From: Neil Horman
Date: Fri, 17 Apr 2026 17:21:50 +0000 (-0400)
Subject: Reject potentially forged encrypted CMS AuthEnvelopedData messages
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=206faade8b3872d265524e56583cfc05ac001da5;p=thirdparty%2Fopenssl.git

Reject potentially forged encrypted CMS AuthEnvelopedData messages

1. Adjust ossl_cms_EncryptedContent_init_bio to not accept non-AEAD ciphers.
   If a forged CMS message with AuthEnvelopedData is received with a non-AEAD
   cipher specified, we silently accept that and decrypt the message, skipping
   any authentication, which violates RFC 5083. We also add checks to ensure we
   fail if we try to encrypt AuthEnvelopedData without using an AEAD cipher.

2. Ensure that tag lengths on CMS AEAD data are the recommended size.
   RFC 5084 recommends that MAC tags be at least 12 bytes for AES-GCM and
   4 bytes for AES-CCM on AuthEnvelopedData. As this code is not
   algorithm-specific, we add a check for a minimal size and just use the lower
   limit, which is sufficient to prevent this attack. Without this check, it's
   possible to set the tag length to 1 and, within 256 guesses, forge a CMS
   message.

Fixes CVE-2026-34182

Reviewed-by: Norbert Pocs
Reviewed-by: Tomas Mraz
MergeDate: Mon Jun 8 14:27:02 2026
---
diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 01907a8d77e..32133c6847d 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -105,13 +105,15 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, goto err; } piv = aparams.iv; - if (ec->taglen > 0 - && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - (int)ec->taglen, ec->tag) - <= 0) { + + if (ec->taglen < 4 || ec->taglen > 16 + || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR); goto err; } + } else if (auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; } } len = EVP_CIPHER_CTX_get_key_length(ctx);
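Review bot: the new `ec->taglen < 4 || ec->taglen > 16` bound applies the AES-CCM floor to every AEAD cipher, so an AES-GCM message carrying a 4-byte tag, where RFC 5084 asks for at least 12 bytes, still passes with a 2^-32 per-guess forgery bound; consider deriving the minimum from the cipher mode, or at least naming 4 and 16 as constants with a comment citing RFC 5084 so the choice of the lower limit is visible at the check. Two smaller points on the same hunk: the out-of-range tag length and an actual EVP_CTRL_AEAD_SET_TAG failure now share CMS_R_CIPHER_AEAD_SET_TAG_ERROR, so a caller cannot tell a malformed message from a cipher-context problem, and a distinct reason code would help diagnostics; and dropping the old `ec->taglen > 0` guard means a message with no tag (taglen 0) is now rejected instead of silently skipping tag setup, which is the intended behaviour and deserves a one-line comment so it is not "fixed" back later.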