summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2016-09-04 17:55:28 +0000
committerjsing <>2016-09-04 17:55:28 +0000
commitf241743894147029e418ff36ff91f2216f0dd756 (patch)
tree0c7a376ed0e00e4e86552ac7422f66908cef3774
parent6b821b77472515bca3e910c34372cf3306e435dd (diff)
downloadopenbsd-f241743894147029e418ff36ff91f2216f0dd756.tar.gz
openbsd-f241743894147029e418ff36ff91f2216f0dd756.tar.bz2
openbsd-f241743894147029e418ff36ff91f2216f0dd756.zip
Remove cms.
ok beck@, guenther@, tedu@
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/cms/cms.h473
-rw-r--r--src/lib/libcrypto/cms/cms_asn1.c1503
-rw-r--r--src/lib/libcrypto/cms/cms_att.c211
-rw-r--r--src/lib/libcrypto/cms/cms_cd.c135
-rw-r--r--src/lib/libcrypto/cms/cms_dd.c147
-rw-r--r--src/lib/libcrypto/cms/cms_enc.c267
-rw-r--r--src/lib/libcrypto/cms/cms_env.c818
-rw-r--r--src/lib/libcrypto/cms/cms_err.c245
-rw-r--r--src/lib/libcrypto/cms/cms_ess.c385
-rw-r--r--src/lib/libcrypto/cms/cms_io.c139
-rw-r--r--src/lib/libcrypto/cms/cms_lcl.h438
-rw-r--r--src/lib/libcrypto/cms/cms_lib.c594
-rw-r--r--src/lib/libcrypto/cms/cms_pwri.c431
-rw-r--r--src/lib/libcrypto/cms/cms_sd.c934
-rw-r--r--src/lib/libcrypto/cms/cms_smime.c821
15 files changed, 0 insertions, 7541 deletions
diff --git a/src/lib/libcrypto/cms/cms.h b/src/lib/libcrypto/cms/cms.h
deleted file mode 100644
index 9a5aae5299..0000000000
--- a/src/lib/libcrypto/cms/cms.h
+++ /dev/null
@@ -1,473 +0,0 @@
1/* $OpenBSD: cms.h,v 1.7 2015/02/11 04:05:14 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#ifndef HEADER_CMS_H
55#define HEADER_CMS_H
56
57#include <openssl/opensslconf.h>
58
59#include <openssl/x509.h>
60
61#ifdef OPENSSL_NO_CMS
62#error CMS is disabled.
63#endif
64
65#ifdef __cplusplus
66extern "C" {
67#endif
68
69typedef struct CMS_ContentInfo_st CMS_ContentInfo;
70typedef struct CMS_SignerInfo_st CMS_SignerInfo;
71typedef struct CMS_CertificateChoices CMS_CertificateChoices;
72typedef struct CMS_RevocationInfoChoice_st CMS_RevocationInfoChoice;
73typedef struct CMS_RecipientInfo_st CMS_RecipientInfo;
74typedef struct CMS_ReceiptRequest_st CMS_ReceiptRequest;
75typedef struct CMS_Receipt_st CMS_Receipt;
76
77DECLARE_STACK_OF(CMS_SignerInfo)
78DECLARE_STACK_OF(GENERAL_NAMES)
79DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo)
80DECLARE_ASN1_FUNCTIONS(CMS_ReceiptRequest)
81DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
82
83#define CMS_SIGNERINFO_ISSUER_SERIAL 0
84#define CMS_SIGNERINFO_KEYIDENTIFIER 1
85
86#define CMS_RECIPINFO_TRANS 0
87#define CMS_RECIPINFO_AGREE 1
88#define CMS_RECIPINFO_KEK 2
89#define CMS_RECIPINFO_PASS 3
90#define CMS_RECIPINFO_OTHER 4
91
92/* S/MIME related flags */
93
94#define CMS_TEXT 0x1
95#define CMS_NOCERTS 0x2
96#define CMS_NO_CONTENT_VERIFY 0x4
97#define CMS_NO_ATTR_VERIFY 0x8
98#define CMS_NOSIGS \
99 (CMS_NO_CONTENT_VERIFY|CMS_NO_ATTR_VERIFY)
100#define CMS_NOINTERN 0x10
101#define CMS_NO_SIGNER_CERT_VERIFY 0x20
102#define CMS_NOVERIFY 0x20
103#define CMS_DETACHED 0x40
104#define CMS_BINARY 0x80
105#define CMS_NOATTR 0x100
106#define CMS_NOSMIMECAP 0x200
107#define CMS_NOOLDMIMETYPE 0x400
108#define CMS_CRLFEOL 0x800
109#define CMS_STREAM 0x1000
110#define CMS_NOCRL 0x2000
111#define CMS_PARTIAL 0x4000
112#define CMS_REUSE_DIGEST 0x8000
113#define CMS_USE_KEYID 0x10000
114#define CMS_DEBUG_DECRYPT 0x20000
115
116const ASN1_OBJECT *CMS_get0_type(CMS_ContentInfo *cms);
117
118BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont);
119int CMS_dataFinal(CMS_ContentInfo *cms, BIO *bio);
120
121ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms);
122int CMS_is_detached(CMS_ContentInfo *cms);
123int CMS_set_detached(CMS_ContentInfo *cms, int detached);
124
125#ifdef HEADER_PEM_H
126DECLARE_PEM_rw_const(CMS, CMS_ContentInfo)
127#endif
128
129int CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms);
130CMS_ContentInfo *d2i_CMS_bio(BIO *bp, CMS_ContentInfo **cms);
131int i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms);
132
133BIO *BIO_new_CMS(BIO *out, CMS_ContentInfo *cms);
134int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags);
135int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *in,
136 int flags);
137CMS_ContentInfo *SMIME_read_CMS(BIO *bio, BIO **bcont);
138int SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags);
139
140int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags);
141
142CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey,
143 STACK_OF(X509) *certs, BIO *data, unsigned int flags);
144
145CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert,
146 EVP_PKEY *pkey, STACK_OF(X509) *certs, unsigned int flags);
147
148int CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags);
149CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags);
150
151int CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out,
152 unsigned int flags);
153CMS_ContentInfo *CMS_digest_create(BIO *in, const EVP_MD *md,
154 unsigned int flags);
155
156int CMS_EncryptedData_decrypt(CMS_ContentInfo *cms, const unsigned char *key,
157 size_t keylen, BIO *dcont, BIO *out, unsigned int flags);
158
159CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
160 const unsigned char *key, size_t keylen, unsigned int flags);
161
162int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph,
163 const unsigned char *key, size_t keylen);
164
165int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
166 X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags);
167
168int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
169 STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags);
170
171STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms);
172
173CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
174 const EVP_CIPHER *cipher, unsigned int flags);
175
176int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, BIO *dcont,
177 BIO *out, unsigned int flags);
178
179int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
180int CMS_decrypt_set1_key(CMS_ContentInfo *cms, unsigned char *key,
181 size_t keylen, unsigned char *id, size_t idlen);
182int CMS_decrypt_set1_password(CMS_ContentInfo *cms, unsigned char *pass,
183 ssize_t passlen);
184
185STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms);
186int CMS_RecipientInfo_type(CMS_RecipientInfo *ri);
187CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
188CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip,
189 unsigned int flags);
190int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);
191int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
192int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri, EVP_PKEY **pk,
193 X509 **recip, X509_ALGOR **palg);
194int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri,
195 ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno);
196
197CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
198 unsigned char *key, size_t keylen, unsigned char *id, size_t idlen,
199 ASN1_GENERALIZEDTIME *date, ASN1_OBJECT *otherTypeId,
200 ASN1_TYPE *otherType);
201
202int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg,
203 ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate,
204 ASN1_OBJECT **potherid, ASN1_TYPE **pothertype);
205
206int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key,
207 size_t keylen);
208
209int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri,
210 const unsigned char *id, size_t idlen);
211
212int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, unsigned char *pass,
213 ssize_t passlen);
214
215CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter,
216 int wrap_nid, int pbe_nid, unsigned char *pass, ssize_t passlen,
217 const EVP_CIPHER *kekciph);
218
219int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
220
221int CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out,
222 unsigned int flags);
223CMS_ContentInfo *CMS_compress(BIO *in, int comp_nid, unsigned int flags);
224
225int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid);
226const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms);
227
228CMS_CertificateChoices *CMS_add0_CertificateChoices(CMS_ContentInfo *cms);
229int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert);
230int CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert);
231STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms);
232
233CMS_RevocationInfoChoice *CMS_add0_RevocationInfoChoice(CMS_ContentInfo *cms);
234int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl);
235int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl);
236STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms);
237
238int CMS_SignedData_init(CMS_ContentInfo *cms);
239CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer,
240 EVP_PKEY *pk, const EVP_MD *md, unsigned int flags);
241STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms);
242
243void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer);
244int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si,
245 ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno);
246int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert);
247int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
248 unsigned int flags);
249void CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk, X509 **signer,
250 X509_ALGOR **pdig, X509_ALGOR **psig);
251int CMS_SignerInfo_sign(CMS_SignerInfo *si);
252int CMS_SignerInfo_verify(CMS_SignerInfo *si);
253int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain);
254
255int CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs);
256int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, int algnid,
257 int keysize);
258int CMS_add_standard_smimecap(STACK_OF(X509_ALGOR) **smcap);
259
260int CMS_signed_get_attr_count(const CMS_SignerInfo *si);
261int CMS_signed_get_attr_by_NID(const CMS_SignerInfo *si, int nid, int lastpos);
262int CMS_signed_get_attr_by_OBJ(const CMS_SignerInfo *si, ASN1_OBJECT *obj,
263 int lastpos);
264X509_ATTRIBUTE *CMS_signed_get_attr(const CMS_SignerInfo *si, int loc);
265X509_ATTRIBUTE *CMS_signed_delete_attr(CMS_SignerInfo *si, int loc);
266int CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr);
267int CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj,
268 int type, const void *bytes, int len);
269int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type,
270 const void *bytes, int len);
271int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname,
272 int type, const void *bytes, int len);
273void *CMS_signed_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
274 int lastpos, int type);
275
276int CMS_unsigned_get_attr_count(const CMS_SignerInfo *si);
277int CMS_unsigned_get_attr_by_NID(const CMS_SignerInfo *si, int nid,
278 int lastpos);
279int CMS_unsigned_get_attr_by_OBJ(const CMS_SignerInfo *si, ASN1_OBJECT *obj,
280 int lastpos);
281X509_ATTRIBUTE *CMS_unsigned_get_attr(const CMS_SignerInfo *si, int loc);
282X509_ATTRIBUTE *CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc);
283int CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr);
284int CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj,
285 int type, const void *bytes, int len);
286int CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type,
287 const void *bytes, int len);
288int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname,
289 int type, const void *bytes, int len);
290void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
291 int lastpos, int type);
292
293#ifdef HEADER_X509V3_H
294
295int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr);
296CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
297 int allorfirst, STACK_OF(GENERAL_NAMES) *receiptList,
298 STACK_OF(GENERAL_NAMES) *receiptsTo);
299int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr);
300void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid,
301 int *pallorfirst, STACK_OF(GENERAL_NAMES) **plist,
302 STACK_OF(GENERAL_NAMES) **prto);
303
304#endif
305
306/* BEGIN ERROR CODES */
307/* The following lines are auto generated by the script mkerr.pl. Any changes
308 * made after this point may be overwritten when the script is next run.
309 */
310void ERR_load_CMS_strings(void);
311
312/* Error codes for the CMS functions. */
313
314/* Function codes. */
315#define CMS_F_CHECK_CONTENT 99
316#define CMS_F_CMS_ADD0_CERT 164
317#define CMS_F_CMS_ADD0_RECIPIENT_KEY 100
318#define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD 165
319#define CMS_F_CMS_ADD1_RECEIPTREQUEST 158
320#define CMS_F_CMS_ADD1_RECIPIENT_CERT 101
321#define CMS_F_CMS_ADD1_SIGNER 102
322#define CMS_F_CMS_ADD1_SIGNINGTIME 103
323#define CMS_F_CMS_COMPRESS 104
324#define CMS_F_CMS_COMPRESSEDDATA_CREATE 105
325#define CMS_F_CMS_COMPRESSEDDATA_INIT_BIO 106
326#define CMS_F_CMS_COPY_CONTENT 107
327#define CMS_F_CMS_COPY_MESSAGEDIGEST 108
328#define CMS_F_CMS_DATA 109
329#define CMS_F_CMS_DATAFINAL 110
330#define CMS_F_CMS_DATAINIT 111
331#define CMS_F_CMS_DECRYPT 112
332#define CMS_F_CMS_DECRYPT_SET1_KEY 113
333#define CMS_F_CMS_DECRYPT_SET1_PASSWORD 166
334#define CMS_F_CMS_DECRYPT_SET1_PKEY 114
335#define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX 115
336#define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO 116
337#define CMS_F_CMS_DIGESTEDDATA_DO_FINAL 117
338#define CMS_F_CMS_DIGEST_VERIFY 118
339#define CMS_F_CMS_ENCODE_RECEIPT 161
340#define CMS_F_CMS_ENCRYPT 119
341#define CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO 120
342#define CMS_F_CMS_ENCRYPTEDDATA_DECRYPT 121
343#define CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT 122
344#define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY 123
345#define CMS_F_CMS_ENVELOPEDDATA_CREATE 124
346#define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO 125
347#define CMS_F_CMS_ENVELOPED_DATA_INIT 126
348#define CMS_F_CMS_FINAL 127
349#define CMS_F_CMS_GET0_CERTIFICATE_CHOICES 128
350#define CMS_F_CMS_GET0_CONTENT 129
351#define CMS_F_CMS_GET0_ECONTENT_TYPE 130
352#define CMS_F_CMS_GET0_ENVELOPED 131
353#define CMS_F_CMS_GET0_REVOCATION_CHOICES 132
354#define CMS_F_CMS_GET0_SIGNED 133
355#define CMS_F_CMS_MSGSIGDIGEST_ADD1 162
356#define CMS_F_CMS_RECEIPTREQUEST_CREATE0 159
357#define CMS_F_CMS_RECEIPT_VERIFY 160
358#define CMS_F_CMS_RECIPIENTINFO_DECRYPT 134
359#define CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT 135
360#define CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT 136
361#define CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID 137
362#define CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP 138
363#define CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP 139
364#define CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT 140
365#define CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT 141
366#define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS 142
367#define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID 143
368#define CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT 167
369#define CMS_F_CMS_RECIPIENTINFO_SET0_KEY 144
370#define CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD 168
371#define CMS_F_CMS_RECIPIENTINFO_SET0_PKEY 145
372#define CMS_F_CMS_SET1_SIGNERIDENTIFIER 146
373#define CMS_F_CMS_SET_DETACHED 147
374#define CMS_F_CMS_SIGN 148
375#define CMS_F_CMS_SIGNED_DATA_INIT 149
376#define CMS_F_CMS_SIGNERINFO_CONTENT_SIGN 150
377#define CMS_F_CMS_SIGNERINFO_SIGN 151
378#define CMS_F_CMS_SIGNERINFO_VERIFY 152
379#define CMS_F_CMS_SIGNERINFO_VERIFY_CERT 153
380#define CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT 154
381#define CMS_F_CMS_SIGN_RECEIPT 163
382#define CMS_F_CMS_STREAM 155
383#define CMS_F_CMS_UNCOMPRESS 156
384#define CMS_F_CMS_VERIFY 157
385
386/* Reason codes. */
387#define CMS_R_ADD_SIGNER_ERROR 99
388#define CMS_R_CERTIFICATE_ALREADY_PRESENT 175
389#define CMS_R_CERTIFICATE_HAS_NO_KEYID 160
390#define CMS_R_CERTIFICATE_VERIFY_ERROR 100
391#define CMS_R_CIPHER_INITIALISATION_ERROR 101
392#define CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR 102
393#define CMS_R_CMS_DATAFINAL_ERROR 103
394#define CMS_R_CMS_LIB 104
395#define CMS_R_CONTENTIDENTIFIER_MISMATCH 170
396#define CMS_R_CONTENT_NOT_FOUND 105
397#define CMS_R_CONTENT_TYPE_MISMATCH 171
398#define CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA 106
399#define CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA 107
400#define CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA 108
401#define CMS_R_CONTENT_VERIFY_ERROR 109
402#define CMS_R_CTRL_ERROR 110
403#define CMS_R_CTRL_FAILURE 111
404#define CMS_R_DECRYPT_ERROR 112
405#define CMS_R_DIGEST_ERROR 161
406#define CMS_R_ERROR_GETTING_PUBLIC_KEY 113
407#define CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE 114
408#define CMS_R_ERROR_SETTING_KEY 115
409#define CMS_R_ERROR_SETTING_RECIPIENTINFO 116
410#define CMS_R_INVALID_ENCRYPTED_KEY_LENGTH 117
411#define CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER 176
412#define CMS_R_INVALID_KEY_LENGTH 118
413#define CMS_R_MD_BIO_INIT_ERROR 119
414#define CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH 120
415#define CMS_R_MESSAGEDIGEST_WRONG_LENGTH 121
416#define CMS_R_MSGSIGDIGEST_ERROR 172
417#define CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE 162
418#define CMS_R_MSGSIGDIGEST_WRONG_LENGTH 163
419#define CMS_R_NEED_ONE_SIGNER 164
420#define CMS_R_NOT_A_SIGNED_RECEIPT 165
421#define CMS_R_NOT_ENCRYPTED_DATA 122
422#define CMS_R_NOT_KEK 123
423#define CMS_R_NOT_KEY_TRANSPORT 124
424#define CMS_R_NOT_PWRI 177
425#define CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE 125
426#define CMS_R_NO_CIPHER 126
427#define CMS_R_NO_CONTENT 127
428#define CMS_R_NO_CONTENT_TYPE 173
429#define CMS_R_NO_DEFAULT_DIGEST 128
430#define CMS_R_NO_DIGEST_SET 129
431#define CMS_R_NO_KEY 130
432#define CMS_R_NO_KEY_OR_CERT 174
433#define CMS_R_NO_MATCHING_DIGEST 131
434#define CMS_R_NO_MATCHING_RECIPIENT 132
435#define CMS_R_NO_MATCHING_SIGNATURE 166
436#define CMS_R_NO_MSGSIGDIGEST 167
437#define CMS_R_NO_PASSWORD 178
438#define CMS_R_NO_PRIVATE_KEY 133
439#define CMS_R_NO_PUBLIC_KEY 134
440#define CMS_R_NO_RECEIPT_REQUEST 168
441#define CMS_R_NO_SIGNERS 135
442#define CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 136
443#define CMS_R_RECEIPT_DECODE_ERROR 169
444#define CMS_R_RECIPIENT_ERROR 137
445#define CMS_R_SIGNER_CERTIFICATE_NOT_FOUND 138
446#define CMS_R_SIGNFINAL_ERROR 139
447#define CMS_R_SMIME_TEXT_ERROR 140
448#define CMS_R_STORE_INIT_ERROR 141
449#define CMS_R_TYPE_NOT_COMPRESSED_DATA 142
450#define CMS_R_TYPE_NOT_DATA 143
451#define CMS_R_TYPE_NOT_DIGESTED_DATA 144
452#define CMS_R_TYPE_NOT_ENCRYPTED_DATA 145
453#define CMS_R_TYPE_NOT_ENVELOPED_DATA 146
454#define CMS_R_UNABLE_TO_FINALIZE_CONTEXT 147
455#define CMS_R_UNKNOWN_CIPHER 148
456#define CMS_R_UNKNOWN_DIGEST_ALGORIHM 149
457#define CMS_R_UNKNOWN_ID 150
458#define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM 151
459#define CMS_R_UNSUPPORTED_CONTENT_TYPE 152
460#define CMS_R_UNSUPPORTED_KEK_ALGORITHM 153
461#define CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM 179
462#define CMS_R_UNSUPPORTED_RECIPIENT_TYPE 154
463#define CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE 155
464#define CMS_R_UNSUPPORTED_TYPE 156
465#define CMS_R_UNWRAP_ERROR 157
466#define CMS_R_UNWRAP_FAILURE 180
467#define CMS_R_VERIFICATION_FAILURE 158
468#define CMS_R_WRAP_ERROR 159
469
470#ifdef __cplusplus
471}
472#endif
473#endif
diff --git a/src/lib/libcrypto/cms/cms_asn1.c b/src/lib/libcrypto/cms/cms_asn1.c
deleted file mode 100644
index 42e33d5b46..0000000000
--- a/src/lib/libcrypto/cms/cms_asn1.c
+++ /dev/null
@@ -1,1503 +0,0 @@
1/* $OpenBSD: cms_asn1.c,v 1.8 2016/03/11 07:08:44 mmcc Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/asn1t.h>
55#include <openssl/pem.h>
56#include <openssl/x509v3.h>
57#include "cms.h"
58#include "cms_lcl.h"
59
60static const ASN1_TEMPLATE CMS_IssuerAndSerialNumber_seq_tt[] = {
61 {
62 .flags = 0,
63 .tag = 0,
64 .offset = offsetof(CMS_IssuerAndSerialNumber, issuer),
65 .field_name = "issuer",
66 .item = &X509_NAME_it,
67 },
68 {
69 .flags = 0,
70 .tag = 0,
71 .offset = offsetof(CMS_IssuerAndSerialNumber, serialNumber),
72 .field_name = "serialNumber",
73 .item = &ASN1_INTEGER_it,
74 },
75};
76
77const ASN1_ITEM CMS_IssuerAndSerialNumber_it = {
78 .itype = ASN1_ITYPE_SEQUENCE,
79 .utype = V_ASN1_SEQUENCE,
80 .templates = CMS_IssuerAndSerialNumber_seq_tt,
81 .tcount = sizeof(CMS_IssuerAndSerialNumber_seq_tt) / sizeof(ASN1_TEMPLATE),
82 .funcs = NULL,
83 .size = sizeof(CMS_IssuerAndSerialNumber),
84 .sname = "CMS_IssuerAndSerialNumber",
85};
86
87static const ASN1_TEMPLATE CMS_OtherCertificateFormat_seq_tt[] = {
88 {
89 .flags = 0,
90 .tag = 0,
91 .offset = offsetof(CMS_OtherCertificateFormat, otherCertFormat),
92 .field_name = "otherCertFormat",
93 .item = &ASN1_OBJECT_it,
94 },
95 {
96 .flags = ASN1_TFLG_OPTIONAL,
97 .tag = 0,
98 .offset = offsetof(CMS_OtherCertificateFormat, otherCert),
99 .field_name = "otherCert",
100 .item = &ASN1_ANY_it,
101 },
102};
103
104const ASN1_ITEM CMS_OtherCertificateFormat_it = {
105 .itype = ASN1_ITYPE_SEQUENCE,
106 .utype = V_ASN1_SEQUENCE,
107 .templates = CMS_OtherCertificateFormat_seq_tt,
108 .tcount = sizeof(CMS_OtherCertificateFormat_seq_tt) / sizeof(ASN1_TEMPLATE),
109 .funcs = NULL,
110 .size = sizeof(CMS_OtherCertificateFormat),
111 .sname = "CMS_OtherCertificateFormat",
112};
113
114static const ASN1_TEMPLATE CMS_CertificateChoices_ch_tt[] = {
115 {
116 .flags = 0,
117 .tag = 0,
118 .offset = offsetof(CMS_CertificateChoices, d.certificate),
119 .field_name = "d.certificate",
120 .item = &X509_it,
121 },
122 {
123 .flags = ASN1_TFLG_IMPLICIT,
124 .tag = 0,
125 .offset = offsetof(CMS_CertificateChoices, d.extendedCertificate),
126 .field_name = "d.extendedCertificate",
127 .item = &ASN1_SEQUENCE_it,
128 },
129 {
130 .flags = ASN1_TFLG_IMPLICIT,
131 .tag = 1,
132 .offset = offsetof(CMS_CertificateChoices, d.v1AttrCert),
133 .field_name = "d.v1AttrCert",
134 .item = &ASN1_SEQUENCE_it,
135 },
136 {
137 .flags = ASN1_TFLG_IMPLICIT,
138 .tag = 2,
139 .offset = offsetof(CMS_CertificateChoices, d.v2AttrCert),
140 .field_name = "d.v2AttrCert",
141 .item = &ASN1_SEQUENCE_it,
142 },
143 {
144 .flags = ASN1_TFLG_IMPLICIT,
145 .tag = 3,
146 .offset = offsetof(CMS_CertificateChoices, d.other),
147 .field_name = "d.other",
148 .item = &CMS_OtherCertificateFormat_it,
149 },
150};
151
152const ASN1_ITEM CMS_CertificateChoices_it = {
153 .itype = ASN1_ITYPE_CHOICE,
154 .utype = offsetof(CMS_CertificateChoices, type),
155 .templates = CMS_CertificateChoices_ch_tt,
156 .tcount = sizeof(CMS_CertificateChoices_ch_tt) / sizeof(ASN1_TEMPLATE),
157 .funcs = NULL,
158 .size = sizeof(CMS_CertificateChoices),
159 .sname = "CMS_CertificateChoices",
160};
161
162static const ASN1_TEMPLATE CMS_SignerIdentifier_ch_tt[] = {
163 {
164 .flags = 0,
165 .tag = 0,
166 .offset = offsetof(CMS_SignerIdentifier, d.issuerAndSerialNumber),
167 .field_name = "d.issuerAndSerialNumber",
168 .item = &CMS_IssuerAndSerialNumber_it,
169 },
170 {
171 .flags = ASN1_TFLG_IMPLICIT,
172 .tag = 0,
173 .offset = offsetof(CMS_SignerIdentifier, d.subjectKeyIdentifier),
174 .field_name = "d.subjectKeyIdentifier",
175 .item = &ASN1_OCTET_STRING_it,
176 },
177};
178
179const ASN1_ITEM CMS_SignerIdentifier_it = {
180 .itype = ASN1_ITYPE_CHOICE,
181 .utype = offsetof(CMS_SignerIdentifier, type),
182 .templates = CMS_SignerIdentifier_ch_tt,
183 .tcount = sizeof(CMS_SignerIdentifier_ch_tt) / sizeof(ASN1_TEMPLATE),
184 .funcs = NULL,
185 .size = sizeof(CMS_SignerIdentifier),
186 .sname = "CMS_SignerIdentifier",
187};
188
189static const ASN1_TEMPLATE CMS_EncapsulatedContentInfo_seq_tt[] = {
190 {
191 .flags = 0,
192 .tag = 0,
193 .offset = offsetof(CMS_EncapsulatedContentInfo, eContentType),
194 .field_name = "eContentType",
195 .item = &ASN1_OBJECT_it,
196 },
197 {
198 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL | ASN1_TFLG_NDEF,
199 .tag = 0,
200 .offset = offsetof(CMS_EncapsulatedContentInfo, eContent),
201 .field_name = "eContent",
202 .item = &ASN1_OCTET_STRING_NDEF_it,
203 },
204};
205
206const ASN1_ITEM CMS_EncapsulatedContentInfo_it = {
207 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
