From cdb6c48445ded3daafab32e5f266943d07bb512b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 30 May 2013 21:39:50 +0100 Subject: [PATCH] Don't use RC2 with PKCS#12 files in FIPS mode. --- apps/pkcs12.c | 9 ++++++++- crypto/pkcs12/p12_crt.c | 5 +++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index b54c6f84a4..4d62a7b8ca 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -112,7 +112,7 @@ int MAIN(int argc, char **argv) int maciter = PKCS12_DEFAULT_ITER; int twopass = 0; int keytype = 0; - int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + int cert_pbe; int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int ret = 1; int macver = 1; @@ -130,6 +130,13 @@ int MAIN(int argc, char **argv) apps_startup(); +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + else +#endif + cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + enc = EVP_des_ede3_cbc(); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 96b131defa..9d9a25d099 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -90,6 +90,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, /* Set defaults */ if (!nid_cert) +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + else +#endif nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; -- 2.25.1