Fix NULL deref for malformed OAEP parameters in CMS decryption

This converts rsa_cms_decrypt() to use X509_ALGOR_get0() and fixes a NULL deref when a parameter is (invalidly) omitted similar to the fix in ec/ec_ameth.c r1.66 from a couple years back. There is currently an XXX annotating a hairy leak due to trying to be smart and stealing the parameters from the oaep object. Instead, just make a copy of the label string and free it in the exit path. The diff adds an error for labellen == 0 since that is an invalid encoding of pSpecifiedEmpty (see RFC 8017) -- per the DER the default must be omitted. This way we avoid a malloc(0) implementation-defined behavior. This minor issue was assigned CVE-2026-28390 by OpenSSL and was reported by too many to list. The fix is my own. It is similar to OpenSSL's fix only because I rewiewed theirs and suggested an improvement or two. This is the last of the "security fixes" in today's OpenSSL release that "affect" LibreSSL. All the other bugs were already fixed a few years back or we didn't have the code/bugs in the first place. ok beck jsing
author: tb <> 2026-04-07 13:15:29 +0000
committer: tb <> 2026-04-07 13:15:29 +0000
commit: e783182e57d664df5859c6b6cbd65563cdc26528 (patch)
tree: 74e40050fa87c5fc08859ab1090ca3949b48d15e /src/lib/libcrypto
parent: bd035cb5927e4f4359c2ecd94226a2536b0d7773 (diff)
download: openbsd-e783182e57d664df5859c6b6cbd65563cdc26528.tar.gz
openbsd-e783182e57d664df5859c6b6cbd65563cdc26528.tar.bz2
openbsd-e783182e57d664df5859c6b6cbd65563cdc26528.zip
2 files changed, 22 insertions, 11 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index 00fa6afb3d..2aea9c4848 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ameth.c,v 1.63 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: rsa_ameth.c,v 1.64 2026/04/07 13:15:29 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -59,6 +59,7 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <openssl/opensslconf.h>
@@ -1148,23 +1149,29 @@ rsa_cms_decrypt(CMS_RecipientInfo *ri)
                goto err;
        if (oaep->pSourceFunc != NULL) {
-                X509_ALGOR *plab = oaep->pSourceFunc;
+                const ASN1_OBJECT *aobj;
+                const void *parameter;
+                int parameter_type;
-                if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
+                X509_ALGOR_get0(&aobj, &parameter_type, &parameter,
+                    oaep->pSourceFunc);
+                if (OBJ_obj2nid(aobj) != NID_pSpecified) {
                        RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE);
                        goto err;
                }
-                if (plab->parameter->type != V_ASN1_OCTET_STRING) {
+                if (parameter_type != V_ASN1_OCTET_STRING) {
                        RSAerror(RSA_R_INVALID_LABEL);
                        goto err;
                }
-                label = plab->parameter->value.octet_string->data;
+                if ((labellen = ASN1_STRING_length(parameter)) == 0) {
+                        RSAerror(RSA_R_INVALID_LABEL);
+                        goto err;
+                }
-                /* Stop label being freed when OAEP parameters are freed */
+                if ((label = calloc(1, labellen)) == NULL)
-                /* XXX - this leaks label on error... */
+                        goto err;
-                plab->parameter->value.octet_string->data = NULL;
+                memcpy(label, ASN1_STRING_get0_data(parameter), labellen);
-                labellen = plab->parameter->value.octet_string->length;
        }
        if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
@@ -1175,11 +1182,15 @@ rsa_cms_decrypt(CMS_RecipientInfo *ri)
                goto err;
        if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
                goto err;
+        label = NULL;
+        labellen = 0;
        rv = 1;
 err:
        RSA_OAEP_PARAMS_free(oaep);
+        freezero(label, labellen);
        return rv;
 }
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 518b077dbc..b1b8e8c675 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.44 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.45 2026/04/07 13:15:29 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -583,7 +583,7 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                        RSAerror(RSA_R_INVALID_PADDING_MODE);
                        return -2;
                }
-                free(rctx->oaep_label);
+                freezero(rctx->oaep_label, rctx->oaep_labellen);
                if (p2 != NULL && p1 > 0) {
                        rctx->oaep_label = p2;
                        rctx->oaep_labellen = p1;
author	tb <>	2026-04-07 13:15:29 +0000
committer	tb <>	2026-04-07 13:15:29 +0000
commit	e783182e57d664df5859c6b6cbd65563cdc26528 (patch)
tree	74e40050fa87c5fc08859ab1090ca3949b48d15e /src/lib/libcrypto
parent	bd035cb5927e4f4359c2ecd94226a2536b0d7773 (diff)
download	openbsd-e783182e57d664df5859c6b6cbd65563cdc26528.tar.gz openbsd-e783182e57d664df5859c6b6cbd65563cdc26528.tar.bz2 openbsd-e783182e57d664df5859c6b6cbd65563cdc26528.zip