Add feature to PKCS12_create() if the encryption NID corresponds to a

supported encryption algorithm instead of a PBE NID then use that
algorithm with PBES2.

1 files changed, 18 insertions, 2 deletions

diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index 41bdc00551..509a5a1770 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -106,6 +106,7 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
 	     PKCS8_PRIV_KEY_INFO *p8)
 {
 	PKCS12_SAFEBAG *bag;
+	const EVP_CIPHER *pbe_ciph;
 
 	/* Set up the safe bag */
 	if (!(bag = PKCS12_SAFEBAG_new())) {
@@ -114,8 +115,14 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
 	}
 
 	bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+
+	pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+
+	if (pbe_ciph)
+		pbe_nid = -1;
+
 	if (!(bag->value.shkeybag = 
-	  PKCS8_encrypt(pbe_nid, NULL, pass, passlen, salt, saltlen, iter,
+	  PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
 									 p8))) {
 		PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
 		return NULL;
@@ -164,6 +171,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
 {
 	PKCS7 *p7;
 	X509_ALGOR *pbe;
+	const EVP_CIPHER *pbe_ciph;
 	if (!(p7 = PKCS7_new())) {
 		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
 		return NULL;
@@ -173,7 +181,15 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
 				PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
 		return NULL;
 	}
-	if (!(pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen))) {
+
+	pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+
+	if (pbe_ciph)
+		pbe = PKCS5_pbe2_set(pbe_ciph, iter, salt, saltlen);
+	else
+		pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+
+	if (!pbe) {
 		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}