generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't use RC2 with PKCS#12 files in FIPS mode.

Browse Source
This commit is contained in:
Dr. Stephen Henson 2013-05-30 21:39:50 +01:00
parent 04b727b4dd
commit cdb6c48445
2 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
apps/pkcs12.c
View File

@ -112,7 +112,7 @@ int MAIN(int argc, char **argv)
int maciter = PKCS12_DEFAULT_ITER; int maciter = PKCS12_DEFAULT_ITER;
int twopass = 0; int twopass = 0;
int keytype = 0; int keytype = 0;
int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; int cert_pbe;
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1; int ret = 1;
int macver = 1; int macver = 1;
@ -130,6 +130,13 @@ int MAIN(int argc, char **argv)
apps_startup(); apps_startup();
#ifdef OPENSSL_FIPS
if (FIPS_mode())
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
else
#endif
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
enc = EVP_des_ede3_cbc(); enc = EVP_des_ede3_cbc();
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);

5
crypto/pkcs12/p12_crt.c
View File

@ -90,6 +90,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
/* Set defaults */ /* Set defaults */
if (!nid_cert) if (!nid_cert)
#ifdef OPENSSL_FIPS
if (FIPS_mode())
nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
else
#endif
nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
if (!nid_key) if (!nid_key)
nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;