/src/openssl35/crypto/cms/cms_ec.c

Source
/*
 * Copyright 2006-2026 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <assert.h>
#include <limits.h>
#include <openssl/cms.h>
#include <openssl/err.h>
#include <openssl/decoder.h>
#include "internal/sizes.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
#include "cms_local.h"

static EVP_PKEY *pkey_type2param(int ptype, const void *pval,
    OSSL_LIB_CTX *libctx, const char *propq)
{
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    OSSL_DECODER_CTX *ctx = NULL;

    if (ptype == V_ASN1_SEQUENCE) {
        const ASN1_STRING *pstr = pval;
        const unsigned char *pm = pstr->data;
        size_t pmlen = (size_t)pstr->length;
        int selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;

        ctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, "EC",
            selection, libctx, propq);
        if (ctx == NULL)
            goto err;

        if (!OSSL_DECODER_from_data(ctx, &pm, &pmlen)) {
            ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
            goto err;
        }
        OSSL_DECODER_CTX_free(ctx);
        return pkey;
    } else if (ptype == V_ASN1_OBJECT) {
        const ASN1_OBJECT *poid = pval;
        char groupname[OSSL_MAX_NAME_SIZE];

        /* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID */
        pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", propq);
        if (pctx == NULL || EVP_PKEY_paramgen_init(pctx) <= 0)
            goto err;
        if (OBJ_obj2txt(groupname, sizeof(groupname), poid, 0) <= 0
            || EVP_PKEY_CTX_set_group_name(pctx, groupname) <= 0) {
            ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
            goto err;
        }
        if (EVP_PKEY_paramgen(pctx, &pkey) <= 0)
            goto err;
        EVP_PKEY_CTX_free(pctx);
        return pkey;
    }

    ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
    return NULL;

err:
    EVP_PKEY_free(pkey);
    EVP_PKEY_CTX_free(pctx);
    OSSL_DECODER_CTX_free(ctx);
    return NULL;
}

static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
    X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
{
    const ASN1_OBJECT *aoid;
    int atype;
    const void *aval;
    int rv = 0;
    EVP_PKEY *pkpeer = NULL;
    const unsigned char *p;
    int plen;

    X509_ALGOR_get0(&aoid, &atype, &aval, alg);
    if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey)
        goto err;

    /* If absent parameters get group from main key */
    if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) {
        EVP_PKEY *pk;

        pk = EVP_PKEY_CTX_get0_pkey(pctx);
        if (pk == NULL)
            goto err;

        pkpeer = EVP_PKEY_new();
        if (pkpeer == NULL)
            goto err;
        if (!EVP_PKEY_copy_parameters(pkpeer, pk))
            goto err;
    } else {
        pkpeer = pkey_type2param(atype, aval,
            EVP_PKEY_CTX_get0_libctx(pctx),
            EVP_PKEY_CTX_get0_propq(pctx));
        if (pkpeer == NULL)
            goto err;
    }
    /* We have parameters now set public key */
    plen = ASN1_STRING_length(pubkey);
    p = ASN1_STRING_get0_data(pubkey);
    if (p == NULL || plen == 0)
        goto err;

    if (EVP_PKEY_set1_encoded_public_key(pkpeer, p, plen) <= 0)
        goto err;

    if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
        rv = 1;
err:
    EVP_PKEY_free(pkpeer);
    return rv;
}

/* Set KDF parameters based on KDF NID */
static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid)
{
    int kdf_nid, kdfmd_nid, cofactor;
    const EVP_MD *kdf_md;

    if (eckdf_nid == NID_undef)
        return 0;

    /* Lookup KDF type, cofactor mode and digest */
    if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid))
        return 0;

    if (kdf_nid == NID_dh_std_kdf)
        cofactor = 0;
    else if (kdf_nid == NID_dh_cofactor_kdf)
        cofactor = 1;
    else
        return 0;

    if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
        return 0;

    if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
        return 0;

    kdf_md = EVP_get_digestbynid(kdfmd_nid);
    if (!kdf_md)
        return 0;

    if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
        return 0;
    return 1;
}

static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
{
    int rv = 0;
    X509_ALGOR *alg, *kekalg = NULL;
    ASN1_OCTET_STRING *ukm;
    const unsigned char *p;
    unsigned char *der = NULL;
    int plen, keylen;
    EVP_CIPHER *kekcipher = NULL;
    EVP_CIPHER_CTX *kekctx;
    const ASN1_OBJECT *aoid = NULL;
    int ptype = 0;
    const void *parameter = NULL;

    char name[OSSL_MAX_NAME_SIZE];

    if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
        return 0;

