From: Dr. Stephen Henson
Date: Thu, 30 May 2013 20:39:50 +0000 (+0100)
Subject: Don't use RC2 with PKCS#12 files in FIPS mode.
X-Git-Tag: OpenSSL_1_0_1f~68
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cdb6c48445ded3daafab32e5f266943d07bb512b;p=oweals%2Fopenssl.git
Don't use RC2 with PKCS#12 files in FIPS mode.
---
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index b54c6f84a4..4d62a7b8ca 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -112,7 +112,7 @@ int MAIN(int argc, char **argv)
 int maciter = PKCS12_DEFAULT_ITER;
 int twopass = 0;
 int keytype = 0;
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ int cert_pbe;
 int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 int ret = 1;
 int macver = 1;
@@ -130,6 +130,13 @@ int MAIN(int argc, char **argv)
 apps_startup();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ else
+#endif
+ cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ enc = EVP_des_ede3_cbc();
 if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c
index 96b131defa..9d9a25d099 100644
--- a/crypto/pkcs12/p12_crt.c
+++ b/crypto/pkcs12/p12_crt.c
@@ -90,6 +90,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 /* Set defaults */
 if (!nid_cert)
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ else
+#endif
 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
 if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
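Review bot: In the second apps/pkcs12.c hunk the certificate PBE default is chosen once, directly after `apps_startup()`, so it reflects the FIPS state at that instant only. If FIPS mode can still be enabled later in MAIN (for example by configuration that is loaded further down, outside this hunk; worth confirming), `cert_pbe` would stay at 40-bit RC2 and the failure would surface only when the file is written. The first hunk also leaves `cert_pbe` uninitialised at its declaration, so nothing may read it before this assignment. I would document both facts at the assignment with a comment such as `/* Default cert PBE: weak 40-bit RC2 legacy default, replaced by 3DES when FIPS mode is already active here; must be set before option parsing can override it */`. MAIN starts and ends outside both hunks.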
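Review bot: In the crypto/pkcs12/p12_crt.c hunk the new `if (FIPS_mode()) ... else` sits unbraced under `if (!nid_cert)` and its `else` branch is completed by a statement on the far side of `#endif`. That binds correctly today, but one extra statement or a changed `#ifdef` would silently alter which `if` the `else` belongs to. Bracing the outer test, `if (!nid_cert) {` before the `#ifdef` and `}` after the RC2 assignment, removes that risk. Only the zero/default case is redirected, so a caller that passes the RC2 NID explicitly is not covered by this hunk, and non-FIPS builds still default the certificate bag to 40-bit RC2. A comment like `/* 40-bit RC2 is a weak legacy default; pass nid_cert explicitly for stronger certificate encryption */` would make that visible. PKCS12_create begins and ends outside the hunk.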