components/library/openssl/common/patches/046-pkcs12-default-cipher.patch

   1 #
   2 # This was developed in house.  The change is internal to Solaris, and
   3 # it will not be contributed upstream.
   4 #
   5 # This patch will change the default cipher used to encrypt certificate
   6 # to 3DES as RC2 is considered weak cipher. The default cipher for 1.1 will
   7 # become 3DES.
   8 #
   9 --- openssl/apps/pkcs12.c       Tue May  3 06:44:42 2016
  10 +++ openssl/apps/pkcs12.c.new   Wed May  4 15:11:00 2016
  11 @@ -142,12 +142,7 @@
  12      if (!load_config(bio_err, NULL))
  13          goto end;
  14
  15 -# ifdef OPENSSL_FIPS
  16 -    if (FIPS_mode())
  17 -        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
  18 -    else
  19 -# endif
  20 -        cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
  21 +    cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
  22
  23      args = argv + 1;
  24
  25 @@ -379,9 +374,9 @@
  26          BIO_printf(bio_err,
  27                     "-twopass      separate MAC, encryption passwords\n");
  28          BIO_printf(bio_err,
  29 -                   "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
  30 +                   "-descert      encrypt PKCS#12 certificates with triple DES (default)\n");
  31          BIO_printf(bio_err,
  32 -                   "-certpbe alg  specify certificate PBE algorithm (default RC2-40)\n");
  33 +                   "-certpbe alg  specify certificate PBE algorithm (default 3DES)\n");
  34          BIO_printf(bio_err,
  35                     "-keypbe alg   specify private key PBE algorithm (default 3DES)\n");
  36          BIO_printf(bio_err,
  37 --- openssl/doc/crypto/PKCS12_create.pod Fri May  6 09:10:00 2016
  38 +++ openssl/doc/crypto/PKCS12_create.pod Fri May  6 09:14:16 2016
  39 @@ -30,9 +30,9 @@
  40  The parameters B<nid_key>, B<nid_cert>, B<iter>, B<mac_iter> and B<keytype>
  41  can all be set to zero and sensible defaults will be used.
  42
  43 -These defaults are: 40 bit RC2 encryption for certificates, triple DES
  44 -encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER
  45 -(currently 2048) and a MAC iteration count of 1.
  46 +These defaults are: triple DES encryption for certificates and private keys,
  47 +a key iteration count of PKCS12_DEFAULT_ITER (currently 2048) and a MAC
  48 +iteration count of 1.
  49
  50  The default MAC iteration count is 1 in order to retain compatibility with
  51  old software which did not interpret MAC iteration counts. If such compatibility