]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fe89f30)
To verify MAC, we need a MAC
authorDmitry Belyavskiy <beldmit@gmail.com>
Mon, 9 Dec 2024 18:05:33 +0000 (19:05 +0100)
committerTomas Mraz <tomas@openssl.org>
Wed, 11 Dec 2024 17:27:54 +0000 (18:27 +0100)
Fixes #26106

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26140)

apps/pkcs12.c patch | blob | blame | history
test/recipes/80-test_pkcs12.t patch | blob | blame | history
test/recipes/80-test_pkcs12_data/nomac_parse.p12 [new file with mode: 0644] patch | blob

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index afdb719ccd4d8eacdbfa3cfabb3178821536d949..3b91f132f53333a3a5a2df01441666d3d2ddc7c2 100644 (file)
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -829,6 +829,12 @@ int pkcs12_main(int argc, char **argv)
         const ASN1_OBJECT *macobj;
 
         PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12);
+
+        if (macalgid == NULL) {
+            BIO_printf(bio_err, "Warning: MAC is absent!\n");
+            goto dump;
+        }
+
         X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
 
         if (OBJ_obj2nid(macobj) != NID_pbmac1) {
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 616de23ffbe310abbd006f8ed2323221a765d952..06fa85af0f3e337ef5846f6974b5c4d29d6421c8 100644 (file)
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;
 
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
-plan tests => $no_fips ? 46 : 52;
+plan tests => $no_fips ? 47 : 53;
 
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -288,6 +288,13 @@ with({ exit_checker => sub { return shift == 1; } },
            "test bad pkcs12 file 3 (info)");
      });
 
+# Test that mac verification doesn't fail when mac is absent in the file
+{
+    my $nomac = srctop_file("test", "recipes", "80-test_pkcs12_data", "nomac_parse.p12");
+    ok(run(app(["openssl", "pkcs12", "-in", $nomac, "-passin", "pass:testpassword"])),
+       "test pkcs12 file without MAC");
+}
+
 # Test with Oracle Trusted Key Usage specified in openssl.cnf
 {
     ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile7,
diff --git a/test/recipes/80-test_pkcs12_data/nomac_parse.p12 b/test/recipes/80-test_pkcs12_data/nomac_parse.p12
new file mode 100644 (file)
index 0000000..d1a025e
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/nomac_parse.p12 differ
Mirror of https://github.com/openssl/openssl.git