Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openssl/common/patches/046-pkcs12-default-cipher.patch
author Ronald Jordan <ron.jordan@oracle.com>
Wed, 26 Oct 2016 13:19:33 -0700
branchs11u3-sru
changeset 7163 ee09edbd5876
permissions -rw-r--r--
24784774 Upgrade 11.3-SRU to OpenSSL 1.0.2 20358335 memory leak in libcrypto 21297601 32-bit FIPS openssl(1) should link to the mediator link 21791492 Workaround to suppress the link check error should be removed 22021385 openssl ts sub-command dumps core 22021787 openssl s_client sub-command dumps core 22445522 openssl makefile contains undeclared dependency on rsync 22859741 Update OpenSSL FIPS module to 2.0.12 23230454 Use DES3 for pkcs12 certificate encryption 23285559 ssh libcrypto`solaris_locking_setup() atfork handler calls malloc() 24377801 solaris_dynlock_create() should check for a ret val of 0 from pthread_mutex_init 24943813 problem in LIBRARY/OPENSSL

#
# This was developed in house.  The change is internal to Solaris, and
# it will not be contributed upstream.
#
# This patch will change the default cipher used to encrypt certificate
# to 3DES as RC2 is considered weak cipher. The default cipher for 1.1 will
# become 3DES.
#
--- openssl/apps/pkcs12.c	Tue May  3 06:44:42 2016
+++ openssl/apps/pkcs12.c.new	Wed May  4 15:11:00 2016
@@ -142,12 +142,7 @@
     if (!load_config(bio_err, NULL))
         goto end;
 
-# ifdef OPENSSL_FIPS
-    if (FIPS_mode())
-        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-    else
-# endif
-        cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 
     args = argv + 1;
 
@@ -379,9 +374,9 @@
         BIO_printf(bio_err,
                    "-twopass      separate MAC, encryption passwords\n");
         BIO_printf(bio_err,
-                   "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
+                   "-descert      encrypt PKCS#12 certificates with triple DES (default)\n");
         BIO_printf(bio_err,
-                   "-certpbe alg  specify certificate PBE algorithm (default RC2-40)\n");
+                   "-certpbe alg  specify certificate PBE algorithm (default 3DES)\n");
         BIO_printf(bio_err,
                    "-keypbe alg   specify private key PBE algorithm (default 3DES)\n");
         BIO_printf(bio_err,
--- openssl/doc/crypto/PKCS12_create.pod Fri May  6 09:10:00 2016
+++ openssl/doc/crypto/PKCS12_create.pod Fri May  6 09:14:16 2016
@@ -30,9 +30,9 @@
 The parameters B<nid_key>, B<nid_cert>, B<iter>, B<mac_iter> and B<keytype>
 can all be set to zero and sensible defaults will be used.
 
-These defaults are: 40 bit RC2 encryption for certificates, triple DES
-encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER
-(currently 2048) and a MAC iteration count of 1.
+These defaults are: triple DES encryption for certificates and private keys,
+a key iteration count of PKCS12_DEFAULT_ITER (currently 2048) and a MAC
+iteration count of 1.
 
 The default MAC iteration count is 1 in order to retain compatibility with
 old software which did not interpret MAC iteration counts. If such compatibility
upstream/oracle/userland-gate