/src/openssl/crypto/cms/cms_kari.c

Source (jump to first uncovered line)
/*
 * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/cms.h>
#include <openssl/aes.h>
#include "cms_lcl.h"
#include "internal/asn1_int.h"

/* Key Agreement Recipient Info (KARI) routines */

int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
                                    X509_ALGOR **palg,
                                    ASN1_OCTET_STRING **pukm)
{
    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG,
               CMS_R_NOT_KEY_AGREEMENT);
        return 0;
    }
    if (palg)
        *palg = ri->d.kari->keyEncryptionAlgorithm;
    if (pukm)
        *pukm = ri->d.kari->ukm;
    return 1;
}

/* Retrieve recipient encrypted keys from a kari */

STACK_OF(CMS_RecipientEncryptedKey)
*CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri)
{
    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS,
               CMS_R_NOT_KEY_AGREEMENT);
        return NULL;
    }
    return ri->d.kari->recipientEncryptedKeys;
}

int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
                                        X509_ALGOR **pubalg,
                                        ASN1_BIT_STRING **pubkey,
                                        ASN1_OCTET_STRING **keyid,
                                        X509_NAME **issuer,
                                        ASN1_INTEGER **sno)
{
    CMS_OriginatorIdentifierOrKey *oik;
    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
               CMS_R_NOT_KEY_AGREEMENT);
        return 0;
    }
    oik = ri->d.kari->originator;
    if (issuer)
        *issuer = NULL;
    if (sno)
        *sno = NULL;
    if (keyid)
        *keyid = NULL;
    if (pubalg)
        *pubalg = NULL;
    if (pubkey)
        *pubkey = NULL;
    if (oik->type == CMS_OIK_ISSUER_SERIAL) {
        if (issuer)
            *issuer = oik->d.issuerAndSerialNumber->issuer;
        if (sno)
            *sno = oik->d.issuerAndSerialNumber->serialNumber;
    } else if (oik->type == CMS_OIK_KEYIDENTIFIER) {
        if (keyid)
            *keyid = oik->d.subjectKeyIdentifier;
    } else if (oik->type == CMS_OIK_PUBKEY) {
        if (pubalg)
            *pubalg = oik->d.originatorKey->algorithm;
        if (pubkey)
            *pubkey = oik->d.originatorKey->publicKey;
    } else
        return 0;
    return 1;
}

int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert)
{
    CMS_OriginatorIdentifierOrKey *oik;
    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
               CMS_R_NOT_KEY_AGREEMENT);
        return -2;
    }
    oik = ri->d.kari->originator;
    if (oik->type == CMS_OIK_ISSUER_SERIAL)
        return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert);
    else if (oik->type == CMS_OIK_KEYIDENTIFIER)
        return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert);
    return -1;
}

int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
                                      ASN1_OCTET_STRING **keyid,
                                      ASN1_GENERALIZEDTIME **tm,
                                      CMS_OtherKeyAttribute **other,
                                      X509_NAME **issuer, ASN1_INTEGER **sno)
{
    CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
    if (rid->type == CMS_REK_ISSUER_SERIAL) {
        if (issuer)
            *issuer = rid->d.issuerAndSerialNumber->issuer;
        if (sno)
            *sno = rid->d.issuerAndSerialNumber->serialNumber;
        if (keyid)
            *keyid = NULL;
        if (tm)
            *tm = NULL;
        if (other)
            *other = NULL;
    } else if (rid->type == CMS_REK_KEYIDENTIFIER) {
        if (keyid)
            *keyid = rid->d.rKeyId->subjectKeyIdentifier;
        if (tm)
            *tm = rid->d.rKeyId->date;
        if (other)
            *other = rid->d.rKeyId->other;
        if (issuer)
            *issuer = NULL;
        if (sno)
            *sno = NULL;
    } else
        return 0;
    return 1;
}

int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
                                       X509 *cert)
{
    CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
    if (rid->type == CMS_REK_ISSUER_SERIAL)
        return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert);
    else if (rid->type == CMS_REK_KEYIDENTIFIER)
        return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert);
    else
        return -1;
}

int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
{
    EVP_PKEY_CTX *pctx;
    CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;

    EVP_PKEY_CTX_free(kari->pctx);
    kari->pctx = NULL;
    if (!pk)
        return 1;
    pctx = EVP_PKEY_CTX_new(pk, NULL);
    if (!pctx || !EVP_PKEY_derive_init(pctx))
        goto err;
    kari->pctx = pctx;
    return 1;
 err:
    EVP_PKEY_CTX_free(pctx);
    return 0;
}

EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
{
    if (ri->type == CMS_RECIPINFO_AGREE)
        return ri->d.kari->ctx;
    return NULL;
}

/*
 * Derive KEK and decrypt/encrypt with it to produce either the original CEK
 * or the encrypted CEK.
 */

static int cms_kek_cipher(unsigned char **pout, size_t *poutlen,
                          const unsigned char *in, size_t inlen,
                          CMS_KeyAgreeRecipientInfo *kari, int enc)
{
    /* Key encryption key */
    unsigned char kek[EVP_MAX_KEY_LENGTH];
    size_t keklen;
    int rv = 0;
    unsigned char *out = NULL;
    int outlen;
    keklen = EVP_CIPHER_CTX_key_length(kari->ctx);
    if (keklen > EVP_MAX_KEY_LENGTH)
        return 0;
    /* Derive KEK */
    if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0)
        goto err;
    /* Set KEK in context */
    if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc))
        goto err;
    /* obtain output length of ciphered key */
    if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen))
        goto err;
    out = OPENSSL_malloc(outlen);
    if (out == NULL)
        goto err;
    if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen))
        goto err;
    *pout = out;
    *poutlen = (size_t)outlen;
    rv = 1;

 err:
    OPENSSL_cleanse(kek, keklen);
    if (!rv)
        OPENSSL_free(out);
    EVP_CIPHER_CTX_reset(kari->ctx);
    /* FIXME: WHY IS kari->pctx freed here?  /RL */
    EVP_PKEY_CTX_free(kari->pctx);
    kari->pctx = NULL;
    return rv;
}

int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
                                   CMS_RecipientInfo *ri,
                                   CMS_RecipientEncryptedKey *rek)
{
    int rv = 0;
    unsigned char *enckey = NULL, *cek = NULL;
    size_t enckeylen;
    size_t ceklen;
    CMS_EncryptedContentInfo *ec;
    enckeylen = rek->encryptedKey->length;
    enckey = rek->encryptedKey->data;
    /* Setup all parameters to derive KEK */
    if (!cms_env_asn1_ctrl(ri, 1))
        goto err;
    /* Attempt to decrypt CEK */
    if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0))
        goto err;
    ec = cms->d.envelopedData->encryptedContentInfo;
    OPENSSL_clear_free(ec->key, ec->keylen);
    ec->key = cek;
    ec->keylen = ceklen;
    cek = NULL;
    rv = 1;
 err:
    OPENSSL_free(cek);
    return rv;
}

/* Create ephemeral key and initialise context based on it */
static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
                                         EVP_PKEY *pk)
{
    EVP_PKEY_CTX *pctx = NULL;
    EVP_PKEY *ekey = NULL;
    int rv = 0;
    pctx = EVP_PKEY_CTX_new(pk, NULL);
    if (!pctx)
        goto err;
    if (EVP_PKEY_keygen_init(pctx) <= 0)
        goto err;
    if (EVP_PKEY_keygen(pctx, &ekey) <= 0)
        goto err;
    EVP_PKEY_CTX_free(pctx);
    pctx = EVP_PKEY_CTX_new(ekey, NULL);
    if (!pctx)
        goto err;
    if (EVP_PKEY_derive_init(pctx) <= 0)
        goto err;
    kari->pctx = pctx;
    rv = 1;
 err:
    if (!rv)
        EVP_PKEY_CTX_free(pctx);
    EVP_PKEY_free(ekey);
    return rv;
}

/* Initialise a ktri based on passed certificate and key */

int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
                                EVP_PKEY *pk, unsigned int flags)
{
    CMS_KeyAgreeRecipientInfo *kari;
    CMS_RecipientEncryptedKey *rek = NULL;

    ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
    if (!ri->d.kari)
        return 0;
    ri->type = CMS_RECIPINFO_AGREE;

    kari = ri->d.kari;
    kari->version = 3;

    rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
    if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
        M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
        return 0;
    }

    if (flags & CMS_USE_KEYID) {
        rek->rid->type = CMS_REK_KEYIDENTIFIER;
        rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier);
        if (rek->rid->d.rKeyId == NULL)
            return 0;
        if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip))
            return 0;
    } else {
        rek->rid->type = CMS_REK_ISSUER_SERIAL;
        if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip))
            return 0;
    }

