Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-15 Thread Blumenthal, Uri - 0553 - MITLL
My apologies - it appears that the patch was screwed up on my system. When
I just replaced the EVP_CIPHER_asn1_to_param() with your new code, the
tests passed OK.

. . . . . . 
../test/recipes/70-test_verify_extra.t  ok
../test/recipes/80-test_ca.t .. ok
../test/recipes/80-test_cms.t . ok
../test/recipes/80-test_ct.t .. ok
../test/recipes/80-test_dane.t  ok
../test/recipes/80-test_dtlsv1listen.t  ok
../test/recipes/80-test_ocsp.t  ok
../test/recipes/80-test_ssl.t . ok
../test/recipes/80-test_tsa.t . ok
../test/recipes/90-test_async.t ... ok
../test/recipes/90-test_constant_time.t ... ok
../test/recipes/90-test_gmdiff.t .. ok
../test/recipes/90-test_heartbeat.t ... skipped: heartbeats is not
supported by this OpenSSL build
../test/recipes/90-test_ige.t . ok
../test/recipes/90-test_memleak.t . ok
../test/recipes/90-test_networking.t .. ok
../test/recipes/90-test_np.t .. ok
../test/recipes/90-test_p5_crpt2.t  ok
../test/recipes/90-test_secmem.t .. ok
../test/recipes/90-test_srp.t . ok
../test/recipes/90-test_threads.t . ok
../test/recipes/90-test_v3name.t .. ok
All tests successful.
Files=71, Tests=394, 53 wallclock secs ( 0.51 usr  0.17 sys + 32.96 cusr
15.10 csys = 48.74 CPU)
Result: PASS
$ 


-- 
Regards,
Uri Blumenthal

On 3/15/16, 15:54, "openssl-dev on behalf of Viktor Dukhovni" wrote:

>On Tue, Mar 15, 2016 at 07:29:04PM +, Viktor Dukhovni wrote:
>
>> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key
>> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key
>
>The underlying test commands amount to:
>
> $ cd test
> $ openssl cms -EncryptedData_encrypt -in smcont.txt -outform PEM -rc2
>-secretkey 000102030405060708090A0B0C0D0E0F -stream -out test.cms
> $ openssl cms -EncryptedData_decrypt -in test.cms -inform PEM -secretkey
>000102030405060708090A0B0C0D0E0F -out smtst.txt
>
>For me these succeed and result in smtst.txt identical to smcont.txt.
>
>-- 
>   Viktor.


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-15 Thread Blumenthal, Uri - 0553 - MITLL
On 3/15/16, 15:29, "openssl-dev on behalf of Viktor Dukhovni" wrote:

>These days, most people recommend encrypt then sign.  CMS and S/MIME
>natively support sign-then-encrypt, but encapsulating encrypted
>content as signed content as above also works.

Please excuse my ignorance - how do you invoke “openssl cms” to accomplish
native “sign-then-encrypt” (which in some cases is still OK)?


>>The only problem - now I have one test failing:
>> 
>> ../test/recipes/80-test_ca.t .. ok
>> ../test/recipes/80-test_cms.t . 2/4
>
>The CMS tests pass when I run them:
>
>$ HARNESS_VERBOSE=yes make TESTS=test_cms test
>( cd test;  SRCTOP=../.  BLDTOP=../.  EXE_EXT=  /usr/pkg/bin/perl
>.././test/run_tests.pl test_cms )
>../test/recipes/80-test_cms.t ..

Alas, for some reason does not work here:

../test/recipes/80-test_ca.t .. ok
../test/recipes/80-test_cms.t .
#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients'
#   at ../test/recipes/80-test_cms.t line 376.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients, 3rd used'
#   at ../test/recipes/80-test_cms.t line 376.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients, key only used'
#   at ../test/recipes/80-test_cms.t line 376.

#   Failed test 'enveloped content test streaming S/MIME format,
AES-256 cipher, 3 recipients'
#   at ../test/recipes/80-test_cms.t line 376.
# Looks like you failed 4 tests of 15.
../test/recipes/80-test_cms.t . 1/4
#   Failed test 'CMS => PKCS\#7 compatibility tests
# '
#   at ../test/recipes/80-test_cms.t line 381.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients'
#   at ../test/recipes/80-test_cms.t line 391.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients, 3rd used'
#   at ../test/recipes/80-test_cms.t line 391.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients, key only used'
#   at ../test/recipes/80-test_cms.t line 391.

#   Failed test 'enveloped content test streaming S/MIME format,
AES-256 cipher, 3 recipients'
#   at ../test/recipes/80-test_cms.t line 391.
# Looks like you failed 4 tests of 15.
../test/recipes/80-test_cms.t . 2/4
#   Failed test 'CMS <= PKCS\#7 compatibility tests
# '
#   at ../test/recipes/80-test_cms.t line 396.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients'
#   at ../test/recipes/80-test_cms.t line 407.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients, 3rd used'
#   at ../test/recipes/80-test_cms.t line 407.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients, key only used'
#   at ../test/recipes/80-test_cms.t line 407.

#   Failed test 'enveloped content test streaming S/MIME format,
AES-256 cipher, 3 recipients'
#   at ../test/recipes/80-test_cms.t line 407.

#   Failed test 'enveloped content test streaming S/MIME format, 3
recipients, keyid'
#   at ../test/recipes/80-test_cms.t line 418.

#   Failed test 'enveloped content test streaming PEM format, KEK'
#   at ../test/recipes/80-test_cms.t line 418.

#   Failed test 'enveloped content test streaming PEM format, KEK, key
only'
#   at ../test/recipes/80-test_cms.t line 418.

#   Failed test 'encrypted content test streaming PEM format, 128 bit
RC2 key'
#   at ../test/recipes/80-test_cms.t line 418.

#   Failed test 'encrypted content test streaming PEM format, 40 bit
RC2 key'
#   at ../test/recipes/80-test_cms.t line 418.

#   Failed test 'encrypted content test streaming PEM format, triple
DES key'
#   at ../test/recipes/80-test_cms.t line 418.

#   Failed test 'encrypted content test streaming PEM format, 128 bit
AES key'
#   at ../test/recipes/80-test_cms.t line 418.
# Looks like you failed 11 tests of 27.
../test/recipes/80-test_cms.t . 3/4
#   Failed test 'CMS <=> CMS consistency tests
# '
#   at ../test/recipes/80-test_cms.t line 423.

#   Failed test 'enveloped content test streaming S/MIME format, OAEP
default parameters'
#   at ../test/recipes/80-test_cms.t line 435.

#   Failed test 'enveloped content test streaming S/MIME format, OAEP
SHA256'
#   at ../test/recipes/80-test_cms.t line 435.

#   Failed test 'enveloped content test streaming S/MIME format, ECDH'
#   at ../test/recipes/80-test_cms.t line 435.

#   Failed test 'enveloped content test streaming S/MIME format, ECDH,
key identifier'
#   at ../test/recipes/80-test_cms.t line 435.

#   Failed test 'enveloped content test streaming S/MIME format, ECDH,
AES128, SHA256 KDF'
#   at 

Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-15 Thread Viktor Dukhovni
On Tue, Mar 15, 2016 at 07:29:04PM +, Viktor Dukhovni wrote:

> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key
> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key

The underlying test commands amount to:

 $ cd test
 $ openssl cms -EncryptedData_encrypt -in smcont.txt -outform PEM -rc2 
-secretkey 000102030405060708090A0B0C0D0E0F -stream -out test.cms
 $ openssl cms -EncryptedData_decrypt -in test.cms -inform PEM -secretkey 
000102030405060708090A0B0C0D0E0F -out smtst.txt

For me these succeed and result in smtst.txt identical to smcont.txt.

-- 
Viktor.


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-15 Thread Viktor Dukhovni
On Tue, Mar 15, 2016 at 07:09:36PM +, Blumenthal, Uri - 0553 - MITLL wrote:

> First of all - thank you! It is great to see useful capabilities added (I
> consider stream ciphers and AEAD modes very useful :). I fully agree that
> unsigned CMS is an invitation to trouble. If I understand correctly, the
> intended openssl use is “openssl cms -encrypt … | openssl cms -sign …” (or
> the other way around :).

These days, most people recommend encrypt then sign.  CMS and S/MIME
natively support sign-then-encrypt, but encapsulating encrypted
content as signed content as above also works.

> The only problem - now I have one test failing:
> 
> ../test/recipes/80-test_ca.t .. ok
> ../test/recipes/80-test_cms.t . 2/4

The CMS tests pass when I run them:

$ HARNESS_VERBOSE=yes make TESTS=test_cms test
( cd test;  SRCTOP=../.  BLDTOP=../.  EXE_EXT=  /usr/pkg/bin/perl 
.././test/run_tests.pl test_cms )
../test/recipes/80-test_cms.t ..
1..4
# Subtest: CMS => PKCS#7 compatibility tests
1..15
Verification successful
ok 1 - signed content DER format, RSA key
Verification successful
ok 2 - signed detached content DER format, RSA key
Verification successful
ok 3 - signed content test streaming BER format, RSA
Verification successful
ok 4 - signed content DER format, DSA key
Verification successful
ok 5 - signed detached content DER format, DSA key
Verification successful
ok 6 - signed detached content DER format, add RSA signer
Verification successful
ok 7 - signed content test streaming BER format, DSA key
Verification successful
ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys
Verification successful
ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no 
attributes
Verification successful
ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys
Verification successful
ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 
RSA keys
ok 12 - enveloped content test streaming S/MIME format, 3 recipients
ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd 
used
ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key 
only used
ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 
recipients
ok 1 - CMS => PKCS\#7 compatibility tests
#
# Subtest: CMS <= PKCS#7 compatibility tests
1..15
Verification successful
ok 1 - signed content DER format, RSA key
Verification successful
ok 2 - signed detached content DER format, RSA key
Verification successful
ok 3 - signed content test streaming BER format, RSA
Verification successful
ok 4 - signed content DER format, DSA key
Verification successful
ok 5 - signed detached content DER format, DSA key
Verification successful
ok 6 - signed detached content DER format, add RSA signer
Verification successful
ok 7 - signed content test streaming BER format, DSA key
Verification successful
ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys
Verification successful
ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no 
attributes
Verification successful
ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys
Verification successful
ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 
RSA keys
ok 12 - enveloped content test streaming S/MIME format, 3 recipients
ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd 
used
ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key 
only used
ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 
recipients
ok 2 - CMS <= PKCS\#7 compatibility tests
#
# Subtest: CMS <=> CMS consistency tests
1..27
Verification successful
ok 1 - signed content DER format, RSA key
Verification successful
ok 2 - signed detached content DER format, RSA key
Verification successful
ok 3 - signed content test streaming BER format, RSA
Verification successful
ok 4 - signed content DER format, DSA key
Verification successful
ok 5 - signed detached content DER format, DSA key
Verification successful
ok 6 - signed detached content DER format, add RSA signer
Verification successful
ok 7 - signed content test streaming BER format, DSA key
Verification successful
ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys
Verification successful
ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no 
attributes
Verification successful
ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys
Verification successful
ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 
RSA keys
ok 12 - enveloped content test streaming S/MIME format, 3 recipients
ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd 
used
ok 

Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-15 Thread Blumenthal, Uri - 0553 - MITLL
First of all - thank you! It is great to see useful capabilities added (I
consider stream ciphers and AEAD modes very useful :). I fully agree that
unsigned CMS is an invitation to trouble. If I understand correctly, the
intended openssl use is “openssl cms -encrypt … | openssl cms -sign …” (or
the other way around :).

$ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf -new
-x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 100
-subj "/CN=RC4 CMS Test"
Generating a 2048 bit RSA private key
..+++
.+++
writing new private key to 'key.pem'
-
$ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial
serial=B83C7468CCE8930E
$ echo sesame > data.txt
$ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in
data.txt -out data.txt.cms -outform DER cert.pem
$ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms
-inform DER -out data2.txt -inkey key.pem -recip cert.pem
$ diff -u data.txt data2.txt
$ openssl asn1parse -inform DER -in data.txt.cms
0:d=0  hl=4 l= 380 cons: SEQUENCE
4:d=1  hl=2 l=   9 prim: OBJECT:pkcs7-envelopedData
   15:d=1  hl=4 l= 365 cons: cont [ 0 ]
. . . . . . . 
   90:d=5  hl=4 l= 256 prim: OCTET STRING  [HEX
DUMP]:362DC32CD6520D3765255D9549BEC058766499C0581430E84929419730B08C31C6E78
D22CB8D8C026EEB75203D19148C97F8F73C7066D158E6E85FEA41972B50EB245ACB15C23209
7DD3046901882B95C9AD102F8E34E0E049B4A374F1EF61C48E1F90F95A3F8E2306161AF0882
99F7A4949D706FBF6A92DB8BB5DF293E1B3BA135BAA8E63FE94C0BBD7A29D31AD28E9137D66
41CF7490257BEE23161A478B6FCBDEE05B1578592272335713196C3F26139A41B76A3EA1371
FA875A4DD09C150D4674AF7A399F886A09D245EE1A81AEC8A96B4647C712D366A0FBC7964FE
C6EF69A076CB58A81ED8DBD466FAA1E9CD072C8242B5D68F3CDB95C5CF04AFE71795
  350:d=3  hl=2 l=  32 cons: SEQUENCE
  352:d=4  hl=2 l=   9 prim: OBJECT:pkcs7-data
  363:d=4  hl=2 l=  10 cons: SEQUENCE
  365:d=5  hl=2 l=   8 prim: OBJECT:rc4
  375:d=4  hl=2 l=   7 prim: cont [ 0 ]
$



The only problem - now I have one test failing:


../test/recipes/80-test_ca.t .. ok
../test/recipes/80-test_cms.t . 2/4
#   Failed test 'encrypted content test streaming PEM format, 128 bit
RC2 key'
#   at ../test/recipes/80-test_cms.t line 418.

#   Failed test 'encrypted content test streaming PEM format, 40 bit
RC2 key'
#   at ../test/recipes/80-test_cms.t line 418.
# Looks like you failed 2 tests of 27.
../test/recipes/80-test_cms.t . 3/4
#   Failed test 'CMS <=> CMS consistency tests
# '
#   at ../test/recipes/80-test_cms.t line 423.
../test/recipes/80-test_cms.t . 4/4 # Looks like you failed 1
test of 4.
../test/recipes/80-test_cms.t . Dubious, test returned 1
(wstat 256, 0x100)
Failed 1/4 subtests
../test/recipes/80-test_ct.t .. Ok




I wonder how difficult would it be to add AEAD support, considering that
they (usually) can take 96-bit nonce (treated as IV), and the
authentication tag often is just appended to the ciphertext (and expected
at the end of the ciphertext during decryption).
-- 
Regards,
Uri Blumenthal

On 3/15/16, 3:47, "openssl-dev on behalf of Viktor Dukhovni" wrote:

>On Tue, Mar 15, 2016 at 06:33:32AM +, Viktor Dukhovni wrote:
>
>> This is completely untested, may not even compile!  Enjoy.
>
>It does seem to work, so one key remaining question is whether it
>is interoperable:
>
>$ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf
>-new -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days
>100 -subj "/CN=RC4 CMS Test"
>
>$ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial
>serial=ACD5DEDE758B9AA6
>$ echo sesame > data.txt
>$ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in
>data.txt -out data.txt.cms -outform DER cert.pem
>$ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms
>-inform DER -out data2.txt -inkey key.pem -recip cert.pem
>$ diff -u data.txt data2.txt
>
>$ openssl asn1parse -inform DER -in data.txt.cms
>   0:d=0  hl=4 l= 380 cons: SEQUENCE
>   4:d=1  hl=2 l=   9 prim: OBJECT:pkcs7-envelopedData
>   15:d=1  hl=4 l= 365 cons: cont [ 0 ]
>   19:d=2  hl=4 l= 361 cons: SEQUENCE
>   23:d=3  hl=2 l=   1 prim: INTEGER   :00
>   26:d=3  hl=4 l= 320 cons: SET
>   30:d=4  hl=4 l= 316 cons: SEQUENCE
>   34:d=5  hl=2 l=   1 prim: INTEGER   :00
>   37:d=5  hl=2 l=  36 cons: SEQUENCE
>   39:d=6  hl=2 l=  23 cons: SEQUENCE
>   41:d=7  hl=2 l=  21 cons: SET
>   43:d=8  hl=2 l=  19 cons: SEQUENCE
>   45:d=9  hl=2 l=   3 prim: OBJECT:commonName
>   50:d=9  hl=2 l=  12 prim: UTF8STRING:RC4 CMS Test
>   64:d=6  hl=2 l=   9 prim: INTEGER   :ACD5DEDE758B9AA6
>   75:d=5  hl=2 l=  13 

Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-15 Thread Viktor Dukhovni
On Tue, Mar 15, 2016 at 06:33:32AM +, Viktor Dukhovni wrote:

> This is completely untested, may not even compile!  Enjoy.

It does seem to work, so one key remaining question is whether it
is interoperable:

$ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf -new 
-x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 100 -subj 
"/CN=RC4 CMS Test"

$ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial
serial=ACD5DEDE758B9AA6
$ echo sesame > data.txt
$ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in 
data.txt -out data.txt.cms -outform DER cert.pem
$ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms -inform 
DER -out data2.txt -inkey key.pem -recip cert.pem
$ diff -u data.txt data2.txt

$ openssl asn1parse -inform DER -in data.txt.cms
0:d=0  hl=4 l= 380 cons: SEQUENCE
4:d=1  hl=2 l=   9 prim: OBJECT:pkcs7-envelopedData
   15:d=1  hl=4 l= 365 cons: cont [ 0 ]
   19:d=2  hl=4 l= 361 cons: SEQUENCE
   23:d=3  hl=2 l=   1 prim: INTEGER   :00
   26:d=3  hl=4 l= 320 cons: SET
   30:d=4  hl=4 l= 316 cons: SEQUENCE
   34:d=5  hl=2 l=   1 prim: INTEGER   :00
   37:d=5  hl=2 l=  36 cons: SEQUENCE
   39:d=6  hl=2 l=  23 cons: SEQUENCE
   41:d=7  hl=2 l=  21 cons: SET
   43:d=8  hl=2 l=  19 cons: SEQUENCE
   45:d=9  hl=2 l=   3 prim: OBJECT:commonName
   50:d=9  hl=2 l=  12 prim: UTF8STRING:RC4 CMS Test
   64:d=6  hl=2 l=   9 prim: INTEGER   :ACD5DEDE758B9AA6
   75:d=5  hl=2 l=  13 cons: SEQUENCE
   77:d=6  hl=2 l=   9 prim: OBJECT:rsaEncryption
   88:d=6  hl=2 l=   0 prim: NULL
   90:d=5  hl=4 l= 256 prim: OCTET STRING  [HEX DUMP]:…
  350:d=3  hl=2 l=  32 cons: SEQUENCE
  352:d=4  hl=2 l=   9 prim: OBJECT:pkcs7-data
  363:d=4  hl=2 l=  10 cons: SEQUENCE
  365:d=5  hl=2 l=   8 prim: OBJECT:rc4
  375:d=4  hl=2 l=   7 prim: cont [ 0 ]
$ tail -c8 data.txt.cms | od -tx1
000   07  c3  e2  69  a0  ab  3b  ec
010

That said, stream ciphers with unsigned CMS are especially unsafe.
Since the payload has no MAC or padding of any kind, it is trivial
to XOR any desired mask into the received plaintext:

$ < data.txt.cms perl -e '
($a, $b) = map { unpack("Q", "0$_\n") } qw(sesame unsafe);
$/ = undef; $cms = <STDIN>;
substr($cms, -8) = pack("Q", unpack("Q", substr($cms, -8)) ^ $a ^ $b);
print $cms' > data.txt.cms2
$ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms2 
-inform DER -out data3.txt -inkey key.pem -recip cert.pem
$ cat data3.txt
unsafe

In the above example, a ciphertext-only transformation changes
'sesame' to 'unsafe'.  That, plus RC4's biases, make it unwise in
this context.  At the very least the CMS message MUST be signed,
and the first 256 bytes should not contain sensitive and yet
frequently transmitted content.

Don't let your children play with RC4 in CMS.

Of course, unsigned CMS payloads are also vulnerable to silent
corruption even with block ciphers in CBC mode, XOR of a mask into
a ciphertext block randomizes the plaintext of that block, but
makes a predictable change in the plaintext of the next block.

So, don't expect data integrity from unsigned CMS.

-- 
Viktor.
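Viktor's XOR demonstration above, and his remark about CBC, worked through in Python as an added example; this is illustrative code written for this page, not OpenSSL code and not anything posted in the thread. RC4 is implemented inline. Because the CBC property does not depend on the block cipher, a toy 8-byte Feistel cipher built from SHA-256 stands in for AES so the script runs on the standard library alone. The keys, plaintexts and the HMAC "seal" are constructed for the example; the HMAC stands in for the integrity a signed CMS layer or an AEAD mode (RFC 5084) would supply, which EnvelopedData with a bare cipher does not provide.

```python
import hashlib
import hmac

BLOCK = 8  # block size of the toy block cipher, in bytes
KEY = bytes(range(16))            # constructed key for the example
MAC_KEY = b"constructed-mac-key"  # constructed; independent of KEY


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_into(ct: bytes, offset: int, mask: bytes) -> bytes:
    """The attacker's only move: XOR a mask into the ciphertext at offset."""
    return ct[:offset] + xor(ct[offset:], mask) + ct[offset + len(mask):]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA), pure Python for demonstration; encrypt == decrypt."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Toy 4-round Feistel cipher on 8-byte blocks (SHA-256 as round function).
# Not a real cipher; it exists only so CBC can be shown with the stdlib.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    lt, rt = block[:4], block[4:]
    for rnd in range(4):
        lt, rt = rt, xor(lt, _f(key, rnd, rt))
    return rt + lt


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    rt, lt = block[:4], block[4:]
    for rnd in reversed(range(4)):
        lt, rt = xor(rt, _f(key, rnd, lt)), lt
    return lt + rt


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "whole blocks only; no padding in this demo"
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        out += xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return bytes(out)


def seal(mac_key: bytes, ct: bytes) -> bytes:
    """Stand-in for the integrity CMS does not give here (a signature around
    the EnvelopedData, or an AEAD tag): an HMAC over the ciphertext."""
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(mac_key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())
    return ct if good else None  # None: tampering detected, do not decrypt


def demo_stream() -> bytes:
    """'sesame' -> 'unsafe' without the key, since ct = pt ^ keystream."""
    ct = rc4(KEY, b"sesame\n")
    return rc4(KEY, xor_into(ct, 0, xor(b"sesame", b"unsafe")))


def demo_cbc() -> bytes:
    """Mask XORed into ciphertext block 0: plaintext block 0 is randomised,
    block 1 receives the mask verbatim, block 2 is untouched."""
    iv, pt = bytes(BLOCK), b"block-00block-01block-02"
    ct = xor_into(cbc_encrypt(KEY, iv, pt), 0, xor(b"block-01", b"hacked!!"))
    return cbc_decrypt(KEY, iv, ct)


def demo_mac() -> bool:
    """The same stream edit against a MACed ciphertext is rejected."""
    blob = seal(MAC_KEY, rc4(KEY, b"sesame\n"))
    return unseal(MAC_KEY, xor_into(blob, 0, xor(b"sesame", b"unsafe"))) is None


if __name__ == "__main__":
    print(demo_stream())                   # b'unsafe\n'
    print(demo_cbc())                      # 8 garbage bytes + b'hacked!!block-02'
    print("tamper detected:", demo_mac())  # True
```

demo_stream() reproduces the sesame-to-unsafe edit with no key material at all; demo_cbc() shows the first block turning into garbage while the mask lands verbatim in the second block, exactly the "randomises this block, predictable change in the next" behaviour Viktor describes; demo_mac() shows the identical edit being refused once something authenticates the ciphertext, which is the role a signature around the CMS object (or an AEAD content-encryption algorithm) has to play.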


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-15 Thread Viktor Dukhovni
On Mon, Mar 14, 2016 at 10:34:17PM +, Dr. Stephen Henson wrote:

> > Is there any reason why stream ciphers are not supported with CMS?
> 
> Well one reason is that I'm not aware of any standard which defines how to use
> stream ciphers with CMS.
> 
> OpenSSL should really reject these with an appropriate error. 

Mind you, it seems that e.g. BouncyCastle supports CMS EnvelopedData
with RC4 (1.2.840.113549.3.4) as the AlgorithmIdentifier, and that
OpenSSL likely produces a compatible encoding (RC4 OID and no
parameters).

In which case it may suffice to handle absent parameters for ciphers
that don't need any, and RC4 might then "just work".

In crypto/cms/cms_enc.c we have:

    unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
    ...
    if (enc) {
        int ivlen;
        calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx));
        /* Generate a random IV if we need one */
        ivlen = EVP_CIPHER_CTX_iv_length(ctx);
        if (ivlen > 0) {
            if (RAND_bytes(iv, ivlen) <= 0)
                goto err;
            piv = iv;
        }
    } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) {
        CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
               CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
        goto err;
    }
    ...

    if (piv) {
        calg->parameter = ASN1_TYPE_new();
        if (calg->parameter == NULL) {
            CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) {
            CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
                   CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
            goto err;
        }
    }

which omits encoding parameters for ciphers with ivlen <= 0 when
encrypting (e.g. with RC4), but the first "else" clause insists on
valid parameters when decrypting.  So stream cipher support basically
boils down to what makes for valid parameters in EVP_CIPHER_asn1_to_param().

To that end, the below patch might make RC4 "work" (in master).
The semantic diff is quite small: just return 1 when type == NULL
and we have a stream cipher with no get_asn1_parameters method.
The patch is larger because I took the opportunity to reorganize
the code a bit:

int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
{
    if (c->cipher->get_asn1_parameters != NULL)
        return c->cipher->get_asn1_parameters(c, type);

    if (!(c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)) {
        if (type == NULL &&
            EVP_CIPHER_CTX_mode(c) == EVP_CIPH_STREAM_CIPHER)
            return 1;
        return -1;
    }

    switch (EVP_CIPHER_CTX_mode(c)) {
    default:
        return EVP_CIPHER_get_asn1_iv(c, type);

    case EVP_CIPH_WRAP_MODE:
        return 1;

    case EVP_CIPH_GCM_MODE:
    case EVP_CIPH_CCM_MODE:
    case EVP_CIPH_XTS_MODE:
    case EVP_CIPH_OCB_MODE:
        return -1;
    }
}

This is completely untested, may not even compile!  Enjoy.

-- 
Viktor.

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index bc24d5a..8957de2 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -93,31 +93,29 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE 
*type)
 
 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 {
-int ret;
-
 if (c->cipher->get_asn1_parameters != NULL)
-ret = c->cipher->get_asn1_parameters(c, type);
-else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
-switch (EVP_CIPHER_CTX_mode(c)) {
+return c->cipher->get_asn1_parameters(c, type);
 
-case EVP_CIPH_WRAP_MODE:
-ret = 1;
-break;
+if (!(c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)) {
+if (type == NULL &&
+EVP_CIPHER_CTX_mode(c) == EVP_CIPH_STREAM_CIPHER)
+return 1;
+return -1;
+}
 
-case EVP_CIPH_GCM_MODE:
-case EVP_CIPH_CCM_MODE:
-case EVP_CIPH_XTS_MODE:
-case EVP_CIPH_OCB_MODE:
-ret = -1;
-break;
+switch (EVP_CIPHER_CTX_mode(c)) {
+default:
+return EVP_CIPHER_get_asn1_iv(c, type);
 
-default:
-ret = EVP_CIPHER_get_asn1_iv(c, type);
-break;
-}
-} else
-ret = -1;
-return (ret);
+case EVP_CIPH_WRAP_MODE:
+return 1;
+
+case EVP_CIPH_GCM_MODE:
+case EVP_CIPH_CCM_MODE:
+case EVP_CIPH_XTS_MODE:
+case EVP_CIPH_OCB_MODE:
+return -1;
+}
 }
 
 int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
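Review bot: the new stream-cipher early return only runs for ciphers that lack EVP_CIPH_FLAG_DEFAULT_ASN1; a stream cipher that does set the flag falls through to the `default:` case and calls `EVP_CIPHER_get_asn1_iv(c, type)` with `type == NULL`, so whether absent parameters are accepted for it depends on that function rather than on this check. Consider testing `type == NULL && EVP_CIPHER_CTX_mode(c) == EVP_CIPH_STREAM_CIPHER` before the flag test so both paths agree. Also note that the check accepts only an absent parameters field: a peer that encodes an explicit NULL parameter hands in a non-NULL ASN1_TYPE and still gets -1 here, which deserves a comment and, since the cover note says the patch is untested, a decode test for each form.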


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Dr. Stephen Henson
On Mon, Mar 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote:

> On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni" wrote:
> 
> >On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT
> >wrote:
> >> I had written a message about this issue to openssl-users, but received
> >> no reaction.
> >
> >IIRC RC4 (more generally all stream ciphers) are not supported with
> >CMS, and the bug is that OpenSSL allowed you to use RC4, not that
> >the result failed to decrypt.
> 
> Is there any reason why stream ciphers are not supported with CMS?
> 

Well one reason is that I'm not aware of any standard which defines how to use
stream ciphers with CMS.

OpenSSL should really reject these with an appropriate error. 

> Along the same line, is there any reason why AE(AD) ciphers are not
> supported with “openssl enc”?
> 

They require additional handling, such as setting parameters and how to handle the
tag. That functionality is not currently present in the enc utility.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Jeffrey Walton
On Mon, Mar 14, 2016 at 3:24 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> In that bug description I see a reference to code in “enc.c” that aborts
> if the cipher is AEAD or XTS (and an offer to submit PR that hasn’t
> materialized so far).
>
> Would you be able to elaborate why those checks that forbid AEAD were put
> in?

Also see "v1.0.1g command line gcm error",
https://groups.google.com/forum/#!topic/mailing.openssl.users/hGggWxfrZbA.

It's a bit dated, but it's the first time I remember it being discussed
in detail with a canonical answer from Dr. Henson.

Jeff


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Viktor Dukhovni
On Mon, Mar 14, 2016 at 07:03:04PM +, Blumenthal, Uri - 0553 - MITLL wrote:

> >IIRC RC4 (more generally all stream ciphers) are not supported with
> >CMS, and the bug is that OpenSSL allowed you to use RC4, not that
> >the result failed to decrypt.
> 
> Is there any reason why stream ciphers are not supported with CMS?

At least in part because code does not write itself, and support
was never implemented.

The main issue seems to be related to handling of "parameters",
such as the IV for CBC ciphers.  With RC4 there is no IV, nor any
other parameters, but the CMS decoder expects parameters to be
present.

Would it work if the requirement were relaxed?  Perhaps, but that
requires someone to implement said change.

As for GCM/CCM ciphers with CMS that's described in

https://tools.ietf.org/html/rfc5084

and someone would have to implement that.

-- 
Viktor.


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Salz, Rich
> Would you be able to elaborate why those checks that forbid AEAD were put
> in?

Because it doesn't work.  I don't know the details why; probably around setting 
the IV or such.  But before that the program would just crash.


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Blumenthal, Uri - 0553 - MITLL
In that bug description I see a reference to code in “enc.c” that aborts
if the cipher is AEAD or XTS (and an offer to submit PR that hasn’t
materialized so far).

Would you be able to elaborate why those checks that forbid AEAD were put
in?
--
Regards,
Uri Blumenthal

On 3/14/16, 15:09, "openssl-dev on behalf of Salz, Rich" wrote:

>> Is there any reason why stream ciphers are not supported with CMS?
>
>Go ask CMS folks? :)
> 
>> Along the same line, is there any reason why AE(AD) ciphers are not
>> supported with “openssl enc”?
>
>A known bug.  https://rt.openssl.org/Ticket/Display.html?id=4228 user
>guess / pass guest if needed.
>



Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Salz, Rich
> Is there any reason why stream ciphers are not supported with CMS?

Go ask CMS folks? :)
 
> Along the same line, is there any reason why AE(AD) ciphers are not
> supported with “openssl enc”?

A known bug.  https://rt.openssl.org/Ticket/Display.html?id=4228 user guess / 
pass guest if needed.



Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Blumenthal, Uri - 0553 - MITLL
On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni" wrote:

>On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT
>wrote:
>> I had written a message about this issue to openssl-users, but received
>> no reaction.
>
>IIRC RC4 (more generally all stream ciphers) are not supported with
>CMS, and the bug is that OpenSSL allowed you to use RC4, not that
>the result failed to decrypt.

Is there any reason why stream ciphers are not supported with CMS?

Along the same line, is there any reason why AE(AD) ciphers are not
supported with “openssl enc”?



Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Viktor Dukhovni
On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT wrote:

> I had written a message about this issue to openssl-users, but received 
> no reaction.

IIRC RC4 (more generally all stream ciphers) are not supported with
CMS, and the bug is that OpenSSL allowed you to use RC4, not that
the result failed to decrypt.

-- 
Viktor.


Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Salz, Rich via RT
> Otherwise it would not have been possible to encrypt with RC4 with "openssl
> cms -rc4 -encrypt", would it?

It wasn't clear that it was the same version of openssl :)


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Stephan Mühlstrasser via RT
Am 14.03.2016 um 18:48 schrieb Salz, Rich via RT:
> Did you enable RC4 when you built openssl?

Yes, more specifically I did not disable it.

Otherwise it would not have been possible to encrypt with RC4 with 
"openssl cms -rc4 -encrypt", would it?




Re: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

2016-03-14 Thread Salz, Rich via RT
Did you enable RC4 when you built openssl?

