File openssl-CVE-2025-11187.patch of Package openssl-3
From a26d82c5b141c706bc97455cde511e710c2510a9 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 8 Jan 2026 14:31:19 +0100
Subject: [PATCH] pkcs12: Validate salt and keylength in PBMAC1
The keylength value must be present and we accept
EVP_MAX_MD_SIZE at maximum.
The salt ASN.1 type must be OCTET STRING.
Fixes CVE-2025-11187
Reported by Stanislav Fort (Aisle Research) and Petr Simecek (Aisle Research).
Reported independently also by Hamza (Metadust).
---
crypto/pkcs12/p12_mutl.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
Index: openssl-3.5.0/crypto/pkcs12/p12_mutl.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs12/p12_mutl.c
+++ openssl-3.5.0/crypto/pkcs12/p12_mutl.c
@@ -122,8 +122,6 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_C
ERR_raise(ERR_LIB_PKCS12, ERR_R_UNSUPPORTED);
goto err;
}
- keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
- pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
if (pbkdf2_param->prf == NULL) {
kdf_hmac_nid = NID_hmacWithSHA1;
@@ -138,6 +136,22 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_C
goto err;
}
+ /* Validate salt is an OCTET STRING choice */
+ if (pbkdf2_param->salt == NULL
+ || pbkdf2_param->salt->type != V_ASN1_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
+ goto err;
+ }
+ pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
+
+ /* RFC 9579 specifies missing key length as invalid */
+ if (pbkdf2_param->keylength != NULL)
+ keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
+ if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
+ goto err;
+ }
+
if (PKCS5_PBKDF2_HMAC(pass, passlen, pbkdf2_salt->data, pbkdf2_salt->length,
ASN1_INTEGER_get(pbkdf2_param->iter), kdf_md, keylen, key) <= 0) {
ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR);