    /* Create ephemeral key */
    if (!cms_kari_create_ephemeral_key(kari, pk))
        return 0;

    EVP_PKEY_up_ref(pk);
    rek->pkey = pk;
    return 1;
}

static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
                         const EVP_CIPHER *cipher)
{
    EVP_CIPHER_CTX *ctx = kari->ctx;
    const EVP_CIPHER *kekcipher;
    int keylen = EVP_CIPHER_key_length(cipher);
    /* If a suitable wrap algorithm is already set nothing to do */
    kekcipher = EVP_CIPHER_CTX_cipher(ctx);

    if (kekcipher) {
        if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
            return 0;
        return 1;
    }
    /*
     * Pick a cipher based on content encryption cipher. If it is DES3 use
     * DES3 wrap otherwise use AES wrap similar to key size.
     */
#ifndef OPENSSL_NO_DES
    if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
        kekcipher = EVP_des_ede3_wrap();
    else
#endif
    if (keylen <= 16)
        kekcipher = EVP_aes_128_wrap();
    else if (keylen <= 24)
        kekcipher = EVP_aes_192_wrap();
    else
        kekcipher = EVP_aes_256_wrap();
    return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
}

/* Encrypt content key in key agreement recipient info */

int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
                                   CMS_RecipientInfo *ri)
{
    CMS_KeyAgreeRecipientInfo *kari;
    CMS_EncryptedContentInfo *ec;
    CMS_RecipientEncryptedKey *rek;
    STACK_OF(CMS_RecipientEncryptedKey) *reks;
    int i;

    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
        return 0;
    }
    kari = ri->d.kari;
    reks = kari->recipientEncryptedKeys;
    ec = cms->d.envelopedData->encryptedContentInfo;
    /* Initialise wrap algorithm parameters */
    if (!cms_wrap_init(kari, ec->cipher))
        return 0;
    /*
     * If no originator key set up initialise for ephemeral key the public key
     * ASN1 structure will set the actual public key value.
     */
    if (kari->originator->type == -1) {
        CMS_OriginatorIdentifierOrKey *oik = kari->originator;
        oik->type = CMS_OIK_PUBKEY;
        oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
        if (!oik->d.originatorKey)
            return 0;
    }
    /* Initialise KDF algorithm */
    if (!cms_env_asn1_ctrl(ri, 0))
        return 0;
    /* For each rek, derive KEK, encrypt CEK */
    for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) {
        unsigned char *enckey;
        size_t enckeylen;
        rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
        if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0)
            return 0;
        if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen,
                            kari, 1))
            return 0;
        ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen);
    }

    return 1;

