Commit a65de3d6bc for openssl.org
commit a65de3d6bc393f59c5d14583f99185fb403ba4bd
Author: slontis <shane.lontis@oracle.com>
Date: Fri Mar 6 15:25:27 2026 +1100
PKCS12: Document that the range for key length when using PBMAC1 is (1..64).
Fixes #30246
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:32 2026
(Merged from https://github.com/openssl/openssl/pull/30279)
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index acaf1134ee..c98f890bc1 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -151,7 +151,8 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq,
if (pbkdf2_param->keylength != NULL)
keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) {
- ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR, "Invalid Key length");
+ ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR,
+ "Invalid Key length (%d is not in the range 1..64)", keylen);
goto err;
}
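Review bot: The new error string hardcodes the bound "1..64" while the check on the line above it tests against EVP_MAX_MD_SIZE, so the message will silently go stale if that macro ever changes; prefer deriving the text from the same constant, e.g. `"Invalid Key length (%d is not in the range 1..%d)", keylen, EVP_MAX_MD_SIZE`. A second point to confirm: keylen is assigned from ASN1_INTEGER_get(), which returns a long, and its declaration is outside this hunk; if it is declared as long rather than int, the `%d` conversion needs to become `%ld` (or the value cast to int) to avoid a format/argument mismatch.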
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index 1f153bd326..ab49c95291 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -406,6 +406,10 @@ Although there are a large number of options most of them are very rarely
used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used
for PKCS#12 file creation B<-export> and B<-name> are also used.
+When loading using B<-in>, An error will occur if the PKCS12 macdata contains
+PBMAC1 and the related PBKDF2 parameters are missing, or if the associated
+key length is not in the range 1 to 64.
+
If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present
then all certificates will be output in the order they appear in the input
PKCS#12 files. There is no guarantee that the first certificate present is
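Review bot: In the added paragraph, "An error" is capitalised mid-sentence after the comma and should read "an error"; the same sentence also says "PKCS12 macdata" whereas the surrounding page consistently writes "PKCS#12", so "the PKCS#12 MAC data" would match the manual's existing style. Suggested wording: "When loading using B<-in>, an error will occur if the PKCS#12 MAC data contains PBMAC1 and the related PBKDF2 parameters are missing, or if the associated key length is not in the range 1 to 64."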
diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod
index 752db3bd4a..edcbeb5612 100644
--- a/doc/man3/PKCS12_gen_mac.pod
+++ b/doc/man3/PKCS12_gen_mac.pod
@@ -37,6 +37,8 @@ The default key generation mechanism used is PKCS12KDF.
PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
password.
+If the PKCS12 macdata contains PBMAC1 an error will occur if the related PBKDF2
+parameters are missing, or if the associated key length is not in the range 1 to 64.
PKCS12_setup_mac() sets the MAC part of the PKCS#12 structure with the supplied
parameters.
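Review bot: The added sentence "If the PKCS12 macdata contains PBMAC1 an error will occur if ..." needs a comma after "PBMAC1", and it does not name which function the failure applies to, even though it sits between the PKCS12_verify_mac() and PKCS12_setup_mac() descriptions; stating the function explicitly removes the ambiguity, and "PKCS#12" should be used for consistency with the rest of the page. Suggested wording: "PKCS12_verify_mac() fails if the PKCS#12 MAC data contains PBMAC1 and the related PBKDF2 parameters are missing, or if the associated key length is not in the range 1 to 64." It would also help readers to say that the upper bound is EVP_MAX_MD_SIZE, since that is the constant the code in crypto/pkcs12/p12_mutl.c actually checks against.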