208 .utype = V_ASN1_SEQUENCE,
209 .templates = CMS_EncapsulatedContentInfo_seq_tt,
210 .tcount = sizeof(CMS_EncapsulatedContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
211 .funcs = NULL,
212 .size = sizeof(CMS_EncapsulatedContentInfo),
213 .sname = "CMS_EncapsulatedContentInfo",
214};
215
216/* Minor tweak to operation: free up signer key, cert */
217static int
218cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
219{
220 if (operation == ASN1_OP_FREE_POST) {
221 CMS_SignerInfo *si = (CMS_SignerInfo *)*pval;
222 EVP_PKEY_free(si->pkey);
223 X509_free(si->signer);
224 }
225 return 1;
226}
227
228static const ASN1_AUX CMS_SignerInfo_aux = {
229 .app_data = NULL,
230 .flags = 0,
231 .ref_offset = 0,
232 .ref_lock = 0,
233 .asn1_cb = cms_si_cb,
234 .enc_offset = 0,
235};
236static const ASN1_TEMPLATE CMS_SignerInfo_seq_tt[] = {
237 {
238 .flags = 0,
239 .tag = 0,
240 .offset = offsetof(CMS_SignerInfo, version),
241 .field_name = "version",
242 .item = &LONG_it,
243 },
244 {
245 .flags = 0,
246 .tag = 0,
247 .offset = offsetof(CMS_SignerInfo, sid),
248 .field_name = "sid",
249 .item = &CMS_SignerIdentifier_it,
250 },
251 {
252 .flags = 0,
253 .tag = 0,
254 .offset = offsetof(CMS_SignerInfo, digestAlgorithm),
255 .field_name = "digestAlgorithm",
256 .item = &X509_ALGOR_it,
257 },
258 {
259 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
260 .tag = 0,
261 .offset = offsetof(CMS_SignerInfo, signedAttrs),
262 .field_name = "signedAttrs",
263 .item = &X509_ATTRIBUTE_it,
264 },
265 {
266 .flags = 0,
267 .tag = 0,
268 .offset = offsetof(CMS_SignerInfo, signatureAlgorithm),
269 .field_name = "signatureAlgorithm",
270 .item = &X509_ALGOR_it,
271 },
272 {
273 .flags = 0,
274 .tag = 0,
275 .offset = offsetof(CMS_SignerInfo, signature),
276 .field_name = "signature",
277 .item = &ASN1_OCTET_STRING_it,
278 },
279 {
280 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
281 .tag = 1,
282 .offset = offsetof(CMS_SignerInfo, unsignedAttrs),
283 .field_name = "unsignedAttrs",
284 .item = &X509_ATTRIBUTE_it,
285 },
286};
287
288const ASN1_ITEM CMS_SignerInfo_it = {
289 .itype = ASN1_ITYPE_SEQUENCE,
290 .utype = V_ASN1_SEQUENCE,
291 .templates = CMS_SignerInfo_seq_tt,
292 .tcount = sizeof(CMS_SignerInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
293 .funcs = &CMS_SignerInfo_aux,
294 .size = sizeof(CMS_SignerInfo),
295 .sname = "CMS_SignerInfo",
296};
297
298static const ASN1_TEMPLATE CMS_OtherRevocationInfoFormat_seq_tt[] = {
299 {
300 .flags = 0,
301 .tag = 0,
302 .offset = offsetof(CMS_OtherRevocationInfoFormat, otherRevInfoFormat),
303 .field_name = "otherRevInfoFormat",
304 .item = &ASN1_OBJECT_it,
305 },
306 {
307 .flags = ASN1_TFLG_OPTIONAL,
308 .tag = 0,
309 .offset = offsetof(CMS_OtherRevocationInfoFormat, otherRevInfo),
310 .field_name = "otherRevInfo",
311 .item = &ASN1_ANY_it,
312 },
313};
314
315const ASN1_ITEM CMS_OtherRevocationInfoFormat_it = {
316 .itype = ASN1_ITYPE_SEQUENCE,
317 .utype = V_ASN1_SEQUENCE,
318 .templates = CMS_OtherRevocationInfoFormat_seq_tt,
319 .tcount = sizeof(CMS_OtherRevocationInfoFormat_seq_tt) / sizeof(ASN1_TEMPLATE),
320 .funcs = NULL,
321 .size = sizeof(CMS_OtherRevocationInfoFormat),
322 .sname = "CMS_OtherRevocationInfoFormat",
323};
324
325static const ASN1_TEMPLATE CMS_RevocationInfoChoice_ch_tt[] = {
326 {
327 .flags = 0,
328 .tag = 0,
329 .offset = offsetof(CMS_RevocationInfoChoice, d.crl),
330 .field_name = "d.crl",
331 .item = &X509_CRL_it,
332 },
333 {
334 .flags = ASN1_TFLG_IMPLICIT,
335 .tag = 1,
336 .offset = offsetof(CMS_RevocationInfoChoice, d.other),
337 .field_name = "d.other",
338 .item = &CMS_OtherRevocationInfoFormat_it,
339 },
340};
341
342const ASN1_ITEM CMS_RevocationInfoChoice_it = {
343 .itype = ASN1_ITYPE_CHOICE,
344 .utype = offsetof(CMS_RevocationInfoChoice, type),
345 .templates = CMS_RevocationInfoChoice_ch_tt,
346 .tcount = sizeof(CMS_RevocationInfoChoice_ch_tt) / sizeof(ASN1_TEMPLATE),
347 .funcs = NULL,
348 .size = sizeof(CMS_RevocationInfoChoice),
349 .sname = "CMS_RevocationInfoChoice",
350};
351
352static const ASN1_TEMPLATE CMS_SignedData_seq_tt[] = {
353 {
354 .flags = 0,
355 .tag = 0,
356 .offset = offsetof(CMS_SignedData, version),
357 .field_name = "version",
358 .item = &LONG_it,
359 },
360 {
361 .flags = ASN1_TFLG_SET_OF,
362 .tag = 0,
363 .offset = offsetof(CMS_SignedData, digestAlgorithms),
364 .field_name = "digestAlgorithms",
365 .item = &X509_ALGOR_it,
366 },
367 {
368 .flags = 0,
369 .tag = 0,
370 .offset = offsetof(CMS_SignedData, encapContentInfo),
371 .field_name = "encapContentInfo",
372 .item = &CMS_EncapsulatedContentInfo_it,
373 },
374 {
375 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
376 .tag = 0,
377 .offset = offsetof(CMS_SignedData, certificates),
378 .field_name = "certificates",
379 .item = &CMS_CertificateChoices_it,
380 },
381 {
382 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
383 .tag = 1,
384 .offset = offsetof(CMS_SignedData, crls),
385 .field_name = "crls",
386 .item = &CMS_RevocationInfoChoice_it,
387 },
388 {
389 .flags = ASN1_TFLG_SET_OF,
390 .tag = 0,
391 .offset = offsetof(CMS_SignedData, signerInfos),
392 .field_name = "signerInfos",
393 .item = &CMS_SignerInfo_it,
394 },
395};
396
397const ASN1_ITEM CMS_SignedData_it = {
398 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
399 .utype = V_ASN1_SEQUENCE,
400 .templates = CMS_SignedData_seq_tt,
401 .tcount = sizeof(CMS_SignedData_seq_tt) / sizeof(ASN1_TEMPLATE),
402 .funcs = NULL,
403 .size = sizeof(CMS_SignedData),
404 .sname = "CMS_SignedData",
405};
406
407static const ASN1_TEMPLATE CMS_OriginatorInfo_seq_tt[] = {
408 {
409 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
410 .tag = 0,
411 .offset = offsetof(CMS_OriginatorInfo, certificates),
412 .field_name = "certificates",
413 .item = &CMS_CertificateChoices_it,
414 },
415 {
416 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
417 .tag = 1,
418 .offset = offsetof(CMS_OriginatorInfo, crls),
419 .field_name = "crls",
420 .item = &CMS_RevocationInfoChoice_it,
421 },
422};
423
424const ASN1_ITEM CMS_OriginatorInfo_it = {
425 .itype = ASN1_ITYPE_SEQUENCE,
426 .utype = V_ASN1_SEQUENCE,
427 .templates = CMS_OriginatorInfo_seq_tt,
428 .tcount = sizeof(CMS_OriginatorInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
429 .funcs = NULL,
430 .size = sizeof(CMS_OriginatorInfo),
431 .sname = "CMS_OriginatorInfo",
432};
433
434static const ASN1_TEMPLATE CMS_EncryptedContentInfo_seq_tt[] = {
435 {
436 .flags = 0,
437 .tag = 0,
438 .offset = offsetof(CMS_EncryptedContentInfo, contentType),
439 .field_name = "contentType",
440 .item = &ASN1_OBJECT_it,
441 },
442 {
443 .flags = 0,
444 .tag = 0,
445 .offset = offsetof(CMS_EncryptedContentInfo, contentEncryptionAlgorithm),
446 .field_name = "contentEncryptionAlgorithm",
447 .item = &X509_ALGOR_it,
448 },
449 {
450 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
451 .tag = 0,
452 .offset = offsetof(CMS_EncryptedContentInfo, encryptedContent),
453 .field_name = "encryptedContent",
454 .item = &ASN1_OCTET_STRING_NDEF_it,
455 },
456};
457
458const ASN1_ITEM CMS_EncryptedContentInfo_it = {
459 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
460 .utype = V_ASN1_SEQUENCE,
461 .templates = CMS_EncryptedContentInfo_seq_tt,
462 .tcount = sizeof(CMS_EncryptedContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
463 .funcs = NULL,
464 .size = sizeof(CMS_EncryptedContentInfo),
465 .sname = "CMS_EncryptedContentInfo",
466};
467
468static const ASN1_TEMPLATE CMS_KeyTransRecipientInfo_seq_tt[] = {
469 {
470 .flags = 0,
471 .tag = 0,
472 .offset = offsetof(CMS_KeyTransRecipientInfo, version),
473 .field_name = "version",
474 .item = &LONG_it,
475 },
476 {
477 .flags = 0,
478 .tag = 0,
479 .offset = offsetof(CMS_KeyTransRecipientInfo, rid),
480 .field_name = "rid",
481 .item = &CMS_SignerIdentifier_it,
482 },
483 {
484 .flags = 0,
485 .tag = 0,
486 .offset = offsetof(CMS_KeyTransRecipientInfo, keyEncryptionAlgorithm),
487 .field_name = "keyEncryptionAlgorithm",
488 .item = &X509_ALGOR_it,
489 },
490 {
491 .flags = 0,
492 .tag = 0,
493 .offset = offsetof(CMS_KeyTransRecipientInfo, encryptedKey),
494 .field_name = "encryptedKey",
495 .item = &ASN1_OCTET_STRING_it,
496 },
497};
498
499const ASN1_ITEM CMS_KeyTransRecipientInfo_it = {
500 .itype = ASN1_ITYPE_SEQUENCE,
501 .utype = V_ASN1_SEQUENCE,
502 .templates = CMS_KeyTransRecipientInfo_seq_tt,
503 .tcount = sizeof(CMS_KeyTransRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
504 .funcs = NULL,
505 .size = sizeof(CMS_KeyTransRecipientInfo),
506 .sname = "CMS_KeyTransRecipientInfo",
507};
508
509static const ASN1_TEMPLATE CMS_OtherKeyAttribute_seq_tt[] = {
510 {
511 .flags = 0,
512 .tag = 0,
513 .offset = offsetof(CMS_OtherKeyAttribute, keyAttrId),
514 .field_name = "keyAttrId",
515 .item = &ASN1_OBJECT_it,
516 },
517 {
518 .flags = ASN1_TFLG_OPTIONAL,
519 .tag = 0,
520 .offset = offsetof(CMS_OtherKeyAttribute, keyAttr),
521 .field_name = "keyAttr",
522 .item = &ASN1_ANY_it,
523 },
524};
525
526const ASN1_ITEM CMS_OtherKeyAttribute_it = {
527 .itype = ASN1_ITYPE_SEQUENCE,
528 .utype = V_ASN1_SEQUENCE,
529 .templates = CMS_OtherKeyAttribute_seq_tt,
530 .tcount = sizeof(CMS_OtherKeyAttribute_seq_tt) / sizeof(ASN1_TEMPLATE),
531 .funcs = NULL,
532 .size = sizeof(CMS_OtherKeyAttribute),
533 .sname = "CMS_OtherKeyAttribute",
534};
535
536static const ASN1_TEMPLATE CMS_RecipientKeyIdentifier_seq_tt[] = {
537 {
538 .flags = 0,
539 .tag = 0,
540 .offset = offsetof(CMS_RecipientKeyIdentifier, subjectKeyIdentifier),
541 .field_name = "subjectKeyIdentifier",
542 .item = &ASN1_OCTET_STRING_it,
543 },
544 {
545 .flags = ASN1_TFLG_OPTIONAL,
546 .tag = 0,
547 .offset = offsetof(CMS_RecipientKeyIdentifier, date),
548 .field_name = "date",
549 .item = &ASN1_GENERALIZEDTIME_it,
550 },
551 {
552 .flags = ASN1_TFLG_OPTIONAL,
553 .tag = 0,
554 .offset = offsetof(CMS_RecipientKeyIdentifier, other),
555 .field_name = "other",
556 .item = &CMS_OtherKeyAttribute_it,
557 },
558};
559
560const ASN1_ITEM CMS_RecipientKeyIdentifier_it = {
561 .itype = ASN1_ITYPE_SEQUENCE,
562 .utype = V_ASN1_SEQUENCE,
563 .templates = CMS_RecipientKeyIdentifier_seq_tt,
564 .tcount = sizeof(CMS_RecipientKeyIdentifier_seq_tt) / sizeof(ASN1_TEMPLATE),
565 .funcs = NULL,
566 .size = sizeof(CMS_RecipientKeyIdentifier),
567 .sname = "CMS_RecipientKeyIdentifier",
568};
569
570static const ASN1_TEMPLATE CMS_KeyAgreeRecipientIdentifier_ch_tt[] = {
571 {
572 .flags = 0,
573 .tag = 0,
574 .offset = offsetof(CMS_KeyAgreeRecipientIdentifier, d.issuerAndSerialNumber),
575 .field_name = "d.issuerAndSerialNumber",
576 .item = &CMS_IssuerAndSerialNumber_it,
577 },
578 {
579 .flags = ASN1_TFLG_IMPLICIT,
580 .tag = 0,
581 .offset = offsetof(CMS_KeyAgreeRecipientIdentifier, d.rKeyId),
582 .field_name = "d.rKeyId",
583 .item = &CMS_RecipientKeyIdentifier_it,
584 },
585};
586
587const ASN1_ITEM CMS_KeyAgreeRecipientIdentifier_it = {
588 .itype = ASN1_ITYPE_CHOICE,
589 .utype = offsetof(CMS_KeyAgreeRecipientIdentifier, type),
590 .templates = CMS_KeyAgreeRecipientIdentifier_ch_tt,
591 .tcount = sizeof(CMS_KeyAgreeRecipientIdentifier_ch_tt) / sizeof(ASN1_TEMPLATE),
592 .funcs = NULL,
593 .size = sizeof(CMS_KeyAgreeRecipientIdentifier),
594 .sname = "CMS_KeyAgreeRecipientIdentifier",
595};
596
597static const ASN1_TEMPLATE CMS_RecipientEncryptedKey_seq_tt[] = {
598 {
599 .flags = 0,
600 .tag = 0,
601 .offset = offsetof(CMS_RecipientEncryptedKey, rid),
602 .field_name = "rid",
603 .item = &CMS_KeyAgreeRecipientIdentifier_it,
604 },
605 {
606 .flags = 0,
607 .tag = 0,
608 .offset = offsetof(CMS_RecipientEncryptedKey, encryptedKey),
609 .field_name = "encryptedKey",
610 .item = &ASN1_OCTET_STRING_it,
611 },
612};
613
614const ASN1_ITEM CMS_RecipientEncryptedKey_it = {
615 .itype = ASN1_ITYPE_SEQUENCE,
616 .utype = V_ASN1_SEQUENCE,
617 .templates = CMS_RecipientEncryptedKey_seq_tt,
618 .tcount = sizeof(CMS_RecipientEncryptedKey_seq_tt) / sizeof(ASN1_TEMPLATE),
619 .funcs = NULL,
620 .size = sizeof(CMS_RecipientEncryptedKey),
621 .sname = "CMS_RecipientEncryptedKey",
622};
623
624static const ASN1_TEMPLATE CMS_OriginatorPublicKey_seq_tt[] = {
625 {
626 .flags = 0,
627 .tag = 0,
628 .offset = offsetof(CMS_OriginatorPublicKey, algorithm),
629 .field_name = "algorithm",
630 .item = &X509_ALGOR_it,
631 },
632 {
633 .flags = 0,
634 .tag = 0,
635 .offset = offsetof(CMS_OriginatorPublicKey, publicKey),
636 .field_name = "publicKey",
637 .item = &ASN1_BIT_STRING_it,
638 },
639};
640
641const ASN1_ITEM CMS_OriginatorPublicKey_it = {
642 .itype = ASN1_ITYPE_SEQUENCE,
643 .utype = V_ASN1_SEQUENCE,
644 .templates = CMS_OriginatorPublicKey_seq_tt,
645 .tcount = sizeof(CMS_OriginatorPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE),
646 .funcs = NULL,
647 .size = sizeof(CMS_OriginatorPublicKey),
648 .sname = "CMS_OriginatorPublicKey",
649};
650
651static const ASN1_TEMPLATE CMS_OriginatorIdentifierOrKey_ch_tt[] = {
652 {
653 .flags = 0,
654 .tag = 0,
655 .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.issuerAndSerialNumber),
656 .field_name = "d.issuerAndSerialNumber",
657 .item = &CMS_IssuerAndSerialNumber_it,
658 },
659 {
660 .flags = ASN1_TFLG_IMPLICIT,
661 .tag = 0,
662 .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.subjectKeyIdentifier),
663 .field_name = "d.subjectKeyIdentifier",
664 .item = &ASN1_OCTET_STRING_it,
665 },
666 {
667 .flags = ASN1_TFLG_IMPLICIT,
668 .tag = 1,
669 .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.originatorKey),
670 .field_name = "d.originatorKey",
671 .item = &CMS_OriginatorPublicKey_it,
672 },
673};
674
675const ASN1_ITEM CMS_OriginatorIdentifierOrKey_it = {
676 .itype = ASN1_ITYPE_CHOICE,
677 .utype = offsetof(CMS_OriginatorIdentifierOrKey, type),
678 .templates = CMS_OriginatorIdentifierOrKey_ch_tt,
679 .tcount = sizeof(CMS_OriginatorIdentifierOrKey_ch_tt) / sizeof(ASN1_TEMPLATE),
680 .funcs = NULL,
681 .size = sizeof(CMS_OriginatorIdentifierOrKey),
682 .sname = "CMS_OriginatorIdentifierOrKey",
683};
684
685static const ASN1_TEMPLATE CMS_KeyAgreeRecipientInfo_seq_tt[] = {
686 {
687 .flags = 0,
688 .tag = 0,
689 .offset = offsetof(CMS_KeyAgreeRecipientInfo, version),
690 .field_name = "version",
691 .item = &LONG_it,
692 },
693 {
694 .flags = ASN1_TFLG_EXPLICIT,
695 .tag = 0,
696 .offset = offsetof(CMS_KeyAgreeRecipientInfo, originator),
697 .field_name = "originator",
698 .item = &CMS_OriginatorIdentifierOrKey_it,
699 },
700 {
701 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
702 .tag = 1,
703 .offset = offsetof(CMS_KeyAgreeRecipientInfo, ukm),
704 .field_name = "ukm",
705 .item = &ASN1_OCTET_STRING_it,
706 },
707 {
708 .flags = 0,
709 .tag = 0,
710 .offset = offsetof(CMS_KeyAgreeRecipientInfo, keyEncryptionAlgorithm),
711 .field_name = "keyEncryptionAlgorithm",
712 .item = &X509_ALGOR_it,
713 },
714 {
715 .flags = ASN1_TFLG_SEQUENCE_OF,
716 .tag = 0,
717 .offset = offsetof(CMS_KeyAgreeRecipientInfo, recipientEncryptedKeys),
718 .field_name = "recipientEncryptedKeys",
719 .item = &CMS_RecipientEncryptedKey_it,
720 },
721};
722
723const ASN1_ITEM CMS_KeyAgreeRecipientInfo_it = {
724 .itype = ASN1_ITYPE_SEQUENCE,
725 .utype = V_ASN1_SEQUENCE,
726 .templates = CMS_KeyAgreeRecipientInfo_seq_tt,
727 .tcount = sizeof(CMS_KeyAgreeRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
728 .funcs = NULL,
729 .size = sizeof(CMS_KeyAgreeRecipientInfo),
730 .sname = "CMS_KeyAgreeRecipientInfo",
731};
732
733static const ASN1_TEMPLATE CMS_KEKIdentifier_seq_tt[] = {
734 {
735 .flags = 0,
736 .tag = 0,
737 .offset = offsetof(CMS_KEKIdentifier, keyIdentifier),
738 .field_name = "keyIdentifier",
739 .item = &ASN1_OCTET_STRING_it,
740 },
741 {
742 .flags = ASN1_TFLG_OPTIONAL,
743 .tag = 0,
744 .offset = offsetof(CMS_KEKIdentifier, date),
745 .field_name = "date",
746 .item = &ASN1_GENERALIZEDTIME_it,
747 },
748 {
749 .flags = ASN1_TFLG_OPTIONAL,
750 .tag = 0,
751 .offset = offsetof(CMS_KEKIdentifier, other),
752 .field_name = "other",
753 .item = &CMS_OtherKeyAttribute_it,
754 },
755};
756
757const ASN1_ITEM CMS_KEKIdentifier_it = {
758 .itype = ASN1_ITYPE_SEQUENCE,
759 .utype = V_ASN1_SEQUENCE,
760 .templates = CMS_KEKIdentifier_seq_tt,
761 .tcount = sizeof(CMS_KEKIdentifier_seq_tt) / sizeof(ASN1_TEMPLATE),
762 .funcs = NULL,
763 .size = sizeof(CMS_KEKIdentifier),
764 .sname = "CMS_KEKIdentifier",
765};
766
767static const ASN1_TEMPLATE CMS_KEKRecipientInfo_seq_tt[] = {
768 {
769 .flags = 0,
770 .tag = 0,
771 .offset = offsetof(CMS_KEKRecipientInfo, version),
772 .field_name = "version",
773 .item = &LONG_it,
774 },
775 {
776 .flags = 0,
777 .tag = 0,
778 .offset = offsetof(CMS_KEKRecipientInfo, kekid),
779 .field_name = "kekid",
780 .item = &CMS_KEKIdentifier_it,
781 },
782 {
783 .flags = 0,
784 .tag = 0,
785 .offset = offsetof(CMS_KEKRecipientInfo, keyEncryptionAlgorithm),
786 .field_name = "keyEncryptionAlgorithm",
787 .item = &X509_ALGOR_it,
788 },
789 {
790 .flags = 0,
791 .tag = 0,
792 .offset = offsetof(CMS_KEKRecipientInfo, encryptedKey),
793 .field_name = "encryptedKey",
794 .item = &ASN1_OCTET_STRING_it,
795 },
796};
797
798const ASN1_ITEM CMS_KEKRecipientInfo_it = {
799 .itype = ASN1_ITYPE_SEQUENCE,
800 .utype = V_ASN1_SEQUENCE,
801 .templates = CMS_KEKRecipientInfo_seq_tt,
802 .tcount = sizeof(CMS_KEKRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
803 .funcs = NULL,
804 .size = sizeof(CMS_KEKRecipientInfo),
805 .sname = "CMS_KEKRecipientInfo",
806};
807
808static const ASN1_TEMPLATE CMS_PasswordRecipientInfo_seq_tt[] = {
809 {
810 .flags = 0,
811 .tag = 0,
812 .offset = offsetof(CMS_PasswordRecipientInfo, version),
813 .field_name = "version",
814 .item = &LONG_it,
815 },
816 {
817 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
818 .tag = 0,
819 .offset = offsetof(CMS_PasswordRecipientInfo, keyDerivationAlgorithm),
820 .field_name = "keyDerivationAlgorithm",
821 .item = &X509_ALGOR_it,
822 },
823 {
824 .flags = 0,
825 .tag = 0,
826 .offset = offsetof(CMS_PasswordRecipientInfo, keyEncryptionAlgorithm),
827 .field_name = "keyEncryptionAlgorithm",
828 .item = &X509_ALGOR_it,
829 },
830 {
831 .flags = 0,
832 .tag = 0,
833 .offset = offsetof(CMS_PasswordRecipientInfo, encryptedKey),
834 .field_name = "encryptedKey",
835 .item = &ASN1_OCTET_STRING_it,
836 },
837};
838
839const ASN1_ITEM CMS_PasswordRecipientInfo_it = {
840 .itype = ASN1_ITYPE_SEQUENCE,
841 .utype = V_ASN1_SEQUENCE,
842 .templates = CMS_PasswordRecipientInfo_seq_tt,
843 .tcount = sizeof(CMS_PasswordRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
844 .funcs = NULL,
845 .size = sizeof(CMS_PasswordRecipientInfo),
846 .sname = "CMS_PasswordRecipientInfo",
847};
848
849static const ASN1_TEMPLATE CMS_OtherRecipientInfo_seq_tt[] = {
850 {
851 .flags = 0,
852 .tag = 0,
853 .offset = offsetof(CMS_OtherRecipientInfo, oriType),
854 .field_name = "oriType",
855 .item = &ASN1_OBJECT_it,
856 },
857 {
858 .flags = ASN1_TFLG_OPTIONAL,
859 .tag = 0,
860 .offset = offsetof(CMS_OtherRecipientInfo, oriValue),
861 .field_name = "oriValue",
862 .item = &ASN1_ANY_it,
863 },
864};
865
866const ASN1_ITEM CMS_OtherRecipientInfo_it = {
867 .itype = ASN1_ITYPE_SEQUENCE,
868 .utype = V_ASN1_SEQUENCE,
869 .templates = CMS_OtherRecipientInfo_seq_tt,
870 .tcount = sizeof(CMS_OtherRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
871 .funcs = NULL,
872 .size = sizeof(CMS_OtherRecipientInfo),
873 .sname = "CMS_OtherRecipientInfo",
874};
875
876/* Free up RecipientInfo additional data */
877static int
878cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
879{
880 if (operation == ASN1_OP_FREE_PRE) {
881 CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval;
882 if (ri->type == CMS_RECIPINFO_TRANS) {
883 CMS_KeyTransRecipientInfo *ktri = ri->d.ktri;
884 EVP_PKEY_free(ktri->pkey);
885 X509_free(ktri->recip);
886 } else if (ri->type == CMS_RECIPINFO_KEK) {
887 CMS_KEKRecipientInfo *kekri = ri->d.kekri;
888 if (kekri->key) {
889 explicit_bzero(kekri->key, kekri->keylen);
890 free(kekri->key);
891 }
892 } else if (ri->type == CMS_RECIPINFO_PASS) {
893 CMS_PasswordRecipientInfo *pwri = ri->d.pwri;
894 if (pwri->pass) {
895 explicit_bzero(pwri->pass, pwri->passlen);
896 free(pwri->pass);
897 }
898 }
899 }
900 return 1;
901}
902
903static const ASN1_AUX CMS_RecipientInfo_aux = {
904 .app_data = NULL,
905 .flags = 0,
906 .ref_offset = 0,
907 .ref_lock = 0,
908 .asn1_cb = cms_ri_cb,
909 .enc_offset = 0,
910};
911static const ASN1_TEMPLATE CMS_RecipientInfo_ch_tt[] = {
912 {
913 .flags = 0,
914 .tag = 0,
915 .offset = offsetof(CMS_RecipientInfo, d.ktri),
916 .field_name = "d.ktri",
917 .item = &CMS_KeyTransRecipientInfo_it,
918 },
919 {
920 .flags = ASN1_TFLG_IMPLICIT,
921 .tag = 1,
922 .offset = offsetof(CMS_RecipientInfo, d.kari),
923 .field_name = "d.kari",
924 .item = &CMS_KeyAgreeRecipientInfo_it,
925 },
926 {
927 .flags = ASN1_TFLG_IMPLICIT,
928 .tag = 2,
929 .offset = offsetof(CMS_RecipientInfo, d.kekri),
930 .field_name = "d.kekri",
931 .item = &CMS_KEKRecipientInfo_it,
932 },
933 {
934 .flags = ASN1_TFLG_IMPLICIT,
935 .tag = 3,
936 .offset = offsetof(CMS_RecipientInfo, d.pwri),
937 .field_name = "d.pwri",
938 .item = &CMS_PasswordRecipientInfo_it,
939 },
940 {
941 .flags = ASN1_TFLG_IMPLICIT,
942 .tag = 4,
943 .offset = offsetof(CMS_RecipientInfo, d.ori),
944 .field_name = "d.ori",
945 .item = &CMS_OtherRecipientInfo_it,
946 },
947};
948
949const ASN1_ITEM CMS_RecipientInfo_it = {
950 .itype = ASN1_ITYPE_CHOICE,
951 .utype = offsetof(CMS_RecipientInfo, type),
952 .templates = CMS_RecipientInfo_ch_tt,
953 .tcount = sizeof(CMS_RecipientInfo_ch_tt) / sizeof(ASN1_TEMPLATE),
954 .funcs = &CMS_RecipientInfo_aux,
955 .size = sizeof(CMS_RecipientInfo),
956 .sname = "CMS_RecipientInfo",
957};
958
959static const ASN1_TEMPLATE CMS_EnvelopedData_seq_tt[] = {
960 {
961 .flags = 0,
962 .tag = 0,
963 .offset = offsetof(CMS_EnvelopedData, version),
964 .field_name = "version",
965 .item = &LONG_it,
966 },
967 {
968 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
969 .tag = 0,
970 .offset = offsetof(CMS_EnvelopedData, originatorInfo),
971 .field_name = "originatorInfo",
972 .item = &CMS_OriginatorInfo_it,
973 },
974 {
975 .flags = ASN1_TFLG_SET_OF,
976 .tag = 0,
977 .offset = offsetof(CMS_EnvelopedData, recipientInfos),
978 .field_name = "recipientInfos",
979 .item = &CMS_RecipientInfo_it,
980 },
981 {
982 .flags = 0,
983 .tag = 0,
984 .offset = offsetof(CMS_EnvelopedData, encryptedContentInfo),
985 .field_name = "encryptedContentInfo",
986 .item = &CMS_EncryptedContentInfo_it,
987 },
988 {
989 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
990 .tag = 1,
991 .offset = offsetof(CMS_EnvelopedData, unprotectedAttrs),
992 .field_name = "unprotectedAttrs",
993 .item = &X509_ATTRIBUTE_it,
994 },
995};
996
997const ASN1_ITEM CMS_EnvelopedData_it = {
998 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
999 .utype = V_ASN1_SEQUENCE,
1000 .templates = CMS_EnvelopedData_seq_tt,
1001 .tcount = sizeof(CMS_EnvelopedData_seq_tt) / sizeof(ASN1_TEMPLATE),
1002 .funcs = NULL,
1003 .size = sizeof(CMS_EnvelopedData),
1004 .sname = "CMS_EnvelopedData",
1005};
1006
1007static const ASN1_TEMPLATE CMS_DigestedData_seq_tt[] = {
1008 {
1009 .flags = 0,
1010 .tag = 0,
1011 .offset = offsetof(CMS_DigestedData, version),
1012 .field_name = "version",
1013 .item = &LONG_it,
1014 },
1015 {
1016 .flags = 0,
1017 .tag = 0,
1018 .offset = offsetof(CMS_DigestedData, digestAlgorithm),
1019 .field_name = "digestAlgorithm",
1020 .item = &X509_ALGOR_it,
1021 },
1022 {
1023 .flags = 0,
1024 .tag = 0,
1025 .offset = offsetof(CMS_DigestedData, encapContentInfo),
1026 .field_name = "encapContentInfo",
1027 .item = &CMS_EncapsulatedContentInfo_it,
1028 },
1029 {
1030 .flags = 0,
1031 .tag = 0,
1032 .offset = offsetof(CMS_DigestedData, digest),
1033 .field_name = "digest",
1034 .item = &ASN1_OCTET_STRING_it,
1035 },
1036};
1037
1038const ASN1_ITEM CMS_DigestedData_it = {
1039 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
1040 .utype = V_ASN1_SEQUENCE,
1041 .templates = CMS_DigestedData_seq_tt,
1042 .tcount = sizeof(CMS_DigestedData_seq_tt) / sizeof(ASN1_TEMPLATE),
1043 .funcs = NULL,
1044 .size = sizeof(CMS_DigestedData),
1045 .sname = "CMS_DigestedData",
