diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-05-08 13:17:11 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-05-08 13:18:49 +0100 |
commit | 70ddf8ecca780cee6b636515ecb91262fc7d9e8f (patch) | |
tree | 445ad742d762a827ff26f0212305665ad0114dcc /crypto | |
parent | 9febee02720902c195fe929ecfe06362c551422c (diff) |
Return an error if no recipient type matches.
If the key type does not match any CMS recipient type return
an error instead of using a random key (MMA mitigation). This
does not leak any useful information to an attacker.
PR#3348
(cherry picked from commit 83a3182e0560f76548f4378325393461f6275493)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/cms/cms_smime.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 2be07c2099..a3f67df084 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -622,7 +622,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) STACK_OF(CMS_RecipientInfo) *ris; CMS_RecipientInfo *ri; int i, r; - int debug = 0; + int debug = 0, ri_match = 0; ris = CMS_get0_RecipientInfos(cms); if (ris) debug = cms->d.envelopedData->encryptedContentInfo->debug; @@ -631,6 +631,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) ri = sk_CMS_RecipientInfo_value(ris, i); if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS) continue; + ri_match = 1; /* If we have a cert try matching RecipientInfo * otherwise try them all. */ @@ -666,7 +667,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) } } /* If no cert and not debugging always return success */ - if (!cert && !debug) + if (ri_match && !cert && !debug) { ERR_clear_error(); return 1; |