diff options
| -rw-r--r-- | src/lib/libcrypto/cms/cms_env.c | 21 | ||||
| -rw-r--r-- | src/lib/libcrypto/cms/cms_lcl.h | 4 | ||||
| -rw-r--r-- | src/lib/libcrypto/cms/cms_smime.c | 6 | ||||
| -rw-r--r-- | src/lib/libcrypto/pkcs7/pk7_doit.c | 15 |
4 files changed, 35 insertions, 11 deletions
diff --git a/src/lib/libcrypto/cms/cms_env.c b/src/lib/libcrypto/cms/cms_env.c index 8640f459fb..74d957eee0 100644 --- a/src/lib/libcrypto/cms/cms_env.c +++ b/src/lib/libcrypto/cms/cms_env.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: cms_env.c,v 1.22 2019/08/11 11:07:40 jsing Exp $ */ | 1 | /* $OpenBSD: cms_env.c,v 1.23 2019/10/04 18:03:56 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 3 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 4 | * project. | 4 | * project. |
| @@ -426,6 +426,7 @@ cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) | |||
| 426 | EVP_PKEY *pkey = ktri->pkey; | 426 | EVP_PKEY *pkey = ktri->pkey; |
| 427 | unsigned char *ek = NULL; | 427 | unsigned char *ek = NULL; |
| 428 | size_t eklen; | 428 | size_t eklen; |
| 429 | size_t fixlen = 0; | ||
| 429 | int ret = 0; | 430 | int ret = 0; |
| 430 | CMS_EncryptedContentInfo *ec; | 431 | CMS_EncryptedContentInfo *ec; |
| 431 | 432 | ||
| @@ -436,6 +437,19 @@ cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) | |||
| 436 | return 0; | 437 | return 0; |
| 437 | } | 438 | } |
| 438 | 439 | ||
| 440 | if (cms->d.envelopedData->encryptedContentInfo->havenocert && | ||
| 441 | !cms->d.envelopedData->encryptedContentInfo->debug) { | ||
| 442 | X509_ALGOR *calg = ec->contentEncryptionAlgorithm; | ||
| 443 | const EVP_CIPHER *ciph; | ||
| 444 | |||
| 445 | if ((ciph = EVP_get_cipherbyobj(calg->algorithm)) == NULL) { | ||
| 446 | CMSerror(CMS_R_UNKNOWN_CIPHER); | ||
| 447 | return 0; | ||
| 448 | } | ||
| 449 | |||
| 450 | fixlen = EVP_CIPHER_key_length(ciph); | ||
| 451 | } | ||
| 452 | |||
| 439 | ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); | 453 | ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); |
| 440 | if (ktri->pctx == NULL) | 454 | if (ktri->pctx == NULL) |
| 441 | return 0; | 455 | return 0; |
| @@ -453,8 +467,11 @@ cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) | |||
| 453 | } | 467 | } |
| 454 | 468 | ||
| 455 | if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, ktri->encryptedKey->data, | 469 | if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, ktri->encryptedKey->data, |
| 456 | ktri->encryptedKey->length) <= 0) | 470 | ktri->encryptedKey->length) <= 0 || eklen == 0 || |
| 471 | (fixlen != 0 && eklen != fixlen)) { | ||
| 472 | CMSerror(CMS_R_CMS_LIB); | ||
| 457 | goto err; | 473 | goto err; |
| 474 | } | ||
| 458 | 475 | ||
| 459 | ek = malloc(eklen); | 476 | ek = malloc(eklen); |
| 460 | 477 | ||
diff --git a/src/lib/libcrypto/cms/cms_lcl.h b/src/lib/libcrypto/cms/cms_lcl.h index a8ccaf4488..8083e5537d 100644 --- a/src/lib/libcrypto/cms/cms_lcl.h +++ b/src/lib/libcrypto/cms/cms_lcl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: cms_lcl.h,v 1.11 2019/08/11 10:26:04 jsing Exp $ */ | 1 | /* $OpenBSD: cms_lcl.h,v 1.12 2019/10/04 18:03:56 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 3 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 4 | * project. | 4 | * project. |
| @@ -170,6 +170,8 @@ struct CMS_EncryptedContentInfo_st { | |||
| 170 | size_t keylen; | 170 | size_t keylen; |
| 171 | /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ | 171 | /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ |
| 172 | int debug; | 172 | int debug; |
| 173 | /* Set to 1 if we have no cert and need exta safety measures for MMA */ | ||
| 174 | int havenocert; | ||
| 173 | }; | 175 | }; |
| 174 | 176 | ||
| 175 | struct CMS_RecipientInfo_st { | 177 | struct CMS_RecipientInfo_st { |
