From: Dr. Stephen Henson <steve@openssl.org>
Date: Wed, 1 Mar 2006 21:15:24 +0000 (+0000)
Subject: Check EVP_DigestInit return value in EVP_BytesToKey() and use supported
X-Git-Tag: OpenSSL_0_9_7j~13
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e8518f847e44a4cf95bb364d00ec3a2751298fb3;p=openssl

Check EVP_DigestInit return value in EVP_BytesToKey() and use supported
algorithm in PKCS12_create in FIPS mode.
---

diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c
index 5f387a94d3..f8650d5df6 100644
--- a/crypto/evp/evp_key.c
+++ b/crypto/evp/evp_key.c
@@ -126,7 +126,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 	EVP_MD_CTX_init(&c);
 	for (;;)
 		{
-		EVP_DigestInit_ex(&c,md, NULL);
+		if (!EVP_DigestInit_ex(&c,md, NULL))
+			return 0;
 		if (addmd++)
 			EVP_DigestUpdate(&c,&(md_buf[0]),mds);
 		EVP_DigestUpdate(&c,data,datal);
diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c
index 4c36c643ce..40340a7bef 100644
--- a/crypto/pkcs12/p12_crt.c
+++ b/crypto/pkcs12/p12_crt.c
@@ -76,7 +76,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 	unsigned int keyidlen;
 
 	/* Set defaults */
-	if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+	if(!nid_cert)
+		{
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+		else
+#endif
+			nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+		}
 	if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 	if(!iter) iter = PKCS12_DEFAULT_ITER;
 	if(!mac_iter) mac_iter = 1;