summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/cms/cms_env.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/cms/cms_env.c')
-rw-r--r--src/lib/libcrypto/cms/cms_env.c572
1 files changed, 259 insertions, 313 deletions
diff --git a/src/lib/libcrypto/cms/cms_env.c b/src/lib/libcrypto/cms/cms_env.c
index 5e6e7033b2..a274e26226 100644
--- a/src/lib/libcrypto/cms/cms_env.c
+++ b/src/lib/libcrypto/cms/cms_env.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -71,56 +71,59 @@ DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute)
71 71
72DECLARE_STACK_OF(CMS_RecipientInfo) 72DECLARE_STACK_OF(CMS_RecipientInfo)
73 73
74CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms) 74CMS_EnvelopedData *
75 { 75cms_get0_enveloped(CMS_ContentInfo *cms)
76 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) 76{
77 { 77 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
78 CMSerr(CMS_F_CMS_GET0_ENVELOPED, 78 CMSerr(CMS_F_CMS_GET0_ENVELOPED,
79 CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA); 79 CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
80 return NULL; 80 return NULL;
81 }
82 return cms->d.envelopedData;
83 } 81 }
82 return cms->d.envelopedData;
83}
84 84
85static CMS_EnvelopedData *cms_enveloped_data_init(CMS_ContentInfo *cms) 85static CMS_EnvelopedData *
86 { 86cms_enveloped_data_init(CMS_ContentInfo *cms)
87 if (cms->d.other == NULL) 87{
88 { 88 if (cms->d.other == NULL) {
89 cms->d.envelopedData = M_ASN1_new_of(CMS_EnvelopedData); 89 cms->d.envelopedData = M_ASN1_new_of(CMS_EnvelopedData);
90 if (!cms->d.envelopedData) 90 if (!cms->d.envelopedData) {
91 {
92 CMSerr(CMS_F_CMS_ENVELOPED_DATA_INIT, 91 CMSerr(CMS_F_CMS_ENVELOPED_DATA_INIT,
93 ERR_R_MALLOC_FAILURE); 92 ERR_R_MALLOC_FAILURE);
94 return NULL; 93 return NULL;
95 } 94 }
96 cms->d.envelopedData->version = 0; 95 cms->d.envelopedData->version = 0;
97 cms->d.envelopedData->encryptedContentInfo->contentType = 96 cms->d.envelopedData->encryptedContentInfo->contentType =
98 OBJ_nid2obj(NID_pkcs7_data); 97 OBJ_nid2obj(NID_pkcs7_data);
99 ASN1_OBJECT_free(cms->contentType); 98 ASN1_OBJECT_free(cms->contentType);
100 cms->contentType = OBJ_nid2obj(NID_pkcs7_enveloped); 99 cms->contentType = OBJ_nid2obj(NID_pkcs7_enveloped);
101 return cms->d.envelopedData; 100 return cms->d.envelopedData;
102 }
103 return cms_get0_enveloped(cms);
104 } 101 }
102 return cms_get0_enveloped(cms);
103}
105 104
106STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms) 105STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms)
107 { 106{
108 CMS_EnvelopedData *env; 107 CMS_EnvelopedData *env;
108
109 env = cms_get0_enveloped(cms); 109 env = cms_get0_enveloped(cms);
110 if (!env) 110 if (!env)
111 return NULL; 111 return NULL;
112 return env->recipientInfos; 112 return env->recipientInfos;
113 } 113}
114 114
115int CMS_RecipientInfo_type(CMS_RecipientInfo *ri) 115int
116 { 116CMS_RecipientInfo_type(CMS_RecipientInfo *ri)
117{
117 return ri->type; 118 return ri->type;
118 } 119}
119 120
120CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher) 121CMS_ContentInfo *
121 { 122CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
123{
122 CMS_ContentInfo *cms; 124 CMS_ContentInfo *cms;
123 CMS_EnvelopedData *env; 125 CMS_EnvelopedData *env;
126
124 cms = CMS_ContentInfo_new(); 127 cms = CMS_ContentInfo_new();
125 if (!cms) 128 if (!cms)
126 goto merr; 129 goto merr;
@@ -128,15 +131,16 @@ CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
128 if (!env) 131 if (!env)
129 goto merr; 132 goto merr;
130 if (!cms_EncryptedContent_init(env->encryptedContentInfo, 133 if (!cms_EncryptedContent_init(env->encryptedContentInfo,
131 cipher, NULL, 0)) 134 cipher, NULL, 0))
132 goto merr; 135 goto merr;
133 return cms; 136 return cms;
134 merr: 137
138merr:
135 if (cms) 139 if (cms)
136 CMS_ContentInfo_free(cms); 140 CMS_ContentInfo_free(cms);
137 CMSerr(CMS_F_CMS_ENVELOPEDDATA_CREATE, ERR_R_MALLOC_FAILURE); 141 CMSerr(CMS_F_CMS_ENVELOPEDDATA_CREATE, ERR_R_MALLOC_FAILURE);
138 return NULL; 142 return NULL;
139 } 143}
140 144
141/* Key Transport Recipient Info (KTRI) routines */ 145/* Key Transport Recipient Info (KTRI) routines */
142 146
@@ -144,14 +148,15 @@ CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
144 * If we ever handle key agreement will need updating. 148 * If we ever handle key agreement will need updating.
