Rebase to 3.5.7

Resolves: RHEL-179700
Resolves: RHEL-179695
Resolves: RHEL-179692
Resolves: RHEL-179687
Resolves: RHEL-179677
Resolves: RHEL-179660
Resolves: RHEL-179634
Resolves: RHEL-179555
Resolves: RHEL-179551
Resolves: RHEL-179548
Resolves: RHEL-179543
Resolves: RHEL-179540
Resolves: RHEL-179284
Resolves: RHEL-179275
This commit is contained in:
Pavol Žáčik 2026-06-12 09:59:17 +02:00
parent ab36eec4e5
commit e5ce8c77ad
No known key found for this signature in database
GPG Key ID: 4EE16C6E333F70A8
7 changed files with 29 additions and 291 deletions

1
.gitignore vendored
View File

@ -60,3 +60,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.5.0.tar.gz
/openssl-3.5.1.tar.gz
/openssl-3.5.5.tar.gz
/openssl-3.5.7.tar.gz

View File

@ -317,7 +317,7 @@ index 9874e6bad6..76b6befbad 100644
+#endif
ADD_TEST(test_default_cipherlist_explicit);
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
#ifndef OPENSSL_NO_TLS1_3
--
2.52.0

View File

@ -1,185 +0,0 @@
From 001e01db3e996e13ffc72386fe79d03a6683b5ac Mon Sep 17 00:00:00 2001
From: Nikola Pajkovsky <nikolap@openssl.org>
Date: Thu, 19 Mar 2026 12:16:08 +0100
Subject: [PATCH 1/2] rsa_kem: validate RSA_public_encrypt() result in RSASVE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM
encapsulation can incorrectly succeed when the underlying RSA public
encrypt operation fails. In that case the code reports success, returns
lengths as if encapsulation completed normally, and leaves the freshly
generated secret available instead of discarding it.
Tighten the success condition so RSASVE only succeeds when
RSA_public_encrypt() returns a positive value equal to the modulus-sized
output expected for RSA_NO_PADDING. Any other return value is treated as
failure, and the generated secret is cleansed before returning.
Fixes CVE-2026-31790
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:51:30 2026
---
providers/implementations/kem/rsa_kem.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index f7bf368a0d..74dfafddd9 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -316,17 +316,19 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
return 0;
/* Step(3): out = RSAEP((n,e), z) */
- ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
- if (ret) {
- ret = 1;
- if (outlen != NULL)
- *outlen = nlen;
- if (secretlen != NULL)
- *secretlen = nlen;
- } else {
+ ret = RSA_public_encrypt((int)nlen, secret, out, prsactx->rsa,
+ RSA_NO_PADDING);
+ if (ret <= 0 || ret != (int)nlen) {
OPENSSL_cleanse(secret, nlen);
+ return 0;
}
- return ret;
+
+ if (outlen != NULL)
+ *outlen = nlen;
+ if (secretlen != NULL)
+ *secretlen = nlen;
+
+ return 1;
}
/**
--
2.53.0
From c61bbd3f873d28e098f503f0187459ed488977c9 Mon Sep 17 00:00:00 2001
From: Nikola Pajkovsky <nikolap@openssl.org>
Date: Mon, 23 Mar 2026 08:41:20 +0100
