root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Don't use RC2 with PKCS#12 files in FIPS mode. 

(cherry picked from commit cdb6c48445)
This commit is contained in:
Dr. Stephen Henson 2013-05-30 21:39:50 +01:00
parent 233ebcb543
commit af908bc48b
2 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
apps/pkcs12.c
View File

@ -112,7 +112,7 @@ int MAIN(int argc, char **argv)
int maciter = PKCS12_DEFAULT_ITER;
int twopass = 0;
int keytype = 0;
int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
int cert_pbe;
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1;
int macver = 1;
@ -130,6 +130,13 @@ int MAIN(int argc, char **argv)
apps_startup();
#ifdef OPENSSL_FIPS
if (FIPS_mode())
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
else
#endif
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
enc = EVP_des_ede3_cbc();
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);

5
crypto/pkcs12/p12_crt.c
View File

@ -90,6 +90,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
/* Set defaults */
if (!nid_cert)
#ifdef OPENSSL_FIPS
if (FIPS_mode())
nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
else
#endif
nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
if (!nid_key)
nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;