145 */ 149 */
146 150
147CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, 151CMS_RecipientInfo *
148 X509 *recip, unsigned int flags) 152CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip, unsigned int flags)
149 { 153{
150 CMS_RecipientInfo *ri = NULL; 154 CMS_RecipientInfo *ri = NULL;
151 CMS_KeyTransRecipientInfo *ktri; 155 CMS_KeyTransRecipientInfo *ktri;
152 CMS_EnvelopedData *env; 156 CMS_EnvelopedData *env;
153 EVP_PKEY *pk = NULL; 157 EVP_PKEY *pk = NULL;
154 int i, type; 158 int i, type;
159
155 env = cms_get0_enveloped(cms); 160 env = cms_get0_enveloped(cms);
156 if (!env) 161 if (!env)
157 goto err; 162 goto err;
@@ -172,26 +177,22 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
172 177
173 X509_check_purpose(recip, -1, -1); 178 X509_check_purpose(recip, -1, -1);
174 pk = X509_get_pubkey(recip); 179 pk = X509_get_pubkey(recip);
175 if (!pk) 180 if (!pk) {
176 {
177 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, 181 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
178 CMS_R_ERROR_GETTING_PUBLIC_KEY); 182 CMS_R_ERROR_GETTING_PUBLIC_KEY);
179 goto err; 183 goto err;
180 } 184 }
181 CRYPTO_add(&recip->references, 1, CRYPTO_LOCK_X509); 185 CRYPTO_add(&recip->references, 1, CRYPTO_LOCK_X509);
182 ktri->pkey = pk; 186 ktri->pkey = pk;
183 ktri->recip = recip; 187 ktri->recip = recip;
184 188
185 if (flags & CMS_USE_KEYID) 189 if (flags & CMS_USE_KEYID) {
186 {
187 ktri->version = 2; 190 ktri->version = 2;
188 type = CMS_RECIPINFO_KEYIDENTIFIER; 191 type = CMS_RECIPINFO_KEYIDENTIFIER;
189 } 192 } else {
190 else
191 {
192 ktri->version = 0; 193 ktri->version = 0;
193 type = CMS_RECIPINFO_ISSUER_SERIAL; 194 type = CMS_RECIPINFO_ISSUER_SERIAL;
194 } 195 }
195 196
196 /* Not a typo: RecipientIdentifier and SignerIdentifier are the 197 /* Not a typo: RecipientIdentifier and SignerIdentifier are the
197 * same structure. 198 * same structure.