1046};
1047
1048static const ASN1_TEMPLATE CMS_EncryptedData_seq_tt[] = {
1049 {
1050 .flags = 0,
1051 .tag = 0,
1052 .offset = offsetof(CMS_EncryptedData, version),
1053 .field_name = "version",
1054 .item = &LONG_it,
1055 },
1056 {
1057 .flags = 0,
1058 .tag = 0,
1059 .offset = offsetof(CMS_EncryptedData, encryptedContentInfo),
1060 .field_name = "encryptedContentInfo",
1061 .item = &CMS_EncryptedContentInfo_it,
1062 },
1063 {
1064 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
1065 .tag = 1,
1066 .offset = offsetof(CMS_EncryptedData, unprotectedAttrs),
1067 .field_name = "unprotectedAttrs",
1068 .item = &X509_ATTRIBUTE_it,
1069 },
1070};
1071
1072const ASN1_ITEM CMS_EncryptedData_it = {
1073 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
1074 .utype = V_ASN1_SEQUENCE,
1075 .templates = CMS_EncryptedData_seq_tt,
1076 .tcount = sizeof(CMS_EncryptedData_seq_tt) / sizeof(ASN1_TEMPLATE),
1077 .funcs = NULL,
1078 .size = sizeof(CMS_EncryptedData),
1079 .sname = "CMS_EncryptedData",
1080};
1081
1082static const ASN1_TEMPLATE CMS_AuthenticatedData_seq_tt[] = {
1083 {
1084 .flags = 0,
1085 .tag = 0,
1086 .offset = offsetof(CMS_AuthenticatedData, version),
1087 .field_name = "version",
1088 .item = &LONG_it,
1089 },
1090 {
1091 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
1092 .tag = 0,
1093 .offset = offsetof(CMS_AuthenticatedData, originatorInfo),
1094 .field_name = "originatorInfo",
1095 .item = &CMS_OriginatorInfo_it,
1096 },
1097 {
1098 .flags = ASN1_TFLG_SET_OF,
1099 .tag = 0,
1100 .offset = offsetof(CMS_AuthenticatedData, recipientInfos),
1101 .field_name = "recipientInfos",
1102 .item = &CMS_RecipientInfo_it,
1103 },
1104 {
1105 .flags = 0,
1106 .tag = 0,
1107 .offset = offsetof(CMS_AuthenticatedData, macAlgorithm),
1108 .field_name = "macAlgorithm",
1109 .item = &X509_ALGOR_it,
1110 },
1111 {
1112 .flags = ASN1_TFLG_IMPLICIT,
1113 .tag = 1,
1114 .offset = offsetof(CMS_AuthenticatedData, digestAlgorithm),
1115 .field_name = "digestAlgorithm",
1116 .item = &X509_ALGOR_it,
1117 },
1118 {
1119 .flags = 0,
1120 .tag = 0,
1121 .offset = offsetof(CMS_AuthenticatedData, encapContentInfo),
1122 .field_name = "encapContentInfo",
1123 .item = &CMS_EncapsulatedContentInfo_it,
1124 },
1125 {
1126 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
1127 .tag = 2,
1128 .offset = offsetof(CMS_AuthenticatedData, authAttrs),
1129 .field_name = "authAttrs",
1130 .item = &X509_ALGOR_it,
1131 },
1132 {
1133 .flags = 0,
1134 .tag = 0,
1135 .offset = offsetof(CMS_AuthenticatedData, mac),
1136 .field_name = "mac",
1137 .item = &ASN1_OCTET_STRING_it,
1138 },
1139 {
1140 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
1141 .tag = 3,
1142 .offset = offsetof(CMS_AuthenticatedData, unauthAttrs),
1143 .field_name = "unauthAttrs",
1144 .item = &X509_ALGOR_it,
1145 },
1146};
1147
1148const ASN1_ITEM CMS_AuthenticatedData_it = {
1149 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
1150 .utype = V_ASN1_SEQUENCE,
1151 .templates = CMS_AuthenticatedData_seq_tt,
1152 .tcount = sizeof(CMS_AuthenticatedData_seq_tt) / sizeof(ASN1_TEMPLATE),
1153 .funcs = NULL,
1154 .size = sizeof(CMS_AuthenticatedData),
1155 .sname = "CMS_AuthenticatedData",
1156};
1157
1158static const ASN1_TEMPLATE CMS_CompressedData_seq_tt[] = {
1159 {
1160 .flags = 0,
1161 .tag = 0,
1162 .offset = offsetof(CMS_CompressedData, version),
1163 .field_name = "version",
1164 .item = &LONG_it,
1165 },
1166 {
1167 .flags = 0,
1168 .tag = 0,
1169 .offset = offsetof(CMS_CompressedData, compressionAlgorithm),
1170 .field_name = "compressionAlgorithm",
1171 .item = &X509_ALGOR_it,
1172 },
1173 {
1174 .flags = 0,
1175 .tag = 0,
1176 .offset = offsetof(CMS_CompressedData, encapContentInfo),
1177 .field_name = "encapContentInfo",
1178 .item = &CMS_EncapsulatedContentInfo_it,
1179 },
1180};
1181
1182const ASN1_ITEM CMS_CompressedData_it = {
1183 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
1184 .utype = V_ASN1_SEQUENCE,
1185 .templates = CMS_CompressedData_seq_tt,
1186 .tcount = sizeof(CMS_CompressedData_seq_tt) / sizeof(ASN1_TEMPLATE),
1187 .funcs = NULL,
1188 .size = sizeof(CMS_CompressedData),
1189 .sname = "CMS_CompressedData",
1190};
1191
1192/* This is the ANY DEFINED BY table for the top level ContentInfo structure */
1193
1194static const ASN1_TEMPLATE cms_default_tt = {
1195 .flags = ASN1_TFLG_EXPLICIT,
1196 .tag = 0,
1197 .offset = offsetof(CMS_ContentInfo, d.other),
1198 .field_name = "d.other",
1199 .item = &ASN1_ANY_it,
1200};
1201
1202static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = {
1203 {
1204 .value = NID_pkcs7_data,
1205 .tt = {
1206 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF,
1207 .tag = 0,
1208 .offset = offsetof(CMS_ContentInfo, d.data),
1209 .field_name = "d.data",
1210 .item = &ASN1_OCTET_STRING_NDEF_it,
1211 },
1212
1213 },
1214 {
1215 .value = NID_pkcs7_signed,
1216 .tt = {
1217 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF,
1218 .tag = 0,
1219 .offset = offsetof(CMS_ContentInfo, d.signedData),
1220 .field_name = "d.signedData",
1221 .item = &CMS_SignedData_it,
1222 },
1223
1224 },
1225 {
1226 .value = NID_pkcs7_enveloped,
1227 .tt = {
1228 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF,
1229 .tag = 0,
1230 .offset = offsetof(CMS_ContentInfo, d.envelopedData),
1231 .field_name = "d.envelopedData",
1232 .item = &CMS_EnvelopedData_it,
1233 },
1234
1235 },
1236 {
1237 .value = NID_pkcs7_digest,
1238 .tt = {
1239 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF,
1240 .tag = 0,
1241 .offset = offsetof(CMS_ContentInfo, d.digestedData),
1242 .field_name = "d.digestedData",
1243 .item = &CMS_DigestedData_it,
1244 },
1245
1246 },
1247 {
1248 .value = NID_pkcs7_encrypted,
1249 .tt = {
1250 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF,
1251 .tag = 0,
1252 .offset = offsetof(CMS_ContentInfo, d.encryptedData),
1253 .field_name = "d.encryptedData",
1254 .item = &CMS_EncryptedData_it,
1255 },
1256
1257 },
1258 {
1259 .value = NID_id_smime_ct_authData,
1260 .tt = {
1261 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF,
1262 .tag = 0,
1263 .offset = offsetof(CMS_ContentInfo, d.authenticatedData),
1264 .field_name = "d.authenticatedData",
1265 .item = &CMS_AuthenticatedData_it,
1266 },
1267
1268 },
1269 {
1270 .value = NID_id_smime_ct_compressedData,
1271 .tt = {
1272 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF,
1273 .tag = 0,
1274 .offset = offsetof(CMS_ContentInfo, d.compressedData),
1275 .field_name = "d.compressedData",
1276 .item = &CMS_CompressedData_it,
1277 },
1278
1279 },
1280};
1281
1282static const ASN1_ADB CMS_ContentInfo_adb = {
1283 .flags = 0,
1284 .offset = offsetof(CMS_ContentInfo, contentType),
1285 .app_items = 0,
1286 .tbl = CMS_ContentInfo_adbtbl,
1287 .tblcount = sizeof(CMS_ContentInfo_adbtbl) / sizeof(ASN1_ADB_TABLE),
1288 .default_tt = &cms_default_tt,
1289 .null_tt = NULL,
1290};
1291
1292/* CMS streaming support */
1293static int
1294cms_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
1295{
1296 ASN1_STREAM_ARG *sarg = exarg;
1297 CMS_ContentInfo *cms = NULL;
1298
1299 if (pval)
1300 cms = (CMS_ContentInfo *)*pval;
1301 else
1302 return 1;
1303
1304 switch (operation) {
1305 case ASN1_OP_STREAM_PRE:
1306 if (CMS_stream(&sarg->boundary, cms) <= 0)
1307 return 0;
1308 case ASN1_OP_DETACHED_PRE:
1309 sarg->ndef_bio = CMS_dataInit(cms, sarg->out);
1310 if (!sarg->ndef_bio)
1311 return 0;
1312 break;
1313 case ASN1_OP_STREAM_POST:
1314 case ASN1_OP_DETACHED_POST:
1315 if (CMS_dataFinal(cms, sarg->ndef_bio) <= 0)
1316 return 0;
1317 break;
1318 }
1319 return 1;
1320}
1321
1322static const ASN1_AUX CMS_ContentInfo_aux = {
1323 .app_data = NULL,
1324 .flags = 0,
1325 .ref_offset = 0,
1326 .ref_lock = 0,
1327 .asn1_cb = cms_cb,
1328 .enc_offset = 0,
1329};
1330static const ASN1_TEMPLATE CMS_ContentInfo_seq_tt[] = {
1331 {
1332 .flags = 0,
1333 .tag = 0,
1334 .offset = offsetof(CMS_ContentInfo, contentType),
1335 .field_name = "contentType",
1336 .item = &ASN1_OBJECT_it,
1337 },
1338 {
1339 .flags = ASN1_TFLG_ADB_OID,
1340 .tag = -1,
1341 .offset = 0,
1342 .field_name = "CMS_ContentInfo",
1343 .item = (const ASN1_ITEM *)&CMS_ContentInfo_adb,
1344 },
1345};
1346
1347const ASN1_ITEM CMS_ContentInfo_it = {
1348 .itype = ASN1_ITYPE_NDEF_SEQUENCE,
1349 .utype = V_ASN1_SEQUENCE,
1350 .templates = CMS_ContentInfo_seq_tt,
1351 .tcount = sizeof(CMS_ContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE),
1352 .funcs = &CMS_ContentInfo_aux,
1353 .size = sizeof(CMS_ContentInfo),
1354 .sname = "CMS_ContentInfo",
1355};
1356
1357/* Specials for signed attributes */
1358
1359/* When signing attributes we want to reorder them to match the sorted
1360 * encoding.
1361 */
1362
1363static const ASN1_TEMPLATE CMS_Attributes_Sign_item_tt = {
1364 .flags = ASN1_TFLG_SET_ORDER,
1365 .tag = 0,
1366 .offset = 0,
1367 .field_name = "CMS_ATTRIBUTES",
1368 .item = &X509_ATTRIBUTE_it,
1369};
1370
1371const ASN1_ITEM CMS_Attributes_Sign_it = {
1372 .itype = ASN1_ITYPE_PRIMITIVE,
1373 .utype = -1,
1374 .templates = &CMS_Attributes_Sign_item_tt,
1375 .tcount = 0,
1376 .funcs = NULL,
1377 .size = 0,
1378 .sname = "CMS_Attributes_Sign",
1379};
1380
1381/* When verifying attributes we need to use the received order. So
1382 * we use SEQUENCE OF and tag it to SET OF
1383 */
1384
1385static const ASN1_TEMPLATE CMS_Attributes_Verify_item_tt = {
1386 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_IMPTAG | ASN1_TFLG_UNIVERSAL,
1387 .tag = V_ASN1_SET,
1388 .offset = 0,
1389 .field_name = "CMS_ATTRIBUTES",
1390 .item = &X509_ATTRIBUTE_it,
1391};
1392
1393const ASN1_ITEM CMS_Attributes_Verify_it = {
1394 .itype = ASN1_ITYPE_PRIMITIVE,
1395 .utype = -1,
1396 .templates = &CMS_Attributes_Verify_item_tt,
1397 .tcount = 0,
1398 .funcs = NULL,
1399 .size = 0,
1400 .sname = "CMS_Attributes_Verify",
1401};
1402
1403static const ASN1_TEMPLATE CMS_ReceiptsFrom_ch_tt[] = {
1404 {
1405 .flags = ASN1_TFLG_IMPLICIT,
1406 .tag = 0,
1407 .offset = offsetof(CMS_ReceiptsFrom, d.allOrFirstTier),
1408 .field_name = "d.allOrFirstTier",
1409 .item = &LONG_it,
1410 },
1411 {
1412 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF,
1413 .tag = 1,
1414 .offset = offsetof(CMS_ReceiptsFrom, d.receiptList),
1415 .field_name = "d.receiptList",
1416 .item = &GENERAL_NAMES_it,
1417 },
1418};
1419
1420const ASN1_ITEM CMS_ReceiptsFrom_it = {
1421 .itype = ASN1_ITYPE_CHOICE,
1422 .utype = offsetof(CMS_ReceiptsFrom, type),
1423 .templates = CMS_ReceiptsFrom_ch_tt,
1424 .tcount = sizeof(CMS_ReceiptsFrom_ch_tt) / sizeof(ASN1_TEMPLATE),
1425 .funcs = NULL,
1426 .size = sizeof(CMS_ReceiptsFrom),
1427 .sname = "CMS_ReceiptsFrom",
1428};
1429
1430static const ASN1_TEMPLATE CMS_ReceiptRequest_seq_tt[] = {
1431 {
1432 .flags = 0,
1433 .tag = 0,
1434 .offset = offsetof(CMS_ReceiptRequest, signedContentIdentifier),
1435 .field_name = "signedContentIdentifier",
1436 .item = &ASN1_OCTET_STRING_it,
1437 },
1438 {
1439 .flags = 0,
1440 .tag = 0,
1441 .offset = offsetof(CMS_ReceiptRequest, receiptsFrom),
1442 .field_name = "receiptsFrom",
1443 .item = &CMS_ReceiptsFrom_it,
1444 },
1445 {
1446 .flags = ASN1_TFLG_SEQUENCE_OF,
1447 .tag = 0,
1448 .offset = offsetof(CMS_ReceiptRequest, receiptsTo),
1449 .field_name = "receiptsTo",
1450 .item = &GENERAL_NAMES_it,
1451 },
1452};
1453
1454const ASN1_ITEM CMS_ReceiptRequest_it = {
1455 .itype = ASN1_ITYPE_SEQUENCE,
1456 .utype = V_ASN1_SEQUENCE,
1457 .templates = CMS_ReceiptRequest_seq_tt,
1458 .tcount = sizeof(CMS_ReceiptRequest_seq_tt) / sizeof(ASN1_TEMPLATE),
1459 .funcs = NULL,
1460 .size = sizeof(CMS_ReceiptRequest),
1461 .sname = "CMS_ReceiptRequest",
1462};
1463
1464static const ASN1_TEMPLATE CMS_Receipt_seq_tt[] = {
1465 {
1466 .flags = 0,
1467 .tag = 0,
1468 .offset = offsetof(CMS_Receipt, version),
1469 .field_name = "version",
1470 .item = &LONG_it,
1471 },
1472 {
1473 .flags = 0,
1474 .tag = 0,
1475 .offset = offsetof(CMS_Receipt, contentType),
1476 .field_name = "contentType",
1477 .item = &ASN1_OBJECT_it,
1478 },
1479 {
1480 .flags = 0,
1481 .tag = 0,
1482 .offset = offsetof(CMS_Receipt, signedContentIdentifier),
1483 .field_name = "signedContentIdentifier",
1484 .item = &ASN1_OCTET_STRING_it,
1485 },
1486 {
1487 .flags = 0,
1488 .tag = 0,
1489 .offset = offsetof(CMS_Receipt, originatorSignatureValue),
1490 .field_name = "originatorSignatureValue",
1491 .item = &ASN1_OCTET_STRING_it,
1492 },
1493};
1494
1495const ASN1_ITEM CMS_Receipt_it = {
1496 .itype = ASN1_ITYPE_SEQUENCE,
1497 .utype = V_ASN1_SEQUENCE,
1498 .templates = CMS_Receipt_seq_tt,
1499 .tcount = sizeof(CMS_Receipt_seq_tt) / sizeof(ASN1_TEMPLATE),
1500 .funcs = NULL,
1501 .size = sizeof(CMS_Receipt),
1502 .sname = "CMS_Receipt",
1503};
diff --git a/src/lib/libcrypto/cms/cms_att.c b/src/lib/libcrypto/cms/cms_att.c
deleted file mode 100644
index b38c7c4699..0000000000
--- a/src/lib/libcrypto/cms/cms_att.c
+++ /dev/null
@@ -1,211 +0,0 @@
1/* $OpenBSD: cms_att.c,v 1.3 2014/06/12 15:49:28 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/asn1t.h>
55#include <openssl/pem.h>
56#include <openssl/x509v3.h>
57#include <openssl/err.h>
58#include "cms.h"
59#include "cms_lcl.h"
60
61/* CMS SignedData Attribute utilities */
62
63int
64CMS_signed_get_attr_count(const CMS_SignerInfo *si)
65{
66 return X509at_get_attr_count(si->signedAttrs);
67}
68
69int
70CMS_signed_get_attr_by_NID(const CMS_SignerInfo *si, int nid, int lastpos)
71{
72 return X509at_get_attr_by_NID(si->signedAttrs, nid, lastpos);
73}
74
75int
76CMS_signed_get_attr_by_OBJ(const CMS_SignerInfo *si, ASN1_OBJECT *obj,
77 int lastpos)
78{
79 return X509at_get_attr_by_OBJ(si->signedAttrs, obj, lastpos);
80}
81
82X509_ATTRIBUTE *
83CMS_signed_get_attr(const CMS_SignerInfo *si, int loc)
84{
85 return X509at_get_attr(si->signedAttrs, loc);
86}
87
88X509_ATTRIBUTE *
89CMS_signed_delete_attr(CMS_SignerInfo *si, int loc)
90{
91 return X509at_delete_attr(si->signedAttrs, loc);
92}
93
94int
95CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr)
96{
97 if (X509at_add1_attr(&si->signedAttrs, attr))
98 return 1;
99 return 0;
100}
101
102int
103CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj,
104 int type, const void *bytes, int len)
105{
106 if (X509at_add1_attr_by_OBJ(&si->signedAttrs, obj, type, bytes, len))
107 return 1;
108 return 0;
109}
110
111int
112CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type,
113 const void *bytes, int len)
114{
115 if (X509at_add1_attr_by_NID(&si->signedAttrs, nid, type, bytes, len))
116 return 1;
117 return 0;
118}
119
120int
121CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname, int type,
122 const void *bytes, int len)
123{
124 if (X509at_add1_attr_by_txt(&si->signedAttrs, attrname, type,
125 bytes, len))
126 return 1;
127 return 0;
128}
129
130void *
131CMS_signed_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, int lastpos,
132 int type)
133{
134 return X509at_get0_data_by_OBJ(si->signedAttrs, oid, lastpos, type);
135}
136
137int
138CMS_unsigned_get_attr_count(const CMS_SignerInfo *si)
139{
140 return X509at_get_attr_count(si->unsignedAttrs);
141}
142
143int
144CMS_unsigned_get_attr_by_NID(const CMS_SignerInfo *si, int nid, int lastpos)
145{
146 return X509at_get_attr_by_NID(si->unsignedAttrs, nid, lastpos);
147}
148
149int
150CMS_unsigned_get_attr_by_OBJ(const CMS_SignerInfo *si, ASN1_OBJECT *obj,
151 int lastpos)
152{
153 return X509at_get_attr_by_OBJ(si->unsignedAttrs, obj, lastpos);
154}
155
156X509_ATTRIBUTE *
157CMS_unsigned_get_attr(const CMS_SignerInfo *si, int loc)
158{
159 return X509at_get_attr(si->unsignedAttrs, loc);
160}
161
162X509_ATTRIBUTE *
163CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc)
164{
165 return X509at_delete_attr(si->unsignedAttrs, loc);
166}
167
168int
169CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr)
170{
171 if (X509at_add1_attr(&si->unsignedAttrs, attr))
172 return 1;
173 return 0;
174}
175
176int
177CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj,
178 int type, const void *bytes, int len)
179{
180 if (X509at_add1_attr_by_OBJ(&si->unsignedAttrs, obj, type, bytes, len))
181 return 1;
182 return 0;
183}
184
185int
186CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type,
187 const void *bytes, int len)
188{
189 if (X509at_add1_attr_by_NID(&si->unsignedAttrs, nid, type, bytes, len))
190 return 1;
191 return 0;
192}
193
194int
195CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname,
196 int type, const void *bytes, int len)
197{
198 if (X509at_add1_attr_by_txt(&si->unsignedAttrs, attrname, type,
199 bytes, len))
200 return 1;
201 return 0;
202}
203
204void *
205CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
206 int lastpos, int type)
207{
208 return X509at_get0_data_by_OBJ(si->unsignedAttrs, oid, lastpos, type);
209}
210
211/* Specific attribute cases */
diff --git a/src/lib/libcrypto/cms/cms_cd.c b/src/lib/libcrypto/cms/cms_cd.c
deleted file mode 100644
index 0489a3d8a3..0000000000
--- a/src/lib/libcrypto/cms/cms_cd.c
+++ /dev/null
@@ -1,135 +0,0 @@
1/* $OpenBSD: cms_cd.c,v 1.6 2015/02/11 03:55:00 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/opensslconf.h>
55
56#include <openssl/asn1t.h>
57#include <openssl/bio.h>
58#include <openssl/cms.h>
59#include <openssl/err.h>
60#include <openssl/pem.h>
61#include <openssl/x509v3.h>
62
63
64#include "cms_lcl.h"
65
66DECLARE_ASN1_ITEM(CMS_CompressedData)
67
68#ifdef ZLIB
69
70/* CMS CompressedData Utilities */
71
72CMS_ContentInfo *
73cms_CompressedData_create(int comp_nid)
74{
75 CMS_ContentInfo *cms;
76 CMS_CompressedData *cd;
77
78 /* Will need something cleverer if there is ever more than one
79 * compression algorithm or parameters have some meaning...
80 */
81 if (comp_nid != NID_zlib_compression) {
82 CMSerr(CMS_F_CMS_COMPRESSEDDATA_CREATE,
83 CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
84 return NULL;
85 }
86 cms = CMS_ContentInfo_new();
87 if (!cms)
88 return NULL;
89
90 cd = M_ASN1_new_of(CMS_CompressedData);
91
92 if (!cd)
93 goto err;
94
95 cms->contentType = OBJ_nid2obj(NID_id_smime_ct_compressedData);
96 cms->d.compressedData = cd;
97
98 cd->version = 0;
99
100 X509_ALGOR_set0(cd->compressionAlgorithm,
101 OBJ_nid2obj(NID_zlib_compression),
102 V_ASN1_UNDEF, NULL);
103
104 cd->encapContentInfo->eContentType = OBJ_nid2obj(NID_pkcs7_data);
105
106 return cms;
107
108err:
109 if (cms)
110 CMS_ContentInfo_free(cms);
111 return NULL;
112}
113
114BIO *
115cms_CompressedData_init_bio(CMS_ContentInfo *cms)
116{
117 CMS_CompressedData *cd;
118 ASN1_OBJECT *compoid;
119
120 if (OBJ_obj2nid(cms->contentType) != NID_id_smime_ct_compressedData) {
121 CMSerr(CMS_F_CMS_COMPRESSEDDATA_INIT_BIO,
122 CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA);
123 return NULL;
124 }
125 cd = cms->d.compressedData;
126 X509_ALGOR_get0(&compoid, NULL, NULL, cd->compressionAlgorithm);
127 if (OBJ_obj2nid(compoid) != NID_zlib_compression) {
128 CMSerr(CMS_F_CMS_COMPRESSEDDATA_INIT_BIO,
129 CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
130 return NULL;
131 }
132 return BIO_new(BIO_f_zlib());
133}
134
135#endif
diff --git a/src/lib/libcrypto/cms/cms_dd.c b/src/lib/libcrypto/cms/cms_dd.c
deleted file mode 100644
index eee25f5f07..0000000000
--- a/src/lib/libcrypto/cms/cms_dd.c
+++ /dev/null
@@ -1,147 +0,0 @@
1/* $OpenBSD: cms_dd.c,v 1.4 2014/07/11 08:44:48 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/asn1t.h>
55#include <openssl/cms.h>
56#include <openssl/err.h>
57#include <openssl/pem.h>
58#include <openssl/x509v3.h>
59
60#include "cms_lcl.h"
61
62DECLARE_ASN1_ITEM(CMS_DigestedData)
63
64/* CMS DigestedData Utilities */
65
66CMS_ContentInfo *
67cms_DigestedData_create(const EVP_MD *md)
68{
69 CMS_ContentInfo *cms;
70 CMS_DigestedData *dd;
71
72 cms = CMS_ContentInfo_new();
73 if (!cms)
74 return NULL;
75
76 dd = M_ASN1_new_of(CMS_DigestedData);
77
78 if (!dd)
79 goto err;
80
81 cms->contentType = OBJ_nid2obj(NID_pkcs7_digest);
82 cms->d.digestedData = dd;
83
84 dd->version = 0;
85 dd->encapContentInfo->eContentType = OBJ_nid2obj(NID_pkcs7_data);
86
87 cms_DigestAlgorithm_set(dd->digestAlgorithm, md);
88
89 return cms;
90
91err:
92 if (cms)
93 CMS_ContentInfo_free(cms);
94 return NULL;
95}
96
97BIO *
98cms_DigestedData_init_bio(CMS_ContentInfo *cms)
99{
100 CMS_DigestedData *dd;
101
102 dd = cms->d.digestedData;
103 return cms_DigestAlgorithm_init_bio(dd->digestAlgorithm);
104}
105
106int
107cms_DigestedData_do_final(CMS_ContentInfo *cms, BIO *chain, int verify)
108{
109 EVP_MD_CTX mctx;
110 unsigned char md[EVP_MAX_MD_SIZE];
111 unsigned int mdlen;
112 int r = 0;
113 CMS_DigestedData *dd;
114
115 EVP_MD_CTX_init(&mctx);
116
117 dd = cms->d.digestedData;
118
119 if (!cms_DigestAlgorithm_find_ctx(&mctx, chain, dd->digestAlgorithm))
120 goto err;
121
122 if (EVP_DigestFinal_ex(&mctx, md, &mdlen) <= 0)
123 goto err;
124
125 if (verify) {
126 if (mdlen != (unsigned int)dd->digest->length) {
127 CMSerr(CMS_F_CMS_DIGESTEDDATA_DO_FINAL,
128 CMS_R_MESSAGEDIGEST_WRONG_LENGTH);
129 goto err;
130 }
131
132 if (memcmp(md, dd->digest->data, mdlen))
133 CMSerr(CMS_F_CMS_DIGESTEDDATA_DO_FINAL,
134 CMS_R_VERIFICATION_FAILURE);
135 else
136 r = 1;
137 } else {
138 if (!ASN1_STRING_set(dd->digest, md, mdlen))
139 goto err;
140 r = 1;
141 }
142
143err:
144 EVP_MD_CTX_cleanup(&mctx);
145
146 return r;
147}
diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
deleted file mode 100644
index c967a18a3c..0000000000
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ /dev/null
@@ -1,267 +0,0 @@
1/* $OpenBSD: cms_enc.c,v 1.7 2015/09/10 15:56:25 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <stdlib.h>
55
56#include <openssl/asn1t.h>
57#include <openssl/cms.h>
58#include <openssl/err.h>
59#include <openssl/pem.h>
60#include <openssl/x509v3.h>
61
62#include "cms_lcl.h"
63
64/* CMS EncryptedData Utilities */
65
66DECLARE_ASN1_ITEM(CMS_EncryptedData)
67
68/* Return BIO based on EncryptedContentInfo and key */
69
70BIO *
71cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
72{
73 BIO *b;
74 EVP_CIPHER_CTX *ctx;
75 const EVP_CIPHER *ciph;
76 X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
77 unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
78 unsigned char *tkey = NULL;
79 size_t tkeylen = 0;
80 int ok = 0;
81 int enc, keep_key = 0;
82
83 enc = ec->cipher ? 1 : 0;
84
85 b = BIO_new(BIO_f_cipher());
86 if (!b) {
87 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
88 ERR_R_MALLOC_FAILURE);
89 return NULL;
90 }
91
92 BIO_get_cipher_ctx(b, &ctx);
93
94 if (enc) {
95 ciph = ec->cipher;
96 /* If not keeping key set cipher to NULL so subsequent calls
97 * decrypt.
98 */
99 if (ec->key)
100 ec->cipher = NULL;
101 } else {
102 ciph = EVP_get_cipherbyobj(calg->algorithm);
103
104 if (!ciph) {
105 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
106 CMS_R_UNKNOWN_CIPHER);
107 goto err;
108 }
109 }
110
111 if (EVP_CipherInit_ex(ctx, ciph, NULL, NULL, NULL, enc) <= 0) {
112 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
113 CMS_R_CIPHER_INITIALISATION_ERROR);
114 goto err;
115 }
116
117 if (enc) {
118 int ivlen;
119 calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx));
120 /* Generate a random IV if we need one */
121 ivlen = EVP_CIPHER_CTX_iv_length(ctx);
122 if (ivlen > 0) {
123 arc4random_buf(iv, ivlen);
124 piv = iv;
125 }
126 } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) {
127 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
128 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
129 goto err;
130 }
131 tkeylen = EVP_CIPHER_CTX_key_length(ctx);
132 /* Generate random session key */
133 if (!enc || !ec->key) {
134 tkey = malloc(tkeylen);
135 if (!tkey) {
136 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
137 ERR_R_MALLOC_FAILURE);
138 goto err;
139 }
140 if (EVP_CIPHER_CTX_rand_key(ctx, tkey) <= 0)
141 goto err;
142 }
143
144 if (!ec->key) {
145 ec->key = tkey;
146 ec->keylen = tkeylen;
147 tkey = NULL;
148 if (enc)
149 keep_key = 1;
150 else
151 ERR_clear_error();
152
153 }
154
155 if (ec->keylen != tkeylen) {
156 /* If necessary set key length */
157 if (EVP_CIPHER_CTX_set_key_length(ctx, ec->keylen) <= 0) {
158 /* Only reveal failure if debugging so we don't
159 * leak information which may be useful in MMA.
