The bug was that to support CMS a cipher needs to be able to handle the ASN.1
associated with the cipher and (AFAIK) no standard exists for RC4. The decrypt
code checked to see if ASN.1 handling was supported and threw the error because
it was not. The encrypt side only tried to use ASN.1 if the
My apologies - it appears that the patch was screwed up on my system. When
I just replaced the EVP_CIPHER_asn1_to_param() with your new code, the
tests passed OK.
. . . . . .
../test/recipes/70-test_verify_extra.t ok
../test/recipes/80-test_ca.t .. ok
On 3/15/16, 15:29, "openssl-dev on behalf of Viktor Dukhovni"
wrote:
>These days, most people recommend encrypt then sign. CMS and S/MIME
>natively support sign-then-encrypt, but encapsulating encrypted
>content as signed
On Tue, Mar 15, 2016 at 07:29:04PM +, Viktor Dukhovni wrote:
> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key
> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key
The underlying test commands amount to:
$ cd test
$ openssl cms
On Tue, Mar 15, 2016 at 07:09:36PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> First of all - thank you! It is great to see useful capabilities added (I
> consider stream ciphers and AEAD modes very useful :). I fully agree that
> unsigned CMS is an invitation to trouble. If I understand
First of all - thank you! It is great to see useful capabilities added (I
consider stream ciphers and AEAD modes very useful :). I fully agree that
unsigned CMS is an invitation to trouble. If I understand correctly, the
intended openssl use is “openssl cms -encrypt … | openssl cms -sign …” (or
On Tue, Mar 15, 2016 at 06:33:32AM +, Viktor Dukhovni wrote:
> This is completely untested, may not even compile! Enjoy.
It does seem to work, so one key remaining question is whether it
is interoperable:
$ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf -new
-x509
On Mon, Mar 14, 2016 at 10:34:17PM +, Dr. Stephen Henson wrote:
> > Is there any reason why stream ciphers are not supported with CMS?
>
> Well one reason is that I'm not aware of any standard which defines how to use
> stream ciphers with CMS.
>
> OpenSSL should really reject these with an
On Mon, Mar 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
> On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni"
>
> wrote:
>
> >On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT
> >wrote:
>
On Mon, Mar 14, 2016 at 3:24 PM, Blumenthal, Uri - 0553 - MITLL
wrote:
> In that bug description I see a reference to code in “enc.c” that aborts
> if the cipher is AEAD or XTS (and an offer to submit PR that hasn’t
> materialized so far).
>
> Would you be able to elaborate why
On Mon, Mar 14, 2016 at 07:03:04PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> >IIRC RC4 (more generally all stream ciphers) are not supported with
> >CMS, and the bug is that OpenSSL allowed you to use RC4, not that
> >the result failed to decrypt.
>
> Is there any reason why stream ciphers
> Would you be able to elaborate why those checks that forbid AEAD were put
> in?
Because it doesn't work. I don't know the details why; probably around setting
the IV or such. But before that the program would just crash.
--
openssl-dev mailing list
To unsubscribe:
In that bug description I see a reference to code in “enc.c” that aborts
if the cipher is AEAD or XTS (and an offer to submit PR that hasn’t
materialized so far).
Would you be able to elaborate why those checks that forbid AEAD were put
in?
--
Regards,
Uri Blumenthal
On 3/14/16, 15:09,
> Is there any reason why stream ciphers are not supported with CMS?
Go ask CMS folks? :)
> Along the same line, is there any reason why AE(AD) ciphers are not
> supported with “openssl enc”?
A known bug. https://rt.openssl.org/Ticket/Display.html?id=4228 user guess /
pass guest if needed.
On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni"
wrote:
>On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT
>wrote:
>> I had written a message about this issue to openssl-users, but received
On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT wrote:
> I had written a message about this issue to openssl-users, but received
> no reaction.
IIRC RC4 (more generally all stream ciphers) are not supported with
CMS, and the bug is that OpenSSL allowed you to use RC4, not
> Otherwise it would not have been possible to encrypt with RC4 with "openssl
> cms -rc4 -encrypt", would it?
It wasn't clear that it was the same version of openssl :)
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429
Please log in as guest with password guest if prompted
--
On 14.03.2016 at 18:48, Salz, Rich via RT wrote:
> Did you enable RC4 when you built openssl?
Yes, more specifically I did not disable it.
Otherwise it would not have been possible to encrypt with RC4 with
"openssl cms -rc4 -encrypt", would it?
--
Ticket here:
Did you enable RC4 when you built openssl?
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
I had written a message about this issue to openssl-users, but received
no reaction.
As OpenSSL cannot decrypt data encrypted by itself, this looks like a
defect. It is also not possible to decrypt RC4-encrypted CMS objects
created by third-party software.
This was reproduced with the current