On Tue, Dec 15, 2009 at 10:18 AM, Tomas Mraz via RT <r...@openssl.org> wrote:
> If you call just SSL_library_init() and PKCS12_PBE_add some pkcs12 files
> will not be loadable and moreover the openssl will crash due to missing
> checks for ciphers not found. I've reported the crash in a separate
> report. Perhaps the PKCS12_PBE_add should add the algorithms which are
> not added in the SSL_library_init() call but which are used in the
> static PBE algorithms table?

It looks like this behavior with PKCS12_PBE_add() changed in this commit:

(date: 2006-05-15 20:34:35 +0300; author: steve; state: Exp; lines: +0 -2; commitid: AaVb4NIRWO7LR8xr;)
| crypto/evp/c_allc.c:1.12, CHANGES:1.1316, crypto/pkcs12/p12_crpt.c:1.20,
| crypto/evp/evp_pbe.c:1.21, crypto/evp/p5_crpt.c:1.21
`----------------------------------------
Change builting PBE to use static table. Add entries for HMAC and MD5, GOST.

Neither the commit log nor the CHANGES file entry states clearly that this removed some ciphers from being registered with the PKCS12_PBE_add() call. As far as PKCS#12 files are concerned, the disappearance of EVP_rc2_40_cbc() is especially unfortunate. Was this removed on purpose, i.e., was it understood that this will require changes in applications that do not register all ciphers by default?

I used to call SSL_library_init() (i.e., add SSL ciphers/digests) and PKCS12_PBE_add() (to get whatever else would be needed for PKCS#12 files), but that does not work anymore with OpenSSL 1.0.0-beta4. For now, I'm adding an EVP_add_cipher(EVP_rc2_40_cbc()) call to get the behavior closer to what it used to be.

While there is a note saying that typical applications will call OpenSSL_add_all_algorithms() (which would avoid this issue), it could be worth documenting the difference in behavior between 0.9.8 and 1.0.0 more explicitly as far as PKCS12_PBE_add() is concerned.

- Jouni
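
Added example (not part of the original post and not OpenSSL code): a Python checker that lists which ciphers the PKCS#12 PBE identifiers inside a file require, so an application that registers ciphers selectively can confirm each one, such as RC2-40-CBC, before loading the file. The function names and the sample bytes are constructed for illustration; the cipher names are OpenSSL short names.

```python
# OID prefix for pkcs-12PbeIds, 1.2.840.113549.1.12.1.*, as DER content bytes
PBE_PREFIX = bytes.fromhex("2a864886f70d010c01")
# Last OID arc -> OpenSSL cipher short name (as used by EVP_get_cipherbyname)
PBE_CIPHERS = {1: "RC4", 2: "RC4-40", 3: "DES-EDE3-CBC",
               4: "DES-EDE-CBC", 5: "RC2-CBC", 6: "RC2-40-CBC"}

def walk(buf, depth=0):
    """Yield (tag, value) for each TLV, descending into constructed types and
    into OCTET STRINGs, which PKCS#12 uses to wrap further DER."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:
            # Long form. Indefinite length (0x80) gives length 0, so the
            # contents are simply parsed as the following TLVs.
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        value = buf[i:i + length]
        i += length
        yield tag, value
        if (tag & 0x20 or tag == 0x04) and depth < 32:
            yield from walk(value, depth + 1)

def pbe_ciphers_needed(blob):
    """Return the sorted cipher names required by the PKCS#12 PBE OIDs found."""
    found = set()
    for tag, value in walk(blob):
        if tag == 0x06 and len(value) == 10 and value[:9] == PBE_PREFIX:
            found.add(PBE_CIPHERS.get(value[9], "unknown-pbe-%d" % value[9]))
    return sorted(found)

def tlv(tag, body):
    """Encode one DER TLV; short-form length only (body under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def alg_id(arc):
    """AlgorithmIdentifier with constructed salt and iteration count 2048."""
    params = tlv(0x30, tlv(0x04, b"\x00" * 8) + tlv(0x02, b"\x08\x00"))
    return tlv(0x30, tlv(0x06, PBE_PREFIX + bytes([arc])) + params)

# Constructed sample (not a complete PKCS#12): one RC2-40 identifier at the top
# level and one 3DES identifier nested inside an OCTET STRING.
SAMPLE = tlv(0x30, alg_id(6) +
             tlv(0x04, tlv(0x30, alg_id(3) + tlv(0x04, b"\xAA" * 24))))

if __name__ == "__main__":
    for name in pbe_ciphers_needed(SAMPLE):
        print("needs EVP cipher:", name)
```

To check a real file, pass its bytes to pbe_ciphers_needed(); PEM input must be converted to DER first.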