160 */
161 if (enc || ec->debug) {
162 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
163 CMS_R_INVALID_KEY_LENGTH);
164 goto err;
165 } else {
166 /* Use random key */
167 explicit_bzero(ec->key, ec->keylen);
168 free(ec->key);
169 ec->key = tkey;
170 ec->keylen = tkeylen;
171 tkey = NULL;
172 ERR_clear_error();
173 }
174 }
175 }
176
177 if (EVP_CipherInit_ex(ctx, NULL, NULL, ec->key, piv, enc) <= 0) {
178 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
179 CMS_R_CIPHER_INITIALISATION_ERROR);
180 goto err;
181 }
182
183 if (piv) {
184 calg->parameter = ASN1_TYPE_new();
185 if (!calg->parameter) {
186 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
187 ERR_R_MALLOC_FAILURE);
188 goto err;
189 }
190 if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) {
191 CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
192 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
193 goto err;
194 }
195 }
196 ok = 1;
197
198err:
199 if (ec->key && !keep_key) {
200 explicit_bzero(ec->key, ec->keylen);
201 free(ec->key);
202 ec->key = NULL;
203 }
204 if (tkey) {
205 explicit_bzero(tkey, tkeylen);
206 free(tkey);
207 }
208 if (ok)
209 return b;
210 BIO_free(b);
211 return NULL;
212}
213
214int
215cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec,
216 const EVP_CIPHER *cipher, const unsigned char *key, size_t keylen)
217{
218 ec->cipher = cipher;
219 if (key) {
220 ec->key = malloc(keylen);
221 if (!ec->key)
222 return 0;
223 memcpy(ec->key, key, keylen);
224 }
225 ec->keylen = keylen;
226 if (cipher)
227 ec->contentType = OBJ_nid2obj(NID_pkcs7_data);
228 return 1;
229}
230
231int
232CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph,
233 const unsigned char *key, size_t keylen)
234{
235 CMS_EncryptedContentInfo *ec;
236
237 if (!key || !keylen) {
238 CMSerr(CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY, CMS_R_NO_KEY);
239 return 0;
240 }
241 if (ciph) {
242 cms->d.encryptedData = M_ASN1_new_of(CMS_EncryptedData);
243 if (!cms->d.encryptedData) {
244 CMSerr(CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY,
245 ERR_R_MALLOC_FAILURE);
246 return 0;
247 }
248 cms->contentType = OBJ_nid2obj(NID_pkcs7_encrypted);
249 cms->d.encryptedData->version = 0;
250 } else if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_encrypted) {
251 CMSerr(CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY,
252 CMS_R_NOT_ENCRYPTED_DATA);
253 return 0;
254 }
255 ec = cms->d.encryptedData->encryptedContentInfo;
256 return cms_EncryptedContent_init(ec, ciph, key, keylen);
257}
258
259BIO *
260cms_EncryptedData_init_bio(CMS_ContentInfo *cms)
261{
262 CMS_EncryptedData *enc = cms->d.encryptedData;
263
264 if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs)
265 enc->version = 2;
266 return cms_EncryptedContent_init_bio(enc->encryptedContentInfo);
267}
diff --git a/src/lib/libcrypto/cms/cms_env.c b/src/lib/libcrypto/cms/cms_env.c
deleted file mode 100644
index e483c4539f..0000000000
--- a/src/lib/libcrypto/cms/cms_env.c
+++ /dev/null
@@ -1,818 +0,0 @@
1/* $OpenBSD: cms_env.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/aes.h>
55#include <openssl/asn1t.h>
56#include <openssl/cms.h>
57#include <openssl/err.h>
58#include <openssl/pem.h>
59#include <openssl/x509v3.h>
60
61#include "cms_lcl.h"
62#include "asn1_locl.h"
63
64/* CMS EnvelopedData Utilities */
65
66DECLARE_ASN1_ITEM(CMS_EnvelopedData)
67DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo)
68DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo)
69DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute)
70
71DECLARE_STACK_OF(CMS_RecipientInfo)
72
73CMS_EnvelopedData *
74cms_get0_enveloped(CMS_ContentInfo *cms)
75{
76 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
77 CMSerr(CMS_F_CMS_GET0_ENVELOPED,
78 CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
79 return NULL;
80 }
81 return cms->d.envelopedData;
82}
83
84static CMS_EnvelopedData *
85cms_enveloped_data_init(CMS_ContentInfo *cms)
86{
87 if (cms->d.other == NULL) {
88 cms->d.envelopedData = M_ASN1_new_of(CMS_EnvelopedData);
89 if (!cms->d.envelopedData) {
90 CMSerr(CMS_F_CMS_ENVELOPED_DATA_INIT,
91 ERR_R_MALLOC_FAILURE);
92 return NULL;
93 }
94 cms->d.envelopedData->version = 0;
95 cms->d.envelopedData->encryptedContentInfo->contentType =
96 OBJ_nid2obj(NID_pkcs7_data);
97 ASN1_OBJECT_free(cms->contentType);
98 cms->contentType = OBJ_nid2obj(NID_pkcs7_enveloped);
99 return cms->d.envelopedData;
100 }
101 return cms_get0_enveloped(cms);
102}
103
104STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms)
105{
106 CMS_EnvelopedData *env;
107
108 env = cms_get0_enveloped(cms);
109 if (!env)
110 return NULL;
111 return env->recipientInfos;
112}
113
114int
115CMS_RecipientInfo_type(CMS_RecipientInfo *ri)
116{
117 return ri->type;
118}
119
120CMS_ContentInfo *
121CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
122{
123 CMS_ContentInfo *cms;
124 CMS_EnvelopedData *env;
125
126 cms = CMS_ContentInfo_new();
127 if (!cms)
128 goto merr;
129 env = cms_enveloped_data_init(cms);
130 if (!env)
131 goto merr;
132 if (!cms_EncryptedContent_init(env->encryptedContentInfo,
133 cipher, NULL, 0))
134 goto merr;
135 return cms;
136
137merr:
138 if (cms)
139 CMS_ContentInfo_free(cms);
140 CMSerr(CMS_F_CMS_ENVELOPEDDATA_CREATE, ERR_R_MALLOC_FAILURE);
141 return NULL;
142}
143
144/* Key Transport Recipient Info (KTRI) routines */
145
146/* Add a recipient certificate. For now only handle key transport.
147 * If we ever handle key agreement will need updating.
148 */
149
150CMS_RecipientInfo *
151CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip, unsigned int flags)
152{
153 CMS_RecipientInfo *ri = NULL;
154 CMS_KeyTransRecipientInfo *ktri;
155 CMS_EnvelopedData *env;
156 EVP_PKEY *pk = NULL;
157 int i, type;
158
159 env = cms_get0_enveloped(cms);
160 if (!env)
161 goto err;
162
163 /* Initialize recipient info */
164 ri = M_ASN1_new_of(CMS_RecipientInfo);
165 if (!ri)
166 goto merr;
167
168 /* Initialize and add key transport recipient info */
169
170 ri->d.ktri = M_ASN1_new_of(CMS_KeyTransRecipientInfo);
171 if (!ri->d.ktri)
172 goto merr;
173 ri->type = CMS_RECIPINFO_TRANS;
174
175 ktri = ri->d.ktri;
176
177 X509_check_purpose(recip, -1, -1);
178 pk = X509_get_pubkey(recip);
179 if (!pk) {
180 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
181 CMS_R_ERROR_GETTING_PUBLIC_KEY);
182 goto err;
183 }
184 CRYPTO_add(&recip->references, 1, CRYPTO_LOCK_X509);
185 ktri->pkey = pk;
186 ktri->recip = recip;
187
188 if (flags & CMS_USE_KEYID) {
189 ktri->version = 2;
190 type = CMS_RECIPINFO_KEYIDENTIFIER;
191 } else {
192 ktri->version = 0;
193 type = CMS_RECIPINFO_ISSUER_SERIAL;
194 }
195
196 /* Not a typo: RecipientIdentifier and SignerIdentifier are the
197 * same structure.
198 */
199
200 if (!cms_set1_SignerIdentifier(ktri->rid, recip, type))
201 goto err;
202
203 if (pk->ameth && pk->ameth->pkey_ctrl) {
204 i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_ENVELOPE,
205 0, ri);
206 if (i == -2) {
207 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
208 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
209 goto err;
210 }
211 if (i <= 0) {
212 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
213 CMS_R_CTRL_FAILURE);
214 goto err;
215 }
216 }
217
218 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
219 goto merr;
220
221 return ri;
222
223merr:
224 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE);
225err:
226 if (ri)
227 M_ASN1_free_of(ri, CMS_RecipientInfo);
228 return NULL;
229}
230
231int
232CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri, EVP_PKEY **pk,
233 X509 **recip, X509_ALGOR **palg)
234{
235 CMS_KeyTransRecipientInfo *ktri;
236
237 if (ri->type != CMS_RECIPINFO_TRANS) {
238 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS,
239 CMS_R_NOT_KEY_TRANSPORT);
240 return 0;
241 }
242
243 ktri = ri->d.ktri;
244
245 if (pk)
246 *pk = ktri->pkey;
247 if (recip)
248 *recip = ktri->recip;
249 if (palg)
250 *palg = ktri->keyEncryptionAlgorithm;
251 return 1;
252}
253
254int
255CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri,
256 ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno)
257{
258 CMS_KeyTransRecipientInfo *ktri;
259
260 if (ri->type != CMS_RECIPINFO_TRANS) {
261 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID,
262 CMS_R_NOT_KEY_TRANSPORT);
263 return 0;
264 }
265 ktri = ri->d.ktri;
266
267 return cms_SignerIdentifier_get0_signer_id(ktri->rid, keyid,
268 issuer, sno);
269}
270
271int
272CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert)
273{
274 if (ri->type != CMS_RECIPINFO_TRANS) {
275 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP,
276 CMS_R_NOT_KEY_TRANSPORT);
277 return -2;
278 }
279 return cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert);
280}
281
282int
283CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey)
284{
285 if (ri->type != CMS_RECIPINFO_TRANS) {
286 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY,
287 CMS_R_NOT_KEY_TRANSPORT);
288 return 0;
289 }
290 ri->d.ktri->pkey = pkey;
291 return 1;
292}
293
294/* Encrypt content key in key transport recipient info */
295
296static int
297cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
298{
299 CMS_KeyTransRecipientInfo *ktri;
300 CMS_EncryptedContentInfo *ec;
301 EVP_PKEY_CTX *pctx = NULL;
302 unsigned char *ek = NULL;
303 size_t eklen;
304
305 int ret = 0;
306
307 if (ri->type != CMS_RECIPINFO_TRANS) {
308 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT,
309 CMS_R_NOT_KEY_TRANSPORT);
310 return 0;
311 }
312 ktri = ri->d.ktri;
313 ec = cms->d.envelopedData->encryptedContentInfo;
314
315 pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL);
316 if (!pctx)
317 return 0;
318
319 if (EVP_PKEY_encrypt_init(pctx) <= 0)
320 goto err;
321
322 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
323 EVP_PKEY_CTRL_CMS_ENCRYPT, 0, ri) <= 0) {
324 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, CMS_R_CTRL_ERROR);
325 goto err;
326 }
327
328 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
329 goto err;
330
331 ek = malloc(eklen);
332
333 if (ek == NULL) {
334 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT,
335 ERR_R_MALLOC_FAILURE);
336 goto err;
337 }
338
339 if (EVP_PKEY_encrypt(pctx, ek, &eklen, ec->key, ec->keylen) <= 0)
340 goto err;
341
342 ASN1_STRING_set0(ktri->encryptedKey, ek, eklen);
343 ek = NULL;
344
345 ret = 1;
346
347err:
348 EVP_PKEY_CTX_free(pctx);
349 free(ek);
350 return ret;
351}
352
353/* Decrypt content key from KTRI */
354
355static int
356cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
357{
358 CMS_KeyTransRecipientInfo *ktri = ri->d.ktri;
359 EVP_PKEY_CTX *pctx = NULL;
360 unsigned char *ek = NULL;
361 size_t eklen;
362 int ret = 0;
363 CMS_EncryptedContentInfo *ec;
364
365 ec = cms->d.envelopedData->encryptedContentInfo;
366
367 if (ktri->pkey == NULL) {
368 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT,
369 CMS_R_NO_PRIVATE_KEY);
370 return 0;
371 }
372
373 pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL);
374 if (!pctx)
375 return 0;
376
377 if (EVP_PKEY_decrypt_init(pctx) <= 0)
378 goto err;
379
380 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT,
381 EVP_PKEY_CTRL_CMS_DECRYPT, 0, ri) <= 0) {
382 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CTRL_ERROR);
383 goto err;
384 }
385
386 if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
387 ktri->encryptedKey->data,
388 ktri->encryptedKey->length) <= 0)
389 goto err;
390
391 ek = malloc(eklen);
392
393 if (ek == NULL) {
394 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT,
395 ERR_R_MALLOC_FAILURE);
396 goto err;
397 }
398
399 if (EVP_PKEY_decrypt(pctx, ek, &eklen,
400 ktri->encryptedKey->data,
401 ktri->encryptedKey->length) <= 0) {
402 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
403 goto err;
404 }
405
406 ret = 1;
407
408 if (ec->key) {
409 explicit_bzero(ec->key, ec->keylen);
410 free(ec->key);
411 }
412
413 ec->key = ek;
414 ec->keylen = eklen;
415
416err:
417 EVP_PKEY_CTX_free(pctx);
418 if (!ret && ek)
419 free(ek);
420
421 return ret;
422}
423
424/* Key Encrypted Key (KEK) RecipientInfo routines */
425
426int
427CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, const unsigned char *id,
428 size_t idlen)
429{
430 ASN1_OCTET_STRING tmp_os;
431 CMS_KEKRecipientInfo *kekri;
432
433 if (ri->type != CMS_RECIPINFO_KEK) {
434 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP, CMS_R_NOT_KEK);
435 return -2;
436 }
437 kekri = ri->d.kekri;
438 tmp_os.type = V_ASN1_OCTET_STRING;
439 tmp_os.flags = 0;
440 tmp_os.data = (unsigned char *)id;
441 tmp_os.length = (int)idlen;
442 return ASN1_OCTET_STRING_cmp(&tmp_os, kekri->kekid->keyIdentifier);
443}
444
445/* For now hard code AES key wrap info */
446
447static size_t
448aes_wrap_keylen(int nid)
449{
450 switch (nid) {
451 case NID_id_aes128_wrap:
452 return 16;
453 case NID_id_aes192_wrap:
454 return 24;
455 case NID_id_aes256_wrap:
456 return 32;
457 default:
458 return 0;
459 }
460}
461
462CMS_RecipientInfo *
463CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, unsigned char *key,
464 size_t keylen, unsigned char *id, size_t idlen, ASN1_GENERALIZEDTIME *date,
465 ASN1_OBJECT *otherTypeId, ASN1_TYPE *otherType)
466{
467 CMS_RecipientInfo *ri = NULL;
468 CMS_EnvelopedData *env;
469 CMS_KEKRecipientInfo *kekri;
470
471 env = cms_get0_enveloped(cms);
472 if (!env)
473 goto err;
474
475 if (nid == NID_undef) {
476 switch (keylen) {
477 case 16:
478 nid = NID_id_aes128_wrap;
479 break;
480 case 24:
481 nid = NID_id_aes192_wrap;
482 break;
483 case 32:
484 nid = NID_id_aes256_wrap;
485 break;
486 default:
487 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY,
488 CMS_R_INVALID_KEY_LENGTH);
489 goto err;
490 }
491 } else {
492 size_t exp_keylen = aes_wrap_keylen(nid);
493
494 if (!exp_keylen) {
495 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY,
496 CMS_R_UNSUPPORTED_KEK_ALGORITHM);
497 goto err;
498 }
499
500 if (keylen != exp_keylen) {
501 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY,
502 CMS_R_INVALID_KEY_LENGTH);
503 goto err;
504 }
505
506 }
507
508 /* Initialize recipient info */
509 ri = M_ASN1_new_of(CMS_RecipientInfo);
510 if (!ri)
511 goto merr;
512
513 ri->d.kekri = M_ASN1_new_of(CMS_KEKRecipientInfo);
514 if (!ri->d.kekri)
515 goto merr;
516 ri->type = CMS_RECIPINFO_KEK;
517
518 kekri = ri->d.kekri;
519
520 if (otherTypeId) {
521 kekri->kekid->other = M_ASN1_new_of(CMS_OtherKeyAttribute);
522 if (kekri->kekid->other == NULL)
523 goto merr;
524 }
525
526 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
527 goto merr;
528
529 /* After this point no calls can fail */
530
531 kekri->version = 4;
532
533 kekri->key = key;
534 kekri->keylen = keylen;
535
536 ASN1_STRING_set0(kekri->kekid->keyIdentifier, id, idlen);
537
538 kekri->kekid->date = date;
539
540 if (kekri->kekid->other) {
541 kekri->kekid->other->keyAttrId = otherTypeId;
542 kekri->kekid->other->keyAttr = otherType;
543 }
544
545 X509_ALGOR_set0(kekri->keyEncryptionAlgorithm,
546 OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL);
547
548 return ri;
549
550merr:
551 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, ERR_R_MALLOC_FAILURE);
552err:
553 if (ri)
554 M_ASN1_free_of(ri, CMS_RecipientInfo);
555 return NULL;
556}
557
558int
559CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg,
560 ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate,
561 ASN1_OBJECT **potherid, ASN1_TYPE **pothertype)
562{
563 CMS_KEKIdentifier *rkid;
564
565 if (ri->type != CMS_RECIPINFO_KEK) {
566 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID, CMS_R_NOT_KEK);
567 return 0;
568 }
569 rkid = ri->d.kekri->kekid;
570 if (palg)
571 *palg = ri->d.kekri->keyEncryptionAlgorithm;
572 if (pid)
573 *pid = rkid->keyIdentifier;
574 if (pdate)
575 *pdate = rkid->date;
576 if (potherid) {
577 if (rkid->other)
578 *potherid = rkid->other->keyAttrId;
579 else
580 *potherid = NULL;
581 }
582 if (pothertype) {
583 if (rkid->other)
584 *pothertype = rkid->other->keyAttr;
585 else
586 *pothertype = NULL;
587 }
588 return 1;
589}
590
591int
592CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key,
593 size_t keylen)
594{
595 CMS_KEKRecipientInfo *kekri;
596
597 if (ri->type != CMS_RECIPINFO_KEK) {
598 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY, CMS_R_NOT_KEK);
599 return 0;
600 }
601
602 kekri = ri->d.kekri;
603 kekri->key = key;
604 kekri->keylen = keylen;
605 return 1;
606}
607
608/* Encrypt content key in KEK recipient info */
609
610static int
611cms_RecipientInfo_kekri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
612{
613 CMS_EncryptedContentInfo *ec;
614 CMS_KEKRecipientInfo *kekri;
615 AES_KEY actx;
616 unsigned char *wkey = NULL;
617 int wkeylen;
618 int r = 0;
619
620 ec = cms->d.envelopedData->encryptedContentInfo;
621
622 kekri = ri->d.kekri;
623
624 if (!kekri->key) {
625 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_NO_KEY);
626 return 0;
627 }
628
629 if (AES_set_encrypt_key(kekri->key, kekri->keylen << 3, &actx)) {
630 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT,
631 CMS_R_ERROR_SETTING_KEY);
632 goto err;
633 }
634
635 wkey = malloc(ec->keylen + 8);
636
637 if (!wkey) {
638 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT,
639 ERR_R_MALLOC_FAILURE);
640 goto err;
641 }
642
643 wkeylen = AES_wrap_key(&actx, NULL, wkey, ec->key, ec->keylen);
644
645 if (wkeylen <= 0) {
646 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_WRAP_ERROR);
647 goto err;
648 }
649
650 ASN1_STRING_set0(kekri->encryptedKey, wkey, wkeylen);
651
652 r = 1;
653
654err:
655 if (!r && wkey)
656 free(wkey);
657 explicit_bzero(&actx, sizeof(actx));
658
659 return r;
660}
661
662/* Decrypt content key in KEK recipient info */
663
664static int
665cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
666{
667 CMS_EncryptedContentInfo *ec;
668 CMS_KEKRecipientInfo *kekri;
669 AES_KEY actx;
670 unsigned char *ukey = NULL;
671 int ukeylen;
672 int r = 0, wrap_nid;
673
674 ec = cms->d.envelopedData->encryptedContentInfo;
675
676 kekri = ri->d.kekri;
677
678 if (!kekri->key) {
679 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, CMS_R_NO_KEY);
680 return 0;
681 }
682
683 wrap_nid = OBJ_obj2nid(kekri->keyEncryptionAlgorithm->algorithm);
684 if (aes_wrap_keylen(wrap_nid) != kekri->keylen) {
685 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
686 CMS_R_INVALID_KEY_LENGTH);
687 return 0;
688 }
689
690 /* If encrypted key length is invalid don't bother */
691
692 if (kekri->encryptedKey->length < 16) {
693 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
694 CMS_R_INVALID_ENCRYPTED_KEY_LENGTH);
695 goto err;
696 }
697
698 if (AES_set_decrypt_key(kekri->key, kekri->keylen << 3, &actx)) {
699 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
700 CMS_R_ERROR_SETTING_KEY);
701 goto err;
702 }
703
704 ukey = malloc(kekri->encryptedKey->length - 8);
705
706 if (!ukey) {
707 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
708 ERR_R_MALLOC_FAILURE);
709 goto err;
710 }
711
712 ukeylen = AES_unwrap_key(&actx, NULL, ukey,
713 kekri->encryptedKey->data,
714 kekri->encryptedKey->length);
715
716 if (ukeylen <= 0) {
717 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
718 CMS_R_UNWRAP_ERROR);
719 goto err;
720 }
721
722 ec->key = ukey;
723 ec->keylen = ukeylen;
724
725 r = 1;
726
727err:
728 if (!r && ukey)
729 free(ukey);
730 explicit_bzero(&actx, sizeof(actx));
731
732 return r;
733}
734
735int
736CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
737{
738 switch (ri->type) {
739 case CMS_RECIPINFO_TRANS:
740 return cms_RecipientInfo_ktri_decrypt(cms, ri);
741 case CMS_RECIPINFO_KEK:
742 return cms_RecipientInfo_kekri_decrypt(cms, ri);
743 case CMS_RECIPINFO_PASS:
744 return cms_RecipientInfo_pwri_crypt(cms, ri, 0);
745 default:
746 CMSerr(CMS_F_CMS_RECIPIENTINFO_DECRYPT,
747 CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE);
748 return 0;
749 }
750}
751
752BIO *
753cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
754{
755 CMS_EncryptedContentInfo *ec;
756 STACK_OF(CMS_RecipientInfo) *rinfos;
757 CMS_RecipientInfo *ri;
758 int i, r, ok = 0;
759 BIO *ret;
760
761 /* Get BIO first to set up key */
762
763 ec = cms->d.envelopedData->encryptedContentInfo;
764 ret = cms_EncryptedContent_init_bio(ec);
765
766 /* If error or no cipher end of processing */
767
768 if (!ret || !ec->cipher)
769 return ret;
770
771 /* Now encrypt content key according to each RecipientInfo type */
772
773 rinfos = cms->d.envelopedData->recipientInfos;
774
775 for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
776 ri = sk_CMS_RecipientInfo_value(rinfos, i);
777
778 switch (ri->type) {
779 case CMS_RECIPINFO_TRANS:
780 r = cms_RecipientInfo_ktri_encrypt(cms, ri);
781 break;
782
