diff options
| author | Tomas Mraz <tomas@openssl.org> | 2021-03-05 22:11:49 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2021-03-10 17:12:48 +0100 |
| commit | 762970bd686c4aa8ea7169e7f76d5a4ce665da93 (patch) | |
| tree | acf287acb8166e12129047e936b517a2d01c2542 /crypto/pkcs12 | |
| parent | 18fdebf1743bc89bf82a205468c56c274e7baf3b (diff) | |
Change default algorithms in PKCS12_create() and PKCS12_set_mac()
Use the modern defaults as now set in the pkcs12 app. This also
allows modifying the application to not override the default values
when calling the API.
Fixes #14034
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14450)
Diffstat (limited to 'crypto/pkcs12')
| -rw-r--r-- | crypto/pkcs12/p12_crt.c | 14 | ||||
| -rw-r--r-- | crypto/pkcs12/p12_mutl.c | 7 |
2 files changed, 10 insertions, 11 deletions
diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 9bc53f789b..985b458cda 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -41,18 +41,14 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * unsigned int keyidlen = 0; /* Set defaults */ - if (!nid_cert) -#ifdef OPENSSL_NO_RC2 - nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; -#else - nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; -#endif - if (!nid_key) - nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + if (nid_cert == NID_undef) + nid_cert = NID_aes_256_cbc; + if (nid_key == NID_undef) + nid_key = NID_aes_256_cbc; if (!iter) iter = PKCS12_DEFAULT_ITER; if (!mac_iter) - mac_iter = 1; + mac_iter = PKCS12_DEFAULT_ITER; if (pkey == NULL && cert == NULL && ca == NULL) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_INVALID_NULL_ARGUMENT); diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index 4873d43e24..20984055df 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -186,8 +186,11 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, unsigned int maclen; ASN1_OCTET_STRING *macoct; - if (!md_type) - md_type = EVP_sha1(); + if (md_type == NULL) + /* No need to do a fetch as the md_type is used only to get a NID */ + md_type = EVP_sha256(); + if (!iter) + iter = PKCS12_DEFAULT_ITER; if (PKCS12_setup_mac(p12, iter, salt, saltlen, md_type) == PKCS12_ERROR) { ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_SETUP_ERROR); return 0; |