In the function EVP_PBE_CipherInit there are missing checks for
unavailable algorithms (such as when they are not compiled in or when
OpenSSL_add_all_algorithms() is not called).
The attached patch adds the checks, although new error codes should
probably be added for these failures.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
diff -up openssl-1.0.0-beta4/crypto/evp/evp_pbe.c.no-cipher openssl-1.0.0-beta4/crypto/evp/evp_pbe.c
--- openssl-1.0.0-beta4/crypto/evp/evp_pbe.c.no-cipher 2008-11-05 19:38:57.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/evp/evp_pbe.c 2009-12-14 22:54:27.000000000 +0100
@@ -174,12 +174,20 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_
if (cipher_nid == -1)
cipher = NULL;
else
- cipher = EVP_get_cipherbynid(cipher_nid);
+ if ((cipher = EVP_get_cipherbynid(cipher_nid)) == NULL)
+ {
+ EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_KEYGEN_FAILURE);
+ return 0;
+ }
if (md_nid == -1)
md = NULL;
else
- md = EVP_get_digestbynid(md_nid);
+ if ((md = EVP_get_digestbynid(md_nid)) == NULL)
+ {
+ EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_KEYGEN_FAILURE);
+ return 0;
+ }
if (!keygen(ctx, pass, passlen, param, cipher, md, en_de))
{