@@ -200,49 +201,45 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
200 if (!cms_set1_SignerIdentifier(ktri->rid, recip, type)) 201 if (!cms_set1_SignerIdentifier(ktri->rid, recip, type))
201 goto err; 202 goto err;
202 203
203 if (pk->ameth && pk->ameth->pkey_ctrl) 204 if (pk->ameth && pk->ameth->pkey_ctrl) {
204 {
205 i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_ENVELOPE, 205 i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_ENVELOPE,
206 0, ri); 206 0, ri);
207 if (i == -2) 207 if (i == -2) {
208 {
209 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, 208 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
210 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); 209 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
211 goto err; 210 goto err;
212 } 211 }
213 if (i <= 0) 212 if (i <= 0) {
214 {
215 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, 213 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
216 CMS_R_CTRL_FAILURE); 214 CMS_R_CTRL_FAILURE);
217 goto err; 215 goto err;
218 }
219 } 216 }
217 }
220 218
221 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) 219 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
222 goto merr; 220 goto merr;
223 221
224 return ri; 222 return ri;
225 223
226 merr: 224merr:
227 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE); 225 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE);
228 err: 226err:
229 if (ri) 227 if (ri)
230 M_ASN1_free_of(ri, CMS_RecipientInfo); 228 M_ASN1_free_of(ri, CMS_RecipientInfo);
231 return NULL; 229 return NULL;
230}
232 231
233 } 232int
234 233CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri, EVP_PKEY **pk,
235int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri, 234 X509 **recip, X509_ALGOR **palg)
236 EVP_PKEY **pk, X509 **recip, 235{
237 X509_ALGOR **palg)
238 {
239 CMS_KeyTransRecipientInfo *ktri; 236 CMS_KeyTransRecipientInfo *ktri;
240 if (ri->type != CMS_RECIPINFO_TRANS) 237
241 { 238 if (ri->type != CMS_RECIPINFO_TRANS) {
242 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS, 239 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS,
243 CMS_R_NOT_KEY_TRANSPORT); 240 CMS_R_NOT_KEY_TRANSPORT);
244 return 0; 241 return 0;
245 } 242 }
246 243
247 ktri = ri->d.ktri; 244 ktri = ri->d.ktri;
248 245
@@ -253,53 +250,53 @@ int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
253 if (palg) 250 if (palg)
254 *palg = ktri->keyEncryptionAlgorithm; 251 *palg = ktri->keyEncryptionAlgorithm;
255 return 1; 252 return 1;
256 } 253}
257 254
258int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, 255int
259 ASN1_OCTET_STRING **keyid, 256CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri,
260 X509_NAME **issuer, ASN1_INTEGER **sno) 257 ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno)
261 { 258{
262 CMS_KeyTransRecipientInfo *ktri; 259 CMS_KeyTransRecipientInfo *ktri;
263 if (ri->type != CMS_RECIPINFO_TRANS) 260
264 { 261 if (ri->type != CMS_RECIPINFO_TRANS) {
265 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID, 262 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID,
266 CMS_R_NOT_KEY_TRANSPORT); 263 CMS_R_NOT_KEY_TRANSPORT);
267 return 0; 264 return 0;
268 } 265 }
269 ktri = ri->d.ktri; 266 ktri = ri->d.ktri;
270 267
271 return cms_SignerIdentifier_get0_signer_id(ktri->rid, 268 return cms_SignerIdentifier_get0_signer_id(ktri->rid, keyid,
272 keyid, issuer, sno); 269 issuer, sno);
273 } 270}
274 271
275int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert) 272int
276 { 273CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert)
277 if (ri->type != CMS_RECIPINFO_TRANS) 274{
278 { 275 if (ri->type != CMS_RECIPINFO_TRANS) {
279 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP, 276 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP,
280 CMS_R_NOT_KEY_TRANSPORT); 277 CMS_R_NOT_KEY_TRANSPORT);
281 return -2; 278 return -2;
282 }
283 return cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert);
284 } 279 }
280 return cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert);
281}
285 282
286int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey) 283int
287 { 284CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey)
288 if (ri->type != CMS_RECIPINFO_TRANS) 285{
