From: Dmitry Belyavskiy Date: Fri, 15 May 2026 12:09:17 +0000 (+0200) Subject: Enforce implicit rejection for CMS/PKCS#7 decryption X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d5030cdf32d6cd27bd964a0cb7aed2b7cb713369;p=thirdparty%2Fopenssl.git Enforce implicit rejection for CMS/PKCS#7 decryption Drop the disablement of the implicit rejection for RSA PKCS#1 v1.5 decryption. Fixes CVE-2026-42768 Reviewed-by: Neil Horman Reviewed-by: Milan Broz Reviewed-by: Alicja Kario Reviewed-by: Tomas Mraz MergeDate: Mon Jun 8 19:49:19 2026 --- diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 3b0d5070ce5..e702703758a 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -644,13 +644,6 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (!ossl_cms_env_asn1_ctrl(ri, 1)) goto err; - if (EVP_PKEY_is_a(pkey, "RSA")) - /* upper layer CMS code incorrectly assumes that a successful RSA - * decryption means that the key matches ciphertext (which never - * was the case, implicit rejection or not), so to make it work - * disable implicit rejection for RSA keys */ - EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); - if (evp_pkey_decrypt_alloc(ktri->pctx, &ek, &eklen, fixlen, ktri->encryptedKey->data, ktri->encryptedKey->length) diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index bc8028e1b19..7b6a3b36b4b 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c 
@@ -197,13 +197,6 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, if (EVP_PKEY_decrypt_init(pctx) <= 0) goto err; - if (EVP_PKEY_is_a(pkey, "RSA")) - /* upper layer pkcs7 code incorrectly assumes that a successful RSA - * decryption means that the key matches ciphertext (which never - * was the case, implicit rejection or not), so to make it work - * disable implicit rejection for RSA keys */ - EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); - ret = evp_pkey_decrypt_alloc(pctx, &ek, &eklen, fixlen, ASN1_STRING_get0_data(ri->enc_key), ASN1_STRING_length(ri->enc_key)); if (ret <= 0) diff --git a/doc/man3/CMS_decrypt.pod b/doc/man3/CMS_decrypt.pod index 121b74a30a1..66a94287b6f 100644 --- a/doc/man3/CMS_decrypt.pod +++ b/doc/man3/CMS_decrypt.pod @@ -68,7 +68,7 @@ then the above behaviour is modified and an error B returned if no recipient encrypted key can be decrypted B generating a random content encryption key. Applications should use this flag with B especially in automated gateways as it can leave them -open to attack. +open to attack. See L for more details. It is possible to determine the correct recipient key by other means (for example looking them up in a database) and setting them in the CMS structure @@ -103,7 +103,7 @@ mentioned in CMS_verify() also applies to CMS_decrypt(). =head1 SEE ALSO -L, L +L, L, L =head1 HISTORY diff --git a/doc/man3/PKCS7_decrypt.pod b/doc/man3/PKCS7_decrypt.pod index 5ba3cf1c17c..3534559d595 100644 --- a/doc/man3/PKCS7_decrypt.pod +++ b/doc/man3/PKCS7_decrypt.pod 
@@ -22,6 +22,14 @@ B is an optional set of flags. Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the PKCS#7 structure. +When RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() +will use implicit rejection mechanism. It always returns the result of RSA +decryption of the symmetric key to avoid Marvin attack. This result is +deterministic and can happen to match the symmetric cipher used for the content +encryption. In case when the certificate is not provided, the last +RecipientInfo producing the key looking valid will be used. It may cause +getting garbage content on decryption. + The following flags can be passed in the B parameter. If the B flag is set MIME headers for type B are deleted @@ -40,7 +48,7 @@ be better if it could look up the correct key and certificate from a database. =head1 SEE ALSO -L, L +L, L, L =head1 COPYRIGHT
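Review bot: In the crypto/cms/cms_env.c hunk, the removed comment ("upper layer CMS code incorrectly assumes that a successful RSA decryption means that the key matches ciphertext") documents an assumption in the caller, but the hunk changes only cms_RecipientInfo_ktri_decrypt(); nothing in this patch touches the recipient-iteration code that made that assumption. Please either reference the commit that fixed the upper layer or add a short comment at the `evp_pkey_decrypt_alloc(ktri->pctx, &ek, &eklen, fixlen, ...)` call stating that, for RSA PKCS#1 v1.5, a successful return no longer implies the key matched and the caller must validate the recovered content-encryption key by other means, so the next reader does not reintroduce the `rsa_pkcs1_implicit_rejection` override.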
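Review bot: In the crypto/pkcs7/pk7_doit.c hunk, the retained `if (ret <= 0)` error path after `evp_pkey_decrypt_alloc(pctx, &ek, &eklen, fixlen, ...)` will, with implicit rejection now always enabled for RSA keys, only fire on malformed input rather than on a wrong key, which changes what a failure here means for pkcs7_decrypt_rinfo() callers that try several RecipientInfo entries. Suggest a one-line comment at that check ("with implicit rejection a wrong key still returns a deterministic key, so ret <= 0 does not indicate a key mismatch") mirroring whatever is done in cms_env.c, so both code paths document the same semantics.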
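Review bot: In the doc/man3/CMS_decrypt.pod hunk at line 68, the only change is appending "See L for more details." to the paragraph about the flag that returns an error instead of generating a random content encryption key, while the substantive paragraph describing implicit rejection for RSA PKCS#1 v1.5 Key Transport is added only to PKCS7_decrypt.pod. Since cms_env.c receives the same behaviour change as pk7_doit.c, CMS_decrypt.pod should carry an equivalent paragraph (or the cross-reference should say explicitly that it points at the implicit-rejection description), otherwise CMS users get no warning that a wrong recipient key now yields deterministic garbage rather than a decryption error.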
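Review bot: In the doc/man3/CMS_decrypt.pod hunk at line 103, the SEE ALSO list is extended immediately above "=head1 HISTORY", but no HISTORY entry records that implicit rejection is now enforced for RSA PKCS#1 v1.5 recipients. A behaviour change that fixes CVE-2026-42768 should be noted there (and in the release notes), naming the version in which the `rsa_pkcs1_implicit_rejection` override was dropped, so applications comparing against earlier documentation can see why decryption with a non-matching key no longer fails.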
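Review bot: In the doc/man3/PKCS7_decrypt.pod hunk at line 22, the new paragraph reads awkwardly and would benefit from a grammar pass before merge: "will use implicit rejection mechanism" should be "will use the implicit rejection mechanism", "to avoid Marvin attack" should be "to avoid the Marvin attack", and "In case when the certificate is not provided, the last RecipientInfo producing the key looking valid will be used. It may cause getting garbage content on decryption." reads better as "If no certificate is provided, the last RecipientInfo that yields a plausible-looking key is used, which may result in garbage content being returned." It would also help to state the practical consequence directly: pass the recipient certificate, or otherwise verify the recovered content, because a decryption with the wrong key no longer returns an error.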