Return an error if no recipient type matches.

If the key type does not match any CMS recipient type return
an error instead of using a random key (MMA mitigation). This
does not leak any useful information to an attacker.

PR#3348
(cherry picked from commit 83a3182e0560f76548f4378325393461f6275493)

diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 2be07c2099af636973f5b9090ed0e8baf81167ce..a3f67df08415bf321ec066880f76fd65e46d91b2 100644 (file)
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -622,7 +622,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
        STACK_OF(CMS_RecipientInfo) *ris;
        CMS_RecipientInfo *ri;
        int i, r;
-       int debug = 0;
+       int debug = 0, ri_match = 0;
        ris = CMS_get0_RecipientInfos(cms);
        if (ris)
                debug = cms->d.envelopedData->encryptedContentInfo->debug;
@@ -631,6 +631,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
                ri = sk_CMS_RecipientInfo_value(ris, i);
                if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
                                continue;
+               ri_match = 1;
                /* If we have a cert try matching RecipientInfo
                 * otherwise try them all.
                 */
@@ -666,7 +667,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
                        }
                }
        /* If no cert and not debugging always return success */
-       if (!cert && !debug)
+       if (ri_match && !cert && !debug)
                {
                ERR_clear_error();
                return 1;