From 106520eba95dd427fceddb90d7aade730c8b0d41 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 24 May 2025 02:35:25 +0000
Subject: Switch default to PBES2 for openssl pkcs8 -topk8

We currently use the glorious default of NID_pbeWithMD5AndDES_CBC which we inherited from OpenSSL. This could have been worse - there is also NID_pbeWithMD2AndDES_CBC...
The way this diff works is that the undocumented PKCS8_encrypt() API uses the PKCS#5v2 code path when it's passed a NID of -1 and requires a cipher to succeed, otherwise it uses the PKCS#5v1.5 path. So pass in a sensible cipher, namely AES-CBC-256, and let layers of muppetry cascade to doing something resembling the right thing.
This still uses the default of hmacWithSHA1 and a somewhat short salt, which will be improved in a subsequent commit.
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok kenjiro joshua jsing
---
 src/usr.bin/openssl/pkcs8.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/usr.bin/openssl')

diff --git a/src/usr.bin/openssl/pkcs8.c b/src/usr.bin/openssl/pkcs8.c
index 10fad7aed1..5d7c52f865 100644
--- a/src/usr.bin/openssl/pkcs8.c
+++ b/src/usr.bin/openssl/pkcs8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs8.c,v 1.18 2025/01/02 12:31:44 tb Exp $ */
+/* $OpenBSD: pkcs8.c,v 1.19 2025/05/24 02:35:25 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -224,8 +224,8 @@ pkcs8_main(int argc, char **argv)
 			BIO_printf(bio_err, "Error getting passwords\n");
 			goto end;
 		}
-		if ((cfg.pbe_nid == -1) && !cfg.cipher)
-			cfg.pbe_nid = NID_pbeWithMD5AndDES_CBC;
+		if (cfg.pbe_nid == -1 && cfg.cipher == NULL)
+			cfg.cipher = EVP_aes_256_cbc();
 	if (cfg.infile) {
 		if (!(in = BIO_new_file(cfg.infile, "rb"))) {
-- 
cgit v1.2.3-55-g6feb
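Review bot: The added line `cfg.cipher = EVP_aes_256_cbc();` relies on an undocumented contract of PKCS8_encrypt() — a pbe_nid of -1 combined with a non-NULL cipher is what selects the PBES2 path — and nothing at the call site records that, so a later cleanup could reinstate a PBES1 default without noticing. A comment above the condition would pin it down: `/* pbe_nid == -1 with a cipher makes PKCS8_encrypt() take the PBES2 path; default to AES-256-CBC. */`. If the pkcs8 manual page or usage text still describes the MD5/DES default, it should follow in a companion change, since the diffstat shows only pkcs8.c touched. pkcs8_main() starts and ends outside the hunk.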