From f3652dff2faab0c0a197fa140984103c0b0a5e88 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Olivier=20Ch=C3=A9ron?=
Date: Sun, 29 Sep 2024 17:50:08 +0200
Subject: [PATCH] Handle PBMAC1 with absent PBKDF2 PRF PRF in PBKDF2-params is optional and defaults to hmacWithSHA1.
CLA: trivial
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25568)
---
 apps/pkcs12.c | 12 ++++++++----
 crypto/pkcs12/p12_mutl.c | 11 +++++++++--
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 7ef4d586c33..afdb719ccd4 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -799,16 +799,20 @@ int pkcs12_main(int argc, char **argv)
 BIO_printf(bio_err, ", Unsupported KDF or params for PBMAC1\n");
 } else {
 const ASN1_OBJECT *prfobj;
+ int prfnid;
 BIO_printf(bio_err, " using PBKDF2, Iteration %ld\n", ASN1_INTEGER_get(pbkdf2_param->iter));
 BIO_printf(bio_err, "Key length: %ld, Salt length: %d\n", ASN1_INTEGER_get(pbkdf2_param->keylength), ASN1_STRING_length(pbkdf2_param->salt->value.octet_string));
- X509_ALGOR_get0(&prfobj, NULL, NULL, pbkdf2_param->prf);
- BIO_printf(bio_err, "PBKDF2 PRF: ");
- i2a_ASN1_OBJECT(bio_err, prfobj);
- BIO_printf(bio_err, "\n");
+ if (pbkdf2_param->prf == NULL) {
+ prfnid = NID_hmacWithSHA1;
+ } else {
+ X509_ALGOR_get0(&prfobj, NULL, NULL, pbkdf2_param->prf);
+ prfnid = OBJ_obj2nid(prfobj);
+ }
+ BIO_printf(bio_err, "PBKDF2 PRF: %s\n", OBJ_nid2sn(prfnid));
 }
 PBKDF2PARAM_free(pbkdf2_param);
 } else {
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index db2b6da6164..b43c82f0ed2 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -111,6 +111,7 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq,
 {
 PBKDF2PARAM *pbkdf2_param = NULL;
 const ASN1_OBJECT *kdf_hmac_oid;
+ int kdf_hmac_nid;
 int ret = -1;
 int keylen = 0;
 EVP_MD *kdf_md = NULL;
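Review bot: In the apps/pkcs12.c hunk, a PRF whose OID OpenSSL does not recognise is now reported only by short name, because `OBJ_nid2sn(OBJ_obj2nid(prfobj))` replaces `i2a_ASN1_OBJECT(bio_err, prfobj)`. For such an OID `OBJ_obj2nid` returns `NID_undef`, so the line would presumably read `UNDEF`, where the old code printed the dotted OID. Someone inspecting an untrusted .p12 file then loses the one detail that identifies the algorithm. I would keep `i2a_ASN1_OBJECT(bio_err, prfobj);` in the else branch and print the default only in the NULL branch, e.g. `BIO_printf(bio_err, "PBKDF2 PRF: hmacWithSHA1 (default)\n");`. The enclosing pkcs12_main body starts and ends outside the hunk.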
@@ -123,9 +124,15 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq,
 }
 keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
 pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
- X509_ALGOR_get0(&kdf_hmac_oid, NULL, NULL, pbkdf2_param->prf);
- kdf_md = EVP_MD_fetch(ctx, OBJ_nid2sn(ossl_hmac2mdnid(OBJ_obj2nid(kdf_hmac_oid))), propq);
+ if (pbkdf2_param->prf == NULL) {
+ kdf_hmac_nid = NID_hmacWithSHA1;
+ } else {
+ X509_ALGOR_get0(&kdf_hmac_oid, NULL, NULL, pbkdf2_param->prf);
+ kdf_hmac_nid = OBJ_obj2nid(kdf_hmac_oid);
+ }
+
+ kdf_md = EVP_MD_fetch(ctx, OBJ_nid2sn(ossl_hmac2mdnid(kdf_hmac_nid)), propq);
 if (kdf_md == NULL) {
 ERR_raise(ERR_LIB_PKCS12, ERR_R_FETCH_FAILED);
 goto err;
--
2.47.2
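Review bot: The salt is still read as `pbkdf2_param->salt->value.octet_string` on the context line just above the new prf check, and nothing visible in this hunk confirms that the decoded salt is an OCTET STRING. The commit makes an absent prf safe for PKCS#12 input from an untrusted source, but a salt encoded as another ASN.1 type would presumably be read through the wrong union member. The check may already exist above the hunk, since PBMAC1_PBKDF2_HMAC starts and ends outside it. If it does not, add `if (pbkdf2_param->salt->type != V_ASN1_OCTET_STRING) goto err;` with an `ERR_raise` before the assignment. The apps/pkcs12.c hunk passes the same member to `ASN1_STRING_length` and would want the same guard.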