289 { 286 if (ri->type != CMS_RECIPINFO_TRANS) {
290 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY, 287 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY,
291 CMS_R_NOT_KEY_TRANSPORT); 288 CMS_R_NOT_KEY_TRANSPORT);
292 return 0; 289 return 0;
293 } 290 }
294 ri->d.ktri->pkey = pkey; 291 ri->d.ktri->pkey = pkey;
295 return 1; 292 return 1;
296 } 293}
297 294
298/* Encrypt content key in key transport recipient info */ 295/* Encrypt content key in key transport recipient info */
299 296
300static int cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms, 297static int
301 CMS_RecipientInfo *ri) 298cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
302 { 299{
303 CMS_KeyTransRecipientInfo *ktri; 300 CMS_KeyTransRecipientInfo *ktri;
304 CMS_EncryptedContentInfo *ec; 301 CMS_EncryptedContentInfo *ec;
305 EVP_PKEY_CTX *pctx = NULL; 302 EVP_PKEY_CTX *pctx = NULL;
@@ -308,12 +305,11 @@ static int cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms,
308 305
309 int ret = 0; 306 int ret = 0;
310 307
311 if (ri->type != CMS_RECIPINFO_TRANS) 308 if (ri->type != CMS_RECIPINFO_TRANS) {
312 {
313 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, 309 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT,
314 CMS_R_NOT_KEY_TRANSPORT); 310 CMS_R_NOT_KEY_TRANSPORT);
315 return 0; 311 return 0;
316 } 312 }
317 ktri = ri->d.ktri; 313 ktri = ri->d.ktri;
318 ec = cms->d.envelopedData->encryptedContentInfo; 314 ec = cms->d.envelopedData->encryptedContentInfo;
319 315
@@ -325,23 +321,21 @@ static int cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms,
325 goto err; 321 goto err;
326 322
327 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, 323 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
328 EVP_PKEY_CTRL_CMS_ENCRYPT, 0, ri) <= 0) 324 EVP_PKEY_CTRL_CMS_ENCRYPT, 0, ri) <= 0) {
329 {
330 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, CMS_R_CTRL_ERROR); 325 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, CMS_R_CTRL_ERROR);
331 goto err; 326 goto err;
332 } 327 }
333 328
334 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0) 329 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
335 goto err; 330 goto err;
336 331
337 ek = malloc(eklen); 332 ek = malloc(eklen);
338 333
339 if (ek == NULL) 334 if (ek == NULL) {
340 {
341 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, 335 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT,
342 ERR_R_MALLOC_FAILURE); 336 ERR_R_MALLOC_FAILURE);
343 goto err; 337 goto err;
344 } 338 }
345 339
346 if (EVP_PKEY_encrypt(pctx, ek, &eklen, ec->key, ec->keylen) <= 0) 340 if (EVP_PKEY_encrypt(pctx, ek, &eklen, ec->key, ec->keylen) <= 0)
347 goto err; 341 goto err;
@@ -351,33 +345,32 @@ static int cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms,
351 345
352 ret = 1; 346 ret = 1;
353 347
354 err: 348err:
355 if (pctx) 349 if (pctx)
356 EVP_PKEY_CTX_free(pctx); 350 EVP_PKEY_CTX_free(pctx);
357 free(ek); 351 free(ek);
358 return ret; 352 return ret;
359 353}
360 }
361 354
362/* Decrypt content key from KTRI */ 355/* Decrypt content key from KTRI */
363 356
364static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, 357static int
365 CMS_RecipientInfo *ri) 358cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
366 { 359{
367 CMS_KeyTransRecipientInfo *ktri = ri->d.ktri; 360 CMS_KeyTransRecipientInfo *ktri = ri->d.ktri;
368 EVP_PKEY_CTX *pctx = NULL; 361 EVP_PKEY_CTX *pctx = NULL;
369 unsigned char *ek = NULL; 362 unsigned char *ek = NULL;
370 size_t eklen; 363 size_t eklen;
371 int ret = 0; 364 int ret = 0;
372 CMS_EncryptedContentInfo *ec; 365 CMS_EncryptedContentInfo *ec;
366
373 ec = cms->d.envelopedData->encryptedContentInfo; 367 ec = cms->d.envelopedData->encryptedContentInfo;
374 368
375 if (ktri->pkey == NULL) 369 if (ktri->pkey == NULL) {
376 {
377 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, 370 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT,
378 CMS_R_NO_PRIVATE_KEY); 371 CMS_R_NO_PRIVATE_KEY);
379 return 0; 372 return 0;
380 } 373 }
381 374
382 pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL); 375 pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL);
383 if (!pctx) 376 if (!pctx)
@@ -387,152 +380,134 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
