summaryrefslogtreecommitdiff
path: root/src/usr.bin/openssl/cms.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/usr.bin/openssl/cms.c38
1 files changed, 25 insertions, 13 deletions
diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index 7420d0ab8c..458ddb0e3b 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cms.c,v 1.36 2024/08/12 15:34:58 job Exp $ */ 1/* $OpenBSD: cms.c,v 1.38 2025/06/07 08:24:15 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project. 3 * project.
4 */ 4 */
@@ -193,15 +193,33 @@ get_cipher_by_name(char *name)
193static int 193static int
194cms_opt_cipher(int argc, char **argv, int *argsused) 194cms_opt_cipher(int argc, char **argv, int *argsused)
195{ 195{
196 const EVP_CIPHER *cipher;
196 char *name = argv[0]; 197 char *name = argv[0];
197 198
198 if (*name++ != '-') 199 if (*name++ != '-')
199 return (1); 200 return (1);
200 201
201 if ((cfg.cipher = get_cipher_by_name(name)) == NULL) 202 if ((cipher = get_cipher_by_name(name)) == NULL)
202 if ((cfg.cipher = EVP_get_cipherbyname(name)) == NULL) 203 if ((cipher = EVP_get_cipherbyname(name)) == NULL)
203 return (1); 204 return (1);
204 205
206 /*
207 * XXX - this should really be done in CMS_{encrypt,decrypt}() until
208 * we have proper support for AuthEnvelopedData (RFC 5084), but this
209 * is good enough for now to avoid outputting garbage with this rusty
210 * swiss army knife.
211 */
212 if ((EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
213 BIO_printf(bio_err, "AuthEnvelopedData is not supported\n");
214 return (1);
215 }
216 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE) {
217 BIO_printf(bio_err, "XTS mode not supported\n");
218 return (1);
219 }
220
221 cfg.cipher = cipher;
222
205 *argsused = 1; 223 *argsused = 1;
206 return (0); 224 return (0);
207} 225}
@@ -475,7 +493,7 @@ static const struct option cms_options[] = {
475 }, 493 },
476 { 494 {
477 .name = "aes256", 495 .name = "aes256",
478 .desc = "Encrypt PEM output with CBC AES", 496 .desc = "Encrypt PEM output with CBC AES (default)",
479 .type = OPTION_ARGV_FUNC, 497 .type = OPTION_ARGV_FUNC,
480 .opt.argvfunc = cms_opt_cipher, 498 .opt.argvfunc = cms_opt_cipher,
481 }, 499 },
@@ -509,7 +527,7 @@ static const struct option cms_options[] = {
509 }, 527 },
510 { 528 {
511 .name = "des3", 529 .name = "des3",
512 .desc = "Encrypt with triple DES (default)", 530 .desc = "Encrypt with triple DES",
513 .type = OPTION_ARGV_FUNC, 531 .type = OPTION_ARGV_FUNC,
514 .opt.argvfunc = cms_opt_cipher, 532 .opt.argvfunc = cms_opt_cipher,
515 }, 533 },
@@ -1291,14 +1309,8 @@ cms_main(int argc, char **argv)
1291 } 1309 }
1292 1310
1293 if (cfg.operation == SMIME_ENCRYPT) { 1311 if (cfg.operation == SMIME_ENCRYPT) {
1294 if (cfg.cipher == NULL) { 1312 if (cfg.cipher == NULL)
1295#ifndef OPENSSL_NO_DES 1313 cfg.cipher = EVP_aes_256_cbc();
1296 cfg.cipher = EVP_des_ede3_cbc();
1297#else
1298 BIO_printf(bio_err, "No cipher selected\n");
1299 goto end;
1300#endif
1301 }
1302 if (cfg.secret_key != NULL && 1314 if (cfg.secret_key != NULL &&
1303 cfg.secret_keyid == NULL) { 1315 cfg.secret_keyid == NULL) {
1304 BIO_printf(bio_err, "No secret key id\n"); 1316 BIO_printf(bio_err, "No secret key id\n");
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-14 00:52:08 +0000