1. Adjust ossl_cms_EncryptedContent_init_bio to not accept non-AEAD
ciphers.
If a forged CMS message with AuthEnvelopedData is received with
a non-AEAD cipher specified, we silently accept that and decrypt
the message, skipping any authentication, which violates RFC 5083.
We also add checks to ensure we fail if we try to encrypt
AuthEnvelopedData without using an AEAD cipher.
2. Ensure that tag lengths on CMS AEAD data are the recommended size.
RFC 5084 recommends that MAC tags be at least 12 bytes for AES-GCM
and 4 bytes for AES-CCM on AuthEnvelopedData. As this code is not
algorithm-specific, we add a check for a minimal size and just use the
lower limit, which is sufficient to prevent this attack.
Without this check, it's possible to set the tag length to 1 and, within
256 guesses, forge a CMS message.
Fixes CVE-2026-34182
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:27:02 2026
goto err;
}
piv = aparams.iv;
- if (ec->taglen > 0
- && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
- (int)ec->taglen, ec->tag)
- <= 0) {
+
+ if (ec->taglen < 4 || ec->taglen > 16
+ || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) {
ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR);
goto err;
}
+ } else if (auth) {
+ ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
+ goto err;
}
}
len = EVP_CIPHER_CTX_get_key_length(ctx);
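Review bot: the new bounds test `ec->taglen < 4 || ec->taglen > 16` raises the same CMS_R_CIPHER_AEAD_SET_TAG_ERROR as a failing EVP_CTRL_AEAD_SET_TAG ctrl, so a message rejected for a 1-byte tag is indistinguishable in the error queue from a cipher that refused the tag; a dedicated reason code, or at least a comment at the check recording that 4 is the RFC 5084 AES-CCM minimum and 16 the block-sized maximum, would make the policy diagnosable and keep the magic numbers from being "fixed" later. Note too that the removed condition skipped the ctrl entirely when `ec->taglen` was 0, whereas the new one rejects a zero length outright; that is the intended tightening per the commit message (an absent tag means no authentication), but it deserves a comment so it is not read as a regression. Style: the added `|| EVP_CIPHER_CTX_ctrl(...) <= 0) {` line exceeds 80 columns; wrap it as the removed lines were.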