=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/enc.c,v retrieving revision 1.14 retrieving revision 1.15 diff -c -r1.14 -r1.15 *** src/usr.bin/openssl/enc.c 2018/02/07 05:47:55 1.14 --- src/usr.bin/openssl/enc.c 2019/01/18 03:45:47 1.15 *************** *** 1,4 **** ! /* $OpenBSD: enc.c,v 1.14 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * --- 1,4 ---- ! /* $OpenBSD: enc.c,v 1.15 2019/01/18 03:45:47 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * *************** *** 99,104 **** --- 99,106 ---- char *passarg; int printkey; int verbose; + int iter; + int pbkdf2; } enc_config; static int *************** *** 273,278 **** --- 275,292 ---- .type = OPTION_FLAG, .opt.flag = &enc_config.verbose, }, + { + .name = "iter", + .desc = "Specify iteration count and force use of PBKDF2", + .type = OPTION_VALUE, + .opt.value = &enc_config.iter, + }, + { + .name = "pbkdf2", + .desc = "Use the pbkdf2 key derivation function", + .type = OPTION_FLAG, + .opt.flag = &enc_config.pbkdf2, + }, #ifdef ZLIB { .name = "z", *************** *** 416,422 **** goto end; } if (dgst == NULL) { ! dgst = EVP_md5(); /* XXX */ } if (enc_config.bufsize != NULL) { --- 430,436 ---- goto end; } if (dgst == NULL) { ! dgst = EVP_sha256(); } if (enc_config.bufsize != NULL) { *************** *** 604,613 **** } sptr = salt; } ! EVP_BytesToKey(enc_config.cipher, dgst, sptr, ! (unsigned char *)enc_config.keystr, ! strlen(enc_config.keystr), 1, key, iv); /* * zero the complete buffer or the string passed from * the command line bug picked up by Larry J. 
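Review bot: In the option-table hunk (new lines 275-292), `-iter` is declared with `.type = OPTION_VALUE`, which as far as I can tell stores the entry's constant `.value` field instead of parsing an argument; the option parser is outside this diff, so please confirm. If that is right, `-iter` sets `enc_config.iter` to 0 and never records the requested count. Without `-pbkdf2`, the later test `enc_config.iter > 0` is then false and key derivation silently falls back to `EVP_BytesToKey` with a count of 1. The description implies an integer argument, so the entry should read `.argname = "iterations",` and `.type = OPTION_ARG_INT,`.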
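Review bot: The default-digest hunk (new lines 430-436) replaces `EVP_md5(); /* XXX */` with a bare `EVP_sha256();` and leaves no comment about compatibility. `dgst` feeds both `EVP_BytesToKey` and `PKCS5_PBKDF2_HMAC` in the last hunk, so files encrypted with the old default will derive a different key and fail to decrypt unless the digest is named explicitly. I would add a comment on the assignment such as `/* default was MD5 before rev 1.15; older files need -md md5 */` and mention the same in the manual page.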
Hughes --- 618,652 ---- } sptr = salt; } + if (enc_config.pbkdf2 == 1 || enc_config.iter > 0) { + /* + * derive key and default iv + * concatenated into a temporary buffer + */ + unsigned char tmpkeyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH]; + int iklen = EVP_CIPHER_key_length(enc_config.cipher); + int ivlen = EVP_CIPHER_iv_length(enc_config.cipher); + /* not needed if HASH_UPDATE() is fixed : */ + int islen = (sptr != NULL ? sizeof(salt) : 0); ! if (enc_config.iter == 0) ! enc_config.iter = 10000; ! ! if (!PKCS5_PBKDF2_HMAC(enc_config.keystr, ! strlen(enc_config.keystr), sptr, islen, ! enc_config.iter, dgst, iklen+ivlen, tmpkeyiv)) { ! BIO_printf(bio_err, "PKCS5_PBKDF2_HMAC failed\n"); ! goto end; ! } ! /* split and move data back to global buffer */ ! memcpy(key, tmpkeyiv, iklen); ! memcpy(iv, tmpkeyiv+iklen, ivlen); ! } else { ! EVP_BytesToKey(enc_config.cipher, dgst, sptr, ! (unsigned char *)enc_config.keystr, ! strlen(enc_config.keystr), 1, key, iv); ! } ! /* * zero the complete buffer or the string passed from * the command line bug picked up by Larry J. Hughes
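Review bot: `tmpkeyiv` holds the derived key and IV on the stack and is never cleared, neither after the two `memcpy` calls nor on the `goto end` failure path. Add `explicit_bzero(tmpkeyiv, sizeof(tmpkeyiv));` after the copies and before the `goto end`. Separately, a negative `enc_config.iter` together with `-pbkdf2` skips the `== 0` default and reaches `PKCS5_PBKDF2_HMAC` unchanged; rejecting it up front with something like `if (enc_config.iter < 0) { BIO_printf(bio_err, "invalid iteration count\n"); goto end; }` would make the failure explicit. The enclosing function and the declaration of `salt` are outside this hunk, so `sizeof(salt)` is assumed to be the size of an array, not of a pointer.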