,10 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
                                  unsigned char *aiv, int prf_nid)
 {
         X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
-        int alg_nid;
+        int alg_nid, keylen;
         EVP_CIPHER_CTX ctx;
         unsigned char iv[EVP_MAX_IV_LENGTH];
-        PBKDF2PARAM *kdf = NULL;
         PBE2PARAM *pbe2 = NULL;
-        ASN1_OCTET_STRING *osalt = NULL;
         ASN1_OBJECT *obj;
 
         alg_nid = EVP_CIPHER_type(cipher);
@@ -127,7 +125,8 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
         EVP_CIPHER_CTX_init(&ctx);
 
         /* Dummy cipherinit to just setup the IV, and PRF */
-        EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0);
+        if (!EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0))
+                goto err;
         if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
                 ASN1err(ASN1_F_PKCS5_PBE2_SET_IV,
                                         ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
@@ -145,55 +144,21 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
                 }
         EVP_CIPHER_CTX_cleanup(&ctx);
 
-        if(!(kdf = PBKDF2PARAM_new())) goto merr;
-        if(!(osalt = M_ASN1_OCTET_STRING_new())) goto merr;
-
-        if (!saltlen) saltlen = PKCS5_SALT_LEN;
-        if (!(osalt->data = OPENSSL_malloc (saltlen))) goto merr;
-        osalt->length = saltlen;
-        if (salt) memcpy (osalt->data, salt, saltlen);
-        else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0) goto merr;
-
-        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
-        if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
-
-        /* Now include salt in kdf structure */
-        kdf->salt->value.octet_string = osalt;
-        kdf->salt->type = V_ASN1_OCTET_STRING;
-        osalt = NULL;
-
         /* If its RC2 then we'd better setup the key length */
 
-        if(alg_nid == NID_rc2_cbc) {
-                if(!(kdf->keylength = M_ASN1_INTEGER_new())) goto merr;
-                if(!ASN1_INTEGER_set (kdf->keylength,
-                                 EVP_CIPHER_key_length(cipher))) goto merr;
-        }
-
-        /* prf can stay NULL if we are using hmacWithSHA1 */
-        if (prf_nid != NID_hmacWithSHA1)
-                {
-                kdf->prf = X509_ALGOR_new();
-                if (!kdf->prf)
-                        goto merr;
-                X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
-                                        V_ASN1_NULL, NULL);
-                }
-
-        /* Now setup the PBE2PARAM keyfunc structure */
+        if(alg_nid == NID_rc2_cbc)
+                keylen = EVP_CIPHER_key_length(cipher);
+        else
+                keylen = -1;
 
-        pbe2->keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+        /* Setup keyfunc */
 
-        /* Encode PBKDF2PARAM into parameter of pbe2 */
+        X509_ALGOR_free(pbe2->keyfunc);
 
-        if(!(pbe2->keyfunc->parameter = ASN1_TYPE_new())) goto merr;
+        pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen);
 
-        if(!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
-                         &pbe2->keyfunc->parameter->value.sequence)) goto merr;
-        pbe2->keyfunc->parameter->type = V_ASN1_SEQUENCE;
-
-        PBKDF2PARAM_free(kdf);
-        kdf = NULL;
+        if (!pbe2->keyfunc)
+                goto merr;
 
         /* Now set up top level AlgorithmIdentifier */
 
@@ -219,8 +184,6 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
         err:
         PBE2PARAM_free(pbe2);
         /* Note 'scheme' is freed as part of pbe2 */
-        M_ASN1_OCTET_STRING_free(osalt);
-        PBKDF2PARAM_free(kdf);
         X509_ALGOR_free(kalg);
         X509_ALGOR_free(ret);
 
@@ -233,3 +196,85 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
         {
         return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1);
         }
+
+X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
+                                int prf_nid, int keylen)
+        {
+        X509_ALGOR *keyfunc = NULL;
+        PBKDF2PARAM *kdf = NULL;
+        ASN1_OCTET_STRING *osalt = NULL;
+
+        if(!(kdf = PBKDF2PARAM_new()))
+                goto merr;
+        if(!(osalt = M_ASN1_OCTET_STRING_new()))
+                goto merr;
+
+        kdf->salt->value.octet_string = osalt;
+        kdf->salt->type = V_ASN1_OCTET_STRING;
+
+        if (!saltlen)
+                saltlen = PKCS5_SALT_LEN;
+        if (!(osalt->data = OPENSSL_malloc (saltlen)))
+                goto merr;
+
+        osalt->length = saltlen;
+
+        if (salt)
+                memcpy (osalt->data, salt, saltlen);
+        else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0)
+                goto merr;
+
+        if(iter <= 0)
+                iter = PKCS5_DEFAULT_ITER;
+
+        if(!ASN1_INTEGER_set(kdf->iter, iter))
+                goto merr;
+
+        /* If have a key len set it up */
+
+        if(keylen > 0) 
+                {
+                if(!(kdf->keylength = M_ASN1_INTEGER_new()))
+                        goto merr;
+                if(!ASN1_INTEGER_set (kdf->keylength, keylen))
+                        goto merr;
+                }
+
+        /* prf can stay NULL if we are using hmacWithSHA1 */
+        if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1)
+                {
+                kdf->prf = X509_ALGOR_new();
+                if (!kdf->prf)
+                        goto merr;
+                X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
+                                        V_ASN1_NULL, NULL);
+                }
+
+        /* Finally setup the keyfunc structure */
+
+        keyfunc = X509_ALGOR_new();
+        if (!keyfunc)
+                goto merr;
+
+        keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+
+        /* Encode PBKDF2PARAM into parameter of pbe2 */
+
+        if(!(keyfunc->parameter = ASN1_TYPE_new()))
+                goto merr;
+
+        if(!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
+                         &keyfunc->parameter->value.sequence))
+                goto merr;
+        keyfunc->parameter->type = V_ASN1_SEQUENCE;
+
+        PBKDF2PARAM_free(kdf);
+        return keyfunc;
+
+        merr:
+        ASN1err(ASN1_F_PKCS5_PBKDF2_SET,ERR_R_MALLOC_FAILURE);
+        PBKDF2PARAM_free(kdf);
+        X509_ALGOR_free(keyfunc);
+        return NULL;
+        }
+