Subject: [PATCH 2/2] rsa_kem: test RSA_public_encrypt() result in RSASVE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure.
Add regression coverage in evp_extra_test using invalid RSA pubkey
which triggers -1 in RSA_public_encrypt() using encapsulation.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:51:31 2026
---
test/evp_extra_test.c | 67 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 5ea95c0dfa..573732bfec 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -929,6 +929,32 @@ static EVP_PKEY *load_example_ec_key(void)
#endif
#ifndef OPENSSL_NO_DEPRECATED_3_0
+
+static EVP_PKEY *make_bad_rsa_pubkey(void)
+{
+ RSA *rsa = NULL;
+ BIGNUM *n = NULL, *e = NULL;
+ EVP_PKEY *pkey = NULL;
+
+ /* Deliberately invalid public key: n = 17, e = 17 */
+ if (!TEST_ptr(pkey = EVP_PKEY_new())
+ || !TEST_ptr(rsa = RSA_new())
+ || !TEST_ptr(n = BN_new())
+ || !TEST_ptr(e = BN_new())
+ || !TEST_true(BN_set_word(n, 17))
+ || !TEST_true(BN_set_word(e, 17))
+ || !TEST_true(RSA_set0_key(rsa, n, e, NULL))
+ || !EVP_PKEY_assign_RSA(pkey, rsa))
+ goto err;
+
+ return pkey;
+err:
+ BN_free(n);
+ BN_free(e);
+ RSA_free(rsa);
+ return NULL;
+}
+
#ifndef OPENSSL_NO_DH
static EVP_PKEY *load_example_dh_key(void)
{
@@ -5898,6 +5924,46 @@ err:
return testresult;
}
+static int test_rsasve_kem_with_invalid_pub_key(void)
+{
+ RSA *rsa = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ unsigned char *ct = NULL;
+ unsigned char *secret = NULL;
+ size_t ctlen = 0, secretlen = 0;
+ int testresult = 0;
+
+ if (nullprov != NULL) {
+ testresult = TEST_skip("Test does not support a non-default library context");
+ goto err;
+ }
+
+ if (!TEST_ptr(pkey = make_bad_rsa_pubkey()))
+ goto err;
+
+ if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL))
+ || !TEST_int_eq(EVP_PKEY_encapsulate_init(ctx, NULL), 1)
+ || !TEST_int_eq(EVP_PKEY_CTX_set_kem_op(ctx, "RSASVE"), 1)
+ || !TEST_int_eq(EVP_PKEY_encapsulate(ctx, NULL, &ctlen, NULL, &secretlen), 1)
+ || !TEST_ptr(ct = OPENSSL_malloc(ctlen))
+ || !TEST_ptr(secret = OPENSSL_malloc(secretlen)))
+ goto err;
+
+ if (!TEST_int_eq(EVP_PKEY_encapsulate(ctx, ct, &ctlen, secret, &secretlen), 0))
+ goto err;
+
+ testresult = 1;
+
+err:
+ OPENSSL_free(secret);
+ OPENSSL_free(ct);
+ EVP_PKEY_CTX_free(ctx);
+ RSA_free(rsa);
+ EVP_PKEY_free(pkey);
+ return testresult;
+}
+
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
/* Test we can create a signature keys with an associated ENGINE */
static int test_signatures_with_engine(int tst)
@@ -6893,6 +6959,7 @@ int setup_tests(void)
ADD_TEST(test_evp_md_cipher_meth);
ADD_TEST(test_custom_md_meth);
ADD_TEST(test_custom_ciph_meth);
+ ADD_TEST(test_rsasve_kem_with_invalid_pub_key);
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
/* Tests only support the default libctx */
--
2.53.0

