diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c --- a/lib/pk11wrap/pk11mech.c +++ b/lib/pk11wrap/pk11mech.c @@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI case CKM_BATON_ECB96: case CKM_BATON_CBC128: case CKM_BATON_COUNTER: case CKM_BATON_SHUFFLE: case CKM_JUNIPER_ECB128: case CKM_JUNIPER_CBC128: case CKM_JUNIPER_COUNTER: case CKM_JUNIPER_SHUFFLE: - newParams = SEC_ASN1EncodeItem(NULL, NULL, param, - SEC_ASN1_GET(SEC_OctetStringTemplate)); - if (newParams == NULL) - break; + /* if no parameters have been supplied, then encode a NULL params + */ + if (param && param->len > 0) { + newParams = SEC_ASN1EncodeItem(NULL, NULL, param, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (newParams == NULL) + break; + } else { + newParams = NULL; + } rv = SECSuccess; break; } if (rv != SECSuccess) { if (newParams) SECITEM_FreeItem(newParams, PR_TRUE); return rv; diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c --- a/lib/pk11wrap/pk11pbe.c +++ b/lib/pk11wrap/pk11pbe.c @@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg * algorithm is). We use choose this algorithm oid based on the * cipherAlgorithm to determine what this should be (MAC1 or PBES2). */ if (algorithm == SEC_OID_PKCS5_PBKDF2) { /* choose mac or pbes */ algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm); } + SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); + /* set the PKCS5v2 specific parameters */ if (keyLength == 0) { - SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); if (hashAlg != SEC_OID_UNKNOWN) { keyLength = HASH_ResultLenByOidTag(hashAlg); } else { keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm); } if (keyLength <= 0) { goto loser; } } /* currently SEC_OID_HMAC_SHA1 is the default */ if (prfAlg == SEC_OID_UNKNOWN) { prfAlg = SEC_OID_HMAC_SHA1; } - /* build the PKCS5v2 cipher algorithm id */ - cipherParams = pk11_GenerateNewParamWithKeyLen( - PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); - if (!cipherParams) { - goto loser; + /* build the PKCS5v2 cipher algorithm id, if cipher + * is an HMAC, the cipherParams should be NULL */ + if (hashAlg == SEC_OID_UNKNOWN) { + cipherParams = pk11_GenerateNewParamWithKeyLen( + PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); + if (!cipherParams) { + goto loser; + } + } else { + cipherParams = NULL; } PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param)); rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams, poolp, &pbeV2_param.cipherAlgId); - SECITEM_FreeItem(cipherParams, PR_TRUE); + if (cipherParams) { + SECITEM_FreeItem(cipherParams, PR_TRUE); + } if (rv != SECSuccess) { goto loser; } } /* generate the parameter */ pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration, keyLength, prfAlg); diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c --- a/lib/util/secalgid.c +++ b/lib/util/secalgid.c @@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid)) return SECFailure; if ((secoid_IsRSAPKCS1(which)) || - (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) { + (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* || + (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) { add_null_param = PR_TRUE; } else { add_null_param = PR_FALSE; } if (params) { /* * I am specifically *not* enforcing the following assertion