Allow for PKCS#12 input without MAC in p12_kiss.c and e_loader_attic.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/4930)

diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 894520be39bcf197bb9a1307ef485e43520027d7..9b2e8a55c5129e2241fdfdcfedb3334b66f16d44 100644 (file)
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -58,7 +58,8 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
      */
 
     if (pass == NULL || *pass == '\0') {
-        if (PKCS12_verify_mac(p12, NULL, 0))
+        if (!PKCS12_mac_present(p12)
+            || PKCS12_verify_mac(p12, NULL, 0))
             pass = NULL;
         else if (PKCS12_verify_mac(p12, "", 0))
             pass = "";

diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c
index 7d059f52563ef2ba724788f806687f3306c3ea60..8a9b86483f4ca6ab1ea4eecb8c1ff2a87c46e7f7 100644 (file)
--- a/engines/e_loader_attic.c
+++ b/engines/e_loader_attic.c
@@ -322,7 +322,8 @@ static OSSL_STORE_INFO *try_decode_PKCS12(const char *pem_name,
 
             *matchcount = 1;
 
-            if (PKCS12_verify_mac(p12, "", 0)
+            if (!PKCS12_mac_present(p12)
+                || PKCS12_verify_mac(p12, "", 0)
                 || PKCS12_verify_mac(p12, NULL, 0)) {
                 pass = "";
             } else {