From 8e1d6b3472243c401a193867020cc8eb0a27aa05 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Fri, 11 Jul 2014 12:12:39 +0000
Subject: Make CMS_decrypt_set1_pkey() return an error if no recipient type
 matches, instead of returning a random key; OpenSSL PR #3348 via OpenSSL
 trunk

---
 src/lib/libcrypto/cms/cms_smime.c         | 7 ++++---
 src/lib/libssl/src/crypto/cms/cms_smime.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index 4f80561e5d..712f08c32f 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.11 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.12 2014/07/11 12:12:39 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -586,7 +586,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 	STACK_OF(CMS_RecipientInfo) *ris;
 	CMS_RecipientInfo *ri;
 	int i, r;
-	int debug = 0;
+	int debug = 0, match_ri = 0;
 
 	ris = CMS_get0_RecipientInfos(cms);
 	if (ris)
@@ -595,6 +595,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 		ri = sk_CMS_RecipientInfo_value(ris, i);
 		if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
 			continue;
+		match_ri = 1;
 		/* If we have a cert try matching RecipientInfo
 		 * otherwise try them all.
 		 */
@@ -627,7 +628,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 		}
 	}
 	/* If no cert and not debugging always return success */
-	if (!cert && !debug) {
+	if (match_ri && !cert && !debug) {
 		ERR_clear_error();
 		return 1;
 	}
diff --git a/src/lib/libssl/src/crypto/cms/cms_smime.c b/src/lib/libssl/src/crypto/cms/cms_smime.c
index 4f80561e5d..712f08c32f 100644
--- a/src/lib/libssl/src/crypto/cms/cms_smime.c
+++ b/src/lib/libssl/src/crypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.11 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.12 2014/07/11 12:12:39 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -586,7 +586,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 	STACK_OF(CMS_RecipientInfo) *ris;
 	CMS_RecipientInfo *ri;
 	int i, r;
-	int debug = 0;
+	int debug = 0, match_ri = 0;
 
 	ris = CMS_get0_RecipientInfos(cms);
 	if (ris)
@@ -595,6 +595,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 		ri = sk_CMS_RecipientInfo_value(ris, i);
 		if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
 			continue;
+		match_ri = 1;
 		/* If we have a cert try matching RecipientInfo
 		 * otherwise try them all.
 		 */
@@ -627,7 +628,7 @@ CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 		}
 	}
 	/* If no cert and not debugging always return success */
-	if (!cert && !debug) {
+	if (match_ri && !cert && !debug) {
 		ERR_clear_error();
 		return 1;
 	}
-- 
cgit v1.2.3-55-g6feb