View File

@ -1,93 +0,0 @@
From 2e39b7a6993be445fddb9fbce316fa756e0397b6 Mon Sep 17 00:00:00 2001
From: Neil Horman <nhorman@openssl.org>
Date: Wed, 1 Apr 2026 10:56:44 +0200
Subject: [PATCH] Fix NULL deref in rsa_cms_decrypt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Very simmilar to CVE-2026-28389, ensure that if we are missing
parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
we don't segfault when decrypting.
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Fixes CVE-2026-28390
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Apr 6 19:06:14 2026
---
crypto/cms/cms_rsa.c | 31 +++++++++++++++++++------------
1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
index 6b65842cc1..34c739a982 100644
--- a/crypto/cms/cms_rsa.c
+++ b/crypto/cms/cms_rsa.c
@@ -42,10 +42,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
X509_ALGOR *cmsalg;
int nid;
int rv = -1;
- unsigned char *label = NULL;
+ const unsigned char *label = NULL;
int labellen = 0;
const EVP_MD *mgf1md = NULL, *md = NULL;
RSA_OAEP_PARAMS *oaep;
+ const ASN1_OBJECT *aoid;
+ const void *parameter = NULL;
+ int ptype = 0;
pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
if (pkctx == NULL)
@@ -75,21 +78,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
goto err;
if (oaep->pSourceFunc != NULL) {
- X509_ALGOR *plab = oaep->pSourceFunc;
+ X509_ALGOR_get0(&aoid, &ptype, &parameter, oaep->pSourceFunc);
- if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
+ if (OBJ_obj2nid(aoid) != NID_pSpecified) {
ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_LABEL_SOURCE);
goto err;
}
- if (plab->parameter->type != V_ASN1_OCTET_STRING) {
+ if (ptype != V_ASN1_OCTET_STRING) {
ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_LABEL);
goto err;
}
- label = plab->parameter->value.octet_string->data;
- /* Stop label being freed when OAEP parameters are freed */
- plab->parameter->value.octet_string->data = NULL;
- labellen = plab->parameter->value.octet_string->length;
+ label = ASN1_STRING_get0_data(parameter);
+ labellen = ASN1_STRING_length(parameter);
}
if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
@@ -98,10 +99,16 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
goto err;
if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
goto err;
- if (label != NULL
- && EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) {
- OPENSSL_free(label);
- goto err;
+ if (label != NULL) {
+ unsigned char *dup_label = OPENSSL_memdup(label, labellen);
+
+ if (dup_label == NULL)
+ goto err;
+
+ if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) {
+ OPENSSL_free(dup_label);
+ goto err;
+ }
}
/* Carry on */
rv = 1;
--
2.53.0

View File

@ -1,4 +1,4 @@
From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
From d0f984a8c5d943402f38043ff6898b1b06364bc5 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 1 Mar 2022 15:44:18 +0100
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
@ -156,19 +156,19 @@ index 4b74ee1a34..5f089de107 100644
return ssl_security(s, op, secbits, nid, x);
else
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 700bbd849c..2de1d76b5e 100644
index ab8cdff..84421cc 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
@@ -30,7 +30,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 203;
+plan tests => 202;
-plan tests => 204;
+plan tests => 203;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
@@ -485,8 +485,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
@ -181,4 +181,4 @@ index 700bbd849c..2de1d76b5e 100644
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");
--
2.35.1
2.54.0

View File

@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.5.5
Release: 3%{?dist}
Version: 3.5.7
Release: 1%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@ -98,8 +98,6 @@ Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
Patch0056: 0056-Add-targets-to-skip-build-of-non-installable-program.patch
Patch0057: 0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
Patch0058: 0058-CVE-2026-31790.patch
Patch0059: 0059-CVE-2026-28390.patch
#The patches that are different for RHEL9 and 10 start here
Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
@ -458,6 +456,23 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
* Fri Jun 12 2026 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.7-1
- Rebase to OpenSSL 3.5.7
Resolves: RHEL-179700
Resolves: RHEL-179695
Resolves: RHEL-179692
Resolves: RHEL-179687
Resolves: RHEL-179677
Resolves: RHEL-179660
Resolves: RHEL-179634
Resolves: RHEL-179555
Resolves: RHEL-179551
Resolves: RHEL-179548
Resolves: RHEL-179543
Resolves: RHEL-179540
Resolves: RHEL-179284
Resolves: RHEL-179275
* Wed May 13 2026 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.5-3
- Fix CVE-2026-28390
Resolves: RHEL-165870

View File

@ -1 +1 @@
SHA512 (openssl-3.5.5.tar.gz) = 7cf0eb91bac175f7fe0adcafef457790d43fe7f98e2d4bef681c2fd5ca365e1fa5b562c645a60ab602365adedf9d91c074624eea66d3d7e155639fc50d5861ec
SHA512 (openssl-3.5.7.tar.gz) = de5351d2d532e1a3908a738f7d8aae448d32bc60bdb24808c556a24bc37a3f53daedf12b5d432eeb8c235e16939d842f908332ede8a447ca103ad1c493c820d7