783 case CMS_RECIPINFO_KEK:
784 r = cms_RecipientInfo_kekri_encrypt(cms, ri);
785 break;
786
787 case CMS_RECIPINFO_PASS:
788 r = cms_RecipientInfo_pwri_crypt(cms, ri, 1);
789 break;
790
791 default:
792 CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
793 CMS_R_UNSUPPORTED_RECIPIENT_TYPE);
794 goto err;
795 }
796
797 if (r <= 0) {
798 CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
799 CMS_R_ERROR_SETTING_RECIPIENTINFO);
800 goto err;
801 }
802 }
803
804 ok = 1;
805
806err:
807 ec->cipher = NULL;
808 if (ec->key) {
809 explicit_bzero(ec->key, ec->keylen);
810 free(ec->key);
811 ec->key = NULL;
812 ec->keylen = 0;
813 }
814 if (ok)
815 return ret;
816 BIO_free(ret);
817 return NULL;
818}
diff --git a/src/lib/libcrypto/cms/cms_err.c b/src/lib/libcrypto/cms/cms_err.c
deleted file mode 100644
index 4eb9188fd2..0000000000
--- a/src/lib/libcrypto/cms/cms_err.c
+++ /dev/null
@@ -1,245 +0,0 @@
1/* $OpenBSD: cms_err.c,v 1.4 2014/07/10 22:45:56 jsing Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/cms.h>
66#include <openssl/err.h>
67
68/* BEGIN ERROR CODES */
69#ifndef OPENSSL_NO_ERR
70
71#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CMS,func,0)
72#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CMS,0,reason)
73
74static ERR_STRING_DATA CMS_str_functs[]= {
75 {ERR_FUNC(CMS_F_CHECK_CONTENT), "CHECK_CONTENT"},
76 {ERR_FUNC(CMS_F_CMS_ADD0_CERT), "CMS_add0_cert"},
77 {ERR_FUNC(CMS_F_CMS_ADD0_RECIPIENT_KEY), "CMS_add0_recipient_key"},
78 {ERR_FUNC(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD), "CMS_add0_recipient_password"},
79 {ERR_FUNC(CMS_F_CMS_ADD1_RECEIPTREQUEST), "CMS_add1_ReceiptRequest"},
80 {ERR_FUNC(CMS_F_CMS_ADD1_RECIPIENT_CERT), "CMS_add1_recipient_cert"},
81 {ERR_FUNC(CMS_F_CMS_ADD1_SIGNER), "CMS_add1_signer"},
82 {ERR_FUNC(CMS_F_CMS_ADD1_SIGNINGTIME), "CMS_ADD1_SIGNINGTIME"},
83 {ERR_FUNC(CMS_F_CMS_COMPRESS), "CMS_compress"},
84 {ERR_FUNC(CMS_F_CMS_COMPRESSEDDATA_CREATE), "cms_CompressedData_create"},
85 {ERR_FUNC(CMS_F_CMS_COMPRESSEDDATA_INIT_BIO), "cms_CompressedData_init_bio"},
86 {ERR_FUNC(CMS_F_CMS_COPY_CONTENT), "CMS_COPY_CONTENT"},
87 {ERR_FUNC(CMS_F_CMS_COPY_MESSAGEDIGEST), "CMS_COPY_MESSAGEDIGEST"},
88 {ERR_FUNC(CMS_F_CMS_DATA), "CMS_data"},
89 {ERR_FUNC(CMS_F_CMS_DATAFINAL), "CMS_dataFinal"},
90 {ERR_FUNC(CMS_F_CMS_DATAINIT), "CMS_dataInit"},
91 {ERR_FUNC(CMS_F_CMS_DECRYPT), "CMS_decrypt"},
92 {ERR_FUNC(CMS_F_CMS_DECRYPT_SET1_KEY), "CMS_decrypt_set1_key"},
93 {ERR_FUNC(CMS_F_CMS_DECRYPT_SET1_PASSWORD), "CMS_decrypt_set1_password"},
94 {ERR_FUNC(CMS_F_CMS_DECRYPT_SET1_PKEY), "CMS_decrypt_set1_pkey"},
95 {ERR_FUNC(CMS_F_CMS_DIGESTALGORITHM_FIND_CTX), "cms_DigestAlgorithm_find_ctx"},
96 {ERR_FUNC(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO), "cms_DigestAlgorithm_init_bio"},
97 {ERR_FUNC(CMS_F_CMS_DIGESTEDDATA_DO_FINAL), "cms_DigestedData_do_final"},
98 {ERR_FUNC(CMS_F_CMS_DIGEST_VERIFY), "CMS_digest_verify"},
99 {ERR_FUNC(CMS_F_CMS_ENCODE_RECEIPT), "cms_encode_Receipt"},
100 {ERR_FUNC(CMS_F_CMS_ENCRYPT), "CMS_encrypt"},
101 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO), "cms_EncryptedContent_init_bio"},
102 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDDATA_DECRYPT), "CMS_EncryptedData_decrypt"},
103 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT), "CMS_EncryptedData_encrypt"},
104 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY), "CMS_EncryptedData_set1_key"},
105 {ERR_FUNC(CMS_F_CMS_ENVELOPEDDATA_CREATE), "CMS_EnvelopedData_create"},
106 {ERR_FUNC(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO), "cms_EnvelopedData_init_bio"},
107 {ERR_FUNC(CMS_F_CMS_ENVELOPED_DATA_INIT), "CMS_ENVELOPED_DATA_INIT"},
108 {ERR_FUNC(CMS_F_CMS_FINAL), "CMS_final"},
109 {ERR_FUNC(CMS_F_CMS_GET0_CERTIFICATE_CHOICES), "CMS_GET0_CERTIFICATE_CHOICES"},
110 {ERR_FUNC(CMS_F_CMS_GET0_CONTENT), "CMS_get0_content"},
111 {ERR_FUNC(CMS_F_CMS_GET0_ECONTENT_TYPE), "CMS_GET0_ECONTENT_TYPE"},
112 {ERR_FUNC(CMS_F_CMS_GET0_ENVELOPED), "cms_get0_enveloped"},
113 {ERR_FUNC(CMS_F_CMS_GET0_REVOCATION_CHOICES), "CMS_GET0_REVOCATION_CHOICES"},
114 {ERR_FUNC(CMS_F_CMS_GET0_SIGNED), "CMS_GET0_SIGNED"},
115 {ERR_FUNC(CMS_F_CMS_MSGSIGDIGEST_ADD1), "cms_msgSigDigest_add1"},
116 {ERR_FUNC(CMS_F_CMS_RECEIPTREQUEST_CREATE0), "CMS_ReceiptRequest_create0"},
117 {ERR_FUNC(CMS_F_CMS_RECEIPT_VERIFY), "cms_Receipt_verify"},
118 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_DECRYPT), "CMS_RecipientInfo_decrypt"},
119 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT), "CMS_RECIPIENTINFO_KEKRI_DECRYPT"},
120 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT), "CMS_RECIPIENTINFO_KEKRI_ENCRYPT"},
121 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID), "CMS_RecipientInfo_kekri_get0_id"},
122 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP), "CMS_RecipientInfo_kekri_id_cmp"},
123 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP), "CMS_RecipientInfo_ktri_cert_cmp"},
124 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT), "CMS_RECIPIENTINFO_KTRI_DECRYPT"},
125 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT), "CMS_RECIPIENTINFO_KTRI_ENCRYPT"},
126 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS), "CMS_RecipientInfo_ktri_get0_algs"},
127 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID), "CMS_RecipientInfo_ktri_get0_signer_id"},
128 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT), "cms_RecipientInfo_pwri_crypt"},
129 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_SET0_KEY), "CMS_RecipientInfo_set0_key"},
130 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD), "CMS_RecipientInfo_set0_password"},
131 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY), "CMS_RecipientInfo_set0_pkey"},
132 {ERR_FUNC(CMS_F_CMS_SET1_SIGNERIDENTIFIER), "cms_set1_SignerIdentifier"},
133 {ERR_FUNC(CMS_F_CMS_SET_DETACHED), "CMS_set_detached"},
134 {ERR_FUNC(CMS_F_CMS_SIGN), "CMS_sign"},
135 {ERR_FUNC(CMS_F_CMS_SIGNED_DATA_INIT), "CMS_SIGNED_DATA_INIT"},
136 {ERR_FUNC(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN), "CMS_SIGNERINFO_CONTENT_SIGN"},
137 {ERR_FUNC(CMS_F_CMS_SIGNERINFO_SIGN), "CMS_SignerInfo_sign"},
138 {ERR_FUNC(CMS_F_CMS_SIGNERINFO_VERIFY), "CMS_SignerInfo_verify"},
139 {ERR_FUNC(CMS_F_CMS_SIGNERINFO_VERIFY_CERT), "CMS_SIGNERINFO_VERIFY_CERT"},
140 {ERR_FUNC(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT), "CMS_SignerInfo_verify_content"},
141 {ERR_FUNC(CMS_F_CMS_SIGN_RECEIPT), "CMS_sign_receipt"},
142 {ERR_FUNC(CMS_F_CMS_STREAM), "CMS_stream"},
143 {ERR_FUNC(CMS_F_CMS_UNCOMPRESS), "CMS_uncompress"},
144 {ERR_FUNC(CMS_F_CMS_VERIFY), "CMS_verify"},
145 {0, NULL}
146};
147
148static ERR_STRING_DATA CMS_str_reasons[]= {
149 {ERR_REASON(CMS_R_ADD_SIGNER_ERROR) , "add signer error"},
150 {ERR_REASON(CMS_R_CERTIFICATE_ALREADY_PRESENT), "certificate already present"},
151 {ERR_REASON(CMS_R_CERTIFICATE_HAS_NO_KEYID), "certificate has no keyid"},
152 {ERR_REASON(CMS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
153 {ERR_REASON(CMS_R_CIPHER_INITIALISATION_ERROR), "cipher initialisation error"},
154 {ERR_REASON(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR), "cipher parameter initialisation error"},
155 {ERR_REASON(CMS_R_CMS_DATAFINAL_ERROR) , "cms datafinal error"},
156 {ERR_REASON(CMS_R_CMS_LIB) , "cms lib"},
157 {ERR_REASON(CMS_R_CONTENTIDENTIFIER_MISMATCH), "contentidentifier mismatch"},
158 {ERR_REASON(CMS_R_CONTENT_NOT_FOUND) , "content not found"},
159 {ERR_REASON(CMS_R_CONTENT_TYPE_MISMATCH) , "content type mismatch"},
160 {ERR_REASON(CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA), "content type not compressed data"},
161 {ERR_REASON(CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA), "content type not enveloped data"},
162 {ERR_REASON(CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA), "content type not signed data"},
163 {ERR_REASON(CMS_R_CONTENT_VERIFY_ERROR) , "content verify error"},
164 {ERR_REASON(CMS_R_CTRL_ERROR) , "ctrl error"},
165 {ERR_REASON(CMS_R_CTRL_FAILURE) , "ctrl failure"},
166 {ERR_REASON(CMS_R_DECRYPT_ERROR) , "decrypt error"},
167 {ERR_REASON(CMS_R_DIGEST_ERROR) , "digest error"},
168 {ERR_REASON(CMS_R_ERROR_GETTING_PUBLIC_KEY), "error getting public key"},
169 {ERR_REASON(CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE), "error reading messagedigest attribute"},
170 {ERR_REASON(CMS_R_ERROR_SETTING_KEY) , "error setting key"},
171 {ERR_REASON(CMS_R_ERROR_SETTING_RECIPIENTINFO), "error setting recipientinfo"},
172 {ERR_REASON(CMS_R_INVALID_ENCRYPTED_KEY_LENGTH), "invalid encrypted key length"},
173 {ERR_REASON(CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER), "invalid key encryption parameter"},
174 {ERR_REASON(CMS_R_INVALID_KEY_LENGTH) , "invalid key length"},
175 {ERR_REASON(CMS_R_MD_BIO_INIT_ERROR) , "md bio init error"},
176 {ERR_REASON(CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH), "messagedigest attribute wrong length"},
177 {ERR_REASON(CMS_R_MESSAGEDIGEST_WRONG_LENGTH), "messagedigest wrong length"},
178 {ERR_REASON(CMS_R_MSGSIGDIGEST_ERROR) , "msgsigdigest error"},
179 {ERR_REASON(CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE), "msgsigdigest verification failure"},
180 {ERR_REASON(CMS_R_MSGSIGDIGEST_WRONG_LENGTH), "msgsigdigest wrong length"},
181 {ERR_REASON(CMS_R_NEED_ONE_SIGNER) , "need one signer"},
182 {ERR_REASON(CMS_R_NOT_A_SIGNED_RECEIPT) , "not a signed receipt"},
183 {ERR_REASON(CMS_R_NOT_ENCRYPTED_DATA) , "not encrypted data"},
184 {ERR_REASON(CMS_R_NOT_KEK) , "not kek"},
185 {ERR_REASON(CMS_R_NOT_KEY_TRANSPORT) , "not key transport"},
186 {ERR_REASON(CMS_R_NOT_PWRI) , "not pwri"},
187 {ERR_REASON(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE), "not supported for this key type"},
188 {ERR_REASON(CMS_R_NO_CIPHER) , "no cipher"},
189 {ERR_REASON(CMS_R_NO_CONTENT) , "no content"},
190 {ERR_REASON(CMS_R_NO_CONTENT_TYPE) , "no content type"},
191 {ERR_REASON(CMS_R_NO_DEFAULT_DIGEST) , "no default digest"},
192 {ERR_REASON(CMS_R_NO_DIGEST_SET) , "no digest set"},
193 {ERR_REASON(CMS_R_NO_KEY) , "no key"},
194 {ERR_REASON(CMS_R_NO_KEY_OR_CERT) , "no key or cert"},
195 {ERR_REASON(CMS_R_NO_MATCHING_DIGEST) , "no matching digest"},
196 {ERR_REASON(CMS_R_NO_MATCHING_RECIPIENT) , "no matching recipient"},
197 {ERR_REASON(CMS_R_NO_MATCHING_SIGNATURE) , "no matching signature"},
198 {ERR_REASON(CMS_R_NO_MSGSIGDIGEST) , "no msgsigdigest"},
199 {ERR_REASON(CMS_R_NO_PASSWORD) , "no password"},
200 {ERR_REASON(CMS_R_NO_PRIVATE_KEY) , "no private key"},
201 {ERR_REASON(CMS_R_NO_PUBLIC_KEY) , "no public key"},
202 {ERR_REASON(CMS_R_NO_RECEIPT_REQUEST) , "no receipt request"},
203 {ERR_REASON(CMS_R_NO_SIGNERS) , "no signers"},
204 {ERR_REASON(CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"},
205 {ERR_REASON(CMS_R_RECEIPT_DECODE_ERROR) , "receipt decode error"},
206 {ERR_REASON(CMS_R_RECIPIENT_ERROR) , "recipient error"},
207 {ERR_REASON(CMS_R_SIGNER_CERTIFICATE_NOT_FOUND), "signer certificate not found"},
208 {ERR_REASON(CMS_R_SIGNFINAL_ERROR) , "signfinal error"},
209 {ERR_REASON(CMS_R_SMIME_TEXT_ERROR) , "smime text error"},
210 {ERR_REASON(CMS_R_STORE_INIT_ERROR) , "store init error"},
211 {ERR_REASON(CMS_R_TYPE_NOT_COMPRESSED_DATA), "type not compressed data"},
212 {ERR_REASON(CMS_R_TYPE_NOT_DATA) , "type not data"},
213 {ERR_REASON(CMS_R_TYPE_NOT_DIGESTED_DATA), "type not digested data"},
214 {ERR_REASON(CMS_R_TYPE_NOT_ENCRYPTED_DATA), "type not encrypted data"},
215 {ERR_REASON(CMS_R_TYPE_NOT_ENVELOPED_DATA), "type not enveloped data"},
216 {ERR_REASON(CMS_R_UNABLE_TO_FINALIZE_CONTEXT), "unable to finalize context"},
217 {ERR_REASON(CMS_R_UNKNOWN_CIPHER) , "unknown cipher"},
218 {ERR_REASON(CMS_R_UNKNOWN_DIGEST_ALGORIHM), "unknown digest algorihm"},
219 {ERR_REASON(CMS_R_UNKNOWN_ID) , "unknown id"},
220 {ERR_REASON(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "unsupported compression algorithm"},
221 {ERR_REASON(CMS_R_UNSUPPORTED_CONTENT_TYPE), "unsupported content type"},
222 {ERR_REASON(CMS_R_UNSUPPORTED_KEK_ALGORITHM), "unsupported kek algorithm"},
223 {ERR_REASON(CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM), "unsupported key encryption algorithm"},
224 {ERR_REASON(CMS_R_UNSUPPORTED_RECIPIENT_TYPE), "unsupported recipient type"},
225 {ERR_REASON(CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE), "unsupported recpientinfo type"},
226 {ERR_REASON(CMS_R_UNSUPPORTED_TYPE) , "unsupported type"},
227 {ERR_REASON(CMS_R_UNWRAP_ERROR) , "unwrap error"},
228 {ERR_REASON(CMS_R_UNWRAP_FAILURE) , "unwrap failure"},
229 {ERR_REASON(CMS_R_VERIFICATION_FAILURE) , "verification failure"},
230 {ERR_REASON(CMS_R_WRAP_ERROR) , "wrap error"},
231 {0, NULL}
232};
233
234#endif
235
236void
237ERR_load_CMS_strings(void)
238{
239#ifndef OPENSSL_NO_ERR
240 if (ERR_func_error_string(CMS_str_functs[0].error) == NULL) {
241 ERR_load_strings(0, CMS_str_functs);
242 ERR_load_strings(0, CMS_str_reasons);
243 }
244#endif
245}
diff --git a/src/lib/libcrypto/cms/cms_ess.c b/src/lib/libcrypto/cms/cms_ess.c
deleted file mode 100644
index fca62e0627..0000000000
--- a/src/lib/libcrypto/cms/cms_ess.c
+++ /dev/null
@@ -1,385 +0,0 @@
1/* $OpenBSD: cms_ess.c,v 1.7 2014/10/22 13:02:04 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <stdlib.h>
55
56#include <openssl/asn1t.h>
57#include <openssl/cms.h>
58#include <openssl/err.h>
59#include <openssl/pem.h>
60#include <openssl/x509v3.h>
61
62#include "cms_lcl.h"
63
64DECLARE_ASN1_ITEM(CMS_ReceiptRequest)
65DECLARE_ASN1_ITEM(CMS_Receipt)
66
67IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest)
68
69/* ESS services: for now just Signed Receipt related */
70
71int
72CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
73{
74 ASN1_STRING *str;
75 CMS_ReceiptRequest *rr = NULL;
76
77 if (prr)
78 *prr = NULL;
79 str = CMS_signed_get0_data_by_OBJ(si,
80 OBJ_nid2obj(NID_id_smime_aa_receiptRequest),
81 -3, V_ASN1_SEQUENCE);
82 if (!str)
83 return 0;
84
85 rr = ASN1_item_unpack(str, ASN1_ITEM_rptr(CMS_ReceiptRequest));
86 if (!rr)
87 return -1;
88 if (prr)
89 *prr = rr;
90 else
91 CMS_ReceiptRequest_free(rr);
92 return 1;
93}
94
95CMS_ReceiptRequest *
96CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst,
97 STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo)
98{
99 CMS_ReceiptRequest *rr = NULL;
100
101 rr = CMS_ReceiptRequest_new();
102 if (!rr)
103 goto merr;
104 if (id)
105 ASN1_STRING_set0(rr->signedContentIdentifier, id, idlen);
106 else {
107 if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32))
108 goto merr;
109 arc4random_buf(rr->signedContentIdentifier->data, 32);
110 }
111
112 sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free);
113 rr->receiptsTo = receiptsTo;
114
115 if (receiptList) {
116 rr->receiptsFrom->type = 1;
117 rr->receiptsFrom->d.receiptList = receiptList;
118 } else {
119 rr->receiptsFrom->type = 0;
120 rr->receiptsFrom->d.allOrFirstTier = allorfirst;
121 }
122
123 return rr;
124
125merr:
126 CMSerr(CMS_F_CMS_RECEIPTREQUEST_CREATE0, ERR_R_MALLOC_FAILURE);
127err:
128 if (rr)
129 CMS_ReceiptRequest_free(rr);
130 return NULL;
131}
132
133int
134CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr)
135{
136 unsigned char *rrder = NULL;
137 int rrderlen, r = 0;
138
139 rrderlen = i2d_CMS_ReceiptRequest(rr, &rrder);
140 if (rrderlen < 0)
141 goto merr;
142
143 if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest,
144 V_ASN1_SEQUENCE, rrder, rrderlen))
145 goto merr;
146
147 r = 1;
148
149merr:
150 if (!r)
151 CMSerr(CMS_F_CMS_ADD1_RECEIPTREQUEST, ERR_R_MALLOC_FAILURE);
152 free(rrder);
153 return r;
154}
155
156void
157CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid,
158 int *pallorfirst, STACK_OF(GENERAL_NAMES) **plist,
159 STACK_OF(GENERAL_NAMES) **prto)
160{
161 if (pcid)
162 *pcid = rr->signedContentIdentifier;
163 if (rr->receiptsFrom->type == 0) {
164 if (pallorfirst)
165 *pallorfirst = (int)rr->receiptsFrom->d.allOrFirstTier;
166 if (plist)
167 *plist = NULL;
168 } else {
169 if (pallorfirst)
170 *pallorfirst = -1;
171 if (plist)
172 *plist = rr->receiptsFrom->d.receiptList;
173 }
174 if (prto)
175 *prto = rr->receiptsTo;
176}
177
178/* Digest a SignerInfo structure for msgSigDigest attribute processing */
179
180static int
181cms_msgSigDigest(CMS_SignerInfo *si, unsigned char *dig, unsigned int *diglen)
182{
183 const EVP_MD *md;
184
185 md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
186 if (md == NULL)
187 return 0;
188 if (!ASN1_item_digest(ASN1_ITEM_rptr(CMS_Attributes_Verify), md,
189 si->signedAttrs, dig, diglen))
190 return 0;
191 return 1;
192}
193
194/* Add a msgSigDigest attribute to a SignerInfo */
195
196int
197cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src)
198{
199 unsigned char dig[EVP_MAX_MD_SIZE];
200 unsigned int diglen;
201
202 if (!cms_msgSigDigest(src, dig, &diglen)) {
203 CMSerr(CMS_F_CMS_MSGSIGDIGEST_ADD1, CMS_R_MSGSIGDIGEST_ERROR);
204 return 0;
205 }
206 if (!CMS_signed_add1_attr_by_NID(dest, NID_id_smime_aa_msgSigDigest,
207 V_ASN1_OCTET_STRING, dig, diglen)) {
208 CMSerr(CMS_F_CMS_MSGSIGDIGEST_ADD1, ERR_R_MALLOC_FAILURE);
209 return 0;
210 }
211 return 1;
212}
213
214/* Verify signed receipt after it has already passed normal CMS verify */
215
216int
217cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms)
218{
219 int r = 0, i;
220 CMS_ReceiptRequest *rr = NULL;
221 CMS_Receipt *rct = NULL;
222 STACK_OF(CMS_SignerInfo) *sis, *osis;
223 CMS_SignerInfo *si, *osi = NULL;
224 ASN1_OCTET_STRING *msig, **pcont;
225 ASN1_OBJECT *octype;
226 unsigned char dig[EVP_MAX_MD_SIZE];
227 unsigned int diglen;
228
229 /* Get SignerInfos, also checks SignedData content type */
230 osis = CMS_get0_SignerInfos(req_cms);
231 sis = CMS_get0_SignerInfos(cms);
232 if (!osis || !sis)
233 goto err;
234
235 if (sk_CMS_SignerInfo_num(sis) != 1) {
236 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NEED_ONE_SIGNER);
237 goto err;
238 }
239
240 /* Check receipt content type */
241 if (OBJ_obj2nid(CMS_get0_eContentType(cms)) != NID_id_smime_ct_receipt) {
242 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NOT_A_SIGNED_RECEIPT);
243 goto err;
244 }
245
246 /* Extract and decode receipt content */
247 pcont = CMS_get0_content(cms);
248 if (!pcont || !*pcont) {
249 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_CONTENT);
250 goto err;
251 }
252
253 rct = ASN1_item_unpack(*pcont, ASN1_ITEM_rptr(CMS_Receipt));
254
255 if (!rct) {
256 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_RECEIPT_DECODE_ERROR);
257 goto err;
258 }
259
260 /* Locate original request */
261
262 for (i = 0; i < sk_CMS_SignerInfo_num(osis); i++) {
263 osi = sk_CMS_SignerInfo_value(osis, i);
264 if (!ASN1_STRING_cmp(osi->signature,
265 rct->originatorSignatureValue))
266 break;
267 }
268
269 if (i == sk_CMS_SignerInfo_num(osis)) {
270 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_MATCHING_SIGNATURE);
271 goto err;
272 }
273
274 si = sk_CMS_SignerInfo_value(sis, 0);
275
276 /* Get msgSigDigest value and compare */
277
278 msig = CMS_signed_get0_data_by_OBJ(si,
279 OBJ_nid2obj(NID_id_smime_aa_msgSigDigest), -3, V_ASN1_OCTET_STRING);
280
281 if (!msig) {
282 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_MSGSIGDIGEST);
283 goto err;
284 }
285
286 if (!cms_msgSigDigest(osi, dig, &diglen)) {
287 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_MSGSIGDIGEST_ERROR);
288 goto err;
289 }
290
291 if (diglen != (unsigned int)msig->length) {
292 CMSerr(CMS_F_CMS_RECEIPT_VERIFY,
293 CMS_R_MSGSIGDIGEST_WRONG_LENGTH);
294 goto err;
295 }
296
297 if (memcmp(dig, msig->data, diglen)) {
298 CMSerr(CMS_F_CMS_RECEIPT_VERIFY,
299 CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE);
300 goto err;
301 }
302
303 /* Compare content types */
304
305 octype = CMS_signed_get0_data_by_OBJ(osi,
306 OBJ_nid2obj(NID_pkcs9_contentType), -3, V_ASN1_OBJECT);
307 if (!octype) {
308 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_CONTENT_TYPE);
309 goto err;
310 }
311
312 /* Compare details in receipt request */
313
314 if (OBJ_cmp(octype, rct->contentType)) {
315 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_CONTENT_TYPE_MISMATCH);
316 goto err;
317 }
318
319 /* Get original receipt request details */
320
321 if (CMS_get1_ReceiptRequest(osi, &rr) <= 0) {
322 CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_RECEIPT_REQUEST);
323 goto err;
324 }
325
326 if (ASN1_STRING_cmp(rr->signedContentIdentifier,
327 rct->signedContentIdentifier)) {
328 CMSerr(CMS_F_CMS_RECEIPT_VERIFY,
329 CMS_R_CONTENTIDENTIFIER_MISMATCH);
330 goto err;
331 }
332
333 r = 1;
334
335err:
336 if (rr)
337 CMS_ReceiptRequest_free(rr);
338 if (rct)
339 M_ASN1_free_of(rct, CMS_Receipt);
340
341 return r;
342}
343
344/* Encode a Receipt into an OCTET STRING read for including into content of
345 * a SignedData ContentInfo.
