Commit 65ce85b7e3 for openssl.org
commit 65ce85b7e3e07a9ff7e46cc7f74fa068f737c0f1
Author: Tomas Mraz <tomas@openssl.org>
Date: Thu Jan 8 15:25:18 2026 +0100
Add testcase for PKCS12 with invalid PBMAC1 key length
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša NedvÄ›dický <sashan@openssl.org>
Reviewed-by: Alicja Kario <hkario@redhat.com>
MergeDate: Mon Jan 26 16:14:18 2026
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 06fa85af0f..ff720894c9 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-plan tests => $no_fips ? 47 : 53;
+plan tests => $no_fips ? 53 : 59;
# Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -235,8 +235,12 @@ unless ($no_fips) {
}
}
-# Test pbmac1 pkcs12 bad files, RFC 9579
-for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
+# Test pbmac1 pkcs12 bad files, RFC 9579 and CVE-2025-11187
+for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12",
+ "pbmac1_256_256.no-len.p12", "pbmac1_256_256.bad-len.p12",
+ "pbmac1_256_256.bad-salt-type.p12", "pbmac1_256_256.negative-len.p12",
+ "pbmac1_256_256.no-salt.p12", "pbmac1_256_256.very-big-len.p12",
+ "pbmac1_256_256.zero-len.p12")
{
my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
with({ exit_checker => sub { return shift == 1; } },
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12
new file mode 100644
index 0000000000..7548d0f29e
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12 differ