From 6b62d1fdd8a4fd35acfcc0c4bb1bf8b757fa8cda Mon Sep 17 00:00:00 2001
From: djm <>
Date: Sat, 6 Sep 2008 12:17:54 +0000
Subject: resolve conflicts

---
 src/lib/libcrypto/pkcs12/p12_add.c  |   6 +-
 src/lib/libcrypto/pkcs12/p12_crpt.c |  16 +-
 src/lib/libcrypto/pkcs12/p12_crt.c  | 336 +++++++++++++++++++++++++++---------
 src/lib/libcrypto/pkcs12/p12_decr.c |  13 +-
 src/lib/libcrypto/pkcs12/p12_init.c |   2 +-
 src/lib/libcrypto/pkcs12/p12_key.c  |   2 +-
 src/lib/libcrypto/pkcs12/p12_kiss.c |  20 +--
 src/lib/libcrypto/pkcs12/p12_mutl.c |  20 +--
 src/lib/libcrypto/pkcs12/p12_npas.c |  37 ++--
 src/lib/libcrypto/pkcs12/pk12err.c  |  18 +-
 src/lib/libcrypto/pkcs12/pkcs12.h   |  22 ++-
 11 files changed, 341 insertions(+), 151 deletions(-)

(limited to 'src/lib/libcrypto/pkcs12')

diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index 27015dd8c3..41bdc00551 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -68,16 +68,16 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid
 	PKCS12_BAGS *bag;
 	PKCS12_SAFEBAG *safebag;
 	if (!(bag = PKCS12_BAGS_new())) {
-		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	bag->type = OBJ_nid2obj(nid1);
 	if (!ASN1_item_pack(obj, it, &bag->value.octet)) {
-		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	if (!(safebag = PKCS12_SAFEBAG_new())) {
-		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	safebag->value.bag = bag;
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index 003ec7a33e..3ad33c49d8 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -84,19 +84,25 @@ EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
 #endif
 }
 
-int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 		ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
 {
 	PBEPARAM *pbe;
 	int saltlen, iter, ret;
-	unsigned char *salt, *pbuf;
+	unsigned char *salt;
+	const unsigned char *pbuf;
 	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
 
 	/* Extract useful info from parameter */
+	if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+	    param->value.sequence == NULL) {
+		PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_DECODE_ERROR);
+		return 0;
+	}
+
 	pbuf = param->value.sequence->data;
-	if (!param || (param->type != V_ASN1_SEQUENCE) ||
-	   !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
-		EVPerr(PKCS12_F_PKCS12_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+	if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
+		PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_DECODE_ERROR);
 		return 0;
 	}
 
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index 40340a7bef..dbafda17b6 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,9 +1,9 @@
 /* p12_crt.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -60,113 +60,289 @@
 #include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
+
+static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
+
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 	     STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
 	     int keytype)
 {
-	PKCS12 *p12;
-	STACK_OF(PKCS12_SAFEBAG) *bags;
-	STACK_OF(PKCS7) *safes;
-	PKCS12_SAFEBAG *bag;
-	PKCS8_PRIV_KEY_INFO *p8;
-	PKCS7 *authsafe;
-	X509 *tcert;
+	PKCS12 *p12 = NULL;
+	STACK_OF(PKCS7) *safes = NULL;
+	STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
+	PKCS12_SAFEBAG *bag = NULL;
 	int i;
 	unsigned char keyid[EVP_MAX_MD_SIZE];
-	unsigned int keyidlen;
+	unsigned int keyidlen = 0;
 
 	/* Set defaults */
-	if(!nid_cert)
-		{
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-		else
-#endif
-			nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
-		}
-	if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-	if(!iter) iter = PKCS12_DEFAULT_ITER;
-	if(!mac_iter) mac_iter = 1;
+	if (!nid_cert)
+		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+	if (!nid_key)
+		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+	if (!iter)
+		iter = PKCS12_DEFAULT_ITER;
+	if (!mac_iter)
+		mac_iter = 1;
 
-	if(!pkey || !cert) {
+	if(!pkey && !cert && !ca)
+		{
 		PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT);
 		return NULL;
-	}
-
-	if(!X509_check_private_key(cert, pkey)) return NULL;
+		}
 
-	if(!(bags = sk_PKCS12_SAFEBAG_new_null ())) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
+	if (pkey && cert)
+		{
+		if(!X509_check_private_key(cert, pkey))
+			return NULL;
+		X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
+		}
 