    X509_ALGOR_get0(&aoid, &ptype, &parameter, alg);

    if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(aoid))) {
        ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
        return 0;
    }

    if (ptype != V_ASN1_SEQUENCE)
        return 0;

    p = ASN1_STRING_get0_data(parameter);
    plen = ASN1_STRING_length(parameter);
    kekalg = d2i_X509_ALGOR(NULL, &p, plen);
    if (kekalg == NULL)
        goto err;
    kekctx = CMS_RecipientInfo_kari_get0_ctx(ri);
    if (kekctx == NULL)
        goto err;
    OBJ_obj2txt(name, sizeof(name), kekalg->algorithm, 0);
    kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
    if (kekcipher == NULL || EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
        goto err;
    if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
        goto err;
    if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0)
        goto err;

    keylen = EVP_CIPHER_CTX_get_key_length(kekctx);
    if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
        goto err;

    plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen);

    if (plen <= 0)
        goto err;

    if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0)
        goto err;
    der = NULL;

    rv = 1;
err:
    EVP_CIPHER_free(kekcipher);
    X509_ALGOR_free(kekalg);
    OPENSSL_free(der);
    return rv;
}

static int ecdh_cms_decrypt(CMS_RecipientInfo *ri)
{
    EVP_PKEY_CTX *pctx;

    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
    if (pctx == NULL)
        return 0;
    /* See if we need to set peer key */
    if (!EVP_PKEY_CTX_get0_peerkey(pctx)) {
        X509_ALGOR *alg;
        ASN1_BIT_STRING *pubkey;

        if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey,
                NULL, NULL, NULL))
            return 0;
        if (alg == NULL || pubkey == NULL)
            return 0;
        if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) {
            ERR_raise(ERR_LIB_CMS, CMS_R_PEER_KEY_ERROR);
            return 0;
        }
    }
    /* Set ECDH derivation parameters and initialise unwrap context */
    if (!ecdh_cms_set_shared_info(pctx, ri)) {
        ERR_raise(ERR_LIB_CMS, CMS_R_SHARED_INFO_ERROR);
        return 0;
    }
    return 1;
}

static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
{
    EVP_PKEY_CTX *pctx;
    EVP_PKEY *pkey;
    EVP_CIPHER_CTX *ctx;
    int keylen;
    X509_ALGOR *talg, *wrap_alg = NULL;
    const ASN1_OBJECT *aoid;
    ASN1_BIT_STRING *pubkey;
    ASN1_STRING *wrap_str;
    ASN1_OCTET_STRING *ukm;
    unsigned char *penc = NULL;
    int penclen;
    int rv = 0;
    int ecdh_nid, kdf_type, kdf_nid, wrap_nid;
    const EVP_MD *kdf_md;

    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
    if (pctx == NULL)
        return 0;
    /* Get ephemeral key */
    pkey = EVP_PKEY_CTX_get0_pkey(pctx);
    if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey,
            NULL, NULL, NULL))
        goto err;
    X509_ALGOR_get0(&aoid, NULL, NULL, talg);
    /* Is everything uninitialised? */
    if (aoid == OBJ_nid2obj(NID_undef)) {
        /* Set the key */
        size_t enckeylen;

        enckeylen = EVP_PKEY_get1_encoded_public_key(pkey, &penc);
        if (enckeylen > INT_MAX || enckeylen == 0)
            goto err;
        ASN1_STRING_set0(pubkey, penc, (int)enckeylen);
        ossl_asn1_string_set_bits_left(pubkey, 0);

        penc = NULL;
        (void)X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
            V_ASN1_UNDEF, NULL); /* cannot fail */
    }

