From 8ad98cce41aa8a6278f7ade6ad2f70b80b194b72 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 9 Dec 2024 19:05:33 +0100
Subject: [PATCH] To verify MAC, we need a MAC

Fixes #26106

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26140)
---
 apps/pkcs12.c                                    |   6 ++++++
 test/recipes/80-test_pkcs12.t                    |   9 ++++++++-
 test/recipes/80-test_pkcs12_data/nomac_parse.p12 | Bin 0 -> 1191 bytes
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 test/recipes/80-test_pkcs12_data/nomac_parse.p12

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index afdb719ccd..3b91f132f5 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -829,6 +829,12 @@ int pkcs12_main(int argc, char **argv)
         const ASN1_OBJECT *macobj;
 
         PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12);
+
+        if (macalgid == NULL) {
+            BIO_printf(bio_err, "Warning: MAC is absent!\n");
+            goto dump;
+        }
+
         X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
 
         if (OBJ_obj2nid(macobj) != NID_pbmac1) {
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 616de23ffb..06fa85af0f 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;
 
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
-plan tests => $no_fips ? 46 : 52;
+plan tests => $no_fips ? 47 : 53;
 
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -288,6 +288,13 @@ with({ exit_checker => sub { return shift == 1; } },
            "test bad pkcs12 file 3 (info)");
      });
 
+# Test that mac verification doesn't fail when mac is absent in the file
+{
+    my $nomac = srctop_file("test", "recipes", "80-test_pkcs12_data", "nomac_parse.p12");
+    ok(run(app(["openssl", "pkcs12", "-in", $nomac, "-passin", "pass:testpassword"])),
+       "test pkcs12 file without MAC");
+}
+
 # Test with Oracle Trusted Key Usage specified in openssl.cnf
 {
     ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile7,
diff --git a/test/recipes/80-test_pkcs12_data/nomac_parse.p12 b/test/recipes/80-test_pkcs12_data/nomac_parse.p12
new file mode 100644
index 0000000000000000000000000000000000000000..d1a025e8bd7ba388106c9b0b69917bcf0d75c981
GIT binary patch
literal 1191
zcmV;Y1X%kpf&`-i0Ru3C1e^v5Duzgg_YDCD0ic2ejRb-Oi7<i$g)o8yfd&aGhDe6@
z4FLxOpn?Q)FoFbb0s#Oq05F0CWd;c<hDe6@4FLxMFcby|Duzgg_YDIF1PJvY)RYyF
zI0Arz1VFeo*Dy4}{O!4=d-4kQxBh11UJEvOENc$<`EZ{55&y+a&j8`-Wo4)OcT>q@
zm`Z3Oq*FzpEwAUgTK!>P0tmf$!rKkJRCN*BGpSYjYzgM!Gc-6XRWeVUUAAN|1nJIT
z`n?9lMQ%vyvf8&JttHg_Q>ZosE<Q)3-1(Bcwu|CtQF42GM(|s@aePNKDXp@ciE%Z>
zp_Y3ncv1g>L6*c(uu<w2)I;^_n{W)?9G6ua@%az;?F2}LRLZBX<CFM!WSyx-@7P*(
zY+_D$IMM;71<DMmd$vtjO3RGeGsJ4G+nRoyytESz;MRP8mB&7*2<Mo*<#LC%uA;pJ
z+i|`HiJq(&U<q5IaHoFAD3uAo;CX<W{0U_Gaq6PO92png9q$m%s)C2<&8T#=2c@kV
zXrRTLDu6whjo$=r8U-Z!{`1Yr<F&oyy9sul^3t#@{U8xSVkeaGXrVMwXXUB*X?*&?
z8)37_Y|;U&@CQPFLcoNVn|sh)|G`xRR<bp4eBI>;OihCtB}=sr@F0RrQbczHighw}
zCHVS#fOk?yDXd&IOQpas5z?eq&{!NIgiVN}QU%q0atzm2pm+t@wbLmMrBxz+v-ftM
zEmW?FTMT-Ji?<-sRocHjA=27rWx(rhRzf%h!jjjWhJ2rs;eAO5ls!`EK8qty##9%P
zs)&B83B+B&hJKktvV71Bq%nV+4=gW69hpiJ+D7;njk2wm)7C(f)UzuwVTiJyokgjc
z*yD)Xpu<kQ3ardjMg0fc@>?U|OyC>0I`OSjoWc|oAoTIiUB_f+!^WWqg&Q3vxFi}l
zW$JtEHd}hpcl63D&2=RD367hZq<-C;kzlr#V6J}dqwIz3h=rqkxlqW<{<*3iXO+Yi
z6h_uyWZ8KSD0kkq-YFa%co5Qbe)OAm47ey6)lo8^c3T{!Z8r;&_vDPpnSkDv&*(f)
z0tQx-e;R~JWoMWB0$+PY(-MY!`asK`F3}w%sy*g)Gn#BPkcvk3t$&6DS&3T&6nnQ<
z=nKV)-MvN}FRLcX>3fL=q4aN3C!Iu^#V4(6mx{i_exS!lUV#^G_zqY&y;m;;7VuV8
zlz+2g1U42cY)DPdjA)rW3)#aZYn%>Ot4ZRw+p6chfWw3F&^CR083G3^i{TvQh%PuL
zI@YS2C2~)e2v!x{5Ll_p1*s@h%^Sc(2?v;@cT&{(#>rWyew_n93d3zt{Ey+9jn7kc
zQ$n&dI(Sw&tA;g=OoTyro}FfEooxJ((fpLliunP1?Q0E(o^QB$Dd7u$4)13nakv(f
zn#_CEaVG5=Qi)oGa8dq|Y@C+9c~*zzJB+EQ`rxJ1dthRxy0$m)y?e)2Q(8lN;ZcFg
zyDMf8IvKYsj=I0O##^~wrSsWEF+>f(#9*eG#!CPO)cQ46{8u*V))|)ggdre%<DR)#
F&9cN@JK_KU

literal 0
HcmV?d00001