Commit af908bc4 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Don't use RC2 with PKCS#12 files in FIPS mode. 

(cherry picked from commit cdb6c484)
parent 233ebcb5

apps/pkcs12.c

+8 −1
Original line number Diff line number Diff line
@@ -112,7 +112,7 @@ int MAIN(int argc, char **argv) 
    int maciter = PKCS12_DEFAULT_ITER;

    int twopass = 0;

    int keytype = 0;

    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;

    int cert_pbe;

    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;

    int ret = 1;

    int macver = 1;
@@ -130,6 +130,13 @@ int MAIN(int argc, char **argv) 


    apps_startup();



#ifdef OPENSSL_FIPS

    if (FIPS_mode())

	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;

    else

#endif

    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;



    enc = EVP_des_ede3_cbc();

    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);

crypto/pkcs12/p12_crt.c

+5 −0
Original line number Diff line number Diff line
@@ -90,6 +90,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, 


	/* Set defaults */

	if (!nid_cert)

#ifdef OPENSSL_FIPS

		if (FIPS_mode())

			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;

		else

#endif

		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;

	if (!nid_key)

		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;