387 goto err; 380 goto err;
388 381
389 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, 382 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT,
390 EVP_PKEY_CTRL_CMS_DECRYPT, 0, ri) <= 0) 383 EVP_PKEY_CTRL_CMS_DECRYPT, 0, ri) <= 0) {
391 {
392 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CTRL_ERROR); 384 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CTRL_ERROR);
393 goto err; 385 goto err;
394 } 386 }
395 387
396 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, 388 if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
397 ktri->encryptedKey->data, 389 ktri->encryptedKey->data,
398 ktri->encryptedKey->length) <= 0) 390 ktri->encryptedKey->length) <= 0)
399 goto err; 391 goto err;
400 392
401 ek = malloc(eklen); 393 ek = malloc(eklen);
402 394
403 if (ek == NULL) 395 if (ek == NULL) {
404 {
405 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, 396 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT,
406 ERR_R_MALLOC_FAILURE); 397 ERR_R_MALLOC_FAILURE);
407 goto err; 398 goto err;
408 } 399 }
409 400
410 if (EVP_PKEY_decrypt(pctx, ek, &eklen, 401 if (EVP_PKEY_decrypt(pctx, ek, &eklen,
411 ktri->encryptedKey->data, 402 ktri->encryptedKey->data,
412 ktri->encryptedKey->length) <= 0) 403 ktri->encryptedKey->length) <= 0) {
413 {
414 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB); 404 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
415 goto err; 405 goto err;
416 } 406 }
417 407
418 ret = 1; 408 ret = 1;
419 409
420 if (ec->key) 410 if (ec->key) {
421 {
422 OPENSSL_cleanse(ec->key, ec->keylen); 411 OPENSSL_cleanse(ec->key, ec->keylen);
423 free(ec->key); 412 free(ec->key);
424 } 413 }
425 414
426 ec->key = ek; 415 ec->key = ek;
427 ec->keylen = eklen; 416 ec->keylen = eklen;
428 417
429 err: 418err:
430 if (pctx) 419 if (pctx)
431 EVP_PKEY_CTX_free(pctx); 420 EVP_PKEY_CTX_free(pctx);
432 if (!ret && ek) 421 if (!ret && ek)
433 free(ek); 422 free(ek);
434 423
435 return ret; 424 return ret;
436 } 425}
437 426
438/* Key Encrypted Key (KEK) RecipientInfo routines */ 427/* Key Encrypted Key (KEK) RecipientInfo routines */
439 428
440int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, 429int
441 const unsigned char *id, size_t idlen) 430CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, const unsigned char *id,
442 { 431 size_t idlen)
432{
443 ASN1_OCTET_STRING tmp_os; 433 ASN1_OCTET_STRING tmp_os;
444 CMS_KEKRecipientInfo *kekri; 434 CMS_KEKRecipientInfo *kekri;
445 if (ri->type != CMS_RECIPINFO_KEK) 435
446 { 436 if (ri->type != CMS_RECIPINFO_KEK) {
447 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP, CMS_R_NOT_KEK); 437 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP, CMS_R_NOT_KEK);
448 return -2; 438 return -2;
449 } 439 }
450 kekri = ri->d.kekri; 440 kekri = ri->d.kekri;
451 tmp_os.type = V_ASN1_OCTET_STRING; 441 tmp_os.type = V_ASN1_OCTET_STRING;
452 tmp_os.flags = 0; 442 tmp_os.flags = 0;
453 tmp_os.data = (unsigned char *)id; 443 tmp_os.data = (unsigned char *)id;
454 tmp_os.length = (int)idlen; 444 tmp_os.length = (int)idlen;
455 return ASN1_OCTET_STRING_cmp(&tmp_os, kekri->kekid->keyIdentifier); 445 return ASN1_OCTET_STRING_cmp(&tmp_os, kekri->kekid->keyIdentifier);
456 } 446}
457 447
458/* For now hard code AES key wrap info */ 448/* For now hard code AES key wrap info */
459 449
460static size_t aes_wrap_keylen(int nid) 450static size_t
461 { 451aes_wrap_keylen(int nid)
462 switch (nid) 452{
463 { 453 switch (nid) {
464 case NID_id_aes128_wrap: 454 case NID_id_aes128_wrap:
465 return 16; 455 return 16;
466 456 case NID_id_aes192_wrap:
467 case NID_id_aes192_wrap: 457 return 24;
468 return 24; 458 case NID_id_aes256_wrap:
469 459 return 32;
470 case NID_id_aes256_wrap: 460 default:
471 return 32;
472
473 default:
474 return 0; 461 return 0;
475 }
476 } 462 }
463}
477 464
478CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, 465CMS_RecipientInfo *
479 unsigned char *key, size_t keylen, 466CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, unsigned char *key,
480 unsigned char *id, size_t idlen, 467 size_t keylen, unsigned char *id, size_t idlen, ASN1_GENERALIZEDTIME *date,
481 ASN1_GENERALIZEDTIME *date, 468 ASN1_OBJECT *otherTypeId, ASN1_TYPE *otherType)
482 ASN1_OBJECT *otherTypeId, 469{