346 */
347
348ASN1_OCTET_STRING *
349cms_encode_Receipt(CMS_SignerInfo *si)
350{
351 CMS_Receipt rct;
352 CMS_ReceiptRequest *rr = NULL;
353 ASN1_OBJECT *ctype;
354 ASN1_OCTET_STRING *os = NULL;
355
356 /* Get original receipt request */
357
358 /* Get original receipt request details */
359
360 if (CMS_get1_ReceiptRequest(si, &rr) <= 0) {
361 CMSerr(CMS_F_CMS_ENCODE_RECEIPT, CMS_R_NO_RECEIPT_REQUEST);
362 goto err;
363 }
364
365 /* Get original content type */
366
367 ctype = CMS_signed_get0_data_by_OBJ(si,
368 OBJ_nid2obj(NID_pkcs9_contentType), -3, V_ASN1_OBJECT);
369 if (!ctype) {
370 CMSerr(CMS_F_CMS_ENCODE_RECEIPT, CMS_R_NO_CONTENT_TYPE);
371 goto err;
372 }
373
374 rct.version = 1;
375 rct.contentType = ctype;
376 rct.signedContentIdentifier = rr->signedContentIdentifier;
377 rct.originatorSignatureValue = si->signature;
378
379 os = ASN1_item_pack(&rct, ASN1_ITEM_rptr(CMS_Receipt), NULL);
380
381err:
382 if (rr)
383 CMS_ReceiptRequest_free(rr);
384 return os;
385}
diff --git a/src/lib/libcrypto/cms/cms_io.c b/src/lib/libcrypto/cms/cms_io.c
deleted file mode 100644
index c26def099c..0000000000
--- a/src/lib/libcrypto/cms/cms_io.c
+++ /dev/null
@@ -1,139 +0,0 @@
1/* $OpenBSD: cms_io.c,v 1.3 2014/06/12 15:49:28 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/asn1t.h>
55#include <openssl/x509.h>
56#include <openssl/err.h>
57#include <openssl/pem.h>
58#include "cms.h"
59#include "cms_lcl.h"
60
61int
62CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms)
63{
64 ASN1_OCTET_STRING **pos;
65
66 pos = CMS_get0_content(cms);
67 if (!pos)
68 return 0;
69 if (!*pos)
70 *pos = ASN1_OCTET_STRING_new();
71 if (*pos) {
72 (*pos)->flags |= ASN1_STRING_FLAG_NDEF;
73 (*pos)->flags &= ~ASN1_STRING_FLAG_CONT;
74 *boundary = &(*pos)->data;
75 return 1;
76 }
77 CMSerr(CMS_F_CMS_STREAM, ERR_R_MALLOC_FAILURE);
78 return 0;
79}
80
81CMS_ContentInfo *
82d2i_CMS_bio(BIO *bp, CMS_ContentInfo **cms)
83{
84 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(CMS_ContentInfo), bp, cms);
85}
86
87int
88i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms)
89{
90 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(CMS_ContentInfo), bp, cms);
91}
92
93IMPLEMENT_PEM_rw_const(CMS, CMS_ContentInfo, PEM_STRING_CMS, CMS_ContentInfo)
94
95BIO *
96BIO_new_CMS(BIO *out, CMS_ContentInfo *cms)
97{
98 return BIO_new_NDEF(out, (ASN1_VALUE *)cms,
99 ASN1_ITEM_rptr(CMS_ContentInfo));
100}
101
102/* CMS wrappers round generalised stream and MIME routines */
103
104int
105i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags)
106{
107 return i2d_ASN1_bio_stream(out, (ASN1_VALUE *)cms, in, flags,
108 ASN1_ITEM_rptr(CMS_ContentInfo));
109}
110
111int
112PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags)
113{
114 return PEM_write_bio_ASN1_stream(out, (ASN1_VALUE *) cms, in, flags,
115 "CMS", ASN1_ITEM_rptr(CMS_ContentInfo));
116}
117
118int
119SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags)
120{
121 STACK_OF(X509_ALGOR) *mdalgs;
122 int ctype_nid = OBJ_obj2nid(cms->contentType);
123 int econt_nid = OBJ_obj2nid(CMS_get0_eContentType(cms));
124
125 if (ctype_nid == NID_pkcs7_signed)
126 mdalgs = cms->d.signedData->digestAlgorithms;
127 else
128 mdalgs = NULL;
129
130 return SMIME_write_ASN1(bio, (ASN1_VALUE *)cms, data, flags,
131 ctype_nid, econt_nid, mdalgs, ASN1_ITEM_rptr(CMS_ContentInfo));
132}
133
134CMS_ContentInfo *
135SMIME_read_CMS(BIO *bio, BIO **bcont)
136{
137 return (CMS_ContentInfo *)SMIME_read_ASN1(bio, bcont,
138 ASN1_ITEM_rptr(CMS_ContentInfo));
139}
diff --git a/src/lib/libcrypto/cms/cms_lcl.h b/src/lib/libcrypto/cms/cms_lcl.h
deleted file mode 100644
index d5feec0969..0000000000
--- a/src/lib/libcrypto/cms/cms_lcl.h
+++ /dev/null
@@ -1,438 +0,0 @@
1/* $OpenBSD: cms_lcl.h,v 1.3 2014/06/12 15:49:28 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#ifndef HEADER_CMS_LCL_H
55#define HEADER_CMS_LCL_H
56
57#ifdef __cplusplus
58extern "C" {
59#endif
60
61#include <openssl/x509.h>
62
63/* Cryptographic message syntax (CMS) structures: taken
64 * from RFC3852
65 */
66
67/* Forward references */
68
69typedef struct CMS_IssuerAndSerialNumber_st CMS_IssuerAndSerialNumber;
70typedef struct CMS_EncapsulatedContentInfo_st CMS_EncapsulatedContentInfo;
71typedef struct CMS_SignerIdentifier_st CMS_SignerIdentifier;
72typedef struct CMS_SignedData_st CMS_SignedData;
73typedef struct CMS_OtherRevocationInfoFormat_st CMS_OtherRevocationInfoFormat;
74typedef struct CMS_OriginatorInfo_st CMS_OriginatorInfo;
75typedef struct CMS_EncryptedContentInfo_st CMS_EncryptedContentInfo;
76typedef struct CMS_EnvelopedData_st CMS_EnvelopedData;
77typedef struct CMS_DigestedData_st CMS_DigestedData;
78typedef struct CMS_EncryptedData_st CMS_EncryptedData;
79typedef struct CMS_AuthenticatedData_st CMS_AuthenticatedData;
80typedef struct CMS_CompressedData_st CMS_CompressedData;
81typedef struct CMS_OtherCertificateFormat_st CMS_OtherCertificateFormat;
82typedef struct CMS_KeyTransRecipientInfo_st CMS_KeyTransRecipientInfo;
83typedef struct CMS_OriginatorPublicKey_st CMS_OriginatorPublicKey;
84typedef struct CMS_OriginatorIdentifierOrKey_st CMS_OriginatorIdentifierOrKey;
85typedef struct CMS_KeyAgreeRecipientInfo_st CMS_KeyAgreeRecipientInfo;
86typedef struct CMS_OtherKeyAttribute_st CMS_OtherKeyAttribute;
87typedef struct CMS_RecipientKeyIdentifier_st CMS_RecipientKeyIdentifier;
88typedef struct CMS_KeyAgreeRecipientIdentifier_st CMS_KeyAgreeRecipientIdentifier;
89typedef struct CMS_RecipientEncryptedKey_st CMS_RecipientEncryptedKey;
90typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier;
91typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo;
92typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo;
93typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo;
94typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom;
95
96struct CMS_ContentInfo_st {
97 ASN1_OBJECT *contentType;
98 union {
99 ASN1_OCTET_STRING *data;
100 CMS_SignedData *signedData;
101 CMS_EnvelopedData *envelopedData;
102 CMS_DigestedData *digestedData;
103 CMS_EncryptedData *encryptedData;
104 CMS_AuthenticatedData *authenticatedData;
105 CMS_CompressedData *compressedData;
106 ASN1_TYPE *other;
107 /* Other types ... */
108 void *otherData;
109 } d;
110};
111
112struct CMS_SignedData_st {
113 long version;
114 STACK_OF(X509_ALGOR) *digestAlgorithms;
115 CMS_EncapsulatedContentInfo *encapContentInfo;
116 STACK_OF(CMS_CertificateChoices) *certificates;
117 STACK_OF(CMS_RevocationInfoChoice) *crls;
118 STACK_OF(CMS_SignerInfo) *signerInfos;
119};
120
121struct CMS_EncapsulatedContentInfo_st {
122 ASN1_OBJECT *eContentType;
123 ASN1_OCTET_STRING *eContent;
124 /* Set to 1 if incomplete structure only part set up */
125 int partial;
126};
127
128struct CMS_SignerInfo_st {
129 long version;
130 CMS_SignerIdentifier *sid;
131 X509_ALGOR *digestAlgorithm;
132 STACK_OF(X509_ATTRIBUTE) *signedAttrs;
133 X509_ALGOR *signatureAlgorithm;
134 ASN1_OCTET_STRING *signature;
135 STACK_OF(X509_ATTRIBUTE) *unsignedAttrs;
136 /* Signing certificate and key */
137 X509 *signer;
138 EVP_PKEY *pkey;
139};
140
141struct CMS_SignerIdentifier_st {
142 int type;
143 union {
144 CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
145 ASN1_OCTET_STRING *subjectKeyIdentifier;
146 } d;
147};
148
149struct CMS_EnvelopedData_st {
150 long version;
151 CMS_OriginatorInfo *originatorInfo;
152 STACK_OF(CMS_RecipientInfo) *recipientInfos;
153 CMS_EncryptedContentInfo *encryptedContentInfo;
154 STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs;
155};
156
157struct CMS_OriginatorInfo_st {
158 STACK_OF(CMS_CertificateChoices) *certificates;
159 STACK_OF(CMS_RevocationInfoChoice) *crls;
160};
161
162struct CMS_EncryptedContentInfo_st {
163 ASN1_OBJECT *contentType;
164 X509_ALGOR *contentEncryptionAlgorithm;
165 ASN1_OCTET_STRING *encryptedContent;
166 /* Content encryption algorithm and key */
167 const EVP_CIPHER *cipher;
168 unsigned char *key;
169 size_t keylen;
170 /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
171 int debug;
172};
173
174struct CMS_RecipientInfo_st {
175 int type;
176 union {
177 CMS_KeyTransRecipientInfo *ktri;
178 CMS_KeyAgreeRecipientInfo *kari;
179 CMS_KEKRecipientInfo *kekri;
180 CMS_PasswordRecipientInfo *pwri;
181 CMS_OtherRecipientInfo *ori;
182 } d;
183};
184
185typedef CMS_SignerIdentifier CMS_RecipientIdentifier;
186
187struct CMS_KeyTransRecipientInfo_st {
188 long version;
189 CMS_RecipientIdentifier *rid;
190 X509_ALGOR *keyEncryptionAlgorithm;
191 ASN1_OCTET_STRING *encryptedKey;
192 /* Recipient Key and cert */
193 X509 *recip;
194 EVP_PKEY *pkey;
195};
196
197struct CMS_KeyAgreeRecipientInfo_st {
198 long version;
199 CMS_OriginatorIdentifierOrKey *originator;
200 ASN1_OCTET_STRING *ukm;
201 X509_ALGOR *keyEncryptionAlgorithm;
202 STACK_OF(CMS_RecipientEncryptedKey) *recipientEncryptedKeys;
203};
204
205struct CMS_OriginatorIdentifierOrKey_st {
206 int type;
207 union {
208 CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
209 ASN1_OCTET_STRING *subjectKeyIdentifier;
210 CMS_OriginatorPublicKey *originatorKey;
211 } d;
212};
213
214struct CMS_OriginatorPublicKey_st {
215 X509_ALGOR *algorithm;
216 ASN1_BIT_STRING *publicKey;
217};
218
219struct CMS_RecipientEncryptedKey_st {
220 CMS_KeyAgreeRecipientIdentifier *rid;
221 ASN1_OCTET_STRING *encryptedKey;
222};
223
224struct CMS_KeyAgreeRecipientIdentifier_st {
225 int type;
226 union {
227 CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
228 CMS_RecipientKeyIdentifier *rKeyId;
229 } d;
230};
231
232struct CMS_RecipientKeyIdentifier_st {
233 ASN1_OCTET_STRING *subjectKeyIdentifier;
234 ASN1_GENERALIZEDTIME *date;
235 CMS_OtherKeyAttribute *other;
236};
237
238struct CMS_KEKRecipientInfo_st {
239 long version;
240 CMS_KEKIdentifier *kekid;
241 X509_ALGOR *keyEncryptionAlgorithm;
242 ASN1_OCTET_STRING *encryptedKey;
243 /* Extra info: symmetric key to use */
244 unsigned char *key;
245 size_t keylen;
246};
247
248struct CMS_KEKIdentifier_st {
249 ASN1_OCTET_STRING *keyIdentifier;
250 ASN1_GENERALIZEDTIME *date;
251 CMS_OtherKeyAttribute *other;
252};
253
254struct CMS_PasswordRecipientInfo_st {
255 long version;
256 X509_ALGOR *keyDerivationAlgorithm;
257 X509_ALGOR *keyEncryptionAlgorithm;
258 ASN1_OCTET_STRING *encryptedKey;
259 /* Extra info: password to use */
260 unsigned char *pass;
261 size_t passlen;
262};
263
264struct CMS_OtherRecipientInfo_st {
265 ASN1_OBJECT *oriType;
266 ASN1_TYPE *oriValue;
267};
268
269struct CMS_DigestedData_st {
270 long version;
271 X509_ALGOR *digestAlgorithm;
272 CMS_EncapsulatedContentInfo *encapContentInfo;
273 ASN1_OCTET_STRING *digest;
274};
275
276struct CMS_EncryptedData_st {
277 long version;
278 CMS_EncryptedContentInfo *encryptedContentInfo;
279 STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs;
280};
281
282struct CMS_AuthenticatedData_st {
283 long version;
284 CMS_OriginatorInfo *originatorInfo;
285 STACK_OF(CMS_RecipientInfo) *recipientInfos;
286 X509_ALGOR *macAlgorithm;
287 X509_ALGOR *digestAlgorithm;
288 CMS_EncapsulatedContentInfo *encapContentInfo;
289 STACK_OF(X509_ATTRIBUTE) *authAttrs;
290 ASN1_OCTET_STRING *mac;
291 STACK_OF(X509_ATTRIBUTE) *unauthAttrs;
292};
293
294struct CMS_CompressedData_st {
295 long version;
296 X509_ALGOR *compressionAlgorithm;
297 STACK_OF(CMS_RecipientInfo) *recipientInfos;
298 CMS_EncapsulatedContentInfo *encapContentInfo;
299};
300
301struct CMS_RevocationInfoChoice_st {
302 int type;
303 union {
304 X509_CRL *crl;
305 CMS_OtherRevocationInfoFormat *other;
306 } d;
307};
308
309#define CMS_REVCHOICE_CRL 0
310#define CMS_REVCHOICE_OTHER 1
311
312struct CMS_OtherRevocationInfoFormat_st {
313 ASN1_OBJECT *otherRevInfoFormat;
314 ASN1_TYPE *otherRevInfo;
315};
316
317struct CMS_CertificateChoices {
318 int type;
319 union {
320 X509 *certificate;
321 ASN1_STRING *extendedCertificate; /* Obsolete */
322 ASN1_STRING *v1AttrCert; /* Left encoded for now */
323 ASN1_STRING *v2AttrCert; /* Left encoded for now */
324 CMS_OtherCertificateFormat *other;
325 } d;
326};
327
328#define CMS_CERTCHOICE_CERT 0
329#define CMS_CERTCHOICE_EXCERT 1
330#define CMS_CERTCHOICE_V1ACERT 2
331#define CMS_CERTCHOICE_V2ACERT 3
332#define CMS_CERTCHOICE_OTHER 4
333
334struct CMS_OtherCertificateFormat_st {
335 ASN1_OBJECT *otherCertFormat;
336 ASN1_TYPE *otherCert;
337};
338
339/* This is also defined in pkcs7.h but we duplicate it
340 * to allow the CMS code to be independent of PKCS#7
341 */
342
343struct CMS_IssuerAndSerialNumber_st {
344 X509_NAME *issuer;
345 ASN1_INTEGER *serialNumber;
346};
347
348struct CMS_OtherKeyAttribute_st {
349 ASN1_OBJECT *keyAttrId;
350 ASN1_TYPE *keyAttr;
351};
352
353/* ESS structures */
354
355#ifdef HEADER_X509V3_H
356
357struct CMS_ReceiptRequest_st {
358 ASN1_OCTET_STRING *signedContentIdentifier;
359 CMS_ReceiptsFrom *receiptsFrom;
360 STACK_OF(GENERAL_NAMES) *receiptsTo;
361};
362
363
364struct CMS_ReceiptsFrom_st {
365 int type;
366 union
367 {
368 long allOrFirstTier;
369 STACK_OF(GENERAL_NAMES) *receiptList;
370 } d;
371};
372#endif
373
374struct CMS_Receipt_st {
375 long version;
376 ASN1_OBJECT *contentType;
377 ASN1_OCTET_STRING *signedContentIdentifier;
378 ASN1_OCTET_STRING *originatorSignatureValue;
379};
380
381DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo)
382DECLARE_ASN1_ITEM(CMS_SignerInfo)
383DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber)
384DECLARE_ASN1_ITEM(CMS_Attributes_Sign)
385DECLARE_ASN1_ITEM(CMS_Attributes_Verify)
386DECLARE_ASN1_ITEM(CMS_RecipientInfo)
387DECLARE_ASN1_ITEM(CMS_PasswordRecipientInfo)
388DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerAndSerialNumber)
389
390#define CMS_SIGNERINFO_ISSUER_SERIAL 0
391#define CMS_SIGNERINFO_KEYIDENTIFIER 1
392
393#define CMS_RECIPINFO_ISSUER_SERIAL 0
394#define CMS_RECIPINFO_KEYIDENTIFIER 1
395
396BIO *cms_content_bio(CMS_ContentInfo *cms);
397
398CMS_ContentInfo *cms_Data_create(void);
399
400CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md);
401BIO *cms_DigestedData_init_bio(CMS_ContentInfo *cms);
402int cms_DigestedData_do_final(CMS_ContentInfo *cms, BIO *chain, int verify);
403
404BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms);
405int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain);
406int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type);
407int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid,
408 ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno);
409int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert);
410
411CMS_ContentInfo *cms_CompressedData_create(int comp_nid);
412BIO *cms_CompressedData_init_bio(CMS_ContentInfo *cms);
413
414void cms_DigestAlgorithm_set(X509_ALGOR *alg, const EVP_MD *md);
415BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm);
416int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
417 X509_ALGOR *mdalg);
418
419BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec);
420BIO *cms_EncryptedData_init_bio(CMS_ContentInfo *cms);
421int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec,
422 const EVP_CIPHER *cipher, const unsigned char *key, size_t keylen);
423
424int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms);
425int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src);
426ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si);
427
428BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
429CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms);
430
431/* PWRI routines */
432int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
433 int en_de);
434
435#ifdef __cplusplus
436}
437#endif
438#endif
diff --git a/src/lib/libcrypto/cms/cms_lib.c b/src/lib/libcrypto/cms/cms_lib.c
deleted file mode 100644
index 4ca38e2428..0000000000
--- a/src/lib/libcrypto/cms/cms_lib.c
+++ /dev/null
@@ -1,594 +0,0 @@
1/* $OpenBSD: cms_lib.c,v 1.4 2014/07/25 06:05:32 doug Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/asn1t.h>
55#include <openssl/x509.h>
56#include <openssl/err.h>
57#include <openssl/pem.h>
58#include <openssl/bio.h>
59#include <openssl/asn1.h>
60#include "cms.h"
61#include "cms_lcl.h"
62
63IMPLEMENT_ASN1_FUNCTIONS(CMS_ContentInfo)
64IMPLEMENT_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
65
66DECLARE_ASN1_ITEM(CMS_CertificateChoices)
67DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice)
68DECLARE_STACK_OF(CMS_CertificateChoices)
69DECLARE_STACK_OF(CMS_RevocationInfoChoice)
70
71const ASN1_OBJECT *
72CMS_get0_type(CMS_ContentInfo *cms)
73{
74 return cms->contentType;
75}
76
77CMS_ContentInfo *
78cms_Data_create(void)
79{
80 CMS_ContentInfo *cms;
81
82 cms = CMS_ContentInfo_new();
83 if (cms) {
84 cms->contentType = OBJ_nid2obj(NID_pkcs7_data);
85 /* Never detached */
86 CMS_set_detached(cms, 0);
87 }
88 return cms;
89}
90
91BIO *
92cms_content_bio(CMS_ContentInfo *cms)
93{
94 ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
95
96 if (!pos)
97 return NULL;
98 /* If content detached data goes nowhere: create NULL BIO */
99 if (!*pos)
100 return BIO_new(BIO_s_null());
101 /* If content not detached and created return memory BIO
102 */
103 if (!*pos || ((*pos)->flags == ASN1_STRING_FLAG_CONT))
104 return BIO_new(BIO_s_mem());
105 /* Else content was read in: return read only BIO for it */
106 return BIO_new_mem_buf((*pos)->data, (*pos)->length);
107}
108
109BIO *
110CMS_dataInit(CMS_ContentInfo *cms, BIO *icont)
111{
112 BIO *cmsbio, *cont;
113
114 if (icont)
115 cont = icont;
116 else
117 cont = cms_content_bio(cms);
118 if (!cont) {
119 CMSerr(CMS_F_CMS_DATAINIT, CMS_R_NO_CONTENT);
120 return NULL;
121 }
122 switch (OBJ_obj2nid(cms->contentType)) {
123 case NID_pkcs7_data:
124 return cont;
125 case NID_pkcs7_signed:
126 cmsbio = cms_SignedData_init_bio(cms);
127 break;
128 case NID_pkcs7_digest:
129 cmsbio = cms_DigestedData_init_bio(cms);
130 break;
131#ifdef ZLIB
132 case NID_id_smime_ct_compressedData:
133 cmsbio = cms_CompressedData_init_bio(cms);
134 break;
135#endif
136 case NID_pkcs7_encrypted:
137 cmsbio = cms_EncryptedData_init_bio(cms);
138 break;
139 case NID_pkcs7_enveloped:
140 cmsbio = cms_EnvelopedData_init_bio(cms);
141 break;
142 default:
143 CMSerr(CMS_F_CMS_DATAINIT, CMS_R_UNSUPPORTED_TYPE);
144 return NULL;
145 }
146
147 if (cmsbio)
148 return BIO_push(cmsbio, cont);
149
150 if (!icont)
151 BIO_free(cont);
152 return NULL;
153}
154
155int
156CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio)
157{
158 ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
159
160 if (!pos)
161 return 0;
162 /* If ebmedded content find memory BIO and set content */
163 if (*pos && ((*pos)->flags & ASN1_STRING_FLAG_CONT)) {
164 BIO *mbio;
165 unsigned char *cont;
166 long contlen;
167 mbio = BIO_find_type(cmsbio, BIO_TYPE_MEM);
168 if (!mbio) {
169 CMSerr(CMS_F_CMS_DATAFINAL, CMS_R_CONTENT_NOT_FOUND);
170 return 0;
171 }
172 contlen = BIO_get_mem_data(mbio, &cont);
173 /* Set bio as read only so its content can't be clobbered */
174 BIO_set_flags(mbio, BIO_FLAGS_MEM_RDONLY);
175 BIO_set_mem_eof_return(mbio, 0);
176 ASN1_STRING_set0(*pos, cont, contlen);
177 (*pos)->flags &= ~ASN1_STRING_FLAG_CONT;
178 }
179
180 switch (OBJ_obj2nid(cms->contentType)) {
181 case NID_pkcs7_data:
182 case NID_pkcs7_enveloped:
183 case NID_pkcs7_encrypted:
184 case NID_id_smime_ct_compressedData:
185 /* Nothing to do */
186 return 1;
187 case NID_pkcs7_signed:
188 return cms_SignedData_final(cms, cmsbio);
189 case NID_pkcs7_digest:
190 return cms_DigestedData_do_final(cms, cmsbio, 0);
191 default:
192 CMSerr(CMS_F_CMS_DATAFINAL, CMS_R_UNSUPPORTED_TYPE);
193 return 0;
194 }
195}
196
197/* Return an OCTET STRING pointer to content. This allows it to
198 * be accessed or set later.
199 */
200
201ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms)
202{
203 switch (OBJ_obj2nid(cms->contentType)) {
204 case NID_pkcs7_data:
205 return &cms->d.data;
206 case NID_pkcs7_signed:
207 return &cms->d.signedData->encapContentInfo->eContent;
208 case NID_pkcs7_enveloped:
209 return &cms->d.envelopedData->encryptedContentInfo->encryptedContent;
210 case NID_pkcs7_digest:
211 return &cms->d.digestedData->encapContentInfo->eContent;
212 case NID_pkcs7_encrypted:
213 return &cms->d.encryptedData->encryptedContentInfo->encryptedContent;
214 case NID_id_smime_ct_authData:
215 return &cms->d.authenticatedData->encapContentInfo->eContent;
216 case NID_id_smime_ct_compressedData:
217 return &cms->d.compressedData->encapContentInfo->eContent;
218 default:
219 if (cms->d.other->type == V_ASN1_OCTET_STRING)
220 return &cms->d.other->value.octet_string;
221 CMSerr(CMS_F_CMS_GET0_CONTENT, CMS_R_UNSUPPORTED_CONTENT_TYPE);
222 return NULL;
223 }
224}
225
226/* Return an ASN1_OBJECT pointer to content type. This allows it to
227 * be accessed or set later.
228 */
229
230static ASN1_OBJECT **cms_get0_econtent_type(CMS_ContentInfo *cms)
231{
232 switch (OBJ_obj2nid(cms->contentType)) {
233 case NID_pkcs7_signed:
234 return &cms->d.signedData->encapContentInfo->eContentType;
235 case NID_pkcs7_enveloped:
236 return &cms->d.envelopedData->encryptedContentInfo->contentType;
237 case NID_pkcs7_digest:
238 return &cms->d.digestedData->encapContentInfo->eContentType;
239 case NID_pkcs7_encrypted:
240 return &cms->d.encryptedData->encryptedContentInfo->contentType;
241 case NID_id_smime_ct_authData:
242 return &cms->d.authenticatedData->encapContentInfo->eContentType;
243 case NID_id_smime_ct_compressedData:
244 return &cms->d.compressedData->encapContentInfo->eContentType;
245 default:
246 CMSerr(CMS_F_CMS_GET0_ECONTENT_TYPE,
247 CMS_R_UNSUPPORTED_CONTENT_TYPE);
248 return NULL;
249 }
250}
251
252const ASN1_OBJECT *
253CMS_get0_eContentType(CMS_ContentInfo *cms)
254{
255 ASN1_OBJECT **petype;
256
257 petype = cms_get0_econtent_type(cms);
258 if (petype)
259 return *petype;
260 return NULL;
261}
262
263int
264CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid)
265{
266 ASN1_OBJECT **petype, *etype;
267
268 petype = cms_get0_econtent_type(cms);
269 if (!petype)
270 return 0;
271 if (!oid)
272 return 1;
273 etype = OBJ_dup(oid);
274 if (!etype)
275 return 0;
276 ASN1_OBJECT_free(*petype);
277 *petype = etype;
278 return 1;
279}
280
281int
282CMS_is_detached(CMS_ContentInfo *cms)
283{
284 ASN1_OCTET_STRING **pos;
285
286 pos = CMS_get0_content(cms);
287 if (!pos)
288 return -1;
289 if (*pos)
290 return 0;
291 return 1;
292}
293
294int
295CMS_set_detached(CMS_ContentInfo *cms, int detached)
296{
297 ASN1_OCTET_STRING **pos;
298
299 pos = CMS_get0_content(cms);
300 if (!pos)
301 return 0;
302 if (detached) {
303 if (*pos) {
304 ASN1_OCTET_STRING_free(*pos);
305 *pos = NULL;
306 }
307 return 1;
308 }
309 if (!*pos)
310 *pos = ASN1_OCTET_STRING_new();
311 if (*pos) {
312 /* NB: special flag to show content is created and not
313 * read in.
314 */
315 (*pos)->flags |= ASN1_STRING_FLAG_CONT;
316 return 1;
317 }
318 CMSerr(CMS_F_CMS_SET_DETACHED, ERR_R_MALLOC_FAILURE);
319 return 0;
320}
321
322/* Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD */
323
324void
325cms_DigestAlgorithm_set(X509_ALGOR *alg, const EVP_MD *md)
326{
327 int param_type;
328
329 if (md->flags & EVP_MD_FLAG_DIGALGID_ABSENT)
330 param_type = V_ASN1_UNDEF;
331 else
332 param_type = V_ASN1_NULL;
333
334 X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
335
336}
337
338/* Create a digest BIO from an X509_ALGOR structure */
339
340BIO *
341cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm)
342{
343 BIO *mdbio = NULL;
344 ASN1_OBJECT *digestoid;
345 const EVP_MD *digest;
346
347 X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm);
348 digest = EVP_get_digestbyobj(digestoid);
349 if (!digest) {
350 CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO,
351 CMS_R_UNKNOWN_DIGEST_ALGORIHM);
352 goto err;
353 }
354 mdbio = BIO_new(BIO_f_md());
355 if (!mdbio || !BIO_set_md(mdbio, digest)) {
356 CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO,
357 CMS_R_MD_BIO_INIT_ERROR);
358 goto err;
359 }
360 return mdbio;
361
362err:
363 BIO_free(mdbio);
364 return NULL;
365}
366
367/* Locate a message digest content from a BIO chain based on SignerInfo */
368
369int
370cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, X509_ALGOR *mdalg)
371{
372 int nid;
373 ASN1_OBJECT *mdoid;
374
375 X509_ALGOR_get0(&mdoid, NULL, NULL, mdalg);
376 nid = OBJ_obj2nid(mdoid);
377
378 /* Look for digest type to match signature */
379 for (;;) {
380 EVP_MD_CTX *mtmp;
381 chain = BIO_find_type(chain, BIO_TYPE_MD);
382 if (chain == NULL) {
383 CMSerr(CMS_F_CMS_DIGESTALGORITHM_FIND_CTX,
384 CMS_R_NO_MATCHING_DIGEST);
385 return 0;
386 }
387 BIO_get_md_ctx(chain, &mtmp);
388 if (EVP_MD_CTX_type(mtmp) == nid
389 /* Workaround for broken implementations that use signature
390 * algorithm OID instead of digest.
391 */ ||
392 EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid)
393 return EVP_MD_CTX_copy_ex(mctx, mtmp);
394 chain = BIO_next(chain);
395 }
396}
397
398static STACK_OF(CMS_CertificateChoices) **
399cms_get0_certificate_choices(CMS_ContentInfo *cms)
400{
401 switch (OBJ_obj2nid(cms->contentType)) {
402 case NID_pkcs7_signed:
403 return &cms->d.signedData->certificates;
404 case NID_pkcs7_enveloped:
405 return &cms->d.envelopedData->originatorInfo->certificates;
406 default:
407 CMSerr(CMS_F_CMS_GET0_CERTIFICATE_CHOICES,
408 CMS_R_UNSUPPORTED_CONTENT_TYPE);
409 return NULL;
410 }
411}
412
413CMS_CertificateChoices *
414CMS_add0_CertificateChoices(CMS_ContentInfo *cms)
415{
416 STACK_OF(CMS_CertificateChoices) **pcerts;
417 CMS_CertificateChoices *cch;
418
419 pcerts = cms_get0_certificate_choices(cms);
420 if (!pcerts)
421 return NULL;
422 if (!*pcerts)
423 *pcerts = sk_CMS_CertificateChoices_new_null();
424 if (!*pcerts)
425 return NULL;
426 cch = M_ASN1_new_of(CMS_CertificateChoices);
427 if (!cch)
428 return NULL;
429 if (!sk_CMS_CertificateChoices_push(*pcerts, cch)) {
430 M_ASN1_free_of(cch, CMS_CertificateChoices);
431 return NULL;
432 }
433 return cch;
434}
435
436int
437CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert)
438{
439 CMS_CertificateChoices *cch;
440 STACK_OF(CMS_CertificateChoices) **pcerts;
441 int i;
442
443 pcerts = cms_get0_certificate_choices(cms);
444 if (!pcerts)
445 return 0;
446 for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) {
447 cch = sk_CMS_CertificateChoices_value(*pcerts, i);
448 if (cch->type == CMS_CERTCHOICE_CERT) {
449 if (!X509_cmp(cch->d.certificate, cert)) {
450 CMSerr(CMS_F_CMS_ADD0_CERT,
451 CMS_R_CERTIFICATE_ALREADY_PRESENT);
452 return 0;
453 }
454 }
455 }
456 cch = CMS_add0_CertificateChoices(cms);
457 if (!cch)
458 return 0;
459 cch->type = CMS_CERTCHOICE_CERT;
460 cch->d.certificate = cert;
461 return 1;
462}
463
464int
465CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert)
466{
467 int r;
468
469 r = CMS_add0_cert(cms, cert);
470 if (r > 0)
471 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
472 return r;
473}
474
475static STACK_OF(CMS_RevocationInfoChoice) **
476cms_get0_revocation_choices(CMS_ContentInfo *cms)
477{
478 switch (OBJ_obj2nid(cms->contentType)) {
479 case NID_pkcs7_signed:
480 return &cms->d.signedData->crls;
481 case NID_pkcs7_enveloped:
482 return &cms->d.envelopedData->originatorInfo->crls;
483 default:
484 CMSerr(CMS_F_CMS_GET0_REVOCATION_CHOICES,
485 CMS_R_UNSUPPORTED_CONTENT_TYPE);
486 return NULL;
487 }
488}
489
490CMS_RevocationInfoChoice *
491CMS_add0_RevocationInfoChoice(CMS_ContentInfo *cms)
492{
493 STACK_OF(CMS_RevocationInfoChoice) **pcrls;
494 CMS_RevocationInfoChoice *rch;
495
496 pcrls = cms_get0_revocation_choices(cms);
497 if (!pcrls)
498 return NULL;
499 if (!*pcrls)
500 *pcrls = sk_CMS_RevocationInfoChoice_new_null();
501 if (!*pcrls)
502 return NULL;
503 rch = M_ASN1_new_of(CMS_RevocationInfoChoice);
504 if (!rch)
505 return NULL;
506 if (!sk_CMS_RevocationInfoChoice_push(*pcrls, rch)) {
507 M_ASN1_free_of(rch, CMS_RevocationInfoChoice);
508 return NULL;
509 }
510 return rch;
511}
512
513int
514CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl)
515{
516 CMS_RevocationInfoChoice *rch;
517
518 rch = CMS_add0_RevocationInfoChoice(cms);
519 if (!rch)
520 return 0;
521 rch->type = CMS_REVCHOICE_CRL;
522 rch->d.crl = crl;
523 return 1;
524}
525
526int
527CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl)
528{
529 int r;
530
531 r = CMS_add0_crl(cms, crl);
532 if (r > 0)
533 CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
534 return r;
535}
536
537STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms)
538{
539 STACK_OF(X509) *certs = NULL;
540 CMS_CertificateChoices *cch;
541 STACK_OF(CMS_CertificateChoices) **pcerts;
542 int i;
543
544 pcerts = cms_get0_certificate_choices(cms);
545 if (!pcerts)
546 return NULL;
547 for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) {
548 cch = sk_CMS_CertificateChoices_value(*pcerts, i);
549 if (cch->type == 0) {
550 if (!certs) {
551 certs = sk_X509_new_null();
552 if (!certs)
553 return NULL;
554 }
555 if (!sk_X509_push(certs, cch->d.certificate)) {
556 sk_X509_pop_free(certs, X509_free);
557 return NULL;
558 }
559 CRYPTO_add(&cch->d.certificate->references,
560 1, CRYPTO_LOCK_X509);
561 }
562 }
563 return certs;
564
565}
566
567STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms)
568{
569 STACK_OF(X509_CRL) *crls = NULL;
570 STACK_OF(CMS_RevocationInfoChoice) **pcrls;
571 CMS_RevocationInfoChoice *rch;
572 int i;
573
574 pcrls = cms_get0_revocation_choices(cms);
575 if (!pcrls)
576 return NULL;
577 for (i = 0; i < sk_CMS_RevocationInfoChoice_num(*pcrls); i++) {
578 rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i);
579 if (rch->type == 0) {
580 if (!crls) {
581 crls = sk_X509_CRL_new_null();
582 if (!crls)
583 return NULL;
584 }
585 if (!sk_X509_CRL_push(crls, rch->d.crl)) {
586 sk_X509_CRL_pop_free(crls, X509_CRL_free);
587 return NULL;
588 }
589 CRYPTO_add(&rch->d.crl->references,
590 1, CRYPTO_LOCK_X509_CRL);
591 }
592 }
593 return crls;
594}
diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c
deleted file mode 100644
index 7055ba5d3b..0000000000
--- a/src/lib/libcrypto/cms/cms_pwri.c
+++ /dev/null
@@ -1,431 +0,0 @@
1/* $OpenBSD: cms_pwri.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2009 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <stdlib.h>
55
56#include <openssl/aes.h>
57#include <openssl/asn1t.h>
58#include <openssl/cms.h>
59#include <openssl/err.h>
60#include <openssl/pem.h>
61#include <openssl/x509v3.h>
62
63#include "asn1_locl.h"
64#include "cms_lcl.h"
65
66int
67CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, unsigned char *pass,
68 ssize_t passlen)
69{
70 CMS_PasswordRecipientInfo *pwri;
71
72 if (ri->type != CMS_RECIPINFO_PASS) {
73 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD, CMS_R_NOT_PWRI);
74 return 0;
75 }
76
77 pwri = ri->d.pwri;
78 pwri->pass = pass;
79 if (pass && passlen < 0)
80 passlen = strlen((char *)pass);
81 pwri->passlen = passlen;
82 return 1;
83}
84
85CMS_RecipientInfo *
86CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter, int wrap_nid,
87 int pbe_nid, unsigned char *pass, ssize_t passlen,
88 const EVP_CIPHER *kekciph)
89{
90 CMS_RecipientInfo *ri = NULL;
91 CMS_EnvelopedData *env;
92 CMS_PasswordRecipientInfo *pwri;
93 EVP_CIPHER_CTX ctx;
94 X509_ALGOR *encalg = NULL;
95 unsigned char iv[EVP_MAX_IV_LENGTH];
96 int ivlen;
97
98 env = cms_get0_enveloped(cms);
99 if (!env)
100 return NULL;
101
102 if (wrap_nid <= 0)
103 wrap_nid = NID_id_alg_PWRI_KEK;
104
105 if (pbe_nid <= 0)
106 pbe_nid = NID_id_pbkdf2;
107
108 /* Get from enveloped data */
109 if (kekciph == NULL)
110 kekciph = env->encryptedContentInfo->cipher;
111
112 if (kekciph == NULL) {
113 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, CMS_R_NO_CIPHER);
114 return NULL;
115 }
116 if (wrap_nid != NID_id_alg_PWRI_KEK) {
117 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
118 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM);
119 return NULL;
120 }
121
122 /* Setup algorithm identifier for cipher */
123 encalg = X509_ALGOR_new();
124 EVP_CIPHER_CTX_init(&ctx);
125
126 if (EVP_EncryptInit_ex(&ctx, kekciph, NULL, NULL, NULL) <= 0) {
127 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB);
128 goto err;
129 }
130
131 ivlen = EVP_CIPHER_CTX_iv_length(&ctx);
132
133 if (ivlen > 0) {
134 arc4random_buf(iv, ivlen);
135 if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) {
136 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
137 ERR_R_EVP_LIB);
138 goto err;
139 }
140 encalg->parameter = ASN1_TYPE_new();
141 if (!encalg->parameter) {
142 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
143 ERR_R_MALLOC_FAILURE);
144 goto err;
145 }
146 if (EVP_CIPHER_param_to_asn1(&ctx, encalg->parameter) <= 0) {
147 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
148 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
149 goto err;
150 }
151 }
152
153
154 encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(&ctx));
155
156 EVP_CIPHER_CTX_cleanup(&ctx);
157
158 /* Initialize recipient info */
159 ri = M_ASN1_new_of(CMS_RecipientInfo);
160 if (!ri)
161 goto merr;
162
163 ri->d.pwri = M_ASN1_new_of(CMS_PasswordRecipientInfo);
164 if (!ri->d.pwri)
165 goto merr;
166 ri->type = CMS_RECIPINFO_PASS;
167
168 pwri = ri->d.pwri;
169 /* Since this is overwritten, free up empty structure already there */
170 X509_ALGOR_free(pwri->keyEncryptionAlgorithm);
171 pwri->keyEncryptionAlgorithm = X509_ALGOR_new();
172 if (!pwri->keyEncryptionAlgorithm)
173 goto merr;
174 pwri->keyEncryptionAlgorithm->algorithm = OBJ_nid2obj(wrap_nid);
175 pwri->keyEncryptionAlgorithm->parameter = ASN1_TYPE_new();
176 if (!pwri->keyEncryptionAlgorithm->parameter)
177 goto merr;
178
179 if (!ASN1_item_pack(encalg, ASN1_ITEM_rptr(X509_ALGOR),
180 &pwri->keyEncryptionAlgorithm->parameter->value.sequence))
181 goto merr;
182 pwri->keyEncryptionAlgorithm->parameter->type = V_ASN1_SEQUENCE;
183
184 X509_ALGOR_free(encalg);
185 encalg = NULL;
186
187 /* Setup PBE algorithm */
188
189 pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1);
190
191 if (!pwri->keyDerivationAlgorithm)
192 goto err;
193
194 CMS_RecipientInfo_set0_password(ri, pass, passlen);
195 pwri->version = 0;
196
197 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
198 goto merr;
199
200 return ri;
201
202merr:
203 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE);
204err:
205 EVP_CIPHER_CTX_cleanup(&ctx);
206 if (ri)
207 M_ASN1_free_of(ri, CMS_RecipientInfo);
208 if (encalg)
209 X509_ALGOR_free(encalg);
210 return NULL;
211}
212
213/* This is an implementation of the key wrapping mechanism in RFC3211,
214 * at some point this should go into EVP.
