Fix PKCS#12 use with OpenSSL 1.0.0

Add 40-bit RC2 CBC explicitly since OpenSSL 1.0.0 does not seem to that
anymore with PKCS12_PBE_add(). Furthermore, at least 1.0.0-beta4 crashes
if the needed cipher is not registered when parsing the PKCS#12 data
(this crashing part should be fixed in newer 1.0.0 versions)

Following bug reports are related to the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=541924
https://bugzilla.redhat.com/show_bug.cgi?id=538851
http://rt.openssl.org/Ticket/Display.html?id=2127
http://rt.openssl.org/Ticket/Display.html?id=2128

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 1914b5d..1c00252 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -695,6 +695,15 @@ void * tls_init(const struct tls_config *conf)
                 * be added here. */
 
 #ifdef PKCS12_FUNCS
+#ifndef OPENSSL_NO_RC2
+               /*
+                * 40-bit RC2 is commonly used in PKCS#12 files, so enable it.
+                * This is enabled by PKCS12_PBE_add() in OpenSSL 0.9.8
+                * versions, but it looks like OpenSSL 1.0.0 does not do that
+                * anymore.
+                */
+               EVP_add_cipher(EVP_rc2_40_cbc());
+#endif /* OPENSSL_NO_RC2 */
                PKCS12_PBE_add();
 #endif  /* PKCS12_FUNCS */
        }