openssl

mirror of https://github.com/openssl/openssl.git synced 2024-11-27 05:21:51 +08:00

History

Bernd Edlinger 5840ed0cd1 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9777)		2019-09-10 11:31:25 +01:00
..
bio_pk7.c
build.info
pk7_asn1.c
pk7_attr.c
pk7_doit.c	Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey	2019-09-10 11:31:25 +01:00
pk7_lib.c
pk7_mime.c
pk7_smime.c
pkcs7err.c