From 63e3676e6811874951f222a1fcbe9e2e7751cfbf Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sat, 26 Jun 2010 12:55:01 +0000
Subject: [PATCH] fix so it is safe to repeatedly add PBE algorithms

---
 CHANGES              |  6 +++++-
 crypto/evp/evp_pbe.c | 51 +++++++++++++++++++++++++++++++++++++-------
 2 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index fd178b9398..4b72bf85d9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,11 @@
 
  Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
 
-  *)
+  *) Don't repeatedly append PBE algorithms to table if they already exist.
+     Sort table on each new add. This effectively makes the table read only
+     after all algorithms are added and subsequent calls to PKCS12_pbe_add
+     etc are non-op.
+     [Steve Henson]
 
  Changes between 0.9.8n and 0.9.8o [01 Jun 2010]
 
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
index 5e830be65f..278f4858c4 100644
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@@ -116,17 +116,52 @@ static int pbe_cmp(const char * const *a, const char * const *b)
 int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
 	     EVP_PBE_KEYGEN *keygen)
 {
-	EVP_PBE_CTL *pbe_tmp;
-	if (!pbe_algs) pbe_algs = sk_new(pbe_cmp);
-	if (!(pbe_tmp = (EVP_PBE_CTL*) OPENSSL_malloc (sizeof(EVP_PBE_CTL)))) {
-		EVPerr(EVP_F_EVP_PBE_ALG_ADD,ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	pbe_tmp->pbe_nid = nid;
+	EVP_PBE_CTL *pbe_tmp, pbelu;
+	int i;
+	if (!pbe_algs)
+		{
+		pbe_algs = sk_new(pbe_cmp);
+		if (!pbe_algs)
+			{
+			EVPerr(EVP_F_EVP_PBE_ALG_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		}
+	else
+		{
+		/* Check if already present */
+		pbelu.pbe_nid = nid;
+		i = sk_find(pbe_algs, (char *)&pbelu);
+		if (i >= 0)
+			{
+			pbe_tmp = (EVP_PBE_CTL *)sk_value(pbe_algs, i);
+			/* If everything identical leave alone */
+			if (pbe_tmp->cipher == cipher
+				&& pbe_tmp->md == md
+				&& pbe_tmp->keygen == keygen)
+				return 1;
+			}
+		else
+			pbe_tmp = NULL;
+		}
+
+	if (!pbe_tmp)
+		{
+		pbe_tmp = OPENSSL_malloc (sizeof(EVP_PBE_CTL));
+		if (!pbe_tmp)
+			{
+			EVPerr(EVP_F_EVP_PBE_ALG_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		/* If adding a new PBE, set nid, append and sort */
+		pbe_tmp->pbe_nid = nid;
+		sk_push (pbe_algs, (char *)pbe_tmp);
+		sk_sort(pbe_algs);
+		}
+		
 	pbe_tmp->cipher = cipher;
 	pbe_tmp->md = md;
 	pbe_tmp->keygen = keygen;
-	sk_push (pbe_algs, (char *)pbe_tmp);
 	return 1;
 }
 
-- 
2.25.1