[openssl-dev] Discrepancy between docs and actual behavior: CMS in 1.0.2

Dr. Stephen Henson steve at openssl.org
Mon Jul 25 18:30:52 UTC 2016


On Mon, Jul 25, 2016, Blumenthal, Uri - 0553 - MITLL wrote:

> I confess I did not test this with 1.1.x. But in 1.0.2h there's a problem.
> 
> CMS man page says:
> 
> If the -decrypt option is used without a recipient certificate then an
> attempt is made to locate the
> recipient by trying each potential recipient in turn using the supplied
> private key. To thwart the MMA
> attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients
> are tried whether they
> succeed or not and if no recipients match the message is "decrypted" using a
> random key which will
> typically output garbage. The -debug_decrypt option can be used to disable
> the MMA attack protection
> and return an error if no recipient can be found: this option should be used
> with caution.

That's a bug in the documentation. Currently that only works for RSA keys, not
EC or DH.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

