Don't use RC2 with PKCS#12 files in FIPS mode.

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index b54c6f84a4a095d4fcc93c90a3adb19abf9f1a5e..4d62a7b8cabd3e30465c637ad29707dd50d3cec7 100644 (file)
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -112,7 +112,7 @@ int MAIN(int argc, char **argv)
     int maciter = PKCS12_DEFAULT_ITER;
     int twopass = 0;
     int keytype = 0;
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int cert_pbe;
     int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
     int ret = 1;
     int macver = 1;
@@ -130,6 +130,13 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+       cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+#endif
+    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 

diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c
index 96b131defa0cadb3df00e170698913c5952257f2..9d9a25d0990c7f1c4b977476758cc86ecd73a79f 100644 (file)
--- a/crypto/pkcs12/p12_crt.c
+++ b/crypto/pkcs12/p12_crt.c
@@ -90,6 +90,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
        /* Set defaults */
        if (!nid_cert)
+#ifdef OPENSSL_FIPS
+               if (FIPS_mode())
+                       nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+               else
+#endif
                nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
        if (!nid_key)
                nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;