pkcs12: fix PKCS12_set_pbmac1_pbkdf2 error-path leaks

Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> MergeDate: Mon Mar 16 11:12:12 2026 (Merged from https://github.com/openssl/openssl/pull/30347)
2026-05-07 20:12:39 +00:00 · 2026-03-10 11:07:58 -05:00
parent 0152e4f9f7
commit ab9f1b22a5
2 changed files with 34 additions and 0 deletions
@@ -529,6 +529,8 @@ int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen,
    X509_ALGOR_free(param->messageAuthScheme);
    param->keyDerivationFunc = alg;
    param->messageAuthScheme = hmac_alg;
+    alg = NULL;
+    hmac_alg = NULL;

    X509_SIG_getm(p12->mac->dinfo, &macalg, &macoct);
    if (!ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBMAC1PARAM), param, &macalg->parameter))
@@ -550,6 +552,8 @@ int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen,
    ret = 1;

 err:
+    X509_ALGOR_free(alg);
+    X509_ALGOR_free(hmac_alg);
    PBMAC1PARAM_free(param);
    OPENSSL_free(known_salt);
    return ret;
@@ -280,6 +280,35 @@ err:
    return ret;
 }

+static int test_PKCS12_set_pbmac1_pbkdf2_invalid_saltlen(void)
+{
+    int ret = 0;
+    unsigned char salt[8] = { 0 };
+    EVP_PKEY *key = NULL;
+    X509 *cert = NULL;
+    STACK_OF(X509) *ca = NULL;
+    PKCS12 *p12 = NULL;
+
+    if (!TEST_ptr(p12 = PKCS12_load(in_file)))
+        return 0;
+    if (!TEST_true(PKCS12_parse(p12, in_pass, &key, &cert, &ca)))
+        goto err;
+    PKCS12_free(p12);
+
+    if (!TEST_ptr(p12 = PKCS12_create_ex2("pass", NULL, key, cert, ca,
+                      NID_undef, NID_undef, 0, -1, 0,
+                      testctx, NULL, NULL, NULL)))
+        goto err;
+    ret = TEST_false(PKCS12_set_pbmac1_pbkdf2(p12, "pass", -1,
+        salt, -1, 0, NULL, NULL));
+err:
+    PKCS12_free(p12);
+    EVP_PKEY_free(key);
+    X509_free(cert);
+    OSSL_STACK_OF_X509_free(ca);
+    return ret;
+}
+
 int setup_tests(void)
 {
    OPTION_CHOICE o;
@@ -320,6 +349,7 @@ int setup_tests(void)
    ADD_TEST(pkcs12_parse_test);
    ADD_ALL_TESTS(pkcs12_create_ex2_test, 3);
    ADD_TEST(test_PKCS12_set_pbmac1_pbkdf2_saltlen_zero);
+    ADD_TEST(test_PKCS12_set_pbmac1_pbkdf2_invalid_saltlen);
    return 1;
 }