Openssl: CMS_decrypt returns success even if CEK decryption failed (not RSA)

Created on 14 Aug 2019 · 1 Comment · Source: openssl/openssl

In 146b52edd122f55e2b2bfeb486dae8dbe96f739e a protection against the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) was introduced, but it looks like the behaviour introduced affects not only the RSA mechanism, but also any mechanism that uses the KeyTransRecipientInfo structure to store the RecipientInfo containing the encrypted CEK and associated data. One such mechanism is GOST34.10-2001/2012 (see https://tools.ietf.org/html/rfc4490#section-4.2 and https://www.cryptopro.ru/sites/default/files/products/tls/tk26cms.pdf (Russian)), which is implemented through a separate engine (https://github.com/gost-engine/engine). AFAIK GOST34.10 is not vulnerable to the MMA attack (moreover, inside KeyTransRecipientInfo there is a checksum of the CEK to check that it is correctly decrypted -- see https://tools.ietf.org/html/rfc4357#section-6.1), and it would be nice if CMS_decrypt returned an error on unsuccessful decryption in this case.

I would like to propose narrowing the protection against MMA attack to RSA decryption only.

Labels: help wanted, bug


Another option would be to just include a header in your content data that contains some form of identifier. On decryption it should then be easy to tell if the content is correct.

This code was added in 2012 - so it has been there for quite some time :)
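The header-identifier check suggested in the comment above, as an added example that is not OpenSSL's or the GOST engine's code: a constructed toy in which the CEK unwrap, like the MMA-protected KeyTrans path, never reports failure and the content cipher is a padding-free stream mode, so a wrong key produces plausible-length garbage rather than an error, and only the application-level header detects it. MAGIC, the SHAKE-based keystream and the XOR wrap scheme are constructed stand-ins, not real CMS primitives.

```python
import hashlib
import hmac
import os

MAGIC = b"CMSAPP1\0"  # constructed 8-byte application identifier

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream from SHAKE-256: stands in for a padding-free content
    # cipher mode (CNT/CTR style), where a wrong key raises no error at all.
    return hashlib.shake_256(key + nonce).digest(n)

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def wrap_cek(kek: bytes, cek: bytes) -> bytes:
    # Constructed stand-in for the KeyTransRecipientInfo CEK wrap; unwrapping
    # with the wrong KEK silently yields a random-looking CEK (the issue's case).
    return xor_stream(kek, b"wrap", cek)

unwrap_cek = wrap_cek  # XOR: same operation in both directions

def add_header(content: bytes) -> bytes:
    # Identifier plus digest in front of the content data before encryption.
    return MAGIC + hashlib.sha256(content).digest() + content

def strip_header(decrypted: bytes):
    # Returns the content, or None when the header check fails (wrong key).
    if not decrypted.startswith(MAGIC):
        return None
    digest, body = decrypted[8:40], decrypted[40:]
    if not hmac.compare_digest(digest, hashlib.sha256(body).digest()):
        return None
    return body

def encrypt_message(kek: bytes, content: bytes):
    cek, nonce = os.urandom(32), os.urandom(16)
    return wrap_cek(kek, cek), nonce, xor_stream(cek, nonce, add_header(content))

def decrypt_unchecked(kek: bytes, wrapped: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Mirrors CMS_decrypt as described in the issue: never fails, even with wrong kek.
    return xor_stream(unwrap_cek(kek, wrapped), nonce, ct)

def decrypt_checked(kek: bytes, wrapped: bytes, nonce: bytes, ct: bytes):
    # Same decryption, but the application header reveals a wrong key as None.
    return strip_header(decrypt_unchecked(kek, wrapped, nonce, ct))
```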
