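--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -644,13 +644,6 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
 if (!ossl_cms_env_asn1_ctrl(ri, 1))
 goto err;
 
- if (EVP_PKEY_is_a(pkey, "RSA"))
- /* upper layer CMS code incorrectly assumes that a successful RSA
- * decryption means that the key matches ciphertext (which never
- * was the case, implicit rejection or not), so to make it work
- * disable implicit rejection for RSA keys */
- EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0");
-
 if (evp_pkey_decrypt_alloc(ktri->pctx, &ek, &eklen, fixlen,
 ktri->encryptedKey->data,
 ktri->encryptedKey->length)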
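Review bot: With the implicit-rejection override removed, a successful return from `evp_pkey_decrypt_alloc()` on the line following the deleted block no longer indicates that `pkey` matches the ciphertext for an RSA PKCS#1 v1.5 recipient, and the deleted comment was the only place in this function recording that the upper-layer recipient selection relies on a failure here; nothing in the new code replaces it. I would add above the call: `/* Under RSA PKCS#1 v1.5 implicit rejection a non-matching key yields a deterministic synthetic key rather than an error, so success here does not identify the right RecipientInfo. */`. The same applies to the pkcs7_decrypt_rinfo hunk in crypto/pkcs7/pk7_doit.c. The PKCS7_decrypt.pod hunk documents the resulting wrong-recipient/garbage-content case, whereas the CMS_decrypt.pod hunk only adds a cross-reference, so the equivalent paragraph appears to be missing for CMS_decrypt(). cms_RecipientInfo_ktri_decrypt() begins and ends outside the hunk.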
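--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -197,13 +197,6 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
 if (EVP_PKEY_decrypt_init(pctx) <= 0)
 goto err;
 
- if (EVP_PKEY_is_a(pkey, "RSA"))
- /* upper layer pkcs7 code incorrectly assumes that a successful RSA
- * decryption means that the key matches ciphertext (which never
- * was the case, implicit rejection or not), so to make it work
- * disable implicit rejection for RSA keys */
- EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0");
-
 ret = evp_pkey_decrypt_alloc(pctx, &ek, &eklen, fixlen,
 ri->enc_key->data, ri->enc_key->length);
 if (ret <= 0)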
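--- a/doc/man3/CMS_decrypt.pod
+++ b/doc/man3/CMS_decrypt.pod
@@ -68,7 +68,7 @@ then the above behaviour is modified and an error B<is> returned if no
 recipient encrypted key can be decrypted B<without> generating a random
 content encryption key. Applications should use this flag with
 B<extreme caution> especially in automated gateways as it can leave them
-open to attack.
+open to attack. See L<EVP_PKEY_decrypt(3)> for more details.
 
 It is possible to determine the correct recipient key by other means (for
 example looking them up in a database) and setting them in the CMS structure
@@ -103,7 +103,7 @@ mentioned in CMS_verify() also applies to CMS_decrypt().
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)>, L<CMS_encrypt(3)>
+L<ERR_get_error(3)>, L<CMS_encrypt(3)>, L<EVP_PKEY_decrypt(3)>
 
 =head1 HISTORY
 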
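--- a/doc/man3/PKCS7_decrypt.pod
+++ b/doc/man3/PKCS7_decrypt.pod
@@ -22,6 +22,14 @@ B<flags> is an optional set of flags.
 Although the recipients certificate is not needed to decrypt the data it is needed
 to locate the appropriate (of possible several) recipients in the PKCS#7 structure.
 
+When RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt()
+will use implicit rejection mechanism. It always returns the result of RSA
+decryption of the symmetric key to avoid Marvin attack. This result is
+deterministic and can happen to match the symmetric cipher used for the content
+encryption. In case when the certificate is not provided, the last
+RecipientInfo producing the key looking valid will be used. It may cause
+getting garbage content on decryption.
+
 The following flags can be passed in the B<flags> parameter.
 
 If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are deleted
@@ -40,7 +48,7 @@ be better if it could look up the correct key and certificate from a database.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)>, L<PKCS7_encrypt(3)>
+L<ERR_get_error(3)>, L<PKCS7_encrypt(3)>, L<EVP_PKEY_decrypt(3)>
 
 =head1 COPYRIGHT
 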