}

Coverage Report

Created: 2018-08-29 13:53

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include "internal/cryptlib.h"
11		#include <openssl/asn1t.h>
12		#include <openssl/pem.h>
13		#include <openssl/x509v3.h>
14		#include <openssl/err.h>
15		#include <openssl/cms.h>
16		#include <openssl/aes.h>
17		#include "cms_lcl.h"
18		#include "internal/asn1_int.h"
19
20		/* Key Agreement Recipient Info (KARI) routines */
21
22		int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
23		X509_ALGOR **palg,
24		ASN1_OCTET_STRING **pukm)
25	0	{
26	0	if (ri->type != CMS_RECIPINFO_AGREE) {
27	0	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG,
28	0	CMS_R_NOT_KEY_AGREEMENT);
29	0	return 0;
30	0	}
31	0	if (palg)
32	0	*palg = ri->d.kari->keyEncryptionAlgorithm;
33	0	if (pukm)
34	0	*pukm = ri->d.kari->ukm;
35	0	return 1;
36	0	}
37
38		/* Retrieve recipient encrypted keys from a kari */
39
40		STACK_OF(CMS_RecipientEncryptedKey)
41		CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo ri)
42	0	{
43	0	if (ri->type != CMS_RECIPINFO_AGREE) {
44	0	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS,
45	0	CMS_R_NOT_KEY_AGREEMENT);
46	0	return NULL;
47	0	}
48	0	return ri->d.kari->recipientEncryptedKeys;
49	0	}
50
51		int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
52		X509_ALGOR **pubalg,
53		ASN1_BIT_STRING **pubkey,
54		ASN1_OCTET_STRING **keyid,
55		X509_NAME **issuer,
56		ASN1_INTEGER **sno)
57	0	{
58	0	CMS_OriginatorIdentifierOrKey *oik;
59	0	if (ri->type != CMS_RECIPINFO_AGREE) {
60	0	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
61	0	CMS_R_NOT_KEY_AGREEMENT);
62	0	return 0;
63	0	}
64	0	oik = ri->d.kari->originator;
65	0	if (issuer)
66	0	*issuer = NULL;
67	0	if (sno)
68	0	*sno = NULL;
69	0	if (keyid)
70	0	*keyid = NULL;
71	0	if (pubalg)
72	0	*pubalg = NULL;
73	0	if (pubkey)
74	0	*pubkey = NULL;
75	0	if (oik->type == CMS_OIK_ISSUER_SERIAL) {
76	0	if (issuer)
77	0	*issuer = oik->d.issuerAndSerialNumber->issuer;
78	0	if (sno)
79	0	*sno = oik->d.issuerAndSerialNumber->serialNumber;
80	0	} else if (oik->type == CMS_OIK_KEYIDENTIFIER) {
81	0	if (keyid)
82	0	*keyid = oik->d.subjectKeyIdentifier;
83	0	} else if (oik->type == CMS_OIK_PUBKEY) {
84	0	if (pubalg)
85	0	*pubalg = oik->d.originatorKey->algorithm;
86	0	if (pubkey)
87	0	*pubkey = oik->d.originatorKey->publicKey;
88	0	} else
89	0	return 0;
90	0	return 1;
91	0	}
92
93		int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo ri, X509 cert)
94	0	{
95	0	CMS_OriginatorIdentifierOrKey *oik;
96	0	if (ri->type != CMS_RECIPINFO_AGREE) {
97	0	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
98	0	CMS_R_NOT_KEY_AGREEMENT);
99	0	return -2;
100	0	}
101	0	oik = ri->d.kari->originator;
102	0	if (oik->type == CMS_OIK_ISSUER_SERIAL)
103	0	return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert);
104	0	else if (oik->type == CMS_OIK_KEYIDENTIFIER)
105	0	return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert);
106	0	return -1;
107	0	}
108
109		int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
110		ASN1_OCTET_STRING **keyid,
111		ASN1_GENERALIZEDTIME **tm,
112		CMS_OtherKeyAttribute **other,
113		X509_NAME issuer, ASN1_INTEGER sno)
114	0	{
115	0	CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
116	0	if (rid->type == CMS_REK_ISSUER_SERIAL) {
117	0	if (issuer)
118	0	*issuer = rid->d.issuerAndSerialNumber->issuer;
119	0	if (sno)
120	0	*sno = rid->d.issuerAndSerialNumber->serialNumber;
121	0	if (keyid)
122	0	*keyid = NULL;
123	0	if (tm)
124	0	*tm = NULL;
125	0	if (other)
126	0	*other = NULL;
127	0	} else if (rid->type == CMS_REK_KEYIDENTIFIER) {
128	0	if (keyid)
129	0	*keyid = rid->d.rKeyId->subjectKeyIdentifier;
130	0	if (tm)
131	0	*tm = rid->d.rKeyId->date;
132	0	if (other)
133	0	*other = rid->d.rKeyId->other;
134	0	if (issuer)
135	0	*issuer = NULL;
136	0	if (sno)
137	0	*sno = NULL;
138	0	} else
139	0	return 0;
140	0	return 1;
141	0	}
142
143		int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
144		X509 *cert)
145	0	{
146	0	CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
