summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
authortb <>2025-05-24 02:54:09 +0000
committertb <>2025-05-24 02:54:09 +0000
commit50a6c66073549c15191d581ac8051a0ca61a70f6 (patch)
tree5fa2f835d99d92293d40e64d194c5c8d23e10037 /src/lib
parentf350ba6f6b4972633e43e05229f0f5afc6b52ac3 (diff)
downloadopenbsd-50a6c66073549c15191d581ac8051a0ca61a70f6.tar.gz
openbsd-50a6c66073549c15191d581ac8051a0ca61a70f6.tar.bz2
openbsd-50a6c66073549c15191d581ac8051a0ca61a70f6.zip
Switch the default PBMAC to hmacWithSHA256
Using hmacWithSHA1 isn't outrageously bad, but newly generated encrypted password files ought to be using something better. Make it so. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok joshua
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/asn1/p5_pbev2.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 21b8b6364f..4c096ac5b9 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p5_pbev2.c,v 1.36 2025/05/10 05:54:38 tb Exp $ */ 1/* $OpenBSD: p5_pbev2.c,v 1.37 2025/05/24 02:54:09 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999-2004. 3 * project 1999-2004.
4 */ 4 */
@@ -187,7 +187,7 @@ PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
187 int saltlen) 187 int saltlen)
188{ 188{
189 X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL; 189 X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
190 int prf_nid = NID_hmacWithSHA1; 190 int prf_nid = NID_hmacWithSHA256;
191 int alg_nid, keylen; 191 int alg_nid, keylen;
192 EVP_CIPHER_CTX ctx; 192 EVP_CIPHER_CTX ctx;
193 unsigned char iv[EVP_MAX_IV_LENGTH]; 193 unsigned char iv[EVP_MAX_IV_LENGTH];
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-24 16:20:00 +0000