authorDaniel Fiala <daniel@openssl.org>2022-03-13 06:56:13 +0100
committerTomas Mraz <tomas@openssl.org>2022-03-24 08:54:39 +0100
commitcfd24cde81aa5f63dba41ddcde0fa3c5d64e1db0 (patch)
tree1fd44e7c626187bbe4f30233128e5e73fb40f2ae /crypto
parentfecae608a9ad366a1bc740ad94628520cdf38d25 (diff)
Add support for mac-less password-base PKCS12 files to PKCS12_parse API.
Fixes openssl#17720. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17882)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/pkcs12/p12_kiss.c37
1 files changed, 19 insertions, 18 deletions
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index ed1105cee4..6d99900077 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -49,27 +49,28 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
}
/* Check the mac */
-
- /*
- * If password is zero length or NULL then try verifying both cases to
- * determine which password is correct. The reason for this is that under
- * PKCS#12 password based encryption no password and a zero length
- * password are two different things...
- */
-
- if (pass == NULL || *pass == '\0') {
- if (!PKCS12_mac_present(p12)
- || PKCS12_verify_mac(p12, NULL, 0))
- pass = NULL;
- else if (PKCS12_verify_mac(p12, "", 0))
- pass = "";
- else {
+ if (PKCS12_mac_present(p12)) {
+ /*
+ * If password is zero length or NULL then try verifying both cases to
+ * determine which password is correct. The reason for this is that under
+ * PKCS#12 password based encryption no password and a zero length
+ * password are two different things...
+ */
+ if (pass == NULL || *pass == '\0') {
+ if (PKCS12_verify_mac(p12, NULL, 0))
+ pass = NULL;
+ else if (PKCS12_verify_mac(p12, "", 0))
+ pass = "";
+ else {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_VERIFY_FAILURE);
+ goto err;
+ }
+ } else if (!PKCS12_verify_mac(p12, pass, -1)) {
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_VERIFY_FAILURE);
goto err;
}
- } else if (!PKCS12_verify_mac(p12, pass, -1)) {
- ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_VERIFY_FAILURE);
- goto err;
+ } else if (pass == NULL || *pass == '\0') {
+ pass = NULL;
}
/* If needed, allocate stack for other certificates */
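Review bot: When `PKCS12_mac_present(p12)` is false, the new outer `else` branch skips integrity verification for every password, including a non-empty one, yet the context comment above still reads `/* Check the mac */` and nothing tells the caller that no check took place. A file with no MacData is therefore parsed just like one with a valid MAC, so an application that relies on PKCS12_parse to reject altered input gets no signal. I would reword the comment to `/* Check the mac if present; mac-less files are accepted without an integrity check */` and state in the API documentation that callers needing integrity should test `PKCS12_mac_present()` themselves before parsing. The mac-less branch also turns an empty password into NULL with nothing to tell the two cases apart, although the moved comment says they are different things under PKCS#12; a one-line comment explaining that choice would help. PKCS12_parse begins and ends outside the hunk, so any later handling of either case is not visible here.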