openssl/crypto/cms
Bernd Edlinger 08229ad838 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.

As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.

The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)

(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
2019-09-10 11:41:20 +01:00
..
build.info
cms_asn1.c Fix gcc-7 warnings. 2017-05-11 19:39:38 +02:00
cms_att.c Add the content type attribute to additional CMS signerinfo. 2019-06-03 15:25:10 +10:00
cms_cd.c
cms_dd.c
cms_enc.c Update copyright year 2018-04-17 15:18:40 +02:00
cms_env.c Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 2019-09-10 11:41:20 +01:00
cms_err.c Add the content type attribute to additional CMS signerinfo. 2019-06-03 15:25:10 +10:00
cms_ess.c
cms_io.c
cms_kari.c Update copyright year 2019-02-26 14:05:09 +00:00
cms_lcl.h Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 2019-09-10 11:41:20 +01:00
cms_lib.c Fix spelling errors in CMS. 2017-05-27 14:15:24 +02:00
cms_pwri.c Add missing OPENSSL_clear_free before using ec->key 2018-12-13 10:10:02 +00:00
cms_sd.c Add the content type attribute to additional CMS signerinfo. 2019-06-03 15:25:10 +10:00
cms_smime.c Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 2019-09-10 11:41:20 +01:00