From 5e9a8678c5e1442e618ae0abc7b314880ec3ba4e Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 5 Mar 2021 18:08:05 +0100
Subject: apps/pkcs12: Detect missing PKCS12KDF support on import
Report error message with hint to use -nomacver if MAC verification is not required.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/14445)
---
apps/pkcs12.c | 10 ++++++++++
1 file changed, 10 insertions(+)
(limited to 'apps')
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 00c5a9bc4b..c729ab5d67 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -19,6 +19,7 @@
 #include
 #include
 #include
+#include
 #define NOKEYS 0x1
 #define NOCERTS 0x2
@@ -733,6 +734,15 @@ int pkcs12_main(int argc, char **argv)
 tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
 }
 if (macver) {
+ EVP_KDF *pkcs12kdf;
+
+ pkcs12kdf = EVP_KDF_fetch(NULL, "PKCS12KDF", NULL);
+ if (pkcs12kdf == NULL) {
+ BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
+ BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
+ goto end;
+ }
+ EVP_KDF_free(pkcs12kdf);
 /* If we enter empty password try no password first */
 if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
 /* If mac and crypto pass the same set it to NULL too */
-- cgit v1.2.3
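Review bot: The probe added under `if (macver)` in the `@@ -733,6 +734,15 @@` hunk calls `EVP_KDF_fetch(NULL, "PKCS12KDF", NULL)`, which uses the default library context and no property query, so its answer may differ from what the later `PKCS12_verify_mac(p12, ...)` call sees when providers or a property query were selected on the command line. If the apps helpers are available at this revision, `pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF", app_get0_propq());` would keep the check and the verification consistent. The second message also points the user straight at `-nomacver`, which skips the integrity check of the file. I would add a comment such as `/* -nomacver disables the MAC integrity check; prefer loading a provider that implements PKCS12KDF */` and mention the provider route in the hint as well. `pkcs12_main` starts and ends outside the hunk, so what the `end:` label does with the queued fetch error is not visible here.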