Add tracking ticket and TODO comment

aws · Feb 4, 2025 · fe00662 · fe00662
1 parent 72a0f41
commit fe00662
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c
@@ -1335,6 +1335,8 @@ PKCS12 *PKCS12_create(const char *password, const char *name,
 
   // Compute the MAC. Match OpenSSL in using SHA-1 as the hash function. The MAC
   // covers |auth_safe_data|.
+  // TODO (CryptoAlg-2897): Update the default |md| to SHA-256 to align with
+  //                        OpenSSL 3.x.
   const EVP_MD *mac_md = EVP_sha1();
   uint8_t mac_salt[PKCS5_SALT_LEN];
   if (!CBB_flush(&auth_safe_data) ||
@@ -1391,7 +1393,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *password, int password_len,
   } else {
     OPENSSL_memcpy(mac_salt, salt, salt_len);
   }
-  // Match OpenSSL in using SHA-1 as the default hash function.
+  // TODO (CryptoAlg-2897): Update the default |md| to SHA-256 to align with
+  //                        OpenSSL 3.x.
   if (md == NULL) {
     md = EVP_sha1();
   }

diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h
@@ -197,6 +197,9 @@ OPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password,
 // If |salt| is NULL, a random salt of |salt_len| bytes is generated. If
 // |salt_len| is zero, a default salt length is used instead.
 // If |md| is NULL, the default is use SHA1 to align with OpenSSL.
+//
+// TODO (CryptoAlg-2897): Update the default |md| to SHA-256 to align with
+//                        OpenSSL 3.x.
 OPENSSL_EXPORT int PKCS12_set_mac(PKCS12 *p12, const char *password,
                                   int password_len, unsigned char *salt,
                                   int salt_len, int mac_iterations,