-	/* Add user certificate */
-	if(!(bag = PKCS12_x5092certbag(cert))) return NULL;
-	if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL;
-	X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
-	if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL;
+	if (cert)
+		{
+		bag = PKCS12_add_cert(&bags, cert);
+		if(name && !PKCS12_add_friendlyname(bag, name, -1))
+			goto err;
+		if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+			goto err;
+		}
 
-	if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	
 	/* Add all other certificates */
-	if(ca) {
-		for(i = 0; i < sk_X509_num(ca); i++) {
-			tcert = sk_X509_value(ca, i);
-			if(!(bag = PKCS12_x5092certbag(tcert))) return NULL;
-			if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {
-				PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-				return NULL;
+	for(i = 0; i < sk_X509_num(ca); i++)
+		{
+		if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
+			goto err;
+		}
+
+	if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
+			goto err;
+
+	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	bags = NULL;
+
+	if (pkey)
+		{
+		int cspidx;
+		bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
+
+		if (!bag)
+			goto err;
+
+		cspidx = EVP_PKEY_get_attr_by_NID(pkey, NID_ms_csp_name, -1);
+		if (cspidx >= 0)
+			{
+			X509_ATTRIBUTE *cspattr;
+			cspattr = EVP_PKEY_get_attr(pkey, cspidx);
+			if (!X509at_add1_attr(&bag->attrib, cspattr))
+				goto err;
 			}
+
+		if(name && !PKCS12_add_friendlyname(bag, name, -1))
+			goto err;
+		if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+			goto err;
 		}
-	}
 
-	/* Turn certbags into encrypted authsafe */
-	authsafe = PKCS12_pack_p7encdata (nid_cert, pass, -1, NULL, 0,
-					  iter, bags);
+	if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
+			goto err;
+
 	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	bags = NULL;
 
-	if (!authsafe) return NULL;
+	p12 = PKCS12_add_safes(safes, 0);
+
+	sk_PKCS7_pop_free(safes, PKCS7_free);
+
+	safes = NULL;
+
+	if ((mac_iter != -1) &&
+		!PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
+	    goto err;
+
+	return p12;
+
+	err:
+
+	if (p12)
+		PKCS12_free(p12);
+	if (safes)
+		sk_PKCS7_pop_free(safes, PKCS7_free);
+	if (bags)
+		sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	return NULL;
+
+}
+
+PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
+	{
+	PKCS12_SAFEBAG *bag = NULL;
+	char *name;
+	int namelen = -1;
+	unsigned char *keyid;
+	int keyidlen = -1;
+
+	/* Add user certificate */
+	if(!(bag = PKCS12_x5092certbag(cert)))
+		goto err;
+
+	/* Use friendlyName and localKeyID in certificate.
+	 * (if present)
+	 */
+
+	name = (char *)X509_alias_get0(cert, &namelen);
+
+	if(name && !PKCS12_add_friendlyname(bag, name, namelen))
+		goto err;
+
+	keyid = X509_keyid_get0(cert, &keyidlen);
+
+	if(keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+		goto err;
+
+	if (!pkcs12_add_bag(pbags, bag))
+		goto err;
+
+	return bag;
+
+	err:
+
+	if (bag)
+		PKCS12_SAFEBAG_free(bag);
+
+	return NULL;
 
-	if(!(safes = sk_PKCS7_new_null ())
-	   || !sk_PKCS7_push(safes, authsafe)) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
 	}
 
