From a26d82c5b141c706bc97455cde511e710c2510a9 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 8 Jan 2026 14:31:19 +0100
Subject: [PATCH] pkcs12: Validate salt and keylength in PBMAC1

The keylength value must be present and we accept EVP_MAX_MD_SIZE at maximum. The salt ASN.1 type must be OCTET STRING.

Fixes CVE-2025-11187

Reported by Stanislav Fort (Aisle Research) and Petr Simecek (Aisle Research).
Reported independently also by Hamza (Metadust).
---
 crypto/pkcs12/p12_mutl.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
Index: openssl-3.5.0/crypto/pkcs12/p12_mutl.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs12/p12_mutl.c
+++ openssl-3.5.0/crypto/pkcs12/p12_mutl.c
@@ -122,8 +122,6 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_C
 ERR_raise(ERR_LIB_PKCS12, ERR_R_UNSUPPORTED);
 goto err;
 }
- keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
- pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
 
 if (pbkdf2_param->prf == NULL) {
 kdf_hmac_nid = NID_hmacWithSHA1;
@@ -138,6 +136,22 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_C
 goto err;
 }
 
+ /* Validate salt is an OCTET STRING choice */
+ if (pbkdf2_param->salt == NULL
+ || pbkdf2_param->salt->type != V_ASN1_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
+ goto err;
+ }
+ pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
+
+ /* RFC 9579 specifies missing key length as invalid */
+ if (pbkdf2_param->keylength != NULL)
+ keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
+ if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
+ goto err;
+ }
+
 if (PKCS5_PBKDF2_HMAC(pass, passlen, pbkdf2_salt->data, pbkdf2_salt->length,
 ASN1_INTEGER_get(pbkdf2_param->iter), kdf_md, keylen, key) <= 0) {
 ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR);
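Review bot: The `if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE)` test in the second hunk only rejects a missing keylength if `keylen` was initialised to a non-positive value at its declaration, which lies outside the hunk; please confirm the declaration reads `int keylen = 0` or equivalent, otherwise the `keylength == NULL` branch leaves it unchecked. ASN1_INTEGER_get also returns -1 when the encoded value does not fit, so the same `<= 0` test covers the out-of-range case, which deserves a word in the comment: `/* RFC 9579: keylength is mandatory; ASN1_INTEGER_get yields -1 when out of range */`. The iteration count read from `pbkdf2_param->iter` in the unchanged PKCS5_PBKDF2_HMAC call receives no such treatment; a parallel `if (ASN1_INTEGER_get(pbkdf2_param->iter) <= 0)` raising PKCS12_R_PARSE_ERROR would keep all three PBKDF2 parameters validated in one place instead of relying on the KDF to reject a bad count as an internal error. PBMAC1_PBKDF2_HMAC begins before and continues after both hunks.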