git.ipfire.org Git - thirdparty/openssl.git/commit

author	Nikola Pajkovsky <nikolap@openssl.org>
	Thu, 19 Mar 2026 11:16:08 +0000 (12:16 +0100)
committer	Tomas Mraz <tomas@openssl.foundation>
	Mon, 6 Apr 2026 19:45:59 +0000 (21:45 +0200)
commit	552e01f6a4e39afd41e6d667fb140089c144bd0f
tree	4eb50ecd0e686d73263d86e167ff344b87734ca0	tree \| snapshot
parent	a37ca3bb14b2ba9ae9071512179b30f0bf1d8009	commit \| diff

rsa_kem: validate RSA_public_encrypt() result in RSASVE

RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM
encapsulation can incorrectly succeed when the underlying RSA public
encrypt operation fails. In that case the code reports success, returns
lengths as if encapsulation completed normally, and leaves the freshly
generated secret available instead of discarding it.

Tighten the success condition so RSASVE only succeeds when
RSA_public_encrypt() returns a positive value equal to the modulus-sized
output expected for RSA_NO_PADDING. Any other return value is treated as
failure, and the generated secret is cleansed before returning.

Fixes CVE-2026-31790
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:45:38 2026
(cherry picked from commit 89dde74b69debbf0c4d0a0ee925de87638bbfe16)