-	/* Make a shrouded key bag */
-	if(!(p8 = EVP_PKEY2PKCS8 (pkey))) return NULL;
-	if(keytype && !PKCS8_add_keyusage(p8, keytype)) return NULL;
-	bag = PKCS12_MAKE_SHKEYBAG (nid_key, pass, -1, NULL, 0, iter, p8);
-	if(!bag) return NULL;
-	PKCS8_PRIV_KEY_INFO_free(p8);
-        if (name && !PKCS12_add_friendlyname (bag, name, -1)) return NULL;
-	if(!PKCS12_add_localkeyid (bag, keyid, keyidlen)) return NULL;
-	if(!(bags = sk_PKCS12_SAFEBAG_new_null())
-	   || !sk_PKCS12_SAFEBAG_push (bags, bag)) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
+PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
+						int key_usage, int iter,
+						int nid_key, char *pass)
+	{
+
+	PKCS12_SAFEBAG *bag = NULL;
+	PKCS8_PRIV_KEY_INFO *p8 = NULL;
+
+	/* Make a PKCS#8 structure */
+	if(!(p8 = EVP_PKEY2PKCS8(key)))
+		goto err;
+	if(key_usage && !PKCS8_add_keyusage(p8, key_usage))
+		goto err;
+	if (nid_key != -1)
+		{
+		bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8);
+		PKCS8_PRIV_KEY_INFO_free(p8);
+		}
+	else
+		bag = PKCS12_MAKE_KEYBAG(p8);
+
+	if(!bag)
+		goto err;
+
+	if (!pkcs12_add_bag(pbags, bag))
+		goto err;
+
+	return bag;
+
+	err:
+
+	if (bag)
+		PKCS12_SAFEBAG_free(bag);
+
+	return NULL;
+
 	}
-	/* Turn it into unencrypted safe bag */
-	if(!(authsafe = PKCS12_pack_p7data (bags))) return NULL;
-	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-	if(!sk_PKCS7_push(safes, authsafe)) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
+
+int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
+						int nid_safe, int iter, char *pass)
+	{
+	PKCS7 *p7 = NULL;
+	int free_safes = 0;
+
+	if (!*psafes)
+		{
+		*psafes = sk_PKCS7_new_null();
+		if (!*psafes)
+			return 0;
+		free_safes = 1;
+		}
+	else
+		free_safes = 0;
+
+	if (nid_safe == 0)
+		nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
+	if (nid_safe == -1)
+		p7 = PKCS12_pack_p7data(bags);
+	else
+		p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0,
+					  iter, bags);
+	if (!p7)
+		goto err;
+
+	if (!sk_PKCS7_push(*psafes, p7))
+		goto err;
+
+	return 1;
+
+	err:
+	if (free_safes)
+		{
+		sk_PKCS7_free(*psafes);
+		*psafes = NULL;
+		}
+
+	if (p7)
+		PKCS7_free(p7);
+
+	return 0;
+
 	}
 
-	if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL;
+static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag)
+	{
+	int free_bags;
+	if (!pbags)
+		return 1;
+	if (!*pbags)
+		{
+		*pbags = sk_PKCS12_SAFEBAG_new_null();
+		if (!*pbags)
+			return 0;
+		free_bags = 1;
+		}
+	else 
+		free_bags = 0;
 
-	if(!PKCS12_pack_authsafes (p12, safes)) return NULL;
+	if (!sk_PKCS12_SAFEBAG_push(*pbags, bag))
+		{
+		if (free_bags)
+			{
+			sk_PKCS12_SAFEBAG_free(*pbags);
+			*pbags = NULL;
+			}
+		return 0;
+		}
 
-	sk_PKCS7_pop_free(safes, PKCS7_free);
+	return 1;
+
+	}
+		
+
+PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
+	{
+	PKCS12 *p12;
+	if (nid_p7 <= 0)
+		nid_p7 = NID_pkcs7_data;
+	p12 = PKCS12_init(nid_p7);
+
+	if (!p12)
+		return NULL;
 
-	if(!PKCS12_set_mac (p12, pass, -1, NULL, 0, mac_iter, NULL))
-	    return NULL;
+	if(!PKCS12_pack_authsafes(p12, safes))
+		{
+		PKCS12_free(p12);
+		return NULL;
+		}
 
 	return p12;
 
-}
+	}
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
index b5684a83ba..74c961a92b 100644
--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -113,13 +113,14 @@ unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
 void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
 	     const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf)
 {
-	unsigned char *out, *p;
+	unsigned char *out;
+	const unsigned char *p;
 	void *ret;
 	int outlen;
 
 	if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
 			       &out, &outlen, 0)) {
-		PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
 		return NULL;
 	}
 	p = out;
@@ -137,7 +138,7 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
 #endif
 	ret = ASN1_item_d2i(NULL, &p, outlen, it);
 	if (zbuf) OPENSSL_cleanse(out, outlen);
-	if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
+	if(!ret) PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
 	OPENSSL_free(out);
 	return ret;
 }
@@ -154,17 +155,17 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *i
 	unsigned char *in = NULL;
 	int inlen;
 	if (!(oct = M_ASN1_OCTET_STRING_new ())) {
-		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	inlen = ASN1_item_i2d(obj, &in, it);
 	if (!in) {
-		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR);
 		return NULL;
 	}
 	if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data,
 				 &oct->length, 1)) {
-		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR);
 		OPENSSL_free(in);
 		return NULL;
 	}
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
index 5276b12669..6bdc132631 100644
--- a/src/lib/libcrypto/pkcs12/p12_init.c
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -62,7 +62,7 @@
 
