On Tue, Jun 16, 2009, Carl Young wrote:

> ----- Original Message -----
> From: "Dr. Stephen Henson" <st...@openssl.org>
>
>> On Tue, Jun 16, 2009, carlyo...@keycomm.co.uk wrote:
>>
>>> Hi,
>>>
>>> I'm getting failures decrypting a CMS (KEK or KTRI) when using an engine
>>> (RSA bsafe).
>>>
>>> It appears that when the IV (from EVP_cipher_asn1_to_param) is set into the
>>> context, the engine is not handling this somehow.
>>>
>>> The second call to EVP_cipher_init_ex has a NULL IV pointer in
>>> CMS_EncryptedContent_init_bio(), and if I change this to pass in ctx->oiv
>>> temporarily then the decryption succeeds OK. So - I am guessing that the IV
>>> is not being passed to the engine somehow.
>>>
>>> Is this an OpenSSL issue or an issue with the engine?
>>>
>>> ctx->cipher->flags is set to 2 (EVP_CIPH_CBC_MODE). Should it have
>>> EVP_CIPH_CUSTOM_IV set somehow?
>>>
>>> Thanks for any guidance/advice.
>>>
>>
>> ENGINE issue, looks like it isn't handling the possible multiple calls to
>> EVP_CipherInit_ex() correctly. The default OpenSSL ciphers have no problems
>> with this.
>>
>
> Thank you Dr Henson.
>
> CMS_EncryptedContent_init_bio() calls EVP_CipherInit_ex() twice during the
> decrypt phase. In neither case does it pass the IV into EVP_CipherInit_ex().
>
> How would the engine be expected to pick up the IV, aside from the cipher
> context?
If you look at EVP_cipher_asn1_to_param() you'll see it calls get_asn1_parameters in the EVP_CIPHER structure. This is supposed to be set to whatever function the EVP_CIPHER would use to decode the ASN1 and set the IV and parameters (if any). The IV isn't passed into the context, the EVP_CIPHER should decode it and pass it into itself in whatever way is appropriate.

Some implementations don't bother to handle this case. This means they will work fine in SSL/TLS but will fail in ASN1 cases such as CMS.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
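The call order Carl describes (EVP_CipherInit_ex with no IV, EVP_CIPHER_asn1_to_param, then EVP_CipherInit_ex again with a NULL IV) is easiest to reason about with a small model. The following self-contained C program is an added illustration, not code from the thread or from OpenSSL: `model_ctx`, `model_cipher_init`, `model_get_asn1_iv` and the two "engine styles" are simplified stand-ins for EVP_CIPHER_CTX (`oiv`/`iv`), the CBC branch of EVP_CipherInit_ex, and an EVP_CIPHER_get_asn1_iv-style `get_asn1_parameters` callback. The DER parameter bytes are constructed sample data. It shows the difference between a cipher that picks its IV up from the context (where the ASN.1 decoder put it) and one that only trusts the `iv` argument of its init hook, which is NULL on both calls in the CMS decrypt path.

```c
/* Added model of the EVP_CipherInit_ex / get_asn1_parameters interaction.
 * Not OpenSSL code; field and function names imitate the 1.0.x-era API
 * (ctx->oiv, ctx->iv, EVP_CIPHER_get_asn1_iv) only to make the flow clear. */
#include <stdio.h>
#include <string.h>

#define IV_LEN 16

/* Stand-in for EVP_CIPHER_CTX with only the fields that matter here. */
typedef struct {
    unsigned char oiv[IV_LEN];       /* original IV, as in EVP_CIPHER_CTX */
    unsigned char iv[IV_LEN];        /* working IV the cipher uses */
    unsigned char engine_iv[IV_LEN]; /* what a hypothetical engine cached */
    int engine_style;                /* assumption for illustration */
} model_ctx;

enum { ENGINE_USES_CTX_IV = 0, ENGINE_USES_INIT_ARG = 1 };

/* Engine-side init hook (EVP_CIPHER.init).  The iv argument is whatever the
 * caller of EVP_CipherInit_ex passed, i.e. NULL in the CMS decrypt path. */
static void engine_init(model_ctx *ctx, const unsigned char *iv)
{
    if (ctx->engine_style == ENGINE_USES_INIT_ARG) {
        /* Fragile pattern: only the init argument is consulted. */
        if (iv) memcpy(ctx->engine_iv, iv, IV_LEN);
        else    memset(ctx->engine_iv, 0, IV_LEN);
    } else {
        /* Pattern of OpenSSL's built-in CBC ciphers: the IV is read from
         * ctx->iv, whether it arrived via init or via the ASN.1 decoder. */
        memcpy(ctx->engine_iv, ctx->iv, IV_LEN);
    }
}

/* Models the CBC branch of EVP_CipherInit_ex: a NULL iv leaves oiv alone,
 * iv is always re-derived from oiv, then the cipher's init hook runs with
 * the caller's (possibly NULL) pointer. */
static void model_cipher_init(model_ctx *ctx, const unsigned char *iv)
{
    if (iv) memcpy(ctx->oiv, iv, IV_LEN);
    memcpy(ctx->iv, ctx->oiv, IV_LEN);
    engine_init(ctx, iv);
}

/* Models an EVP_CIPHER_get_asn1_iv-style get_asn1_parameters: the CBC
 * AlgorithmIdentifier parameters are a DER OCTET STRING holding the IV.
 * Returns the IV length, or -1 if the encoding or length is wrong. */
static int model_get_asn1_iv(model_ctx *ctx, const unsigned char *der, size_t der_len)
{
    if (der_len != 2 + (size_t)IV_LEN || der[0] != 0x04 || der[1] != IV_LEN)
        return -1;                       /* not a 16-byte OCTET STRING */
    memcpy(ctx->oiv, der + 2, IV_LEN);
    memcpy(ctx->iv, ctx->oiv, IV_LEN);   /* decoder stores IV in the context */
    return IV_LEN;
}

/* Replays the decrypt-side order of CMS_EncryptedContent_init_bio():
 * init with no IV, decode parameters, init again with a NULL IV.
 * Returns 1 if the engine ends up using the IV from the CMS parameters,
 * 0 if it lost it, -1 if the parameters failed to decode. */
int cms_decrypt_iv_survives(int engine_style)
{
    /* Constructed sample: DER OCTET STRING wrapping a 16-byte IV. */
    static const unsigned char params[2 + IV_LEN] = {
        0x04, 0x10, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
    };
    model_ctx ctx;
    memset(&ctx, 0, sizeof(ctx));
    ctx.engine_style = engine_style;

    model_cipher_init(&ctx, NULL);                      /* 1st EVP_CipherInit_ex */
    if (model_get_asn1_iv(&ctx, params, sizeof(params)) != IV_LEN)
        return -1;                                      /* EVP_CIPHER_asn1_to_param */
    model_cipher_init(&ctx, NULL);                      /* 2nd EVP_CipherInit_ex */

    return memcmp(ctx.engine_iv, params + 2, IV_LEN) == 0;
}

/* A parameter block with the wrong IV length must be rejected, not copied. */
int bad_params_rejected(void)
{
    static const unsigned char short_iv[] = { 0x04, 0x08, 1, 2, 3, 4, 5, 6, 7, 8 };
    model_ctx ctx;
    memset(&ctx, 0, sizeof(ctx));
    return model_get_asn1_iv(&ctx, short_iv, sizeof(short_iv)) == -1;
}

int main(void)
{
    printf("engine reads ctx->iv : %s\n",
           cms_decrypt_iv_survives(ENGINE_USES_CTX_IV) == 1 ? "IV ok" : "IV lost");
    printf("engine reads init arg: %s\n",
           cms_decrypt_iv_survives(ENGINE_USES_INIT_ARG) == 1 ? "IV ok" : "IV lost");
    return 0;
}
```

The point the model makes is the one Steve states: nothing in the CMS path hands the IV to EVP_CipherInit_ex, so a cipher whose init hook is the only place it ever reads an IV sees NULL twice and ends up with a zero (or stale) IV. A cipher that implements `get_asn1_parameters` so that it stores the decoded IV where its cipher routine looks for it survives the second, IV-less init, and TLS never exercises this path because there the IV is always supplied to the init call.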