215 */
216
217static int
218kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
219 size_t inlen, EVP_CIPHER_CTX *ctx)
220{
221 size_t blocklen = EVP_CIPHER_CTX_block_size(ctx);
222 unsigned char *tmp;
223 int outl, rv = 0;
224
225 if (inlen < 2 * blocklen) {
226 /* too small */
227 return 0;
228 }
229 if (inlen % blocklen) {
230 /* Invalid size */
231 return 0;
232 }
233 tmp = malloc(inlen);
234 /* setup IV by decrypting last two blocks */
235 EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl,
236 in + inlen - 2 * blocklen, blocklen * 2);
237 /* Do a decrypt of last decrypted block to set IV to correct value
238 * output it to start of buffer so we don't corrupt decrypted block
239 * this works because buffer is at least two block lengths long.
240 */
241 EVP_DecryptUpdate(ctx, tmp, &outl,
242 tmp + inlen - blocklen, blocklen);
243 /* Can now decrypt first n - 1 blocks */
244 EVP_DecryptUpdate(ctx, tmp, &outl, in, inlen - blocklen);
245
246 /* Reset IV to original value */
247 EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL);
248 /* Decrypt again */
249 EVP_DecryptUpdate(ctx, tmp, &outl, tmp, inlen);
250 /* Check check bytes */
251 if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) &
252 (tmp[3] ^ tmp[6])) != 0xff) {
253 /* Check byte failure */
254 goto err;
255 }
256 if (inlen < (size_t)(tmp[0] - 4 )) {
257 /* Invalid length value */
258 goto err;
259 }
260 *outlen = (size_t)tmp[0];
261 memcpy(out, tmp + 4, *outlen);
262 rv = 1;
263
264err:
265 explicit_bzero(tmp, inlen);
266 free(tmp);
267 return rv;
268}
269
270static int
271kek_wrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
272 size_t inlen, EVP_CIPHER_CTX *ctx)
273{
274 size_t blocklen = EVP_CIPHER_CTX_block_size(ctx);
275 size_t olen;
276 int dummy;
277
278 /* First decide length of output buffer: need header and round up to
279 * multiple of block length.
280 */
281 olen = (inlen + 4 + blocklen - 1)/blocklen;
282 olen *= blocklen;
283 if (olen < 2 * blocklen) {
284 /* Key too small */
285 return 0;
286 }
287 if (inlen > 0xFF) {
288 /* Key too large */
289 return 0;
290 }
291 if (out) {
292 /* Set header */
293 out[0] = (unsigned char)inlen;
294 out[1] = in[0] ^ 0xFF;
295 out[2] = in[1] ^ 0xFF;
296 out[3] = in[2] ^ 0xFF;
297 memcpy(out + 4, in, inlen);
298 /* Add random padding to end */
299 if (olen > inlen + 4)
300 arc4random_buf(out + 4 + inlen, olen - 4 - inlen);
301 /* Encrypt twice */
302 EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
303 EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
304 }
305
306 *outlen = olen;
307
308 return 1;
309}
310
311/* Encrypt/Decrypt content key in PWRI recipient info */
312
313int
314cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
315 int en_de)
316{
317 CMS_EncryptedContentInfo *ec;
318 CMS_PasswordRecipientInfo *pwri;
319 const unsigned char *p = NULL;
320 int plen;
321 int r = 0;
322 X509_ALGOR *algtmp, *kekalg = NULL;
323 EVP_CIPHER_CTX kekctx;
324 const EVP_CIPHER *kekcipher;
325 unsigned char *key = NULL;
326 size_t keylen;
327
328 ec = cms->d.envelopedData->encryptedContentInfo;
329
330 pwri = ri->d.pwri;
331 EVP_CIPHER_CTX_init(&kekctx);
332
333 if (!pwri->pass) {
334 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_NO_PASSWORD);
335 goto err;
336 }
337 algtmp = pwri->keyEncryptionAlgorithm;
338
339 if (!algtmp || OBJ_obj2nid(algtmp->algorithm) != NID_id_alg_PWRI_KEK) {
340 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
341 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM);
342 goto err;
343 }
344
345 if (algtmp->parameter->type == V_ASN1_SEQUENCE) {
346 p = algtmp->parameter->value.sequence->data;
347 plen = algtmp->parameter->value.sequence->length;
348 kekalg = d2i_X509_ALGOR(NULL, &p, plen);
349 }
350 if (kekalg == NULL) {
351 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
352 CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER);
353 goto err;
354 }
355
356 kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
357
358 if (!kekcipher) {
359 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
360 CMS_R_UNKNOWN_CIPHER);
361 goto err;
362 }
363
364 /* Fixup cipher based on AlgorithmIdentifier to set IV etc */
365 if (!EVP_CipherInit_ex(&kekctx, kekcipher, NULL, NULL, NULL, en_de))
366 goto err;
367 EVP_CIPHER_CTX_set_padding(&kekctx, 0);
368 if (EVP_CIPHER_asn1_to_param(&kekctx, kekalg->parameter) < 0) {
369 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
370 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
371 goto err;
372 }
373
374 algtmp = pwri->keyDerivationAlgorithm;
375
376 /* Finish password based key derivation to setup key in "ctx" */
377
378 if (EVP_PBE_CipherInit(algtmp->algorithm,
379 (char *)pwri->pass, pwri->passlen,
380 algtmp->parameter, &kekctx, en_de) < 0) {
381 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_EVP_LIB);
382 goto err;
383 }
384
385 /* Finally wrap/unwrap the key */
386
387 if (en_de) {
388
389 if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, &kekctx))
390 goto err;
391
392 key = malloc(keylen);
393
394 if (!key)
395 goto err;
396
397 if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, &kekctx))
398 goto err;
399 pwri->encryptedKey->data = key;
400 pwri->encryptedKey->length = keylen;
401 } else {
402 key = malloc(pwri->encryptedKey->length);
403
404 if (!key) {
405 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
406 ERR_R_MALLOC_FAILURE);
407 goto err;
408 }
409 if (!kek_unwrap_key(key, &keylen,
410 pwri->encryptedKey->data,
411 pwri->encryptedKey->length, &kekctx)) {
412 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
413 CMS_R_UNWRAP_FAILURE);
414 goto err;
415 }
416
417 ec->key = key;
418 ec->keylen = keylen;
419
420 }
421
422 r = 1;
423
424err:
425 EVP_CIPHER_CTX_cleanup(&kekctx);
426 if (!r && key)
427 free(key);
428 X509_ALGOR_free(kekalg);
429
430 return r;
431}
diff --git a/src/lib/libcrypto/cms/cms_sd.c b/src/lib/libcrypto/cms/cms_sd.c
deleted file mode 100644
index 1623126e77..0000000000
--- a/src/lib/libcrypto/cms/cms_sd.c
+++ /dev/null
@@ -1,934 +0,0 @@
1/* $OpenBSD: cms_sd.c,v 1.10 2016/03/11 07:08:44 mmcc Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/asn1t.h>
55#include <openssl/cms.h>
56#include <openssl/err.h>
57#include <openssl/pem.h>
58#include <openssl/x509v3.h>
59
60#include "asn1_locl.h"
61#include "cms_lcl.h"
62
63/* CMS SignedData Utilities */
64
65DECLARE_ASN1_ITEM(CMS_SignedData)
66
67static CMS_SignedData *
68cms_get0_signed(CMS_ContentInfo *cms)
69{
70 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_signed) {
71 CMSerr(CMS_F_CMS_GET0_SIGNED,
72 CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA);
73 return NULL;
74 }
75 return cms->d.signedData;
76}
77
78static CMS_SignedData *
79cms_signed_data_init(CMS_ContentInfo *cms)
80{
81 if (cms->d.other == NULL) {
82 cms->d.signedData = M_ASN1_new_of(CMS_SignedData);
83 if (!cms->d.signedData) {
84 CMSerr(CMS_F_CMS_SIGNED_DATA_INIT,
85 ERR_R_MALLOC_FAILURE);
86 return NULL;
87 }
88 cms->d.signedData->version = 1;
89 cms->d.signedData->encapContentInfo->eContentType =
90 OBJ_nid2obj(NID_pkcs7_data);
91 cms->d.signedData->encapContentInfo->partial = 1;
92 ASN1_OBJECT_free(cms->contentType);
93 cms->contentType = OBJ_nid2obj(NID_pkcs7_signed);
94 return cms->d.signedData;
95 }
96 return cms_get0_signed(cms);
97}
98
99/* Just initialize SignedData e.g. for certs only structure */
100
101int
102CMS_SignedData_init(CMS_ContentInfo *cms)
103{
104 if (cms_signed_data_init(cms))
105 return 1;
106 else
107 return 0;
108}
109
110/* Check structures and fixup version numbers (if necessary) */
111
112static void
113cms_sd_set_version(CMS_SignedData *sd)
114{
115 int i;
116 CMS_CertificateChoices *cch;
117 CMS_RevocationInfoChoice *rch;
118 CMS_SignerInfo *si;
119
120 for (i = 0; i < sk_CMS_CertificateChoices_num(sd->certificates); i++) {
121 cch = sk_CMS_CertificateChoices_value(sd->certificates, i);
122 if (cch->type == CMS_CERTCHOICE_OTHER) {
123 if (sd->version < 5)
124 sd->version = 5;
125 } else if (cch->type == CMS_CERTCHOICE_V2ACERT) {
126 if (sd->version < 4)
127 sd->version = 4;
128 } else if (cch->type == CMS_CERTCHOICE_V1ACERT) {
129 if (sd->version < 3)
130 sd->version = 3;
131 }
132 }
133
134 for (i = 0; i < sk_CMS_RevocationInfoChoice_num(sd->crls); i++) {
135 rch = sk_CMS_RevocationInfoChoice_value(sd->crls, i);
136 if (rch->type == CMS_REVCHOICE_OTHER) {
137 if (sd->version < 5)
138 sd->version = 5;
139 }
140 }
141
142 if ((OBJ_obj2nid(sd->encapContentInfo->eContentType) !=
143 NID_pkcs7_data) && (sd->version < 3))
144 sd->version = 3;
145
146 for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) {
147 si = sk_CMS_SignerInfo_value(sd->signerInfos, i);
148 if (si->sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) {
149 if (si->version < 3)
150 si->version = 3;
151 if (sd->version < 3)
152 sd->version = 3;
153 } else if (si->version < 1)
154 si->version = 1;
155 }
156
157 if (sd->version < 1)
158 sd->version = 1;
159}
160
161/* Copy an existing messageDigest value */
162
163static int
164cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si)
165{
166 STACK_OF(CMS_SignerInfo) *sinfos;
167 CMS_SignerInfo *sitmp;
168 int i;
169
170 sinfos = CMS_get0_SignerInfos(cms);
171 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
172 ASN1_OCTET_STRING *messageDigest;
173 sitmp = sk_CMS_SignerInfo_value(sinfos, i);
174 if (sitmp == si)
175 continue;
176 if (CMS_signed_get_attr_count(sitmp) < 0)
177 continue;
178 if (OBJ_cmp(si->digestAlgorithm->algorithm,
179 sitmp->digestAlgorithm->algorithm))
180 continue;
181 messageDigest = CMS_signed_get0_data_by_OBJ(sitmp,
182 OBJ_nid2obj(NID_pkcs9_messageDigest),
183 -3, V_ASN1_OCTET_STRING);
184 if (!messageDigest) {
185 CMSerr(CMS_F_CMS_COPY_MESSAGEDIGEST,
186 CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE);
187 return 0;
188 }
189
190 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest,
191 V_ASN1_OCTET_STRING,
192 messageDigest, -1))
193 return 1;
194 else
195 return 0;
196 }
197 CMSerr(CMS_F_CMS_COPY_MESSAGEDIGEST, CMS_R_NO_MATCHING_DIGEST);
198 return 0;
199}
200
201int
202cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type)
203{
204 switch (type) {
205 case CMS_SIGNERINFO_ISSUER_SERIAL:
206 sid->d.issuerAndSerialNumber =
207 M_ASN1_new_of(CMS_IssuerAndSerialNumber);
208 if (!sid->d.issuerAndSerialNumber)
209 goto merr;
210 if (!X509_NAME_set(&sid->d.issuerAndSerialNumber->issuer,
211 X509_get_issuer_name(cert)))
212 goto merr;
213 if (!ASN1_STRING_copy(
214 sid->d.issuerAndSerialNumber->serialNumber,
215 X509_get_serialNumber(cert)))
216 goto merr;
217 break;
218
219 case CMS_SIGNERINFO_KEYIDENTIFIER:
220 if (!cert->skid) {
221 CMSerr(CMS_F_CMS_SET1_SIGNERIDENTIFIER,
222 CMS_R_CERTIFICATE_HAS_NO_KEYID);
223 return 0;
224 }
225 sid->d.subjectKeyIdentifier = ASN1_STRING_dup(cert->skid);
226 if (!sid->d.subjectKeyIdentifier)
227 goto merr;
228 break;
229
230 default:
231 CMSerr(CMS_F_CMS_SET1_SIGNERIDENTIFIER, CMS_R_UNKNOWN_ID);
232 return 0;
233 }
234
235 sid->type = type;
236
237 return 1;
238
239merr:
240 CMSerr(CMS_F_CMS_SET1_SIGNERIDENTIFIER, ERR_R_MALLOC_FAILURE);
241 return 0;
242}
243
244int
245cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid,
246 ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno)
247{
248 if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) {
249 if (issuer)
250 *issuer = sid->d.issuerAndSerialNumber->issuer;
251 if (sno)
252 *sno = sid->d.issuerAndSerialNumber->serialNumber;
253 } else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) {
254 if (keyid)
255 *keyid = sid->d.subjectKeyIdentifier;
256 } else
257 return 0;
258 return 1;
259}
260
261int
262cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert)
263{
264 int ret;
265
266 if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) {
267 ret = X509_NAME_cmp(sid->d.issuerAndSerialNumber->issuer,
268 X509_get_issuer_name(cert));
269 if (ret)
270 return ret;
271 return ASN1_INTEGER_cmp(sid->d.issuerAndSerialNumber->serialNumber,
272 X509_get_serialNumber(cert));
273 } else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) {
274 X509_check_purpose(cert, -1, -1);
275 if (!cert->skid)
276 return -1;
277 return ASN1_OCTET_STRING_cmp(sid->d.subjectKeyIdentifier,
278 cert->skid);
279 } else
280 return -1;
281}
282
283CMS_SignerInfo *
284CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk,
285 const EVP_MD *md, unsigned int flags)
286{
287 CMS_SignedData *sd;
288 CMS_SignerInfo *si = NULL;
289 X509_ALGOR *alg;
290 int i, type;
291
292 if (!X509_check_private_key(signer, pk)) {
293 CMSerr(CMS_F_CMS_ADD1_SIGNER,
294 CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
295 return NULL;
296 }
297 sd = cms_signed_data_init(cms);
298 if (!sd)
299 goto err;
300 si = M_ASN1_new_of(CMS_SignerInfo);
301 if (!si)
302 goto merr;
303 X509_check_purpose(signer, -1, -1);
304
305 CRYPTO_add(&pk->references, 1, CRYPTO_LOCK_EVP_PKEY);
306 CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
307
308 si->pkey = pk;
309 si->signer = signer;
310
311 if (flags & CMS_USE_KEYID) {
312 si->version = 3;
313 if (sd->version < 3)
314 sd->version = 3;
315 type = CMS_SIGNERINFO_KEYIDENTIFIER;
316 } else {
317 type = CMS_SIGNERINFO_ISSUER_SERIAL;
318 si->version = 1;
319 }
320
321 if (!cms_set1_SignerIdentifier(si->sid, signer, type))
322 goto err;
323
324 if (md == NULL) {
325 int def_nid;
326 if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0)
327 goto err;
328 md = EVP_get_digestbynid(def_nid);
329 if (md == NULL) {
330 CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DEFAULT_DIGEST);
331 goto err;
332 }
333 }
334
335 if (!md) {
336 CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DIGEST_SET);
337 goto err;
338 }
339
340 cms_DigestAlgorithm_set(si->digestAlgorithm, md);
341
342 /* See if digest is present in digestAlgorithms */
343 for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) {
344 ASN1_OBJECT *aoid;
345 alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i);
346 X509_ALGOR_get0(&aoid, NULL, NULL, alg);
347 if (OBJ_obj2nid(aoid) == EVP_MD_type(md))
348 break;
349 }
350
351 if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) {
352 alg = X509_ALGOR_new();
353 if (!alg)
354 goto merr;
355 cms_DigestAlgorithm_set(alg, md);
356 if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) {
357 X509_ALGOR_free(alg);
358 goto merr;
359 }
360 }
361
362 if (pk->ameth && pk->ameth->pkey_ctrl) {
363 i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_SIGN,
364 0, si);
365 if (i == -2) {
366 CMSerr(CMS_F_CMS_ADD1_SIGNER,
367 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
368 goto err;
369 }
370 if (i <= 0) {
371 CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_CTRL_FAILURE);
372 goto err;
373 }
374 }
375
376 if (!(flags & CMS_NOATTR)) {
377 /* Initialialize signed attributes strutucture so other
378 * attributes such as signing time etc are added later
379 * even if we add none here.
380 */
381 if (!si->signedAttrs) {
382 si->signedAttrs = sk_X509_ATTRIBUTE_new_null();
383 if (!si->signedAttrs)
384 goto merr;
385 }
386
387 if (!(flags & CMS_NOSMIMECAP)) {
388 STACK_OF(X509_ALGOR) *smcap = NULL;
389 i = CMS_add_standard_smimecap(&smcap);
390 if (i)
391 i = CMS_add_smimecap(si, smcap);
392 sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
393 if (!i)
394 goto merr;
395 }
396 if (flags & CMS_REUSE_DIGEST) {
397 if (!cms_copy_messageDigest(cms, si))
398 goto err;
399 if (!(flags & CMS_PARTIAL) &&
400 !CMS_SignerInfo_sign(si))
401 goto err;
402 }
403 }
404
405 if (!(flags & CMS_NOCERTS)) {
406 /* NB ignore -1 return for duplicate cert */
407 if (!CMS_add1_cert(cms, signer))
408 goto merr;
409 }
410
411 if (!sd->signerInfos)
412 sd->signerInfos = sk_CMS_SignerInfo_new_null();
413 if (!sd->signerInfos ||
414 !sk_CMS_SignerInfo_push(sd->signerInfos, si))
415 goto merr;
416
417 return si;
418
419merr:
420 CMSerr(CMS_F_CMS_ADD1_SIGNER, ERR_R_MALLOC_FAILURE);
421err:
422 if (si)
423 M_ASN1_free_of(si, CMS_SignerInfo);
424 return NULL;
425}
426
427static int
428cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t)
429{
430 ASN1_TIME *tt;
431 int r = 0;
432
433 if (t)
434 tt = t;
435 else
436 tt = X509_gmtime_adj(NULL, 0);
437
438 if (!tt)
439 goto merr;
440
441 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
442 tt->type, tt, -1) <= 0)
443 goto merr;
444
445 r = 1;
446
447merr:
448 if (!t)
449 ASN1_TIME_free(tt);
450 if (!r)
451 CMSerr(CMS_F_CMS_ADD1_SIGNINGTIME, ERR_R_MALLOC_FAILURE);
452
453 return r;
454}
455
456STACK_OF(CMS_SignerInfo) *
457CMS_get0_SignerInfos(CMS_ContentInfo *cms)
458{
459 CMS_SignedData *sd;
460
461 sd = cms_get0_signed(cms);
462 if (!sd)
463 return NULL;
464 return sd->signerInfos;
465}
466
467STACK_OF(X509) *
468CMS_get0_signers(CMS_ContentInfo *cms)
469{
470 STACK_OF(X509) *signers = NULL;
471 STACK_OF(CMS_SignerInfo) *sinfos;
472 CMS_SignerInfo *si;
473 int i;
474
475 sinfos = CMS_get0_SignerInfos(cms);
476 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
477 si = sk_CMS_SignerInfo_value(sinfos, i);
478 if (si->signer) {
479 if (!signers) {
480 signers = sk_X509_new_null();
481 if (!signers)
482 return NULL;
483 }
484 if (!sk_X509_push(signers, si->signer)) {
485 sk_X509_free(signers);
486 return NULL;
487 }
488 }
489 }
490 return signers;
491}
492
493void
494CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer)
495{
496 if (signer) {
497 CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
498 EVP_PKEY_free(si->pkey);
499 si->pkey = X509_get_pubkey(signer);
500 }
501 X509_free(si->signer);
502 si->signer = signer;
503}
504
505int
506CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid,
507 X509_NAME **issuer, ASN1_INTEGER **sno)
508{
509 return cms_SignerIdentifier_get0_signer_id(si->sid, keyid, issuer, sno);
510}
511
512int
513CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert)
514{
515 return cms_SignerIdentifier_cert_cmp(si->sid, cert);
516}
517
518int
519CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts,
520 unsigned int flags)
521{
522 CMS_SignedData *sd;
523 CMS_SignerInfo *si;
524 CMS_CertificateChoices *cch;
525 STACK_OF(CMS_CertificateChoices) *certs;
526 X509 *x;
527 int i, j;
528 int ret = 0;
529
530 sd = cms_get0_signed(cms);
531 if (!sd)
532 return -1;
533 certs = sd->certificates;
534 for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) {
535 si = sk_CMS_SignerInfo_value(sd->signerInfos, i);
536 if (si->signer)
537 continue;
538
539 for (j = 0; j < sk_X509_num(scerts); j++) {
540 x = sk_X509_value(scerts, j);
541 if (CMS_SignerInfo_cert_cmp(si, x) == 0) {
542 CMS_SignerInfo_set1_signer_cert(si, x);
543 ret++;
544 break;
545 }
546 }
547
548 if (si->signer || (flags & CMS_NOINTERN))
549 continue;
550
551 for (j = 0; j < sk_CMS_CertificateChoices_num(certs); j++) {
552 cch = sk_CMS_CertificateChoices_value(certs, j);
553 if (cch->type != 0)
554 continue;
555 x = cch->d.certificate;
556 if (CMS_SignerInfo_cert_cmp(si, x) == 0) {
557 CMS_SignerInfo_set1_signer_cert(si, x);
558 ret++;
559 break;
560 }
561 }
562 }
563 return ret;
564}
565
566void
567CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk, X509 **signer,
568 X509_ALGOR **pdig, X509_ALGOR **psig)
569{
570 if (pk)
571 *pk = si->pkey;
572 if (signer)
573 *signer = si->signer;
574 if (pdig)
575 *pdig = si->digestAlgorithm;
576 if (psig)
577 *psig = si->signatureAlgorithm;
578}
579
580static int
581cms_SignerInfo_content_sign(CMS_ContentInfo *cms, CMS_SignerInfo *si,
582 BIO *chain)
583{
584 EVP_MD_CTX mctx;
585 int r = 0;
586 EVP_MD_CTX_init(&mctx);
587
588 if (!si->pkey) {
589 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, CMS_R_NO_PRIVATE_KEY);
590 return 0;
591 }
592
593 if (!cms_DigestAlgorithm_find_ctx(&mctx, chain, si->digestAlgorithm))
594 goto err;
595
596 /* If any signed attributes calculate and add messageDigest attribute */
597
598 if (CMS_signed_get_attr_count(si) >= 0) {
599 ASN1_OBJECT *ctype =
600 cms->d.signedData->encapContentInfo->eContentType;
601 unsigned char md[EVP_MAX_MD_SIZE];
602 unsigned int mdlen;
603 if (!EVP_DigestFinal_ex(&mctx, md, &mdlen))
604 goto err;
605 if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest,
606 V_ASN1_OCTET_STRING,
607 md, mdlen))
608 goto err;
609 /* Copy content type across */
610 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType,
611 V_ASN1_OBJECT, ctype, -1) <= 0)
612 goto err;
613 if (!CMS_SignerInfo_sign(si))
614 goto err;
615 } else {
616 unsigned char *sig;
617 unsigned int siglen;
618 sig = malloc(EVP_PKEY_size(si->pkey));
619 if (!sig) {
620 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN,
621 ERR_R_MALLOC_FAILURE);
622 goto err;
623 }
624 if (!EVP_SignFinal(&mctx, sig, &siglen, si->pkey)) {
625 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN,
626 CMS_R_SIGNFINAL_ERROR);
627 free(sig);
628 goto err;
629 }
630 ASN1_STRING_set0(si->signature, sig, siglen);
631 }
632
633 r = 1;
634
635err:
636 EVP_MD_CTX_cleanup(&mctx);
637 return r;
638}
639
640int
641cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain)
642{
643 STACK_OF(CMS_SignerInfo) *sinfos;
644 CMS_SignerInfo *si;
645 int i;
646
647 sinfos = CMS_get0_SignerInfos(cms);
648 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
649 si = sk_CMS_SignerInfo_value(sinfos, i);
650 if (!cms_SignerInfo_content_sign(cms, si, chain))
651 return 0;
652 }
653 cms->d.signedData->encapContentInfo->partial = 0;
654 return 1;
655}
656
657int
658CMS_SignerInfo_sign(CMS_SignerInfo *si)
659{
660 EVP_MD_CTX mctx;
661 EVP_PKEY_CTX *pctx;
662 unsigned char *abuf = NULL;
663 int alen;
664 size_t siglen;
665 const EVP_MD *md = NULL;
666
667 md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
668 if (md == NULL)
669 return 0;
670
671 EVP_MD_CTX_init(&mctx);
672
673 if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
674 if (!cms_add1_signingTime(si, NULL))
675 goto err;
676 }
677
678 if (EVP_DigestSignInit(&mctx, &pctx, md, NULL, si->pkey) <= 0)
679 goto err;
680
681 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
682 EVP_PKEY_CTRL_CMS_SIGN, 0, si) <= 0) {
683 CMSerr(CMS_F_CMS_SIGNERINFO_SIGN, CMS_R_CTRL_ERROR);
684 goto err;
685 }
686
687 alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf,
688 ASN1_ITEM_rptr(CMS_Attributes_Sign));
689 if (!abuf)
690 goto err;
691 if (EVP_DigestSignUpdate(&mctx, abuf, alen) <= 0)
692 goto err;
693 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
694 goto err;
695 free(abuf);
696 abuf = malloc(siglen);
697 if (!abuf)
698 goto err;
699 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0)
700 goto err;
701
702 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
703 EVP_PKEY_CTRL_CMS_SIGN, 1, si) <= 0) {
704 CMSerr(CMS_F_CMS_SIGNERINFO_SIGN, CMS_R_CTRL_ERROR);
705 goto err;
706 }
707
708 EVP_MD_CTX_cleanup(&mctx);
709
710 ASN1_STRING_set0(si->signature, abuf, siglen);
711
712 return 1;
713
714err:
715 free(abuf);
716 EVP_MD_CTX_cleanup(&mctx);
717 return 0;
718}
719
720int
721CMS_SignerInfo_verify(CMS_SignerInfo *si)
722{
723 EVP_MD_CTX mctx;
724 EVP_PKEY_CTX *pctx;
725 unsigned char *abuf = NULL;
726 int alen, r = -1;
727 const EVP_MD *md = NULL;
728
729 if (!si->pkey) {
730 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_NO_PUBLIC_KEY);
731 return -1;
732 }
733
734 md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
735 if (md == NULL)
736 return -1;
737 EVP_MD_CTX_init(&mctx);
738 if (EVP_DigestVerifyInit(&mctx, &pctx, md, NULL, si->pkey) <= 0)
739 goto err;
740
741 alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf,
742 ASN1_ITEM_rptr(CMS_Attributes_Verify));
743 if (!abuf)
744 goto err;
745 r = EVP_DigestVerifyUpdate(&mctx, abuf, alen);
746 free(abuf);
747 if (r <= 0) {
748 r = -1;
749 goto err;
750 }
751 r = EVP_DigestVerifyFinal(&mctx,
752 si->signature->data, si->signature->length);
753 if (r <= 0)