 /* Initialise a PKCS12 structure to take data */
 
-PKCS12 *PKCS12_init (int mode)
+PKCS12 *PKCS12_init(int mode)
 {
 	PKCS12 *pkcs12;
 	if (!(pkcs12 = PKCS12_new())) {
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index 9196a34b4a..18e72d0a1b 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/pkcs12.h>
-
+#include <openssl/bn.h>
 
 /* Uncomment out this line to get debugging info about key generation */
 /*#define DEBUG_KEYGEN*/
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index 2b31999e11..c2ee2cc6f3 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -80,7 +80,7 @@ static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
  * passed unitialised.
  */
 
-int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 	     STACK_OF(X509) **ca)
 {
 
@@ -141,7 +141,7 @@ int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 
 /* Parse the outer PKCS#12 structure */
 
-static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
+static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
 	     EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
 {
 	STACK_OF(PKCS7) *asafes;
@@ -178,10 +178,10 @@ static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
 }
 
 
-static int parse_bags (STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
-		       int passlen, EVP_PKEY **pkey, X509 **cert,
-		       STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
-		       char *keymatch)
+static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
+		      int passlen, EVP_PKEY **pkey, X509 **cert,
+		      STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
+		      char *keymatch)
 {
 	int i;
 	for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
@@ -197,9 +197,9 @@ static int parse_bags (STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
 #define MATCH_ALL  0x3
 
 static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
-		      EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
-		      ASN1_OCTET_STRING **keyid,
-	     char *keymatch)
+		     EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
+		     ASN1_OCTET_STRING **keyid,
+		     char *keymatch)
 {
 	PKCS8_PRIV_KEY_INFO *p8;
 	X509 *x509;
@@ -221,7 +221,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 			if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;
 		} else {
 			if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
-				PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE);
+				PKCS12err(PKCS12_F_PARSE_BAG,ERR_R_MALLOC_FAILURE);
 				return 0;
 		    }
 		}
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 140d21155e..c408cc8ab8 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -64,12 +64,12 @@
 #include <openssl/pkcs12.h>
 
 /* Generate a MAC */
-int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
-		    unsigned char *mac, unsigned int *maclen)
+int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+		   unsigned char *mac, unsigned int *maclen)
 {
 	const EVP_MD *md_type;
 	HMAC_CTX hmac;
-	unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
+	unsigned char key[EVP_MAX_MD_SIZE], *salt;
 	int saltlen, iter;
 
 	if (!PKCS7_type_is_data(p12->authsafes))
@@ -88,12 +88,12 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
 		return 0;
 	}
 	if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
-				 PKCS12_MAC_KEY_LENGTH, key, md_type)) {
+				 EVP_MD_size(md_type), key, md_type)) {
 		PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR);
 		return 0;
 	}
 	HMAC_CTX_init(&hmac);
-	HMAC_Init_ex(&hmac, key, PKCS12_MAC_KEY_LENGTH, md_type, NULL);
+	HMAC_Init_ex(&hmac, key, EVP_MD_size(md_type), md_type, NULL);
     	HMAC_Update(&hmac, p12->authsafes->d.data->data,
 					 p12->authsafes->d.data->length);
     	HMAC_Final(&hmac, mac, maclen);
@@ -102,16 +102,16 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
 }
 
 /* Verify the mac */
-int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen)
+int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
 {
 	unsigned char mac[EVP_MAX_MD_SIZE];
 	unsigned int maclen;
 	if(p12->mac == NULL) {
-		PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_ABSENT);
+		PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,PKCS12_R_MAC_ABSENT);
 		return 0;
 	}
 	if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
-		PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR);
+		PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR);
 		return 0;
 	}
 	if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
@@ -121,7 +121,7 @@ int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen)
 
