author | Richard Levitte <levitte@openssl.org> | 2023-06-13 20:06:04 +0200 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2023-06-26 08:00:52 +1000 |
commit | 7a520619c997146639f42ce8595162ac34c2ad41 (patch) | |
tree | 7f5610cb31129f1e509395e0a8a4a0c203ab81a8 /crypto/store | |
parent | c5f55a4605a56655b2706c72388c1d59141fd243 (diff) |
OSSL_STORE and PKCS#12: Check if there is a MAC to verify before prompting
When a DER object with unknown contents comes all the way to
ossl_store_handle_load_result(), and it attempts to decode it as different
objects, the PKCS#12 decoding attempt would (almost) always prompt for a
passphrase, even if there isn't a MAC to verify it against in the PKCS#12
object.
This change checks if there is a MAC to verify against before attempting to
prompt for a passphrase, leading to less surprising behavior.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21197)
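The decision the patched try_pkcs12() makes, worked through as an added example (this is not OpenSSL's code): a minimal DER builder and parser for the outer PFX structure, the RFC 7292 Appendix B.2 MAC key derivation with SHA-1, and the NULL / "" / prompt order from the patch. The PFX blobs are constructed inline with a placeholder payload standing in for a real AuthenticatedSafe. OpenSSL's NULL versus "" passphrase distinction is modelled as zero password bytes versus the two-byte 00 00 BMPString terminator (RFC 7292 B.1), which is why both are tried before any prompt; the names `build_pfx`, `choose_passphrase` and `PROMPT` are this example's own.

```python
# Added example modelling try_pkcs12()'s passphrase decision; not OpenSSL code.
import hashlib
import hmac

OID_DATA = bytes.fromhex("06092a864886f70d010701")  # id-data 1.2.840.113549.1.7.1
OID_SHA1 = bytes.fromhex("06052b0e03021a")          # sha1 1.3.14.3.2.26
PROMPT = "prompt the user"                          # stands in for the UI callback


def der(tag, body):
    """Encode one definite-length DER TLV."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(value):
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def tlv(buf, off=0):
    """Decode the TLV at buf[off]; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def children(body):
    out, off = [], 0
    while off < len(body):
        tag, value, off = tlv(body, off)
        out.append((tag, value))
    return out


def bmp_password(password):
    """NULL passphrase -> zero bytes; "" -> just the 00 00 terminator (RFC 7292 B.1)."""
    return b"" if password is None else password.encode("utf-16-be") + b"\x00\x00"


def pkcs12_kdf(password, salt, iterations, key_id, n):
    """RFC 7292 B.2 key derivation with SHA-1 (u=20, v=64); key_id 3 = MAC key."""
    u, v = 20, 64
    D = bytes([key_id]) * v

    def pad(x):  # repeat x to a whole number of v-byte blocks
        if not x:
            return b""
        length = v * -(-len(x) // v)
        return (x * (length // len(x) + 1))[:length]

    I, out = bytearray(pad(salt) + pad(password)), b""
    for _ in range(-(-n // u)):
        A = D + bytes(I)
        for _ in range(iterations):
            A = hashlib.sha1(A).digest()
        out += A
        B = int.from_bytes((A * (v // u + 1))[:v], "big")
        for j in range(0, len(I), v):
            block = (int.from_bytes(I[j:j + v], "big") + B + 1) % (1 << (8 * v))
            I[j:j + v] = block.to_bytes(v, "big")
    return out[:n]


def build_pfx(payload, mac, password=None, salt=bytes(range(8)), iterations=2048):
    """PFX ::= SEQUENCE { version 3, authSafe ContentInfo(data), macData OPTIONAL }."""
    auth_safe = der(0x30, OID_DATA + der(0xA0, der(0x04, payload)))
    body = der_int(3) + auth_safe
    if mac:  # MacData ::= SEQUENCE { DigestInfo, macSalt OCTET STRING, iterations INTEGER }
        key = pkcs12_kdf(bmp_password(password), salt, iterations, 3, 20)
        digest = hmac.new(key, payload, "sha1").digest()
        digest_info = der(0x30, der(0x30, OID_SHA1 + der(0x05, b"")) + der(0x04, digest))
        body += der(0x30, digest_info + der(0x04, salt) + der_int(iterations))
    return der(0x30, body)


def parse_pfx(pfx):
    """Return (authSafe payload, mac) with mac None when MacData is absent."""
    tag, body, _ = tlv(pfx)
    if tag != 0x30:
        raise ValueError("not a PFX SEQUENCE")
    elems = children(body)
    _oid, explicit = children(elems[1][1])
    payload = children(explicit[1])[0][1]
    if len(elems) < 3:
        return payload, None
    digest_info, salt, iterations = children(elems[2][1])
    return payload, {"digest": children(digest_info[1])[1][1], "salt": salt[1],
                     "iterations": int.from_bytes(iterations[1], "big")}


def mac_present(pfx):
    return parse_pfx(pfx)[1] is not None


def verify_mac(pfx, password):
    payload, mac = parse_pfx(pfx)
    if mac is None:
        raise ValueError("no MAC to verify")
    key = pkcs12_kdf(bmp_password(password), mac["salt"], mac["iterations"], 3, 20)
    return hmac.compare_digest(hmac.new(key, payload, "sha1").digest(), mac["digest"])


def choose_passphrase(pfx):
    """Order from the patch: no MAC or NULL verifies -> NULL; "" verifies -> ""; else prompt."""
    if not mac_present(pfx) or verify_mac(pfx, None):
        return None
    if verify_mac(pfx, ""):
        return ""
    return PROMPT


PAYLOAD = b"constructed placeholder for the AuthenticatedSafe"  # not a real one
NO_MAC = build_pfx(PAYLOAD, mac=False)
MAC_NULL = build_pfx(PAYLOAD, mac=True, password=None)
MAC_EMPTY = build_pfx(PAYLOAD, mac=True, password="")
MAC_SECRET = build_pfx(PAYLOAD, mac=True, password="secret")

if __name__ == "__main__":
    for name, pfx in [("no MAC", NO_MAC), ("MAC, NULL pass", MAC_NULL),
                      ("MAC, empty pass", MAC_EMPTY), ("MAC, secret", MAC_SECRET)]:
        print(f"{name:16} -> {choose_passphrase(pfx)!r}")
```

Two things the run makes visible: a MAC computed under "" does not verify under NULL (and vice versa), so skipping either check would still prompt for files that need no passphrase; and because the absence of MacData short-circuits to NULL, a MAC-less file whose bags are encrypted under a real passphrase never reaches the prompt in this order.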
Diffstat (limited to 'crypto/store')
-rw-r--r-- | crypto/store/store_result.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c index e3d6599955..6fe2b71bc1 100644 --- a/crypto/store/store_result.c +++ b/crypto/store/store_result.c @@ -553,8 +553,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, ok = 0; /* Assume decryption or parse error */ - if (PKCS12_verify_mac(p12, "", 0) + if (!PKCS12_mac_present(p12) || PKCS12_verify_mac(p12, NULL, 0)) { + pass = NULL; + } else if (PKCS12_verify_mac(p12, "", 0)) { pass = ""; } else { static char prompt_info[] = "PKCS12 import pass phrase"; |
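Review bot: The new first branch, `if (!PKCS12_mac_present(p12) || PKCS12_verify_mac(p12, NULL, 0))`, sets `pass = NULL` and bypasses the prompt entirely when there is no MacData, so a PKCS#12 whose bags are encrypted under a non-empty passphrase but that carries no MAC can no longer be loaded through this path: the subsequent parse fails and is reported under the preceding `ok = 0; /* Assume decryption or parse error */` assumption without the user ever being asked. If that is the intended trade-off (with no MAC there is nothing to check a candidate passphrase against), a comment at the branch saying so would help the next reader; if MAC-less encrypted files are meant to keep working, fall through to the prompt when parsing with `pass = NULL` fails rather than treating the missing MAC as proof that no passphrase is needed. The `||` ordering is otherwise right: `PKCS12_verify_mac` is only reached when a MAC exists, and trying NULL before "" matches the two distinct PKCS#12 encodings of an empty passphrase.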