147	0	if (rid->type == CMS_REK_ISSUER_SERIAL)
148	0	return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert);
149	0	else if (rid->type == CMS_REK_KEYIDENTIFIER)
150	0	return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert);
151	0	else
152	0	return -1;
153	0	}
154
155		int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo ri, EVP_PKEY pk)
156	0	{
157	0	EVP_PKEY_CTX *pctx;
158	0	CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
159	0
160	0	EVP_PKEY_CTX_free(kari->pctx);
161	0	kari->pctx = NULL;
162	0	if (!pk)
163	0	return 1;
164	0	pctx = EVP_PKEY_CTX_new(pk, NULL);
165	0	if (!pctx \|\| !EVP_PKEY_derive_init(pctx))
166	0	goto err;
167	0	kari->pctx = pctx;
168	0	return 1;
169	0	err:
170	0	EVP_PKEY_CTX_free(pctx);
171	0	return 0;
172	0	}
173
174		EVP_CIPHER_CTX CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo ri)
175	0	{
176	0	if (ri->type == CMS_RECIPINFO_AGREE)
177	0	return ri->d.kari->ctx;
178	0	return NULL;
179	0	}
180
181		/*
182		* Derive KEK and decrypt/encrypt with it to produce either the original CEK
183		* or the encrypted CEK.
184		*/
185
186		static int cms_kek_cipher(unsigned char *pout, size_t poutlen,
187		const unsigned char *in, size_t inlen,
188		CMS_KeyAgreeRecipientInfo *kari, int enc)
189	0	{
190	0	/* Key encryption key */
191	0	unsigned char kek[EVP_MAX_KEY_LENGTH];
192	0	size_t keklen;
193	0	int rv = 0;
194	0	unsigned char *out = NULL;
195	0	int outlen;
196	0	keklen = EVP_CIPHER_CTX_key_length(kari->ctx);
197	0	if (keklen > EVP_MAX_KEY_LENGTH)
198	0	return 0;
199	0	/* Derive KEK */
200	0	if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0)
201	0	goto err;
202	0	/* Set KEK in context */
203	0	if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc))
204	0	goto err;
205	0	/* obtain output length of ciphered key */
206	0	if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen))
207	0	goto err;
208	0	out = OPENSSL_malloc(outlen);
209	0	if (out == NULL)
210	0	goto err;
211	0	if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen))
212	0	goto err;
213	0	*pout = out;
214	0	*poutlen = (size_t)outlen;
215	0	rv = 1;
216	0
217	0	err:
218	0	OPENSSL_cleanse(kek, keklen);
219	0	if (!rv)
220	0	OPENSSL_free(out);
221	0	EVP_CIPHER_CTX_reset(kari->ctx);
222	0	/* FIXME: WHY IS kari->pctx freed here? /RL */
223	0	EVP_PKEY_CTX_free(kari->pctx);
224	0	kari->pctx = NULL;
225	0	return rv;
226	0	}
227
228		int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
229		CMS_RecipientInfo *ri,
230		CMS_RecipientEncryptedKey *rek)
231	0	{
232	0	int rv = 0;
233	0	unsigned char enckey = NULL, cek = NULL;
234	0	size_t enckeylen;
235	0	size_t ceklen;
236	0	CMS_EncryptedContentInfo *ec;
237	0	enckeylen = rek->encryptedKey->length;
238	0	enckey = rek->encryptedKey->data;
239	0	/* Setup all parameters to derive KEK */
240	0	if (!cms_env_asn1_ctrl(ri, 1))
241	0	goto err;
242	0	/* Attempt to decrypt CEK */
243	0	if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0))
244	0	goto err;
245	0	ec = cms->d.envelopedData->encryptedContentInfo;
246	0	OPENSSL_clear_free(ec->key, ec->keylen);
247	0	ec->key = cek;
248	0	ec->keylen = ceklen;
249	0	cek = NULL;
250	0	rv = 1;
251	0	err:
252	0	OPENSSL_free(cek);
253	0	return rv;
254	0	}
255
256		/* Create ephemeral key and initialise context based on it */
257		static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
258		EVP_PKEY *pk)
259	0	{
260	0	EVP_PKEY_CTX *pctx = NULL;
261	0	EVP_PKEY *ekey = NULL;
262	0	int rv = 0;
263	0	pctx = EVP_PKEY_CTX_new(pk, NULL);
264	0	if (!pctx)
265	0	goto err;
266	0	if (EVP_PKEY_keygen_init(pctx) <= 0)
267	0	goto err;
268	0	if (EVP_PKEY_keygen(pctx, &ekey) <= 0)
269	0	goto err;
270	0	EVP_PKEY_CTX_free(pctx);
271	0	pctx = EVP_PKEY_CTX_new(ekey, NULL);
272	0	if (!pctx)
273	0	goto err;
274	0	if (EVP_PKEY_derive_init(pctx) <= 0)
275	0	goto err;
276	0	kari->pctx = pctx;
277	0	rv = 1;
278	0	err:
279	0	if (!rv)
280	0	EVP_PKEY_CTX_free(pctx);
281	0	EVP_PKEY_free(ekey);
282	0	return rv;
283	0	}
284
285		/* Initialise a ktri based on passed certificate and key */
