From: slontis <shane.lontis@oracle.com>
Date: Fri, 6 Mar 2026 04:07:51 +0000 (+1100)
Subject: PKCS12 app fix
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a191c2de80a07db754cef3b8cc409b0576e767d8;p=thirdparty%2Fopenssl.git

PKCS12 app fix

Do not call PKCS12_verify_mac() twice if the UTF8 password matches the mac
password.

In the case of an error in the verify path do not print
"Mac verify error: invalid password?" if there is already an error on the
error stack. An error means something failed in PKCS12_verify_mac(),
If only the password was wrong it does not raise an error.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:29 2026
(Merged from https://github.com/openssl/openssl/pull/30279)
---

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 709a9767582..09ed684472c 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -910,8 +910,9 @@ int pkcs12_main(int argc, char **argv)
                 goto end;
             }
             OPENSSL_free(utmp);
-            if (!PKCS12_verify_mac(p12, badpass, -1)) {
-                BIO_puts(bio_err, "Mac verify error: invalid password?\n");
+            if (strcmp(mpass, badpass) == 0 || !PKCS12_verify_mac(p12, badpass, -1)) {
+                if (ERR_peek_error() == 0)
+                    BIO_puts(bio_err, "Mac verify error: invalid password?\n");
                 ERR_print_errors(bio_err);
                 goto end;
             } else {