 /* Set a mac */
 
-int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
+int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
 	     unsigned char *salt, int saltlen, int iter, const EVP_MD *md_type)
 {
 	unsigned char mac[EVP_MAX_MD_SIZE];
@@ -145,7 +145,7 @@ int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
 }
 
 /* Set up a mac structure */
-int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
+int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
 	     const EVP_MD *md_type)
 {
 	if (!(p12->mac = PKCS12_MAC_DATA_new())) return PKCS12_ERROR;
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
index af708a2743..48eacc5c49 100644
--- a/src/lib/libcrypto/pkcs12/p12_npas.c
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -77,28 +77,26 @@ static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
 
 int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
 {
+	/* Check for NULL PKCS12 structure */
 
-/* Check for NULL PKCS12 structure */
-
-if(!p12) {
-	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
-	return 0;
-}
-
-/* Check the mac */
-
-if (!PKCS12_verify_mac(p12, oldpass, -1)) {
-	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE);
-	return 0;
-}
+	if(!p12) {
+		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+		return 0;
+	}
 
-if (!newpass_p12(p12, oldpass, newpass)) {
-	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR);
-	return 0;
-}
+	/* Check the mac */
+	
+	if (!PKCS12_verify_mac(p12, oldpass, -1)) {
+		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE);
+		return 0;
+	}
 
-return 1;
+	if (!newpass_p12(p12, oldpass, newpass)) {
+		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR);
+		return 0;
+	}
 
+	return 1;
 }
 
 /* Parse the outer PKCS#12 structure */
@@ -206,7 +204,8 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
 static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
 {
         PBEPARAM *pbe;
-        unsigned char *p;
+        const unsigned char *p;
+
         p = alg->parameter->value.sequence->data;
         pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
         *pnid = OBJ_obj2nid(alg->algorithm);
diff --git a/src/lib/libcrypto/pkcs12/pk12err.c b/src/lib/libcrypto/pkcs12/pk12err.c
index a33b37b1c7..07a1fb6907 100644
--- a/src/lib/libcrypto/pkcs12/pk12err.c
+++ b/src/lib/libcrypto/pkcs12/pk12err.c
@@ -70,16 +70,18 @@
 
 static ERR_STRING_DATA PKCS12_str_functs[]=
 	{
+{ERR_FUNC(PKCS12_F_PARSE_BAG),	"PARSE_BAG"},
 {ERR_FUNC(PKCS12_F_PARSE_BAGS),	"PARSE_BAGS"},
 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME),	"PKCS12_ADD_FRIENDLYNAME"},
 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC),	"PKCS12_add_friendlyname_asc"},
 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI),	"PKCS12_add_friendlyname_uni"},
 {ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID),	"PKCS12_add_localkeyid"},
 {ERR_FUNC(PKCS12_F_PKCS12_CREATE),	"PKCS12_create"},
-{ERR_FUNC(PKCS12_F_PKCS12_DECRYPT_D2I),	"PKCS12_DECRYPT_D2I"},
 {ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC),	"PKCS12_gen_mac"},
-{ERR_FUNC(PKCS12_F_PKCS12_I2D_ENCRYPT),	"PKCS12_I2D_ENCRYPT"},
 {ERR_FUNC(PKCS12_F_PKCS12_INIT),	"PKCS12_init"},
+{ERR_FUNC(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I),	"PKCS12_item_decrypt_d2i"},
+{ERR_FUNC(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT),	"PKCS12_item_i2d_encrypt"},
+{ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG),	"PKCS12_item_pack_safebag"},
 {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC),	"PKCS12_key_gen_asc"},
 {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI),	"PKCS12_key_gen_uni"},
 {ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG),	"PKCS12_MAKE_KEYBAG"},
@@ -87,7 +89,6 @@ static ERR_STRING_DATA PKCS12_str_functs[]=
 {ERR_FUNC(PKCS12_F_PKCS12_NEWPASS),	"PKCS12_newpass"},
 {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA),	"PKCS12_pack_p7data"},
 {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA),	"PKCS12_pack_p7encdata"},
-{ERR_FUNC(PKCS12_F_PKCS12_PACK_SAFEBAG),	"PKCS12_PACK_SAFEBAG"},
 {ERR_FUNC(PKCS12_F_PKCS12_PARSE),	"PKCS12_parse"},
 {ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT),	"PKCS12_pbe_crypt"},
 {ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN),	"PKCS12_PBE_keyivgen"},
@@ -95,9 +96,9 @@ static ERR_STRING_DATA PKCS12_str_functs[]=
 {ERR_FUNC(PKCS12_F_PKCS12_SET_MAC),	"PKCS12_set_mac"},
 {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES),	"PKCS12_unpack_authsafes"},
 {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA),	"PKCS12_unpack_p7data"},
+{ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC),	"PKCS12_verify_mac"},
 {ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE),	"PKCS8_add_keyusage"},
 {ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT),	"PKCS8_encrypt"},
-{ERR_FUNC(PKCS12_F_VERIFY_MAC),	"VERIFY_MAC"},
 {0,NULL}
 	};
 