    /* See if custom parameters set */
    kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx);
    if (kdf_type <= 0)
        goto err;
    if (EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md) <= 0)
        goto err;
    ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx);
    if (ecdh_nid < 0)
        goto err;
    else if (ecdh_nid == 0)
        ecdh_nid = NID_dh_std_kdf;
    else if (ecdh_nid == 1)
        ecdh_nid = NID_dh_cofactor_kdf;

    if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
        kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
        if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
            goto err;
    } else
        /* Unknown KDF */
        goto err;
    if (kdf_md == NULL) {
        /* Fixme later for better MD */
        kdf_md = EVP_sha1();
        if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
            goto err;
    }

    if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm))
        goto err;

    /* Lookup NID for KDF+cofactor+digest */

    if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_get_type(kdf_md), ecdh_nid))
        goto err;
    /* Get wrap NID */
    ctx = CMS_RecipientInfo_kari_get0_ctx(ri);
    wrap_nid = EVP_CIPHER_CTX_get_type(ctx);
    keylen = EVP_CIPHER_CTX_get_key_length(ctx);

    /* Package wrap algorithm in an AlgorithmIdentifier */

    wrap_alg = X509_ALGOR_new();
    if (wrap_alg == NULL)
        goto err;
    wrap_alg->algorithm = OBJ_nid2obj(wrap_nid);
    wrap_alg->parameter = ASN1_TYPE_new();
    if (wrap_alg->parameter == NULL)
        goto err;
    if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0)
        goto err;
    if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) {
        ASN1_TYPE_free(wrap_alg->parameter);
        wrap_alg->parameter = NULL;
    }

    if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
        goto err;

    penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen);

    if (penclen <= 0)
        goto err;

    if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0)
        goto err;
    penc = NULL;

    /*
     * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
     * of another AlgorithmIdentifier.
     */
    penclen = i2d_X509_ALGOR(wrap_alg, &penc);
    if (penclen <= 0)
        goto err;
    wrap_str = ASN1_STRING_new();
    if (wrap_str == NULL)
        goto err;
    ASN1_STRING_set0(wrap_str, penc, penclen);
    penc = NULL;
    rv = X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str);
    if (!rv)
        ASN1_STRING_free(wrap_str);

err:
    OPENSSL_free(penc);
    X509_ALGOR_free(wrap_alg);
    return rv;
}

int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt)
{
    assert(decrypt == 0 || decrypt == 1);

    if (decrypt == 1)
        return ecdh_cms_decrypt(ri);

    if (decrypt == 0)
        return ecdh_cms_encrypt(ri);

    ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
    return 0;
}

Coverage Report

Created: 2026-04-09 06:50

Line	Count	Source
1		/*
2		* Copyright 2006-2026 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <assert.h>
11		#include <limits.h>
12		#include <openssl/cms.h>
13		#include <openssl/err.h>
14		#include <openssl/decoder.h>
15		#include "internal/sizes.h"
16		#include "crypto/asn1.h"
17		#include "crypto/evp.h"
18		#include "cms_local.h"
19
20		static EVP_PKEY pkey_type2param(int ptype, const void pval,
21		OSSL_LIB_CTX libctx, const char propq)
22	0	{
23	0	EVP_PKEY *pkey = NULL;
24	0	EVP_PKEY_CTX *pctx = NULL;
25	0	OSSL_DECODER_CTX *ctx = NULL;
26
27	0	if (ptype == V_ASN1_SEQUENCE) {
28	0	const ASN1_STRING *pstr = pval;
29	0	const unsigned char *pm = pstr->data;
30	0	size_t pmlen = (size_t)pstr->length;
31	0	int selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
32
33	0	ctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, "EC",
34	0	selection, libctx, propq);
35	0	if (ctx == NULL)
36	0	goto err;
37
38	0	if (!OSSL_DECODER_from_data(ctx, &pm, &pmlen)) {
39	0	ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
40	0	goto err;
41	0	}
42	0	OSSL_DECODER_CTX_free(ctx);
43	0	return pkey;
44	0	} else if (ptype == V_ASN1_OBJECT) {
45	0	const ASN1_OBJECT *poid = pval;
46	0	char groupname[OSSL_MAX_NAME_SIZE];
47
48		/* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID */
49	0	pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", propq);
50	0	if (pctx == NULL \|\| EVP_PKEY_paramgen_init(pctx) <= 0)
51	0	goto err;
52	0	if (OBJ_obj2txt(groupname, sizeof(groupname), poid, 0) <= 0
53	0	\|\| EVP_PKEY_CTX_set_group_name(pctx, groupname) <= 0) {
54	0	ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
55	0	goto err;
56	0	}
57	0	if (EVP_PKEY_paramgen(pctx, &pkey) <= 0)
58	0	goto err;
59	0	EVP_PKEY_CTX_free(pctx);
60	0	return pkey;
61	0	}
62
63	0	ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
64	0	return NULL;
65
66	0	err:
67	0	EVP_PKEY_free(pkey);
68	0	EVP_PKEY_CTX_free(pctx);
69	0	OSSL_DECODER_CTX_free(ctx);
70	0	return NULL;
71	0	}
72
73		static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
74		X509_ALGOR alg, ASN1_BIT_STRING pubkey)
75	0	{
76	0	const ASN1_OBJECT *aoid;
77	0	int atype;
78	0	const void *aval;
79	0	int rv = 0;
80	0	EVP_PKEY *pkpeer = NULL;
81	0	const unsigned char *p;
82	0	int plen;
83
84	0	X509_ALGOR_get0(&aoid, &atype, &aval, alg);
85	0	if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey)
86	0	goto err;
87
88		/* If absent parameters get group from main key */
89	0	if (atype == V_ASN1_UNDEF \|\| atype == V_ASN1_NULL) {
90	0	EVP_PKEY *pk;
91
92	0	pk = EVP_PKEY_CTX_get0_pkey(pctx);
93	0	if (pk == NULL)
94	0	goto err;
95
96	0	pkpeer = EVP_PKEY_new();
97	0	if (pkpeer == NULL)
98	0	goto err;
99	0	if (!EVP_PKEY_copy_parameters(pkpeer, pk))
100	0	goto err;
101	0	} else {
102	0	pkpeer = pkey_type2param(atype, aval,
103	0	EVP_PKEY_CTX_get0_libctx(pctx),
104	0	EVP_PKEY_CTX_get0_propq(pctx));
105	0	if (pkpeer == NULL)
106	0	goto err;
107	0	}
108		/* We have parameters now set public key */
109	0	plen = ASN1_STRING_length(pubkey);
110	0	p = ASN1_STRING_get0_data(pubkey);
111	0	if (p == NULL \|\| plen == 0)
112	0	goto err;
113
114	0	if (EVP_PKEY_set1_encoded_public_key(pkpeer, p, plen) <= 0)
115	0	goto err;
116
117	0	if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
118	0	rv = 1;
119	0	err:
120	0	EVP_PKEY_free(pkpeer);
121	0	return rv;
122	0	}
123
124		/* Set KDF parameters based on KDF NID */
125		static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid)
126	0	{
127	0	int kdf_nid, kdfmd_nid, cofactor;
128	0	const EVP_MD *kdf_md;
129
130	0	if (eckdf_nid == NID_undef)
131	0	return 0;
132
133		/* Lookup KDF type, cofactor mode and digest */
134	0	if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid))
135	0	return 0;
136
