On 01/08/2018 15:42, Viktor Dukhovni wrote:
On Aug 1, 2018, at 9:31 AM, Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:
CMS with an AEAD mode (such as AES128-GCM) ought to avoid the integrity-protection issue for the encrypted content, but not for the other parts of the message, I assume. (I'm no CMS expert so I may be missing something there.) And, of course, both sender and recipient would have to support that algorithm.
Not if you make it streaming. A streaming implementing will emit almost
the entirety of the decrypted message before checking integrity at the
end and finding out that some part of it (already output) was wrong.
Which is entirely fine if all you do with the stream output before
integrity checking is to store it somewhere larger than process RAM,
such as in a (temporary) disk file (Or perform some other operation
which is safe with garbage input).
Consider the (logically equivalent) fact that most algorithms inside
OpenSSL stream their output to memory because it is rarely possible
to hold an entire message in CPU registers.
But I agree that blindly switching to AEAD modes does nothing to help
the "problem" of allowing a different level of the software stack to
see decrypted output before the integrity check has been completed.
OpenSSL should be an open toolkit, not a bondage-and-discipline
programming environment like NaCl.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
