Please find below a patch, with spec reference, against OpenSSL 0.9.7g.

It could be argued that XMLENC spec is wrong in insisting on unpredictable
values for the padding because this allows padding to be used as a
covert channel. However, to deploy interoperable implementations it seems
patching OpenSSL is the right thing to do. It has been observed that
other crypto libraries, such as bouncing castle (a pure Java
implementation) do not set all padding bytes to OpenSSL's satisfaction.

--Sampo

--- evp_enc.c~ 2005-01-28 14:03:53.000000000 +0000
+++ evp_enc.c 2005-05-12 03:26:44.000000000 +0000
@@ -509,6 +509,21 @@
EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
return(0);
}
+#ifdef PADDING_CHECK
+ /* Following loop checks that all padding has known value,
+ * presumably to prevent covert channel or some form of
+ * chosen text attack. However this check is in violation
+ * of [XMLENC] specification section 5.2 subsection
+ * "Padding", which states that only last octet of the
+ * block matters and values of other octets are not
+ * predictable. Thus to implement XMLENC decryption with
+ * openssl it is necessary to disable this code.
+ * -- 11.5.2005, Sampo Kellomaki (sampo@symlabs.com)
+ *
+ * [XMLENC] D. Eastlake, ed., XML Encryption Syntax and
+ * Processing, W3C Recommendation 10. Dec. 2002,
+ * http://www.w3.org/TR/2002/REC-xmlenc-core-20021210 */
+
for (i=0; i {
if (ctx->final[--b] != n)
@@ -517,6 +532,7 @@
return(0);
}
}
+#endif
n=ctx->cipher->block_size-n;
for (i=0; i out[i]=ctx->final[i];

.................................................. ...................
Sampo Kellomaki ---> Chief Architect ---> DirectoryScript
M: +351-918.731.007 F: +351-213.422.185 W: www.symlabs.com
Customize directories -> LDAP SOAP Liberty SIP -> Directory Extender

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org