apps/pkcs12: Properly detect MAC setup failure

The MAC requires PKCS12KDF support which is not present in FIPS provider as it is not an approved KDF algorithm. Suggest using -nomac if MAC is not required. Fixes #14057 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14445)
author: Tomas Mraz <tomas@openssl.org> 2021-03-05 17:22:35 +0100
committer: Pauli <ppzgs1@gmail.com> 2021-03-09 11:12:07 +1000
commit: 913f9d5e52f0541c2fb9c3b60d3fc785f35eacae (patch)
tree: a7470477ed6b180dec28bccd59811381360a1eda /apps/pkcs12.c
parent: 31e2e6e0b1f0f9ab88b9625f841e268766b598d0 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 241122b76a..00c5a9bc4b 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -655,7 +655,11 @@ int pkcs12_main(int argc, char **argv)
         }
 
         if (maciter != -1)
-            PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);
+            if (!PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd)) {
+                BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n");
+                BIO_printf(bio_err, "Use -nomac if MAC not required and PKCS12KDF support not available.\n");
+                goto export_end;
+            }
 
         assert(private);
author	Tomas Mraz <tomas@openssl.org>	2021-03-05 17:22:35 +0100
committer	Pauli <ppzgs1@gmail.com>	2021-03-09 11:12:07 +1000
commit	913f9d5e52f0541c2fb9c3b60d3fc785f35eacae (patch)
tree	a7470477ed6b180dec28bccd59811381360a1eda /apps/pkcs12.c
parent	31e2e6e0b1f0f9ab88b9625f841e268766b598d0 (diff)