diff options
author | jkim <jkim@FreeBSD.org> | 2014-06-09 05:50:57 +0000 |
---|---|---|
committer | jkim <jkim@FreeBSD.org> | 2014-06-09 05:50:57 +0000 |
commit | 68fed3306b1f39bfb6d5cd97485248dc0c3884f8 (patch) | |
tree | 3b5358dd257bf44bb4ea15442ad4bdb078b6795f /secure/usr.bin/openssl/man/cms.1 | |
parent | e15884d6df140228c1e2db4ca751565a6933e1f5 (diff) | |
parent | d4a5f67323e640990da5aa727b2e6da35d2157f3 (diff) | |
download | FreeBSD-src-68fed3306b1f39bfb6d5cd97485248dc0c3884f8.zip FreeBSD-src-68fed3306b1f39bfb6d5cd97485248dc0c3884f8.tar.gz |
Merge OpenSSL 1.0.1h.
Approved by: so (delphij)
Diffstat (limited to 'secure/usr.bin/openssl/man/cms.1')
-rw-r--r-- | secure/usr.bin/openssl/man/cms.1 | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1 index 0e3c654..d77ae28 100644 --- a/secure/usr.bin/openssl/man/cms.1 +++ b/secure/usr.bin/openssl/man/cms.1 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "CMS 1" -.TH CMS 1 "2014-04-07" "1.0.1g" "OpenSSL" +.TH CMS 1 "2014-06-05" "1.0.1h" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -210,6 +210,10 @@ actual \s-1CMS\s0 type is <B>EnvelopedData<B>. decrypt mail using the supplied certificate and private key. Expects an encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail is written to the output file. +.IP "\fB\-debug_decrypt\fR" 4 +.IX Item "-debug_decrypt" +this option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used +with caution: see the notes section below. .IP "\fB\-sign\fR" 4 .IX Item "-sign" sign mail using the supplied certificate and private key. Input file is @@ -510,6 +514,16 @@ and no longer \s-1DER\s0. Streaming is supported for the \fB\-encrypt\fR operati Streaming is always used for the \fB\-sign\fR operation with detached data but since the content is no longer part of the \s-1CMS\s0 structure the encoding remains \s-1DER\s0. +.PP +If the \fB\-decrypt\fR option is used without a recipient certificate then an +attempt is made to locate the recipient by trying each potential recipient +in turn using the supplied private key. To thwart the \s-1MMA\s0 attack +(Bleichenbacher's attack on \s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are +tried whether they succeed or not and if no recipients match the message +is \*(L"decrypted\*(R" using a random key which will typically output garbage. +The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection +and return an error if no recipient can be found: this option should be used +with caution. For a fuller description see \fICMS_decrypt\fR\|(3)). .SH "EXIT CODES" .IX Header "EXIT CODES" .IP "0" 4 |