openssl 1.0.1l

It seems that the default algorithm selection for pkcs12 is incorrect when
FIPS mode is in use. The root cause appears to be that the FIPS_mode()
check is performed prior to the load_config() call. A patch is attached
that changes this ordering.

Feedback on this issue would be much appreciated.

Thanks

diff --git a/vendor/openssl/apps/pkcs12.c b/vendor/openssl/apps/pkcs12.c
index 4d62a7b..8a55a41 100644
--- a/vendor/openssl/apps/pkcs12.c
+++ b/vendor/openssl/apps/pkcs12.c
@@ -130,21 +130,20 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
-#ifdef OPENSSL_FIPS
-    if (FIPS_mode())
-	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-    else
-#endif
-    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
-
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 
 	if (!load_config(bio_err, NULL))
 		goto end;
 
-    args = argv + 1;
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+		cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+#endif
+    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
 
+    args = argv + 1;
 
     while (*args) {
 	if (*args[0] == '-') {
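Review bot: The relocated `#ifdef OPENSSL_FIPS` block that now follows `load_config()` carries no comment saying why it has to sit there, so a later cleanup could move the `FIPS_mode()` check back above the config load and bring back the wrong default described in the message. Add a one-line comment above the block stating that the `cert_pbe` default must be chosen only after `load_config()` has run. The added `cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;` line is also indented more deeply than the line it replaces; keeping the original indentation would limit the diff to the reorder itself.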