286
287		int cms_RecipientInfo_kari_init(CMS_RecipientInfo ri, X509 recip,
288		EVP_PKEY *pk, unsigned int flags)
289	0	{
290	0	CMS_KeyAgreeRecipientInfo *kari;
291	0	CMS_RecipientEncryptedKey *rek = NULL;
292	0
293	0	ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
294	0	if (!ri->d.kari)
295	0	return 0;
296	0	ri->type = CMS_RECIPINFO_AGREE;
297	0
298	0	kari = ri->d.kari;
299	0	kari->version = 3;
300	0
301	0	rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
302	0	if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
303	0	M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
304	0	return 0;
305	0	}
306	0
307	0	if (flags & CMS_USE_KEYID) {
308	0	rek->rid->type = CMS_REK_KEYIDENTIFIER;
309	0	rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier);
310	0	if (rek->rid->d.rKeyId == NULL)
311	0	return 0;
312	0	if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip))
313	0	return 0;
314	0	} else {
315	0	rek->rid->type = CMS_REK_ISSUER_SERIAL;
316	0	if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip))
317	0	return 0;
318	0	}
319	0
320	0	/* Create ephemeral key */
321	0	if (!cms_kari_create_ephemeral_key(kari, pk))
322	0	return 0;
323	0
324	0	EVP_PKEY_up_ref(pk);
325	0	rek->pkey = pk;
326	0	return 1;
327	0	}
328
329		static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
330		const EVP_CIPHER *cipher)
331	0	{
332	0	EVP_CIPHER_CTX *ctx = kari->ctx;
333	0	const EVP_CIPHER *kekcipher;
334	0	int keylen = EVP_CIPHER_key_length(cipher);
335	0	/* If a suitable wrap algorithm is already set nothing to do */
336	0	kekcipher = EVP_CIPHER_CTX_cipher(ctx);
337	0
338	0	if (kekcipher) {
339	0	if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
340	0	return 0;
341	0	return 1;
342	0	}
343	0	/*
344	0	* Pick a cipher based on content encryption cipher. If it is DES3 use
345	0	* DES3 wrap otherwise use AES wrap similar to key size.
346	0	*/
347	0	#ifndef OPENSSL_NO_DES
348	0	if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
349	0	kekcipher = EVP_des_ede3_wrap();
350	0	else
351	0	#endif
352	0	if (keylen <= 16)
353	0	kekcipher = EVP_aes_128_wrap();
354	0	else if (keylen <= 24)
355	0	kekcipher = EVP_aes_192_wrap();
356	0	else
357	0	kekcipher = EVP_aes_256_wrap();
358	0	return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
359	0	}
360
361		/* Encrypt content key in key agreement recipient info */
362
363		int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
364		CMS_RecipientInfo *ri)
365	0	{
366	0	CMS_KeyAgreeRecipientInfo *kari;
367	0	CMS_EncryptedContentInfo *ec;
368	0	CMS_RecipientEncryptedKey *rek;
369	0	STACK_OF(CMS_RecipientEncryptedKey) *reks;
370	0	int i;
371	0
372	0	if (ri->type != CMS_RECIPINFO_AGREE) {
373	0	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
374	0	return 0;
375	0	}
376	0	kari = ri->d.kari;
377	0	reks = kari->recipientEncryptedKeys;
378	0	ec = cms->d.envelopedData->encryptedContentInfo;
379	0	/* Initialise wrap algorithm parameters */
380	0	if (!cms_wrap_init(kari, ec->cipher))
381	0	return 0;
382	0	/*
383	0	* If no originator key set up initialise for ephemeral key the public key
384	0	* ASN1 structure will set the actual public key value.
385	0	*/
386	0	if (kari->originator->type == -1) {
387	0	CMS_OriginatorIdentifierOrKey *oik = kari->originator;
388	0	oik->type = CMS_OIK_PUBKEY;
389	0	oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
390	0	if (!oik->d.originatorKey)
391	0	return 0;
392	0	}
393	0	/* Initialise KDF algorithm */
394	0	if (!cms_env_asn1_ctrl(ri, 0))
395	0	return 0;
396	0	/* For each rek, derive KEK, encrypt CEK */
397	0	for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) {
398	0	unsigned char *enckey;
399	0	size_t enckeylen;
400	0	rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
401	0	if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0)
402	0	return 0;
403	0	if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen,
404	0	kari, 1))
405	0	return 0;
406	0	ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen);
407	0	}
408	0
409	0	return 1;
410	0
411	0	}