Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
My apologies - it appears that the patch was screwed up on my system. When I just replaced the EVP_CIPHER_asn1_to_param() with your new code, the tests passed OK.

. . . . . . .
../test/recipes/70-test_verify_extra.t ok
../test/recipes/80-test_ca.t .. ok
../test/recipes/80-test_cms.t . ok
../test/recipes/80-test_ct.t .. ok
../test/recipes/80-test_dane.t ok
../test/recipes/80-test_dtlsv1listen.t ok
../test/recipes/80-test_ocsp.t ok
../test/recipes/80-test_ssl.t . ok
../test/recipes/80-test_tsa.t . ok
../test/recipes/90-test_async.t ... ok
../test/recipes/90-test_constant_time.t ... ok
../test/recipes/90-test_gmdiff.t .. ok
../test/recipes/90-test_heartbeat.t ... skipped: heartbeats is not supported by this OpenSSL build
../test/recipes/90-test_ige.t . ok
../test/recipes/90-test_memleak.t . ok
../test/recipes/90-test_networking.t .. ok
../test/recipes/90-test_np.t .. ok
../test/recipes/90-test_p5_crpt2.t ok
../test/recipes/90-test_secmem.t .. ok
../test/recipes/90-test_srp.t . ok
../test/recipes/90-test_threads.t . ok
../test/recipes/90-test_v3name.t .. ok
All tests successful.
Files=71, Tests=394, 53 wallclock secs ( 0.51 usr 0.17 sys + 32.96 cusr 15.10 csys = 48.74 CPU)
Result: PASS
$

--
Regards,
Uri Blumenthal

On 3/15/16, 15:54 , "openssl-dev on behalf of Viktor Dukhovni" wrote:

>On Tue, Mar 15, 2016 at 07:29:04PM +, Viktor Dukhovni wrote:
>
>> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key
>> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key
>
>The underlying test commands amount to:
>
>    $ cd test
>    $ openssl cms -EncryptedData_encrypt -in smcont.txt -outform PEM -rc2 -secretkey 000102030405060708090A0B0C0D0E0F -stream -out test.cms
>    $ openssl cms -EncryptedData_decrypt -in test.cms -inform PEM -secretkey 000102030405060708090A0B0C0D0E0F -out smtst.txt
>
>For me these succeed and result in smtst.txt identical to smcont.txt.
>
>--
>    Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On 3/15/16, 15:29 , "openssl-dev on behalf of Viktor Dukhovni" wrote:

>These days, most people recommend encrypt then sign. CMS and S/MIME
>natively support sign-then-encrypt, but encapsulating encrypted
>content as signed content as above also works.

Please excuse my ignorance - how do you invoke “openssl cms” to accomplish native “sign-then-encrypt” (which in some cases is still OK)?

>>The only problem - now I have one test failing:
>>
>> ../test/recipes/80-test_ca.t .. ok
>> ../test/recipes/80-test_cms.t . 2/4
>
>The CMS tests pass when I run them:
>
>$ HARNESS_VERBOSE=yes make TESTS=test_cms test
>( cd test; SRCTOP=../. BLDTOP=../. EXE_EXT= /usr/pkg/bin/perl .././test/run_tests.pl test_cms )
>../test/recipes/80-test_cms.t ..

Alas, for some reason it does not work here:

../test/recipes/80-test_ca.t .. ok
../test/recipes/80-test_cms.t .
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients'
# at ../test/recipes/80-test_cms.t line 376.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used'
# at ../test/recipes/80-test_cms.t line 376.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used'
# at ../test/recipes/80-test_cms.t line 376.
# Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients'
# at ../test/recipes/80-test_cms.t line 376.
# Looks like you failed 4 tests of 15.
../test/recipes/80-test_cms.t . 1/4
# Failed test 'CMS => PKCS#7 compatibility tests
# '
# at ../test/recipes/80-test_cms.t line 381.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients'
# at ../test/recipes/80-test_cms.t line 391.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used'
# at ../test/recipes/80-test_cms.t line 391.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used'
# at ../test/recipes/80-test_cms.t line 391.
# Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients'
# at ../test/recipes/80-test_cms.t line 391.
# Looks like you failed 4 tests of 15.
../test/recipes/80-test_cms.t . 2/4
# Failed test 'CMS <= PKCS#7 compatibility tests
# '
# at ../test/recipes/80-test_cms.t line 396.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients'
# at ../test/recipes/80-test_cms.t line 407.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used'
# at ../test/recipes/80-test_cms.t line 407.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used'
# at ../test/recipes/80-test_cms.t line 407.
# Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients'
# at ../test/recipes/80-test_cms.t line 407.
# Failed test 'enveloped content test streaming S/MIME format, 3 recipients, keyid'
# at ../test/recipes/80-test_cms.t line 418.
# Failed test 'enveloped content test streaming PEM format, KEK'
# at ../test/recipes/80-test_cms.t line 418.
# Failed test 'enveloped content test streaming PEM format, KEK, key only'
# at ../test/recipes/80-test_cms.t line 418.
# Failed test 'encrypted content test streaming PEM format, 128 bit RC2 key'
# at ../test/recipes/80-test_cms.t line 418.
# Failed test 'encrypted content test streaming PEM format, 40 bit RC2 key'
# at ../test/recipes/80-test_cms.t line 418.
# Failed test 'encrypted content test streaming PEM format, triple DES key'
# at ../test/recipes/80-test_cms.t line 418.
# Failed test 'encrypted content test streaming PEM format, 128 bit AES key'
# at ../test/recipes/80-test_cms.t line 418.
# Looks like you failed 11 tests of 27.
../test/recipes/80-test_cms.t . 3/4
# Failed test 'CMS <=> CMS consistency tests
# '
# at ../test/recipes/80-test_cms.t line 423.
# Failed test 'enveloped content test streaming S/MIME format, OAEP default parameters'
# at ../test/recipes/80-test_cms.t line 435.
# Failed test 'enveloped content test streaming S/MIME format, OAEP SHA256'
# at ../test/recipes/80-test_cms.t line 435.
# Failed test 'enveloped content test streaming S/MIME format, ECDH'
# at ../test/recipes/80-test_cms.t line 435.
# Failed test 'enveloped content test streaming S/MIME format, ECDH, key identifier'
# at ../test/recipes/80-test_cms.t line 435.
# Failed test 'enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF'
# at
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On Tue, Mar 15, 2016 at 07:29:04PM +, Viktor Dukhovni wrote:

> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key
> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key

The underlying test commands amount to:

    $ cd test
    $ openssl cms -EncryptedData_encrypt -in smcont.txt -outform PEM -rc2 -secretkey 000102030405060708090A0B0C0D0E0F -stream -out test.cms
    $ openssl cms -EncryptedData_decrypt -in test.cms -inform PEM -secretkey 000102030405060708090A0B0C0D0E0F -out smtst.txt

For me these succeed and result in smtst.txt identical to smcont.txt.

--
    Viktor.
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On Tue, Mar 15, 2016 at 07:09:36PM +, Blumenthal, Uri - 0553 - MITLL wrote:

> First of all - thank you! It is great to see useful capabilities added (I
> consider stream ciphers and AEAD modes very useful :). I fully agree that
> unsigned CMS is an invitation to trouble. If I understand correctly, the
> intended openssl use is “openssl cms -encrypt … | openssl cms -sign …” (or
> the other way around :).

These days, most people recommend encrypt then sign. CMS and S/MIME natively support sign-then-encrypt, but encapsulating encrypted content as signed content as above also works.

> The only problem - now I have one test failing:
>
> ../test/recipes/80-test_ca.t .. ok
> ../test/recipes/80-test_cms.t . 2/4

The CMS tests pass when I run them:

$ HARNESS_VERBOSE=yes make TESTS=test_cms test
( cd test; SRCTOP=../. BLDTOP=../. EXE_EXT= /usr/pkg/bin/perl .././test/run_tests.pl test_cms )
../test/recipes/80-test_cms.t ..
1..4
# Subtest: CMS => PKCS#7 compatibility tests
1..15
Verification successful
ok 1 - signed content DER format, RSA key
Verification successful
ok 2 - signed detached content DER format, RSA key
Verification successful
ok 3 - signed content test streaming BER format, RSA
Verification successful
ok 4 - signed content DER format, DSA key
Verification successful
ok 5 - signed detached content DER format, DSA key
Verification successful
ok 6 - signed detached content DER format, add RSA signer
Verification successful
ok 7 - signed content test streaming BER format, DSA key
Verification successful
ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys
Verification successful
ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes
Verification successful
ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys
Verification successful
ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys
ok 12 - enveloped content test streaming S/MIME format, 3 recipients
ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used
ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used
ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients
ok 1 - CMS => PKCS#7 compatibility tests
#
# Subtest: CMS <= PKCS#7 compatibility tests
1..15
Verification successful
ok 1 - signed content DER format, RSA key
Verification successful
ok 2 - signed detached content DER format, RSA key
Verification successful
ok 3 - signed content test streaming BER format, RSA
Verification successful
ok 4 - signed content DER format, DSA key
Verification successful
ok 5 - signed detached content DER format, DSA key
Verification successful
ok 6 - signed detached content DER format, add RSA signer
Verification successful
ok 7 - signed content test streaming BER format, DSA key
Verification successful
ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys
Verification successful
ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes
Verification successful
ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys
Verification successful
ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys
ok 12 - enveloped content test streaming S/MIME format, 3 recipients
ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used
ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used
ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients
ok 2 - CMS <= PKCS#7 compatibility tests
#
# Subtest: CMS <=> CMS consistency tests
1..27
Verification successful
ok 1 - signed content DER format, RSA key
Verification successful
ok 2 - signed detached content DER format, RSA key
Verification successful
ok 3 - signed content test streaming BER format, RSA
Verification successful
ok 4 - signed content DER format, DSA key
Verification successful
ok 5 - signed detached content DER format, DSA key
Verification successful
ok 6 - signed detached content DER format, add RSA signer
Verification successful
ok 7 - signed content test streaming BER format, DSA key
Verification successful
ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys
Verification successful
ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes
Verification successful
ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys
Verification successful
ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys
ok 12 - enveloped content test streaming S/MIME format, 3 recipients
ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used
ok
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
First of all - thank you! It is great to see useful capabilities added (I consider stream ciphers and AEAD modes very useful :). I fully agree that unsigned CMS is an invitation to trouble. If I understand correctly, the intended openssl use is “openssl cms -encrypt … | openssl cms -sign …” (or the other way around :).

$ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf -new -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 100 -subj "/CN=RC4 CMS Test"
Generating a 2048 bit RSA private key
..+++
.+++
writing new private key to 'key.pem'
-
$ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial
serial=B83C7468CCE8930E
$ echo sesame > data.txt
$ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in data.txt -out data.txt.cms -outform DER cert.pem
$ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms -inform DER -out data2.txt -inkey key.pem -recip cert.pem
$ diff -u data.txt data2.txt
$ openssl asn1parse -inform DER -in data.txt.cms
    0:d=0 hl=4 l= 380 cons: SEQUENCE
    4:d=1 hl=2 l=   9 prim: OBJECT :pkcs7-envelopedData
   15:d=1 hl=4 l= 365 cons: cont [ 0 ]
. . . . . . .
   90:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:362DC32CD6520D3765255D9549BEC058766499C0581430E84929419730B08C31C6E78
D22CB8D8C026EEB75203D19148C97F8F73C7066D158E6E85FEA41972B50EB245ACB15C23209
7DD3046901882B95C9AD102F8E34E0E049B4A374F1EF61C48E1F90F95A3F8E2306161AF0882
99F7A4949D706FBF6A92DB8BB5DF293E1B3BA135BAA8E63FE94C0BBD7A29D31AD28E9137D66
41CF7490257BEE23161A478B6FCBDEE05B1578592272335713196C3F26139A41B76A3EA1371
FA875A4DD09C150D4674AF7A399F886A09D245EE1A81AEC8A96B4647C712D366A0FBC7964FE
C6EF69A076CB58A81ED8DBD466FAA1E9CD072C8242B5D68F3CDB95C5CF04AFE71795
  350:d=3 hl=2 l=  32 cons: SEQUENCE
  352:d=4 hl=2 l=   9 prim: OBJECT :pkcs7-data
  363:d=4 hl=2 l=  10 cons: SEQUENCE
  365:d=5 hl=2 l=   8 prim: OBJECT :rc4
  375:d=4 hl=2 l=   7 prim: cont [ 0 ]
$

The only problem - now I have one test failing:

../test/recipes/80-test_ca.t .. ok
../test/recipes/80-test_cms.t . 2/4
# Failed test 'encrypted content test streaming PEM format, 128 bit RC2 key'
# at ../test/recipes/80-test_cms.t line 418.
# Failed test 'encrypted content test streaming PEM format, 40 bit RC2 key'
# at ../test/recipes/80-test_cms.t line 418.
# Looks like you failed 2 tests of 27.
../test/recipes/80-test_cms.t . 3/4
# Failed test 'CMS <=> CMS consistency tests
# '
# at ../test/recipes/80-test_cms.t line 423.
../test/recipes/80-test_cms.t . 4/4
# Looks like you failed 1 test of 4.
../test/recipes/80-test_cms.t . Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/4 subtests
../test/recipes/80-test_ct.t .. ok

I wonder how difficult it would be to add AEAD support, considering that they (usually) can take a 96-bit nonce (treated as IV), and the authentication tag often is just appended to the ciphertext (and expected at the end of the ciphertext during decryption).

--
Regards,
Uri Blumenthal

On 3/15/16, 3:47 , "openssl-dev on behalf of Viktor Dukhovni" wrote:

>On Tue, Mar 15, 2016 at 06:33:32AM +, Viktor Dukhovni wrote:
>
>> This is completely untested, may not even compile! Enjoy.
>
>It does seem to work, so one key remaining question is whether it
>is interoperable:
>
>$ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf
>-new -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days
>100 -subj "/CN=RC4 CMS Test"
>
>$ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial
>serial=ACD5DEDE758B9AA6
>$ echo sesame > data.txt
>$ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in
>data.txt -out data.txt.cms -outform DER cert.pem
>$ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms
>-inform DER -out data2.txt -inkey key.pem -recip cert.pem
>$ diff -u data.txt data2.txt
>
>$ openssl asn1parse -inform DER -in data.txt.cms
>    0:d=0 hl=4 l= 380 cons: SEQUENCE
>    4:d=1 hl=2 l=   9 prim: OBJECT :pkcs7-envelopedData
>   15:d=1 hl=4 l= 365 cons: cont [ 0 ]
>   19:d=2 hl=4 l= 361 cons: SEQUENCE
>   23:d=3 hl=2 l=   1 prim: INTEGER :00
>   26:d=3 hl=4 l= 320 cons: SET
>   30:d=4 hl=4 l= 316 cons: SEQUENCE
>   34:d=5 hl=2 l=   1 prim: INTEGER :00
>   37:d=5 hl=2 l=  36 cons: SEQUENCE
>   39:d=6 hl=2 l=  23 cons: SEQUENCE
>   41:d=7 hl=2 l=  21 cons: SET
>   43:d=8 hl=2 l=  19 cons: SEQUENCE
>   45:d=9 hl=2 l=   3 prim: OBJECT :commonName
>   50:d=9 hl=2 l=  12 prim: UTF8STRING :RC4 CMS Test
>   64:d=6 hl=2 l=   9 prim: INTEGER :ACD5DEDE758B9AA6
>   75:d=5 hl=2 l=  13
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On Tue, Mar 15, 2016 at 06:33:32AM +, Viktor Dukhovni wrote:

> This is completely untested, may not even compile! Enjoy.

It does seem to work, so one key remaining question is whether it is interoperable:

$ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf -new -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 100 -subj "/CN=RC4 CMS Test"
$ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial
serial=ACD5DEDE758B9AA6
$ echo sesame > data.txt
$ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in data.txt -out data.txt.cms -outform DER cert.pem
$ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms -inform DER -out data2.txt -inkey key.pem -recip cert.pem
$ diff -u data.txt data2.txt
$ openssl asn1parse -inform DER -in data.txt.cms
    0:d=0 hl=4 l= 380 cons: SEQUENCE
    4:d=1 hl=2 l=   9 prim: OBJECT :pkcs7-envelopedData
   15:d=1 hl=4 l= 365 cons: cont [ 0 ]
   19:d=2 hl=4 l= 361 cons: SEQUENCE
   23:d=3 hl=2 l=   1 prim: INTEGER :00
   26:d=3 hl=4 l= 320 cons: SET
   30:d=4 hl=4 l= 316 cons: SEQUENCE
   34:d=5 hl=2 l=   1 prim: INTEGER :00
   37:d=5 hl=2 l=  36 cons: SEQUENCE
   39:d=6 hl=2 l=  23 cons: SEQUENCE
   41:d=7 hl=2 l=  21 cons: SET
   43:d=8 hl=2 l=  19 cons: SEQUENCE
   45:d=9 hl=2 l=   3 prim: OBJECT :commonName
   50:d=9 hl=2 l=  12 prim: UTF8STRING :RC4 CMS Test
   64:d=6 hl=2 l=   9 prim: INTEGER :ACD5DEDE758B9AA6
   75:d=5 hl=2 l=  13 cons: SEQUENCE
   77:d=6 hl=2 l=   9 prim: OBJECT :rsaEncryption
   88:d=6 hl=2 l=   0 prim: NULL
   90:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:...
  350:d=3 hl=2 l=  32 cons: SEQUENCE
  352:d=4 hl=2 l=   9 prim: OBJECT :pkcs7-data
  363:d=4 hl=2 l=  10 cons: SEQUENCE
  365:d=5 hl=2 l=   8 prim: OBJECT :rc4
  375:d=4 hl=2 l=   7 prim: cont [ 0 ]
$ tail -c8 data.txt.cms | od -tx1
000 07 c3 e2 69 a0 ab 3b ec
010

That said, stream ciphers with unsigned CMS are especially unsafe. Since the payload has no MAC or padding of any kind, it is trivial to XOR any desired mask into the received plaintext:

$ < data.txt.cms perl -e '
    # "0" stands in for the DER length byte that precedes the 7 content bytes
    ($a, $b) = map { unpack("Q", "0$_\n") } qw(sesame unsafe);
    $/ = undef; $cms = <STDIN>;
    substr($cms, -8) = pack("Q", unpack("Q", substr($cms, -8)) ^ $a ^ $b);
    print $cms' > data.txt.cms2
$ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms2 -inform DER -out data3.txt -inkey key.pem -recip cert.pem
$ cat data3.txt
unsafe

In the above example, a ciphertext-only transformation changes 'sesame' to 'unsafe'. That, plus RC4's biases, make it unwise in this context. At the very least the CMS message MUST be signed, and the first 256 bytes should not contain sensitive and yet frequently transmitted content. Don't let your children play with RC4 in CMS.

Of course, unsigned CMS payloads are also vulnerable to silent corruption even with block ciphers in CBC mode, XOR of a mask into a ciphertext block randomizes the plaintext of that block, but makes a predictable change in the plaintext of the next block. So, don't expect data integrity from unsigned CMS.

--
    Viktor.
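The malleability shown above, together with the integrity check the message says a CMS payload must carry, as an added example that is not code from the thread or from OpenSSL: RC4 is implemented inline so it runs offline, the keys and the 'sesame' message are constructed, and an HMAC over the ciphertext stands in for the CMS signature.

```python
# Added example (not from the thread or OpenSSL): a stream-cipher payload with
# no signature/MAC has no integrity, and a tag over the ciphertext restores it.
# RC4 is implemented inline; keys and message are constructed for the demo.
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 key scheduling + PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is plaintext XOR keystream, so one call both encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def xor_mask(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR (old ^ new) into the ciphertext at `offset`, needing no key.

    The keystream is unchanged, so the recipient decrypts `new` where `old`
    used to be: the same ciphertext-only edit the perl one-liner above makes
    on the last bytes of the DER file.
    """
    if len(old) != len(new) or offset + len(old) > len(ciphertext):
        raise ValueError("mask must be the same length and fit in the ciphertext")
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def integrity_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Tag over the ciphertext; stand-in for a CMS signature over the message."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def decrypt_checked(key: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes):
    """Decrypt only if the tag verifies; return None on any modification."""
    if not hmac.compare_digest(integrity_tag(mac_key, ciphertext), tag):
        return None
    return rc4_crypt(key, ciphertext)


# Constructed demo inputs (the 'sesame' -> 'unsafe' edit from the thread).
CONTENT_KEY = b"constructed-demo-content-key"
MAC_KEY = b"constructed-demo-mac-key"
PLAINTEXT = b"sesame\n"


def demo() -> dict:
    ct = rc4_crypt(CONTENT_KEY, PLAINTEXT)
    tag = integrity_tag(MAC_KEY, ct)
    forged = xor_mask(ct, 0, b"sesame", b"unsafe")
    return {
        # Unsigned: the edit goes through and decrypts to a different message.
        "unsigned_forged": rc4_crypt(CONTENT_KEY, forged),
        # With a tag: the genuine ciphertext still decrypts ...
        "checked_original": decrypt_checked(CONTENT_KEY, MAC_KEY, ct, tag),
        # ... and the edited one is rejected before any plaintext is released.
        "checked_forged": decrypt_checked(CONTENT_KEY, MAC_KEY, forged, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```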
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On Mon, Mar 14, 2016 at 10:34:17PM +, Dr. Stephen Henson wrote:

> > Is there any reason why stream ciphers are not supported with CMS?
>
> Well one reason is that I'm not aware of any standard which defines how to use
> stream ciphers with CMS.
>
> OpenSSL should really reject these with an appropriate error.

Mind you, it seems that e.g. BouncyCastle supports CMS EnvelopedData with RC4 (1.2.840.113549.3.4) as the AlgorithmIdentifier, and that OpenSSL likely produces a compatible encoding (RC4 OID and no parameters). In which case it may suffice to handle absent parameters for ciphers that don't need any, and RC4 might then "just work".

In crypto/cms/cms_enc.c we have:

    unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
    ...
    if (enc) {
        int ivlen;
        calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx));
        /* Generate a random IV if we need one */
        ivlen = EVP_CIPHER_CTX_iv_length(ctx);
        if (ivlen > 0) {
            if (RAND_bytes(iv, ivlen) <= 0)
                goto err;
            piv = iv;
        }
    } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) {
        CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
               CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
        goto err;
    }
    ...
    if (piv) {
        calg->parameter = ASN1_TYPE_new();
        if (calg->parameter == NULL) {
            CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) {
            CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
                   CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
            goto err;
        }
    }

which omits encoding parameters for ciphers with ivlen <= 0 when encrypting (e.g. with RC4), but the first "else" clause insists on valid parameters when decrypting. So stream cipher support basically boils down to what makes for valid parameters in EVP_CIPHER_asn1_param(). To that end, the below patch might make RC4 "work" (in master). The semantic diff is quite small: just return 1 when type == NULL and we have a stream cipher with no get_asn1_parameters method. The patch is larger because I took the opportunity to reorganize the code a bit:

    int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
    {
        if (c->cipher->get_asn1_parameters != NULL)
            return c->cipher->get_asn1_parameters(c, type);

        if (!(c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)) {
            if (type == NULL && EVP_CIPHER_CTX_mode(c) == EVP_CIPH_STREAM_CIPHER)
                return 1;
            return -1;
        }

        switch (EVP_CIPHER_CTX_mode(c)) {
        default:
            return EVP_CIPHER_get_asn1_iv(c, type);

        case EVP_CIPH_WRAP_MODE:
            return 1;

        case EVP_CIPH_GCM_MODE:
        case EVP_CIPH_CCM_MODE:
        case EVP_CIPH_XTS_MODE:
        case EVP_CIPH_OCB_MODE:
            return -1;
        }
    }

This is completely untested, may not even compile! Enjoy.

--
    Viktor.

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index bc24d5a..8957de2 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -93,31 +93,29 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type) { -int ret; - if (c->cipher->get_asn1_parameters != NULL) -ret = c->cipher->get_asn1_parameters(c, type); -else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) { -switch (EVP_CIPHER_CTX_mode(c)) { +return c->cipher->get_asn1_parameters(c, type); -case EVP_CIPH_WRAP_MODE: -ret = 1; -break; +if (!(c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)) { +if (type == NULL && +EVP_CIPHER_CTX_mode(c) == EVP_CIPH_STREAM_CIPHER) +return 1; +return -1; +} -case EVP_CIPH_GCM_MODE: -case EVP_CIPH_CCM_MODE: -case EVP_CIPH_XTS_MODE: -case EVP_CIPH_OCB_MODE: -ret = -1; -break; +switch (EVP_CIPHER_CTX_mode(c)) { +default: +return EVP_CIPHER_get_asn1_iv(c, type); -default: -ret = EVP_CIPHER_get_asn1_iv(c, type); -break; -} -} else -ret = -1; -return (ret); +case EVP_CIPH_WRAP_MODE: +return 1; + +case EVP_CIPH_GCM_MODE: +case EVP_CIPH_CCM_MODE: +case EVP_CIPH_XTS_MODE: +case EVP_CIPH_OCB_MODE: +return -1; +} } int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type) -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
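Review bot: the stream-cipher relaxation in the new `if (!(c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1))` block only fires for `type == NULL`, i.e. an AlgorithmIdentifier whose parameters are absent, which matches the "RC4 OID and no parameters" encoding described in the message but still returns -1 for a peer that encodes an explicit ASN.1 NULL parameter; consider `if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_STREAM_CIPHER && (type == NULL || type->type == V_ASN1_NULL)) return 1;` so both encodings decrypt, and pair the change with a CMS test that decrypts an rc4 EnvelopedData rather than relying on the "completely untested" note. Minor: placing `default:` before the explicit `case` labels in the switch is legal but unusual and deserves a comment if it is deliberate.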
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On Mon, Mar 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote:

> On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni" wrote:
>
> >On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT
> >wrote:
> >> I had written a message about this issue to openssl-users, but received
> >> no reaction.
> >
> >IIRC RC4 (more generally all stream ciphers) are not supported with
> >CMS, and the bug is that OpenSSL allowed you to use RC4, not that
> >the result failed to decrypt.
>
> Is there any reason why stream ciphers are not supported with CMS?
>

Well one reason is that I'm not aware of any standard which defines how to use stream ciphers with CMS.

OpenSSL should really reject these with an appropriate error.

> Along the same line, is there any reason why AE(AD) ciphers are not
> supported with “openssl enc”?
>

They require additional handling such as setting parameters and how to handle the tag. That functionality is not currently present in the enc utility.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On Mon, Mar 14, 2016 at 3:24 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> In that bug description I see a reference to code in “enc.c” that aborts
> if the cipher is AEAD or XTS (and an offer to submit PR that hasn’t
> materialized so far).
>
> Would you be able to elaborate why those checks that forbid AEAD were put
> in?

Also see "v1.0.1g command line gcm error", https://groups.google.com/forum/#!topic/mailing.openssl.users/hGggWxfrZbA. It's a bit dated, but it's the first time I remember it being discussed in detail with a canonical answer from Dr. Henson.

Jeff
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On Mon, Mar 14, 2016 at 07:03:04PM +, Blumenthal, Uri - 0553 - MITLL wrote:

> >IIRC RC4 (more generally all stream ciphers) are not supported with
> >CMS, and the bug is that OpenSSL allowed you to use RC4, not that
> >the result failed to decrypt.
>
> Is there any reason why stream ciphers are not supported with CMS?

At least in part because code does not write itself, and support was never implemented. The main issue seems to be related to handling of "parameters", such as the IV for CBC ciphers. With RC4 there is no IV, nor any other parameters, but the CMS decoder expects parameters to be present. Would it work if the requirement were relaxed? Perhaps, but that requires someone to implement said change.

As for GCM/CCM ciphers with CMS that's described in https://tools.ietf.org/html/rfc5084 and someone would have to implement that.

--
    Viktor.
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
> Would you be able to elaborate why those checks that forbid AEAD were put
> in?

Because it doesn't work. I don't know the details why; probably around setting the IV or such. But before that the program would just crash.
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
In that bug description I see a reference to code in “enc.c” that aborts if the cipher is AEAD or XTS (and an offer to submit PR that hasn’t materialized so far).

Would you be able to elaborate why those checks that forbid AEAD were put in?

--
Regards,
Uri Blumenthal

On 3/14/16, 15:09, "openssl-dev on behalf of Salz, Rich" wrote:

>> Is there any reason why stream ciphers are not supported with CMS?
>
>Go ask CMS folks? :)
>
>> Along the same line, is there any reason why AE(AD) ciphers are not
>> supported with “openssl enc”?
>
>A known bug. https://rt.openssl.org/Ticket/Display.html?id=4228 user
>guess / pass guest if needed.
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
> Is there any reason why stream ciphers are not supported with CMS?

Go ask CMS folks? :)

> Along the same line, is there any reason why AE(AD) ciphers are not
> supported with “openssl enc”?

A known bug. https://rt.openssl.org/Ticket/Display.html?id=4228 user guess / pass guest if needed.
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni" wrote:

>On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT
>wrote:
>> I had written a message about this issue to openssl-users, but received
>> no reaction.
>
>IIRC RC4 (more generally all stream ciphers) are not supported with
>CMS, and the bug is that OpenSSL allowed you to use RC4, not that
>the result failed to decrypt.

Is there any reason why stream ciphers are not supported with CMS?

Along the same line, is there any reason why AE(AD) ciphers are not supported with “openssl enc”?
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT wrote:

> I had written a message about this issue to openssl-users, but received
> no reaction.

IIRC RC4 (more generally all stream ciphers) are not supported with CMS, and the bug is that OpenSSL allowed you to use RC4, not that the result failed to decrypt.

--
    Viktor.
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
> Otherwise it would not have been possible to encrypt with RC4 with "openssl
> cms -rc4 -encrypt", would it?

It wasn't clear that it was the same version of openssl :)

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429
Please log in as guest with password guest if prompted
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
On 14.03.2016 at 18:48, Salz, Rich via RT wrote:
> Did you enable RC4 when you built openssl?

Yes, more specifically I did not disable it. Otherwise it would not have been possible to encrypt with RC4 with "openssl cms -rc4 -encrypt", would it?
Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object
Did you enable RC4 when you built openssl?