From: Nikola Pajkovsky Date: Thu, 19 Mar 2026 11:16:08 +0000 (+0100) Subject: rsa_kem: validate RSA_public_encrypt() result in RSASVE X-Git-Tag: openssl-4.0.0~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=552e01f6a4e39afd41e6d667fb140089c144bd0f;p=thirdparty%2Fopenssl.git rsa_kem: validate RSA_public_encrypt() result in RSASVE RSA_public_encrypt() returns the number of bytes written on success and -1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM encapsulation can incorrectly succeed when the underlying RSA public encrypt operation fails. In that case the code reports success, returns lengths as if encapsulation completed normally, and leaves the freshly generated secret available instead of discarding it. Tighten the success condition so RSASVE only succeeds when RSA_public_encrypt() returns a positive value equal to the modulus-sized output expected for RSA_NO_PADDING. Any other return value is treated as failure, and the generated secret is cleansed before returning. Fixes CVE-2026-31790 Signed-off-by: Nikola Pajkovsky Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz MergeDate: Mon Apr 6 19:45:38 2026 (cherry picked from commit 89dde74b69debbf0c4d0a0ee925de87638bbfe16) --- diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 78124ba90b8..ab28a3a1a28 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -315,16 +315,17 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx, /* Step(3): out = RSAEP((n,e), z) */ ret = RSA_public_encrypt((int)nlen, secret, out, prsactx->rsa, RSA_NO_PADDING); - if (ret) { - ret = 1; - if (outlen != NULL) - *outlen = nlen; - if (secretlen != NULL) - *secretlen = nlen; - } else { + if (ret <= 0 || ret != (int)nlen) { OPENSSL_cleanse(secret, nlen); + return 0; } - return ret; + + if (outlen != NULL) + *outlen = nlen; + if (secretlen != NULL) + *secretlen = nlen; + + return 1; } /**
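Review bot: the `ret <= 0` clause in `if (ret <= 0 || ret != (int)nlen)` is redundant, since `nlen` is the RSA modulus size and is always positive, so `ret != (int)nlen` alone already rejects the -1 failure return and any short result; if it is kept deliberately for readability, a one-line comment saying that RSA_public_encrypt() returns -1 on error and must produce exactly `nlen` bytes under RSA_NO_PADDING would make the intent clear to the next reader. The rest of the hunk is correct: the early `return 0` after `OPENSSL_cleanse(secret, nlen)` closes the path where the old `if (ret)` test treated -1 as truthy and reported success with a still-live secret, and moving the `*outlen`/`*secretlen` assignments below the check ensures lengths are only reported once encapsulation has actually completed.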