From e8518f847e44a4cf95bb364d00ec3a2751298fb3 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 1 Mar 2006 21:15:24 +0000
Subject: [PATCH] Check EVP_DigestInit return value in EVP_BytesToKey() and use
 supported algorithm in PKCS12_create in FIPS mode.

---
 crypto/evp/evp_key.c    |  3 ++-
 crypto/pkcs12/p12_crt.c | 10 +++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c
index 5f387a94d3..f8650d5df6 100644
--- a/crypto/evp/evp_key.c
+++ b/crypto/evp/evp_key.c
@@ -126,7 +126,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 	EVP_MD_CTX_init(&c);
 	for (;;)
 		{
-		EVP_DigestInit_ex(&c,md, NULL);
+		if (!EVP_DigestInit_ex(&c,md, NULL))
+			return 0;
 		if (addmd++)
 			EVP_DigestUpdate(&c,&(md_buf[0]),mds);
 		EVP_DigestUpdate(&c,data,datal);
diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c
index 4c36c643ce..40340a7bef 100644
--- a/crypto/pkcs12/p12_crt.c
+++ b/crypto/pkcs12/p12_crt.c
@@ -76,7 +76,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 	unsigned int keyidlen;
 
 	/* Set defaults */
-	if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+	if(!nid_cert)
+		{
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+		else
+#endif
+			nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+		}
 	if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 	if(!iter) iter = PKCS12_DEFAULT_ITER;
 	if(!mac_iter) mac_iter = 1;
-- 
2.25.1