From 80b52a32d57440334a364d1c23155c87f46f2831 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 27 Jan 2026 14:14:20 +0000
Subject: Avoid type confusion in PKCS#12 parsing

A type confusion can lead to a 1-byte read at address 0x00-0xff, so a
crash.

Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-22795

ok jsing
---
 src/lib/libcrypto/pkcs12/p12_kiss.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index f6f09ff2de..4324201598 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_kiss.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: p12_kiss.c,v 1.30 2026/01/27 14:14:20 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -231,11 +231,17 @@ parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey,
 	ASN1_BMPSTRING *fname = NULL;
 	ASN1_OCTET_STRING *lkid = NULL;
 
-	if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+	if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+		if (attrib->type != V_ASN1_BMPSTRING)
+			return 0;
 		fname = attrib->value.bmpstring;
+	}
 
-	if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+	if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+		if (attrib->type != V_ASN1_OCTET_STRING)
+			return 0;
 		lkid = attrib->value.octet_string;
+	}
 
 	switch (OBJ_obj2nid(bag->type)) {
 	case NID_keyBag:
-- 
cgit v1.2.3-55-g6feb