[openssl-users] openssl cms -decrypt failing due to malloc(3) failure

Jakob Bohm jb-openssl at wisemo.com
Tue Jul 31 16:14:18 UTC 2018

On 30/07/2018 20:07, Viktor Dukhovni wrote:
>> On Jul 30, 2018, at 12:46 PM, Jordan Brown <openssl at jordan.maileater.net> wrote:
>> If you can't malloc the space, you probably can't mmap it either.  I have never heard of a malloc implementation that has artificial limits; if it's failing it's because it can't find that much contiguous virtual address space, and mmap won't be able to find it either.
>> If you're a 32-bit process, then malloc'ing or mmap'ing a 2GB object will be difficult at best.
> Getting out of the weeds, the core issue is that CMS message input processing
> doesn't stream.  The entire CMS message has to fit into memory.  A different
> data format is required for streaming large payloads.  The data would need
> to be chunked with integrity protection and protection applied to each
> chunk (packet) and appropriate sequence number integrity in place to
> prevent reordering, insertion or deletion of chunks.
> CMS works fine for small messages, and could even be used to construct
> the integrity-protected chunks in a higher-level protocol.  CMS is
> not appropriate for multi-gigabyte or terabyte, ... datasets.
Actually, the CMS format itself is clearly designed for streamed decoding.

For example, it requires the AlgorithmIdentifier of the hash algorithm(s)
to precede the signed data, so a streaming implementation can set up the
input hashing before knowing the full specification of the signature

A streaming encoder will often need to use the indefinite BER encoding of
some of the outer length fields to cope with unknown input length and
variably sized fields after the data.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
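
Added example, not part of the original message or of OpenSSL: a forward-only BER reader illustrating the two properties discussed in this thread, the digest AlgorithmIdentifier arriving before the content and indefinite-length encoding carrying the content as small chunks. The sample bytes are constructed (SignedData-shaped, outer ContentInfo omitted, only SHA-256 and single-byte tags handled), and `prim`, `indef`, `walk` and `stream_digest` are hypothetical names.

```python
import hashlib
import io

SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1
DATA_OID = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1 (id-data)

def prim(tag, body):
    """Definite short-form TLV (body under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def indef(tag, *children):
    """Constructed TLV with indefinite length: 0x80 ... end-of-contents."""
    return bytes([tag, 0x80]) + b"".join(children) + b"\x00\x00"

# Constructed sample: a SignedData-shaped structure, not a valid CMS message.
SAMPLE = indef(0x30,
    prim(0x02, b"\x01"),                                  # version
    prim(0x31, prim(0x30, prim(0x06, SHA256_OID))),       # digestAlgorithms
    indef(0x30, prim(0x06, DATA_OID),                     # encapContentInfo
          indef(0xA0, indef(0x24, prim(0x04, b"hello "), prim(0x04, b"world")))),
    prim(0x31, prim(0x30, prim(0x02, b"\x01") + prim(0x04, b"placeholder-sig"))))

def walk(stream):
    """Yield (tag, value) for each primitive TLV, reading strictly forward."""
    while len(head := stream.read(2)) == 2:
        tag, length = head
        if length == 0x80 or (tag, length) == (0, 0):
            continue                      # indefinite start or end-of-contents
        if length & 0x80:                 # long-form definite length
            length = int.from_bytes(stream.read(length & 0x7F), "big")
        if tag & 0x20:
            continue                      # definite constructed: children follow
        yield tag, stream.read(length)

def stream_digest(stream):
    """Hash eContent chunk by chunk with the digest named ahead of the content."""
    hasher, in_content = None, False
    for tag, value in walk(stream):
        if tag == 0x06 and value == SHA256_OID and hasher is None:
            hasher = hashlib.sha256()     # chosen before any content byte arrives
        elif tag == 0x06 and value == DATA_OID:
            in_content = True
        elif tag == 0x04 and in_content:
            hasher.update(value)          # one chunk in memory at a time
        else:
            in_content = False            # first non-chunk primitive ends eContent
    return hasher.hexdigest()

if __name__ == "__main__":
    print(stream_digest(io.BytesIO(SAMPLE)))
```

The placeholder OCTET STRING in the trailing SET stands in for a signature value and is not hashed, because the INTEGER before it ends the content run.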