137	0	if (kdf_nid == NID_dh_std_kdf)
138	0	cofactor = 0;
139	0	else if (kdf_nid == NID_dh_cofactor_kdf)
140	0	cofactor = 1;
141	0	else
142	0	return 0;
143
144	0	if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
145	0	return 0;
146
147	0	if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
148	0	return 0;
149
150	0	kdf_md = EVP_get_digestbynid(kdfmd_nid);
151	0	if (!kdf_md)
152	0	return 0;
153
154	0	if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
155	0	return 0;
156	0	return 1;
157	0	}
158
159		static int ecdh_cms_set_shared_info(EVP_PKEY_CTX pctx, CMS_RecipientInfo ri)
160	0	{
161	0	int rv = 0;
162	0	X509_ALGOR alg, kekalg = NULL;
163	0	ASN1_OCTET_STRING *ukm;
164	0	const unsigned char *p;
165	0	unsigned char *der = NULL;
166	0	int plen, keylen;
167	0	EVP_CIPHER *kekcipher = NULL;
168	0	EVP_CIPHER_CTX *kekctx;
169	0	const ASN1_OBJECT *aoid = NULL;
170	0	int ptype = 0;
171	0	const void *parameter = NULL;
172
173	0	char name[OSSL_MAX_NAME_SIZE];
174
175	0	if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
176	0	return 0;
177
178	0	X509_ALGOR_get0(&aoid, &ptype, &parameter, alg);
179
180	0	if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(aoid))) {
181	0	ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
182	0	return 0;
183	0	}
184
185	0	if (ptype != V_ASN1_SEQUENCE)
186	0	return 0;
187
188	0	p = ASN1_STRING_get0_data(parameter);
189	0	plen = ASN1_STRING_length(parameter);
190	0	kekalg = d2i_X509_ALGOR(NULL, &p, plen);
191	0	if (kekalg == NULL)
192	0	goto err;
193	0	kekctx = CMS_RecipientInfo_kari_get0_ctx(ri);
194	0	if (kekctx == NULL)
195	0	goto err;
196	0	OBJ_obj2txt(name, sizeof(name), kekalg->algorithm, 0);
197	0	kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
198	0	if (kekcipher == NULL \|\| EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
199	0	goto err;
200	0	if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
201	0	goto err;
202	0	if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0)
203	0	goto err;
204
205	0	keylen = EVP_CIPHER_CTX_get_key_length(kekctx);
206	0	if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
207	0	goto err;
208
209	0	plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen);
210
211	0	if (plen <= 0)
212	0	goto err;
213
214	0	if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0)
215	0	goto err;
216	0	der = NULL;
217
218	0	rv = 1;
219	0	err:
220	0	EVP_CIPHER_free(kekcipher);
221	0	X509_ALGOR_free(kekalg);
222	0	OPENSSL_free(der);
223	0	return rv;
224	0	}
225
226		static int ecdh_cms_decrypt(CMS_RecipientInfo *ri)
227	0	{
228	0	EVP_PKEY_CTX *pctx;
229
230	0	pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
231	0	if (pctx == NULL)
232	0	return 0;
233		/* See if we need to set peer key */
234	0	if (!EVP_PKEY_CTX_get0_peerkey(pctx)) {
235	0	X509_ALGOR *alg;
236	0	ASN1_BIT_STRING *pubkey;
237
238	0	if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey,
239	0	NULL, NULL, NULL))
240	0	return 0;
241	0	if (alg == NULL \|\| pubkey == NULL)
242	0	return 0;
243	0	if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) {
244	0	ERR_raise(ERR_LIB_CMS, CMS_R_PEER_KEY_ERROR);
245	0	return 0;
246	0	}
247	0	}
248		/* Set ECDH derivation parameters and initialise unwrap context */
249	0	if (!ecdh_cms_set_shared_info(pctx, ri)) {
250	0	ERR_raise(ERR_LIB_CMS, CMS_R_SHARED_INFO_ERROR);
251	0	return 0;
252	0	}
253	0	return 1;
254	0	}
255
256		static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
257	0	{
258	0	EVP_PKEY_CTX *pctx;
259	0	EVP_PKEY *pkey;
260	0	EVP_CIPHER_CTX *ctx;
261	0	int keylen;
262	0	X509_ALGOR talg, wrap_alg = NULL;
263	0	const ASN1_OBJECT *aoid;
264	0	ASN1_BIT_STRING *pubkey;
265	0	ASN1_STRING *wrap_str;
266	0	ASN1_OCTET_STRING *ukm;
267	0	unsigned char *penc = NULL;
268	0	int penclen;
269	0	int rv = 0;
270	0	int ecdh_nid, kdf_type, kdf_nid, wrap_nid;
271	0	const EVP_MD *kdf_md;
272
273	0	pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
