[openssl-users] openssl cms -decrypt failing due to malloc(3) failure

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Aug 1 13:31:26 UTC 2018

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Wednesday, August 01, 2018 06:56
> On Tue, Jul 31, 2018 at 06:14:18PM +0200, Jakob Bohm wrote:
> > Actually, the CMS format itself is clearly designed for streamed decoding.
> It is not, because there is no integrity protection until you reach
> the end of the message.  In a packetized format designed for
> streaming, each chunk and their sequencing is integrity protected,
> streaming extractors are only exposed to (tamper-evident) truncation
> attacks.

And thus falling foul of Moxie Marlinspike's Cryptographic Doom Principle: If you don't verify integrity first, sooner or later you'll be in trouble.

While CMS has been updated, its roots are long - PKCS#7 is 20 years old, after all, and RFC 5652 is nearing the end of its first decade. Back then, deferring the integrity check to the end wasn't seen as a problem. Today we know better - which is why many people prefer AEAD modes.

CMS with an AEAD mode (such as AES128-GCM) ought to avoid the integrity-protection issue for the encrypted content, but not for the other parts of the message, I assume. (I'm no CMS expert so I may be missing something there.) And, of course, both sender and recipient would have to support that algorithm.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list