File openssl-CVE-2026-28389.patch of Package openssl-3

commit e406df64aea245a4caacf25793df9efa08ea5d8f
Author: Neil Horman <nhorman@openssl.org>
Date:   Mon Mar 16 13:49:07 2026 -0400

    Fix inadvertent NULL deref in [ec]dh_cms_set_shared_info
    
    Two independent reports indicated a SIGSEGV was possible in CMS
    processing when a crafted CMS EnvelopedData message using A Key
    Agreement Recipient Info field.  If they
    KeyEncryptionAlgorithmIdentifier omits the optional parameter field, The
    referenced funcitons above will attempt to dereference the
    alg->parameter data prior to checking if the paramter field is NULL.
    
    Easy fix, just make sure to check if the field is NULL before accessing
    
    Confirmed to resolve the issues using the reproducers provided in the
    security reports.
    
    Fixes CVE-2026-28389

diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c
index a10df73b10..7478a5dd5e 100644
--- a/crypto/cms/cms_dh.c
+++ b/crypto/cms/cms_dh.c
@@ -94,6 +94,9 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
     if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
         goto err;
 
+    if (alg == NULL || alg->parameter == NULL)
+        goto err;
+
     /*
      * For DH we only have one OID permissible. If ever any more get defined
      * we will need something cleverer.
diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c
index ff8adad616..a5a00ca276 100644
--- a/crypto/cms/cms_ec.c
+++ b/crypto/cms/cms_ec.c
@@ -171,6 +171,9 @@ static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
     if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
         return 0;
 
+    if (alg == NULL || alg->parameter == NULL)
+        return 0;
+
     if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
         ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
         return 0;