Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index eff1121106fb2bfbc1edd9453c83e68259f268d0..dbe5c1d0432e1990d22d9931536f0f64f339b6e0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -39,6 +39,20 @@
      (CVE-2019-1547)
      [Billy Bob Brumley]
 
+  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+     An attack is simple, if the first CMS_recipientInfo is valid but the
+     second CMS_recipientInfo is chosen ciphertext. If the second
+     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+     encryption key will be replaced by garbage, and the message cannot be
+     decoded, but if the RSA decryption fails, the correct encryption key is
+     used and the recipient will not notice the attack.
+     As a work around for this potential attack the length of the decrypted
+     key must be equal to the cipher default key length, in case the
+     certifiate is not given and all recipientInfo are tried out.
+     The old behaviour can be re-enabled in the CMS code by setting the
+     CMS_DEBUG_DECRYPT flag.
+     [Bernd Edlinger]
+
   *) Document issue with installation paths in diverse Windows builds
 
      '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL