From 2fc71f321f1af7823fd119497c1eebbe5b8e82c6 Mon Sep 17 00:00:00 2001 From: tb Date: Tue, 7 Apr 2026 13:15:29 +0000 Subject: [PATCH] Fix NULL deref for malformed OAEP parameters in CMS decryption This converts rsa_cms_decrypt() to use X509_ALGOR_get0() and fixes a NULL deref when a parameter is (invalidly) omitted similar to the fix in ec/ec_ameth.c r1.66 from a couple years back. There is currently an XXX annotating a hairy leak due to trying to be smart and stealing the parameters from the oaep object. Instead, just make a copy of the label string and free it in the exit path. The diff adds an error for labellen == 0 since that is an invalid encoding of pSpecifiedEmpty (see RFC 8017) -- per the DER the default must be omitted. This way we avoid a malloc(0) implementation-defined behavior. This minor issue was assigned CVE-2026-28390 by OpenSSL and was reported by too many to list. The fix is my own. It is similar to OpenSSL's fix only because I rewiewed theirs and suggested an improvement or two. This is the last of the "security fixes" in today's OpenSSL release that "affect" LibreSSL. All the other bugs were already fixed a few years back or we didn't have the code/bugs in the first place. ok beck jsing --- lib/libcrypto/rsa/rsa_ameth.c | 29 ++++++++++++++++++++--------- lib/libcrypto/rsa/rsa_pmeth.c | 4 ++-- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/lib/libcrypto/rsa/rsa_ameth.c b/lib/libcrypto/rsa/rsa_ameth.c index 00fa6afb3da..2aea9c48482 100644 --- a/lib/libcrypto/rsa/rsa_ameth.c +++ b/lib/libcrypto/rsa/rsa_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_ameth.c,v 1.63 2025/05/10 05:54:38 tb Exp $ */ +/* $OpenBSD: rsa_ameth.c,v 1.64 2026/04/07 13:15:29 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -59,6 +59,7 @@ #include #include #include +#include #include @@ -1148,23 +1149,29 @@ rsa_cms_decrypt(CMS_RecipientInfo *ri) goto err; if (oaep->pSourceFunc != NULL) { - X509_ALGOR *plab = oaep->pSourceFunc; + const ASN1_OBJECT *aobj; + const void *parameter; + int parameter_type; - if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { + X509_ALGOR_get0(&aobj, ¶meter_type, ¶meter, + oaep->pSourceFunc); + if (OBJ_obj2nid(aobj) != NID_pSpecified) { RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE); goto err; } - if (plab->parameter->type != V_ASN1_OCTET_STRING) { + if (parameter_type != V_ASN1_OCTET_STRING) { RSAerror(RSA_R_INVALID_LABEL); goto err; } - label = plab->parameter->value.octet_string->data; + if ((labellen = ASN1_STRING_length(parameter)) == 0) { + RSAerror(RSA_R_INVALID_LABEL); + goto err; + } - /* Stop label being freed when OAEP parameters are freed */ - /* XXX - this leaks label on error... */ - plab->parameter->value.octet_string->data = NULL; - labellen = plab->parameter->value.octet_string->length; + if ((label = calloc(1, labellen)) == NULL) + goto err; + memcpy(label, ASN1_STRING_get0_data(parameter), labellen); } if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) @@ -1175,11 +1182,15 @@ rsa_cms_decrypt(CMS_RecipientInfo *ri) goto err; if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) goto err; + label = NULL; + labellen = 0; rv = 1; err: RSA_OAEP_PARAMS_free(oaep); + freezero(label, labellen); + return rv; } diff --git a/lib/libcrypto/rsa/rsa_pmeth.c b/lib/libcrypto/rsa/rsa_pmeth.c index 518b077dbcf..b1b8e8c6753 100644 --- a/lib/libcrypto/rsa/rsa_pmeth.c +++ b/lib/libcrypto/rsa/rsa_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_pmeth.c,v 1.44 2025/05/10 05:54:38 tb Exp $ */ +/* $OpenBSD: rsa_pmeth.c,v 1.45 2026/04/07 13:15:29 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -583,7 +583,7 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) RSAerror(RSA_R_INVALID_PADDING_MODE); return -2; } - free(rctx->oaep_label); + freezero(rctx->oaep_label, rctx->oaep_labellen); if (p2 != NULL && p1 > 0) { rctx->oaep_label = p2; rctx->oaep_labellen = p1;