754 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE);
755
756err:
757 EVP_MD_CTX_cleanup(&mctx);
758 return r;
759}
760
761/* Create a chain of digest BIOs from a CMS ContentInfo */
762
763BIO *
764cms_SignedData_init_bio(CMS_ContentInfo *cms)
765{
766 int i;
767 CMS_SignedData *sd;
768 BIO *chain = NULL;
769
770 sd = cms_get0_signed(cms);
771 if (!sd)
772 return NULL;
773 if (cms->d.signedData->encapContentInfo->partial)
774 cms_sd_set_version(sd);
775 for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) {
776 X509_ALGOR *digestAlgorithm;
777 BIO *mdbio;
778 digestAlgorithm = sk_X509_ALGOR_value(sd->digestAlgorithms, i);
779 mdbio = cms_DigestAlgorithm_init_bio(digestAlgorithm);
780 if (!mdbio)
781 goto err;
782 if (chain)
783 BIO_push(chain, mdbio);
784 else
785 chain = mdbio;
786 }
787 return chain;
788
789err:
790 if (chain)
791 BIO_free_all(chain);
792 return NULL;
793}
794
795int
796CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain)
797{
798 ASN1_OCTET_STRING *os = NULL;
799 EVP_MD_CTX mctx;
800 int r = -1;
801
802 EVP_MD_CTX_init(&mctx);
803 /* If we have any signed attributes look for messageDigest value */
804 if (CMS_signed_get_attr_count(si) >= 0) {
805 os = CMS_signed_get0_data_by_OBJ(si,
806 OBJ_nid2obj(NID_pkcs9_messageDigest),
807 -3, V_ASN1_OCTET_STRING);
808 if (!os) {
809 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
810 CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE);
811 goto err;
812 }
813 }
814
815 if (!cms_DigestAlgorithm_find_ctx(&mctx, chain, si->digestAlgorithm))
816 goto err;
817
818 /* If messageDigest found compare it */
819
820 if (os) {
821 unsigned char mval[EVP_MAX_MD_SIZE];
822 unsigned int mlen;
823 if (EVP_DigestFinal_ex(&mctx, mval, &mlen) <= 0) {
824 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
825 CMS_R_UNABLE_TO_FINALIZE_CONTEXT);
826 goto err;
827 }
828 if (mlen != (unsigned int)os->length) {
829 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
830 CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH);
831 goto err;
832 }
833
834 if (memcmp(mval, os->data, mlen)) {
835 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
836 CMS_R_VERIFICATION_FAILURE);
837 r = 0;
838 } else
839 r = 1;
840 } else {
841 r = EVP_VerifyFinal(&mctx, si->signature->data,
842 si->signature->length, si->pkey);
843 if (r <= 0) {
844 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
845 CMS_R_VERIFICATION_FAILURE);
846 r = 0;
847 }
848 }
849
850err:
851 EVP_MD_CTX_cleanup(&mctx);
852 return r;
853}
854
855int
856CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs)
857{
858 unsigned char *smder = NULL;
859 int smderlen, r;
860
861 smderlen = i2d_X509_ALGORS(algs, &smder);
862 if (smderlen <= 0)
863 return 0;
864 r = CMS_signed_add1_attr_by_NID(si, NID_SMIMECapabilities,
865 V_ASN1_SEQUENCE, smder, smderlen);
866 free(smder);
867 return r;
868}
869
870int
871CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, int algnid, int keysize)
872{
873 X509_ALGOR *alg;
874 ASN1_INTEGER *key = NULL;
875
876 if (keysize > 0) {
877 key = ASN1_INTEGER_new();
878 if (!key || !ASN1_INTEGER_set(key, keysize))
879 return 0;
880 }
881 alg = X509_ALGOR_new();
882 if (!alg) {
883 if (key)
884 ASN1_INTEGER_free(key);
885 return 0;
886 }
887
888 X509_ALGOR_set0(alg, OBJ_nid2obj(algnid),
889 key ? V_ASN1_INTEGER : V_ASN1_UNDEF, key);
890 if (!*algs)
891 *algs = sk_X509_ALGOR_new_null();
892 if (!*algs || !sk_X509_ALGOR_push(*algs, alg)) {
893 X509_ALGOR_free(alg);
894 return 0;
895 }
896 return 1;
897}
898
899/* Check to see if a cipher exists and if so add S/MIME capabilities */
900
901static int
902cms_add_cipher_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg)
903{
904 if (EVP_get_cipherbynid(nid))
905 return CMS_add_simple_smimecap(sk, nid, arg);
906 return 1;
907}
908
909static int
910cms_add_digest_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg)
911{
912 if (EVP_get_digestbynid(nid))
913 return CMS_add_simple_smimecap(sk, nid, arg);
914 return 1;
915}
916
917int
918CMS_add_standard_smimecap(STACK_OF(X509_ALGOR) **smcap)
919{
920 if (!cms_add_cipher_smcap(smcap, NID_aes_256_cbc, -1) ||
921 !cms_add_digest_smcap(smcap, NID_id_GostR3411_94, -1) ||
922 !cms_add_digest_smcap(smcap, NID_id_tc26_gost3411_2012_256, -1) ||
923 !cms_add_digest_smcap(smcap, NID_id_tc26_gost3411_2012_512, -1) ||
924 !cms_add_cipher_smcap(smcap, NID_id_Gost28147_89, -1) ||
925 !cms_add_cipher_smcap(smcap, NID_aes_192_cbc, -1) ||
926 !cms_add_cipher_smcap(smcap, NID_aes_128_cbc, -1) ||
927 !cms_add_cipher_smcap(smcap, NID_des_ede3_cbc, -1) ||
928 !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 128) ||
929 !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 64) ||
930 !cms_add_cipher_smcap(smcap, NID_des_cbc, -1) ||
931 !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 40))
932 return 0;
933 return 1;
934}
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
deleted file mode 100644
index 030cf74d21..0000000000
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ /dev/null
@@ -1,821 +0,0 @@
1/* $OpenBSD: cms_smime.c,v 1.13 2015/06/11 16:02:05 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54#include <openssl/asn1t.h>
55#include <openssl/cms.h>
56#include <openssl/err.h>
57#include <openssl/x509.h>
58#include <openssl/x509v3.h>
59
60#include "cms_lcl.h"
61
62static int
63cms_copy_content(BIO *out, BIO *in, unsigned int flags)
64{
65 unsigned char buf[4096];
66 int r = 0, i;
67 BIO *tmpout = NULL;
68
69 if (out == NULL)
70 tmpout = BIO_new(BIO_s_null());
71 else if (flags & CMS_TEXT) {
72 tmpout = BIO_new(BIO_s_mem());
73 BIO_set_mem_eof_return(tmpout, 0);
74 } else
75 tmpout = out;
76
77 if (!tmpout) {
78 CMSerr(CMS_F_CMS_COPY_CONTENT, ERR_R_MALLOC_FAILURE);
79 goto err;
80 }
81
82 /* Read all content through chain to process digest, decrypt etc */
83 for (;;) {
84 i = BIO_read(in, buf, sizeof(buf));
85 if (i <= 0) {
86 if (BIO_method_type(in) == BIO_TYPE_CIPHER) {
87 if (!BIO_get_cipher_status(in))
88 goto err;
89 }
90 if (i < 0)
91 goto err;
92 break;
93 }
94
95 if (tmpout && (BIO_write(tmpout, buf, i) != i))
96 goto err;
97 }
98
99 if (flags & CMS_TEXT) {
100 if (!SMIME_text(tmpout, out)) {
101 CMSerr(CMS_F_CMS_COPY_CONTENT, CMS_R_SMIME_TEXT_ERROR);
102 goto err;
103 }
104 }
105
106 r = 1;
107
108err:
109 if (tmpout && (tmpout != out))
110 BIO_free(tmpout);
111 return r;
112}
113
114static int
115check_content(CMS_ContentInfo *cms)
116{
117 ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
118
119 if (!pos || !*pos) {
120 CMSerr(CMS_F_CHECK_CONTENT, CMS_R_NO_CONTENT);
121 return 0;
122 }
123 return 1;
124}
125
126static void
127do_free_upto(BIO *f, BIO *upto)
128{
129 if (upto) {
130 BIO *tbio;
131 do {
132 tbio = BIO_pop(f);
133 BIO_free(f);
134 f = tbio;
135 } while (f != NULL && f != upto);
136 } else
137 BIO_free_all(f);
138}
139
140int
141CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags)
142{
143 BIO *cont;
144 int r;
145
146 if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_data) {
147 CMSerr(CMS_F_CMS_DATA, CMS_R_TYPE_NOT_DATA);
148 return 0;
149 }
150 cont = CMS_dataInit(cms, NULL);
151 if (!cont)
152 return 0;
153 r = cms_copy_content(out, cont, flags);
154 BIO_free_all(cont);
155 return r;
156}
157
158CMS_ContentInfo *
159CMS_data_create(BIO *in, unsigned int flags)
160{
161 CMS_ContentInfo *cms;
162
163 cms = cms_Data_create();
164 if (!cms)
165 return NULL;
166
167 if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags))
168 return cms;
169
170 CMS_ContentInfo_free(cms);
171
172 return NULL;
173}
174
175int
176CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out,
177 unsigned int flags)
178{
179 BIO *cont;
180 int r;
181
182 if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_digest) {
183 CMSerr(CMS_F_CMS_DIGEST_VERIFY, CMS_R_TYPE_NOT_DIGESTED_DATA);
184 return 0;
185 }
186
187 if (!dcont && !check_content(cms))
188 return 0;
189
190 cont = CMS_dataInit(cms, dcont);
191 if (!cont)
192 return 0;
193 r = cms_copy_content(out, cont, flags);
194 if (r)
195 r = cms_DigestedData_do_final(cms, cont, 1);
196 do_free_upto(cont, dcont);
197 return r;
198}
199
200CMS_ContentInfo *
201CMS_digest_create(BIO *in, const EVP_MD *md, unsigned int flags)
202{
203 CMS_ContentInfo *cms;
204
205 if (!md)
206 md = EVP_sha1();
207 cms = cms_DigestedData_create(md);
208 if (!cms)
209 return NULL;
210
211 if (!(flags & CMS_DETACHED))
212 CMS_set_detached(cms, 0);
213
214 if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags))
215 return cms;
216
217 CMS_ContentInfo_free(cms);
218 return NULL;
219}
220
221int
222CMS_EncryptedData_decrypt(CMS_ContentInfo *cms, const unsigned char *key,
223 size_t keylen, BIO *dcont, BIO *out, unsigned int flags)
224{
225 BIO *cont;
226 int r;
227
228 if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_encrypted) {
229 CMSerr(CMS_F_CMS_ENCRYPTEDDATA_DECRYPT,
230 CMS_R_TYPE_NOT_ENCRYPTED_DATA);
231 return 0;
232 }
233
234 if (!dcont && !check_content(cms))
235 return 0;
236
237 if (CMS_EncryptedData_set1_key(cms, NULL, key, keylen) <= 0)
238 return 0;
239 cont = CMS_dataInit(cms, dcont);
240 if (!cont)
241 return 0;
242 r = cms_copy_content(out, cont, flags);
243 do_free_upto(cont, dcont);
244 return r;
245}
246
247CMS_ContentInfo *
248CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
249 const unsigned char *key, size_t keylen, unsigned int flags)
250{
251 CMS_ContentInfo *cms;
252
253 if (!cipher) {
254 CMSerr(CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT, CMS_R_NO_CIPHER);
255 return NULL;
256 }
257 cms = CMS_ContentInfo_new();
258 if (!cms)
259 return NULL;
260 if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen))
261 return NULL;
262
263 if (!(flags & CMS_DETACHED))
264 CMS_set_detached(cms, 0);
265
266 if ((flags & (CMS_STREAM|CMS_PARTIAL)) ||
267 CMS_final(cms, in, NULL, flags))
268 return cms;
269
270 CMS_ContentInfo_free(cms);
271 return NULL;
272}
273
274static int
275cms_signerinfo_verify_cert(CMS_SignerInfo *si, X509_STORE *store,
276 STACK_OF(X509) *certs, STACK_OF(X509_CRL) *crls, unsigned int flags)
277{
278 X509_STORE_CTX ctx;
279 X509 *signer;
280 int i, j, r = 0;
281
282 CMS_SignerInfo_get0_algs(si, NULL, &signer, NULL, NULL);
283 if (!X509_STORE_CTX_init(&ctx, store, signer, certs)) {
284 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CERT,
285 CMS_R_STORE_INIT_ERROR);
286 goto err;
287 }
288 X509_STORE_CTX_set_default(&ctx, "smime_sign");
289 if (crls)
290 X509_STORE_CTX_set0_crls(&ctx, crls);
291
292 i = X509_verify_cert(&ctx);
293 if (i <= 0) {
294 j = X509_STORE_CTX_get_error(&ctx);
295 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CERT,
296 CMS_R_CERTIFICATE_VERIFY_ERROR);
297 ERR_asprintf_error_data("Verify error:%s",
298 X509_verify_cert_error_string(j));
299 goto err;
300 }
301 r = 1;
302
303err:
304 X509_STORE_CTX_cleanup(&ctx);
305 return r;
306}
307
308int
309CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store,
310 BIO *dcont, BIO *out, unsigned int flags)
311{
312 CMS_SignerInfo *si;
313 STACK_OF(CMS_SignerInfo) *sinfos;
314 STACK_OF(X509) *cms_certs = NULL;
315 STACK_OF(X509_CRL) *crls = NULL;
316 X509 *signer;
317 int i, scount = 0, ret = 0;
318 BIO *cmsbio = NULL, *tmpin = NULL;
319
320 if (!dcont && !check_content(cms))
321 return 0;
322
323 /* Attempt to find all signer certificates */
324
325 sinfos = CMS_get0_SignerInfos(cms);
326
327 if (sk_CMS_SignerInfo_num(sinfos) <= 0) {
328 CMSerr(CMS_F_CMS_VERIFY, CMS_R_NO_SIGNERS);
329 goto err;
330 }
331
332 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
333 si = sk_CMS_SignerInfo_value(sinfos, i);
334 CMS_SignerInfo_get0_algs(si, NULL, &signer, NULL, NULL);
335 if (signer)
336 scount++;
337 }
338
339 if (scount != sk_CMS_SignerInfo_num(sinfos))
340 scount += CMS_set1_signers_certs(cms, certs, flags);
341
342 if (scount != sk_CMS_SignerInfo_num(sinfos)) {
343 CMSerr(CMS_F_CMS_VERIFY, CMS_R_SIGNER_CERTIFICATE_NOT_FOUND);
344 goto err;
345 }
346
347 /* Attempt to verify all signers certs */
348
349 if (!(flags & CMS_NO_SIGNER_CERT_VERIFY)) {
350 cms_certs = CMS_get1_certs(cms);
351 if (!(flags & CMS_NOCRL))
352 crls = CMS_get1_crls(cms);
353 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
354 si = sk_CMS_SignerInfo_value(sinfos, i);
355 if (!cms_signerinfo_verify_cert(si, store,
356 cms_certs, crls, flags))
357 goto err;
358 }
359 }
360
361 /* Attempt to verify all SignerInfo signed attribute signatures */
362
363 if (!(flags & CMS_NO_ATTR_VERIFY)) {
364 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
365 si = sk_CMS_SignerInfo_value(sinfos, i);
366 if (CMS_signed_get_attr_count(si) < 0)
367 continue;
368 if (CMS_SignerInfo_verify(si) <= 0)
369 goto err;
370 }
371 }
372
373 /* Performance optimization: if the content is a memory BIO then
374 * store its contents in a temporary read only memory BIO. This
375 * avoids potentially large numbers of slow copies of data which will
376 * occur when reading from a read write memory BIO when signatures
377 * are calculated.
378 */
379
380 if (dcont && (BIO_method_type(dcont) == BIO_TYPE_MEM)) {
381 char *ptr;
382 long len;
383 len = BIO_get_mem_data(dcont, &ptr);
384 tmpin = BIO_new_mem_buf(ptr, len);
385 if (tmpin == NULL) {
386 CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE);
387 return 0;
388 }
389 } else
390 tmpin = dcont;
391
392
393 cmsbio = CMS_dataInit(cms, tmpin);
394 if (!cmsbio)
395 goto err;
396
397 if (!cms_copy_content(out, cmsbio, flags))
398 goto err;
399
400 if (!(flags & CMS_NO_CONTENT_VERIFY)) {
401 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
402 si = sk_CMS_SignerInfo_value(sinfos, i);
403 if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0) {
404 CMSerr(CMS_F_CMS_VERIFY,
405 CMS_R_CONTENT_VERIFY_ERROR);
406 goto err;
407 }
408 }
409 }
410
411 ret = 1;
412
413err:
414 if (dcont && (tmpin == dcont))
415 do_free_upto(cmsbio, dcont);
416 else
417 BIO_free_all(cmsbio);
418
419 if (cms_certs)
420 sk_X509_pop_free(cms_certs, X509_free);
421 if (crls)
422 sk_X509_CRL_pop_free(crls, X509_CRL_free);
423
424 return ret;
425}
426
427int
428CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
429 STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags)
430{
431 int r;
432
433 flags &= ~(CMS_DETACHED|CMS_TEXT);
434 r = CMS_verify(rcms, certs, store, NULL, NULL, flags);
435 if (r <= 0)
436 return r;
437 return cms_Receipt_verify(rcms, ocms);
438}
439
440CMS_ContentInfo *
441CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data,
442 unsigned int flags)
443{
444 CMS_ContentInfo *cms;
445 int i;
446
447 cms = CMS_ContentInfo_new();
448 if (!cms || !CMS_SignedData_init(cms))
449 goto merr;
450
451 if (pkey && !CMS_add1_signer(cms, signcert, pkey, NULL, flags)) {
452 CMSerr(CMS_F_CMS_SIGN, CMS_R_ADD_SIGNER_ERROR);
453 goto err;
454 }
455
456 for (i = 0; i < sk_X509_num(certs); i++) {
457 X509 *x = sk_X509_value(certs, i);
458 if (!CMS_add1_cert(cms, x))
459 goto merr;
460 }
461
462 if (!(flags & CMS_DETACHED))
463 CMS_set_detached(cms, 0);
464
465 if ((flags & (CMS_STREAM|CMS_PARTIAL)) ||
466 CMS_final(cms, data, NULL, flags))
467 return cms;
468 else
469 goto err;
470
471merr:
472 CMSerr(CMS_F_CMS_SIGN, ERR_R_MALLOC_FAILURE);
473err:
474 if (cms)
475 CMS_ContentInfo_free(cms);
476 return NULL;
477}
478
479CMS_ContentInfo *
480CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, EVP_PKEY *pkey,
481 STACK_OF(X509) *certs, unsigned int flags)
482{
483 CMS_SignerInfo *rct_si;
484 CMS_ContentInfo *cms = NULL;
485 ASN1_OCTET_STRING **pos, *os;
486 BIO *rct_cont = NULL;
487 int r = 0;
488
489 flags &= ~(CMS_STREAM|CMS_TEXT);
490 /* Not really detached but avoids content being allocated */
491 flags |= CMS_PARTIAL|CMS_BINARY|CMS_DETACHED;
492 if (!pkey || !signcert) {
493 CMSerr(CMS_F_CMS_SIGN_RECEIPT, CMS_R_NO_KEY_OR_CERT);
494 return NULL;
495 }
496
497 /* Initialize signed data */
498
499 cms = CMS_sign(NULL, NULL, certs, NULL, flags);
500 if (!cms)
501 goto err;
502
503 /* Set inner content type to signed receipt */
504 if (!CMS_set1_eContentType(cms, OBJ_nid2obj(NID_id_smime_ct_receipt)))
505 goto err;
506
507 rct_si = CMS_add1_signer(cms, signcert, pkey, NULL, flags);
508 if (!rct_si) {
509 CMSerr(CMS_F_CMS_SIGN_RECEIPT, CMS_R_ADD_SIGNER_ERROR);
510 goto err;
511 }
512
513 os = cms_encode_Receipt(si);
514
515 if (!os)
516 goto err;
517
518 /* Set content to digest */
519 rct_cont = BIO_new_mem_buf(os->data, os->length);
520 if (!rct_cont)
521 goto err;
522
523 /* Add msgSigDigest attribute */
524
525 if (!cms_msgSigDigest_add1(rct_si, si))
526 goto err;
527
528 /* Finalize structure */
529 if (!CMS_final(cms, rct_cont, NULL, flags))
530 goto err;
531
532 /* Set embedded content */
533 pos = CMS_get0_content(cms);
534 *pos = os;
535
536 r = 1;
537
538err:
539 if (rct_cont)
540 BIO_free(rct_cont);
541 if (r)
542 return cms;
543 CMS_ContentInfo_free(cms);
544 return NULL;
545}
546
547CMS_ContentInfo *
548CMS_encrypt(STACK_OF(X509) *certs, BIO *data, const EVP_CIPHER *cipher,
549 unsigned int flags)
550{
551 CMS_ContentInfo *cms;
552 int i;
553 X509 *recip;
554
555 cms = CMS_EnvelopedData_create(cipher);
556 if (!cms)
557 goto merr;
558 for (i = 0; i < sk_X509_num(certs); i++) {
559 recip = sk_X509_value(certs, i);
560 if (!CMS_add1_recipient_cert(cms, recip, flags)) {
561 CMSerr(CMS_F_CMS_ENCRYPT, CMS_R_RECIPIENT_ERROR);
562 goto err;
563 }
564 }
565
566 if (!(flags & CMS_DETACHED))
567 CMS_set_detached(cms, 0);
568
569 if ((flags & (CMS_STREAM|CMS_PARTIAL)) ||
570 CMS_final(cms, data, NULL, flags))
571 return cms;
572 else
573 goto err;
574
575merr:
576 CMSerr(CMS_F_CMS_ENCRYPT, ERR_R_MALLOC_FAILURE);
577err:
578 if (cms)
579 CMS_ContentInfo_free(cms);
580 return NULL;
581}
582
583int
584CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
585{
586 STACK_OF(CMS_RecipientInfo) *ris;
587 CMS_RecipientInfo *ri;
588 int i, r;
589 int debug = 0, match_ri = 0;
590
591 ris = CMS_get0_RecipientInfos(cms);
592 if (ris)
593 debug = cms->d.envelopedData->encryptedContentInfo->debug;
594 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
595 ri = sk_CMS_RecipientInfo_value(ris, i);
596 if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
597 continue;
598 match_ri = 1;
599 /* If we have a cert try matching RecipientInfo
600 * otherwise try them all.
601 */
602 if (!cert || (CMS_RecipientInfo_ktri_cert_cmp(ri, cert) == 0)) {
603 CMS_RecipientInfo_set0_pkey(ri, pk);
604 r = CMS_RecipientInfo_decrypt(cms, ri);
605 CMS_RecipientInfo_set0_pkey(ri, NULL);
606 if (cert) {
607 /* If not debugging clear any error and
608 * return success to avoid leaking of
609 * information useful to MMA
610 */
611 if (!debug) {
612 ERR_clear_error();
613 return 1;
614 }
615 if (r > 0)
616 return 1;
617 CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
618 CMS_R_DECRYPT_ERROR);
619 return 0;
620 }
621 /* If no cert and not debugging don't leave loop
622 * after first successful decrypt. Always attempt
623 * to decrypt all recipients to avoid leaking timing
624 * of a successful decrypt.
625 */
626 else if (r > 0 && debug)
627 return 1;
628 }
629 }
630 /* If no cert and not debugging always return success */
631 if (match_ri && !cert && !debug) {
632 ERR_clear_error();
633 return 1;
634 }
635
636 CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
637 return 0;
638}
639
640int
641CMS_decrypt_set1_key(CMS_ContentInfo *cms, unsigned char *key, size_t keylen,
642 unsigned char *id, size_t idlen)
643{
644 STACK_OF(CMS_RecipientInfo) *ris;
645 CMS_RecipientInfo *ri;
646 int i, r;
647
648 ris = CMS_get0_RecipientInfos(cms);
649 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
650 ri = sk_CMS_RecipientInfo_value(ris, i);
651 if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_KEK)
652 continue;
653
654 /* If we have an id try matching RecipientInfo
655 * otherwise try them all.
656 */
657 if (!id ||
658 (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) {
659 CMS_RecipientInfo_set0_key(ri, key, keylen);
660 r = CMS_RecipientInfo_decrypt(cms, ri);
661 CMS_RecipientInfo_set0_key(ri, NULL, 0);
662 if (r > 0)
663 return 1;
664 if (id) {
665 CMSerr(CMS_F_CMS_DECRYPT_SET1_KEY,
666 CMS_R_DECRYPT_ERROR);
667 return 0;
668 }
669 ERR_clear_error();
670 }
671 }
672
673 CMSerr(CMS_F_CMS_DECRYPT_SET1_KEY, CMS_R_NO_MATCHING_RECIPIENT);
674 return 0;
675}
676
677int
678CMS_decrypt_set1_password(CMS_ContentInfo *cms, unsigned char *pass,
679 ssize_t passlen)
680{
681 STACK_OF(CMS_RecipientInfo) *ris;
682 CMS_RecipientInfo *ri;
683 int i, r;
684
685 ris = CMS_get0_RecipientInfos(cms);
686 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
687 ri = sk_CMS_RecipientInfo_value(ris, i);
688 if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS)
689 continue;
690 CMS_RecipientInfo_set0_password(ri, pass, passlen);
691 r = CMS_RecipientInfo_decrypt(cms, ri);
692 CMS_RecipientInfo_set0_password(ri, NULL, 0);
693 if (r > 0)
694 return 1;
695 }
696
697 CMSerr(CMS_F_CMS_DECRYPT_SET1_PASSWORD, CMS_R_NO_MATCHING_RECIPIENT);
698 return 0;
699}
700
701int
702CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, BIO *dcont,
703 BIO *out, unsigned int flags)
704{
705 int r;
706 BIO *cont;
707
708 if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_enveloped) {
709 CMSerr(CMS_F_CMS_DECRYPT, CMS_R_TYPE_NOT_ENVELOPED_DATA);
710 return 0;
711 }
712 if (!dcont && !check_content(cms))
713 return 0;
714 if (flags & CMS_DEBUG_DECRYPT)
715 cms->d.envelopedData->encryptedContentInfo->debug = 1;
716 else
717 cms->d.envelopedData->encryptedContentInfo->debug = 0;
718 if (!pk && !cert && !dcont && !out)
719 return 1;
720 if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
721 return 0;
722 cont = CMS_dataInit(cms, dcont);
723 if (!cont)
724 return 0;
725 r = cms_copy_content(out, cont, flags);
726 do_free_upto(cont, dcont);
727 return r;
728}
729
730int
731CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags)
732{
733 BIO *cmsbio;
734 int ret = 0;
735
736 if (!(cmsbio = CMS_dataInit(cms, dcont))) {
737 CMSerr(CMS_F_CMS_FINAL, ERR_R_MALLOC_FAILURE);
738 return 0;
739 }
740
741 SMIME_crlf_copy(data, cmsbio, flags);
742
743 (void)BIO_flush(cmsbio);
744
745
746 if (!CMS_dataFinal(cms, cmsbio)) {
747 CMSerr(CMS_F_CMS_FINAL, CMS_R_CMS_DATAFINAL_ERROR);
748 goto err;
749 }
750
751 ret = 1;
752
753err:
754 do_free_upto(cmsbio, dcont);
755
756 return ret;
757}
758
759#ifdef ZLIB
760
761int
762CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags)
763{
764 BIO *cont;
765 int r;
766
767 if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_id_smime_ct_compressedData) {
768 CMSerr(CMS_F_CMS_UNCOMPRESS,
769 CMS_R_TYPE_NOT_COMPRESSED_DATA);
770 return 0;
771 }
772
773 if (!dcont && !check_content(cms))
774 return 0;
775
776 cont = CMS_dataInit(cms, dcont);
777 if (!cont)
778 return 0;
779 r = cms_copy_content(out, cont, flags);
780 do_free_upto(cont, dcont);
781 return r;
782}
783
784CMS_ContentInfo *
785CMS_compress(BIO *in, int comp_nid, unsigned int flags)
786{
787 CMS_ContentInfo *cms;
788
789 if (comp_nid <= 0)
790 comp_nid = NID_zlib_compression;
791 cms = cms_CompressedData_create(comp_nid);
792 if (!cms)
793 return NULL;
794
795 if (!(flags & CMS_DETACHED))
796 CMS_set_detached(cms, 0);
797
798 if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags))
799 return cms;
800
801 CMS_ContentInfo_free(cms);
802 return NULL;
803}
804
805#else
806
807int
808CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags)
809{
810 CMSerr(CMS_F_CMS_UNCOMPRESS, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
811 return 0;
812}
813
814CMS_ContentInfo *
815CMS_compress(BIO *in, int comp_nid, unsigned int flags)
816{
817 CMSerr(CMS_F_CMS_COMPRESS, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
818 return NULL;
819}
820
821#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 18:15:56 +0000