Commit a191c2de80 for openssl.org

commit a191c2de80a07db754cef3b8cc409b0576e767d8
Author: slontis <shane.lontis@oracle.com>
Date:   Fri Mar 6 15:07:51 2026 +1100

    PKCS12 app fix

    Do not call PKCS12_verify_mac() twice if the UTF8 password matches the mac
    password.

    In the case of an error in the verify path do not print
    "Mac verify error: invalid password?" if there is already an error on the
    error stack. An error means something failed in PKCS12_verify_mac(),
    If only the password was wrong it does not raise an error.

    Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Thu Mar 12 10:47:29 2026
    (Merged from https://github.com/openssl/openssl/pull/30279)

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 709a976758..09ed684472 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -910,8 +910,9 @@ int pkcs12_main(int argc, char **argv)
                 goto end;
             }
             OPENSSL_free(utmp);
-            if (!PKCS12_verify_mac(p12, badpass, -1)) {
-                BIO_puts(bio_err, "Mac verify error: invalid password?\n");
+            if (strcmp(mpass, badpass) == 0 || !PKCS12_verify_mac(p12, badpass, -1)) {
+                if (ERR_peek_error() == 0)
+                    BIO_puts(bio_err, "Mac verify error: invalid password?\n");
                 ERR_print_errors(bio_err);
                 goto end;
             } else {