Make CMS_decrypt_set1_pkey() return an error if no recipient type matches,

instead of returning a random key; OpenSSL PR #3348 via OpenSSL trunk
author: miod <> 2014-07-11 12:12:39 +0000
committer: miod <> 2014-07-11 12:12:39 +0000
commit: 8e1d6b3472243c401a193867020cc8eb0a27aa05 (patch)
tree: 7eaccff99ac0c0a3fdb7589596528843fd45adb0 /src/lib
parent: cd945b198d1efba5da70b1ca363d862cd0e059cb (diff)
download: openbsd-8e1d6b3472243c401a193867020cc8eb0a27aa05.tar.gz
openbsd-8e1d6b3472243c401a193867020cc8eb0a27aa05.tar.bz2
openbsd-8e1d6b3472243c401a193867020cc8eb0a27aa05.zip
2 files changed, 8 insertions, 6 deletions
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index 4f80561e5d..712f08c32f 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.11 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.12 2014/07/11 12:12:39 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -586,7 +586,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
        STACK_OF(CMS_RecipientInfo) *ris;
        CMS_RecipientInfo *ri;
        int i, r;
-        int debug = 0;
+        int debug = 0, match_ri = 0;
        ris = CMS_get0_RecipientInfos(cms);
        if (ris)
@@ -595,6 +595,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
                ri = sk_CMS_RecipientInfo_value(ris, i);
                if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
                        continue;
+                match_ri = 1;
                /* If we have a cert try matching RecipientInfo
                 * otherwise try them all.
                 */
@@ -627,7 +628,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
                }
        }
        /* If no cert and not debugging always return success */
-        if (!cert && !debug) {
+        if (match_ri && !cert && !debug) {
                ERR_clear_error();
                return 1;
        }
diff --git a/src/lib/libssl/src/crypto/cms/cms_smime.c b/src/lib/libssl/src/crypto/cms/cms_smime.c
index 4f80561e5d..712f08c32f 100644
--- a/src/lib/libssl/src/crypto/cms/cms_smime.c
+++ b/src/lib/libssl/src/crypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.11 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.12 2014/07/11 12:12:39 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -586,7 +586,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
        STACK_OF(CMS_RecipientInfo) *ris;
        CMS_RecipientInfo *ri;
        int i, r;
-        int debug = 0;
+        int debug = 0, match_ri = 0;
        ris = CMS_get0_RecipientInfos(cms);
        if (ris)
@@ -595,6 +595,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
                ri = sk_CMS_RecipientInfo_value(ris, i);
                if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
                        continue;
+                match_ri = 1;
                /* If we have a cert try matching RecipientInfo
                 * otherwise try them all.
                 */
@@ -627,7 +628,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
                }
        }
        /* If no cert and not debugging always return success */
-        if (!cert && !debug) {
+        if (match_ri && !cert && !debug) {
                ERR_clear_error();
                return 1;
        }
author	miod <>	2014-07-11 12:12:39 +0000
committer	miod <>	2014-07-11 12:12:39 +0000
commit	8e1d6b3472243c401a193867020cc8eb0a27aa05 (patch)
tree	7eaccff99ac0c0a3fdb7589596528843fd45adb0 /src/lib
parent	cd945b198d1efba5da70b1ca363d862cd0e059cb (diff)
download	openbsd-8e1d6b3472243c401a193867020cc8eb0a27aa05.tar.gz openbsd-8e1d6b3472243c401a193867020cc8eb0a27aa05.tar.bz2 openbsd-8e1d6b3472243c401a193867020cc8eb0a27aa05.zip