274	0	if (pctx == NULL)
275	0	return 0;
276		/* Get ephemeral key */
277	0	pkey = EVP_PKEY_CTX_get0_pkey(pctx);
278	0	if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey,
279	0	NULL, NULL, NULL))
280	0	goto err;
281	0	X509_ALGOR_get0(&aoid, NULL, NULL, talg);
282		/* Is everything uninitialised? */
283	0	if (aoid == OBJ_nid2obj(NID_undef)) {
284		/* Set the key */
285	0	size_t enckeylen;
286
287	0	enckeylen = EVP_PKEY_get1_encoded_public_key(pkey, &penc);
288	0	if (enckeylen > INT_MAX \|\| enckeylen == 0)
289	0	goto err;
290	0	ASN1_STRING_set0(pubkey, penc, (int)enckeylen);
291	0	ossl_asn1_string_set_bits_left(pubkey, 0);
292
293	0	penc = NULL;
294	0	(void)X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
295	0	V_ASN1_UNDEF, NULL); /* cannot fail */
296	0	}
297
298		/* See if custom parameters set */
299	0	kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx);
300	0	if (kdf_type <= 0)
301	0	goto err;
302	0	if (EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md) <= 0)
303	0	goto err;
304	0	ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx);
305	0	if (ecdh_nid < 0)
306	0	goto err;
307	0	else if (ecdh_nid == 0)
308	0	ecdh_nid = NID_dh_std_kdf;
309	0	else if (ecdh_nid == 1)
310	0	ecdh_nid = NID_dh_cofactor_kdf;
311
312	0	if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
313	0	kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
314	0	if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
315	0	goto err;
316	0	} else
317		/* Unknown KDF */
318	0	goto err;
319	0	if (kdf_md == NULL) {
320		/* Fixme later for better MD */
321	0	kdf_md = EVP_sha1();
322	0	if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
323	0	goto err;
324	0	}
325
326	0	if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm))
327	0	goto err;
328
329		/* Lookup NID for KDF+cofactor+digest */
330
331	0	if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_get_type(kdf_md), ecdh_nid))
332	0	goto err;
333		/* Get wrap NID */
334	0	ctx = CMS_RecipientInfo_kari_get0_ctx(ri);
335	0	wrap_nid = EVP_CIPHER_CTX_get_type(ctx);
336	0	keylen = EVP_CIPHER_CTX_get_key_length(ctx);
337
338		/* Package wrap algorithm in an AlgorithmIdentifier */
339
340	0	wrap_alg = X509_ALGOR_new();
341	0	if (wrap_alg == NULL)
342	0	goto err;
343	0	wrap_alg->algorithm = OBJ_nid2obj(wrap_nid);
344	0	wrap_alg->parameter = ASN1_TYPE_new();
345	0	if (wrap_alg->parameter == NULL)
346	0	goto err;
347	0	if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0)
348	0	goto err;
349	0	if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) {
350	0	ASN1_TYPE_free(wrap_alg->parameter);
351	0	wrap_alg->parameter = NULL;
352	0	}
353
354	0	if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
355	0	goto err;
356
357	0	penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen);
358
359	0	if (penclen <= 0)
360	0	goto err;
361
362	0	if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0)
363	0	goto err;
364	0	penc = NULL;
365
366		/*
367		* Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
368		* of another AlgorithmIdentifier.
369		*/
370	0	penclen = i2d_X509_ALGOR(wrap_alg, &penc);
371	0	if (penclen <= 0)
372	0	goto err;
373	0	wrap_str = ASN1_STRING_new();
374	0	if (wrap_str == NULL)
375	0	goto err;
376	0	ASN1_STRING_set0(wrap_str, penc, penclen);
377	0	penc = NULL;
378	0	rv = X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str);
379	0	if (!rv)
380	0	ASN1_STRING_free(wrap_str);
381
382	0	err:
383	0	OPENSSL_free(penc);
384	0	X509_ALGOR_free(wrap_alg);
385	0	return rv;
386	0	}
387
388		int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt)
389	0	{
390	0	assert(decrypt == 0 \|\| decrypt == 1);
391
392	0	if (decrypt == 1)
393	0	return ecdh_cms_decrypt(ri);
394
395	0	if (decrypt == 0)
396	0	return ecdh_cms_encrypt(ri);
397
398	0	ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
399	0	return 0;
400	0	}