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c index d39ee19aa5..367810f40e 100644 --- a/src/lib/libcrypto/cms/cms_smime.c +++ b/src/lib/libcrypto/cms/cms_smime.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: cms_smime.c,v 1.23 2019/08/11 14:51:15 jsing Exp $ */ | 1 | /* $OpenBSD: cms_smime.c,v 1.24 2019/10/04 18:03:56 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 3 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 4 | * project. | 4 | * project. |
| @@ -823,6 +823,10 @@ CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, BIO *dcont, | |||
| 823 | cms->d.envelopedData->encryptedContentInfo->debug = 1; | 823 | cms->d.envelopedData->encryptedContentInfo->debug = 1; |
| 824 | else | 824 | else |
| 825 | cms->d.envelopedData->encryptedContentInfo->debug = 0; | 825 | cms->d.envelopedData->encryptedContentInfo->debug = 0; |
| 826 | if (!cert) | ||
| 827 | cms->d.envelopedData->encryptedContentInfo->havenocert = 1; | ||
| 828 | else | ||
| 829 | cms->d.envelopedData->encryptedContentInfo->havenocert = 0; | ||
| 826 | if (!pk && !cert && !dcont && !out) | 830 | if (!pk && !cert && !dcont && !out) |
| 827 | return 1; | 831 | return 1; |
| 828 | if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) | 832 | if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) |
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c index d0c27e98a9..81a72f6815 100644 --- a/src/lib/libcrypto/pkcs7/pk7_doit.c +++ b/src/lib/libcrypto/pkcs7/pk7_doit.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: pk7_doit.c,v 1.43 2019/03/13 20:34:00 tb Exp $ */ | 1 | /* $OpenBSD: pk7_doit.c,v 1.44 2019/10/04 18:03:55 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -191,7 +191,7 @@ err: | |||
| 191 | 191 | ||
| 192 | static int | 192 | static int |
| 193 | pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, | 193 | pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, |
| 194 | EVP_PKEY *pkey) | 194 | EVP_PKEY *pkey, size_t fixlen) |
| 195 | { | 195 | { |
| 196 | EVP_PKEY_CTX *pctx = NULL; | 196 | EVP_PKEY_CTX *pctx = NULL; |
| 197 | unsigned char *ek = NULL; | 197 | unsigned char *ek = NULL; |
| @@ -222,8 +222,9 @@ pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, | |||
| 222 | goto err; | 222 | goto err; |
| 223 | } | 223 | } |
| 224 | 224 | ||
| 225 | if (EVP_PKEY_decrypt(pctx, ek, &eklen, | 225 | if (EVP_PKEY_decrypt(pctx, ek, &eklen, ri->enc_key->data, |
| 226 | ri->enc_key->data, ri->enc_key->length) <= 0) { | 226 | ri->enc_key->length) <= 0 || eklen == 0 || |
| 227 | (fixlen != 0 && eklen != fixlen)) { | ||
| 227 | ret = 0; | 228 | ret = 0; |
| 228 | PKCS7error(ERR_R_EVP_LIB); | 229 | PKCS7error(ERR_R_EVP_LIB); |
| 229 | goto err; | 230 | goto err; |
| @@ -535,14 +536,14 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) | |||
| 535 | for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { | 536 | for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { |
| 536 | ri = sk_PKCS7_RECIP_INFO_value(rsk, i); | 537 | ri = sk_PKCS7_RECIP_INFO_value(rsk, i); |
| 537 | 538 | ||
| 538 | if (pkcs7_decrypt_rinfo(&ek, &eklen, | 539 | if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, |
| 539 | ri, pkey) < 0) | 540 | EVP_CIPHER_key_length(evp_cipher)) < 0) |
| 540 | goto err; | 541 | goto err; |
| 541 | ERR_clear_error(); | 542 | ERR_clear_error(); |
| 542 | } | 543 | } |
| 543 | } else { | 544 | } else { |
| 544 | /* Only exit on fatal errors, not decrypt failure */ | 545 | /* Only exit on fatal errors, not decrypt failure */ |
| 545 | if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) | 546 | if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0) |
| 546 | goto err; | 547 | goto err; |
| 547 | ERR_clear_error(); | 548 | ERR_clear_error(); |
| 548 | } | 549 | } |