Check EVP_DigestInit return value in EVP_BytesToKey() and use supported
authorDr. Stephen Henson <steve@openssl.org>
Wed, 1 Mar 2006 21:15:24 +0000 (21:15 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 1 Mar 2006 21:15:24 +0000 (21:15 +0000)
algorithm in PKCS12_create in FIPS mode.

crypto/evp/evp_key.c
crypto/pkcs12/p12_crt.c

index 5f387a94d32141752d21ebc49752cf910bb0cf7f..f8650d5df698dfa886aedb4212ed28f6f89691d4 100644 (file)
@@ -126,7 +126,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
        EVP_MD_CTX_init(&c);
        for (;;)
                {
-               EVP_DigestInit_ex(&c,md, NULL);
+               if (!EVP_DigestInit_ex(&c,md, NULL))
+                       return 0;
                if (addmd++)
                        EVP_DigestUpdate(&c,&(md_buf[0]),mds);
                EVP_DigestUpdate(&c,data,datal);
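Review bot: The new `return 0;` on a failed `EVP_DigestInit_ex` leaves the loop without any cleanup, so the context set up by `EVP_MD_CTX_init(&c)` is not released and, on a second or later pass, `md_buf` still holds the previous digest, which is key-derivation material. The tail of EVP_BytesToKey is outside this hunk, so I am assuming it cleans up `c` and wipes `md_buf`; if it does, the failure path should share it by setting a zero result and jumping to a common exit label instead of returning directly. The two `EVP_DigestUpdate` calls just below are still unchecked, so a failure there would feed a stale or partial digest into the key and IV; they deserve the same test. Callers also have to treat a 0 return as failure, not as a key length.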
index 4c36c643ce683b2222126255c637c6066c52a791..40340a7bef6970323d63f411fce2cda3e3c20a2b 100644 (file)
@@ -76,7 +76,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
        unsigned int keyidlen;
 
        /* Set defaults */
-       if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+       if(!nid_cert)
+               {
+#ifdef OPENSSL_FIPS
+               if (FIPS_mode())
+                       nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+               else
+#endif
+                       nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+               }
        if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
        if(!iter) iter = PKCS12_DEFAULT_ITER;
        if(!mac_iter) mac_iter = 1;
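Review bot: The FIPS branch only changes the value chosen when `nid_cert` is 0, so a caller that passes `NID_pbe_WithSHA1And40BitRC2_CBC` explicitly still gets it in FIPS mode as far as this hunk shows; whether a later layer rejects it is not visible here. If that is intended, a comment above the block should say so, e.g. `/* FIPS mode: default to 3DES because RC2-40 is not supported; explicit caller choices are not checked here */`. The `else` left dangling across `#endif` is also easy to break in a later edit; assigning the RC2 default first and overriding it inside the `#ifdef OPENSSL_FIPS` block would read more safely. PKCS12_create starts and ends outside the hunk.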