@@ -132,15 +133,12 @@ static ERR_STRING_DATA PKCS12_str_reasons[]=
 
 void ERR_load_PKCS12_strings(void)
 	{
-	static int init=1;
+#ifndef OPENSSL_NO_ERR
 
-	if (init)
+	if (ERR_func_error_string(PKCS12_str_functs[0].error) == NULL)
 		{
-		init=0;
-#ifndef OPENSSL_NO_ERR
 		ERR_load_strings(0,PKCS12_str_functs);
 		ERR_load_strings(0,PKCS12_str_reasons);
-#endif
-
 		}
+#endif
 	}
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index fb8af82d4f..a2d7e359a0 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -249,6 +249,15 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 			 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
 						 int mac_iter, int keytype);
+
+PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert);
+PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
+						int key_usage, int iter,
+						int key_nid, char *pass);
+int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
+					int safe_nid, int iter, char *pass);
+PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid);
+
 int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
 int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12);
 PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12);
@@ -264,16 +273,18 @@ void ERR_load_PKCS12_strings(void);
 /* Error codes for the PKCS12 functions. */
 
 /* Function codes. */
+#define PKCS12_F_PARSE_BAG				 129
 #define PKCS12_F_PARSE_BAGS				 103
 #define PKCS12_F_PKCS12_ADD_FRIENDLYNAME		 100
 #define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC		 127
 #define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI		 102
 #define PKCS12_F_PKCS12_ADD_LOCALKEYID			 104
 #define PKCS12_F_PKCS12_CREATE				 105
-#define PKCS12_F_PKCS12_DECRYPT_D2I			 106
 #define PKCS12_F_PKCS12_GEN_MAC				 107
-#define PKCS12_F_PKCS12_I2D_ENCRYPT			 108
 #define PKCS12_F_PKCS12_INIT				 109
+#define PKCS12_F_PKCS12_ITEM_DECRYPT_D2I		 106
+#define PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT		 108
+#define PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG		 117
 #define PKCS12_F_PKCS12_KEY_GEN_ASC			 110
 #define PKCS12_F_PKCS12_KEY_GEN_UNI			 111
 #define PKCS12_F_PKCS12_MAKE_KEYBAG			 112
@@ -281,17 +292,16 @@ void ERR_load_PKCS12_strings(void);
 #define PKCS12_F_PKCS12_NEWPASS				 128
 #define PKCS12_F_PKCS12_PACK_P7DATA			 114
 #define PKCS12_F_PKCS12_PACK_P7ENCDATA			 115
-#define PKCS12_F_PKCS12_PACK_SAFEBAG			 117
 #define PKCS12_F_PKCS12_PARSE				 118
 #define PKCS12_F_PKCS12_PBE_CRYPT			 119
 #define PKCS12_F_PKCS12_PBE_KEYIVGEN			 120
 #define PKCS12_F_PKCS12_SETUP_MAC			 122
 #define PKCS12_F_PKCS12_SET_MAC				 123
-#define PKCS12_F_PKCS12_UNPACK_AUTHSAFES		 129
-#define PKCS12_F_PKCS12_UNPACK_P7DATA			 130
+#define PKCS12_F_PKCS12_UNPACK_AUTHSAFES		 130
+#define PKCS12_F_PKCS12_UNPACK_P7DATA			 131
+#define PKCS12_F_PKCS12_VERIFY_MAC			 126
 #define PKCS12_F_PKCS8_ADD_KEYUSAGE			 124
 #define PKCS12_F_PKCS8_ENCRYPT				 125
-#define PKCS12_F_VERIFY_MAC				 126
 
 /* Reason codes. */
 #define PKCS12_R_CANT_PACK_STRUCTURE			 100
-- 
cgit v1.2.3-55-g6feb