483 ASN1_TYPE *otherType)
484 {
485 CMS_RecipientInfo *ri = NULL; 470 CMS_RecipientInfo *ri = NULL;
486 CMS_EnvelopedData *env; 471 CMS_EnvelopedData *env;
487 CMS_KEKRecipientInfo *kekri; 472 CMS_KEKRecipientInfo *kekri;
473
488 env = cms_get0_enveloped(cms); 474 env = cms_get0_enveloped(cms);
489 if (!env) 475 if (!env)
490 goto err; 476 goto err;
491 477
492 if (nid == NID_undef) 478 if (nid == NID_undef) {
493 { 479 switch (keylen) {
494 switch (keylen) 480 case 16:
495 {
496 case 16:
497 nid = NID_id_aes128_wrap; 481 nid = NID_id_aes128_wrap;
498 break; 482 break;
499 483 case 24:
500 case 24:
501 nid = NID_id_aes192_wrap; 484 nid = NID_id_aes192_wrap;
502 break; 485 break;
503 486 case 32:
504 case 32:
505 nid = NID_id_aes256_wrap; 487 nid = NID_id_aes256_wrap;
506 break; 488 break;
507 489 default:
508 default:
509 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, 490 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY,
510 CMS_R_INVALID_KEY_LENGTH); 491 CMS_R_INVALID_KEY_LENGTH);
511 goto err; 492 goto err;
512 }
513
514 } 493 }
515 else 494 } else {
516 {
517
518 size_t exp_keylen = aes_wrap_keylen(nid); 495 size_t exp_keylen = aes_wrap_keylen(nid);
519 496
520 if (!exp_keylen) 497 if (!exp_keylen) {
521 {
522 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, 498 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY,
523 CMS_R_UNSUPPORTED_KEK_ALGORITHM); 499 CMS_R_UNSUPPORTED_KEK_ALGORITHM);
524 goto err; 500 goto err;
525 } 501 }
526 502
527 if (keylen != exp_keylen) 503 if (keylen != exp_keylen) {
528 {
529 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, 504 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY,
530 CMS_R_INVALID_KEY_LENGTH); 505 CMS_R_INVALID_KEY_LENGTH);
531 goto err; 506 goto err;
532 }
533
534 } 507 }
535 508
509 }
510
536 /* Initialize recipient info */ 511 /* Initialize recipient info */
537 ri = M_ASN1_new_of(CMS_RecipientInfo); 512 ri = M_ASN1_new_of(CMS_RecipientInfo);
538 if (!ri) 513 if (!ri)
@@ -545,17 +520,15 @@ CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
545 520
546 kekri = ri->d.kekri; 521 kekri = ri->d.kekri;
547 522
548 if (otherTypeId) 523 if (otherTypeId) {
549 {
550 kekri->kekid->other = M_ASN1_new_of(CMS_OtherKeyAttribute); 524 kekri->kekid->other = M_ASN1_new_of(CMS_OtherKeyAttribute);
551 if (kekri->kekid->other == NULL) 525 if (kekri->kekid->other == NULL)
552 goto merr; 526 goto merr;
553 } 527 }
554 528
555 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) 529 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
556 goto merr; 530 goto merr;
557 531
558
559 /* After this point no calls can fail */ 532 /* After this point no calls can fail */
560 533
561 kekri->version = 4; 534 kekri->version = 4;
@@ -567,85 +540,79 @@ CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
567 540
568 kekri->kekid->date = date; 541 kekri->kekid->date = date;
569 542
570 if (kekri->kekid->other) 543 if (kekri->kekid->other) {
571 {
572 kekri->kekid->other->keyAttrId = otherTypeId; 544 kekri->kekid->other->keyAttrId = otherTypeId;
573 kekri->kekid->other->keyAttr = otherType; 545 kekri->kekid->other->keyAttr = otherType;
574 } 546 }
575 547
576 X509_ALGOR_set0(kekri->keyEncryptionAlgorithm, 548 X509_ALGOR_set0(kekri->keyEncryptionAlgorithm,
577 OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL); 549 OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL);
578 550
579 return ri; 551 return ri;
580 552
581 merr: 553merr:
582 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, ERR_R_MALLOC_FAILURE); 554 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, ERR_R_MALLOC_FAILURE);
583 err: 555err:
584 if (ri) 556 if (ri)
585 M_ASN1_free_of(ri, CMS_RecipientInfo); 557 M_ASN1_free_of(ri, CMS_RecipientInfo);
586 return NULL; 558 return NULL;
559}
587 560
588 } 561int
589 562CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg,
590int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, 563 ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate,
591 X509_ALGOR **palg, 564 ASN1_OBJECT **potherid, ASN1_TYPE **pothertype)
592 ASN1_OCTET_STRING **pid, 565{
593 ASN1_GENERALIZEDTIME **pdate,
594 ASN1_OBJECT **potherid,
595 ASN1_TYPE **pothertype)
596 {
597 CMS_KEKIdentifier *rkid; 566 CMS_KEKIdentifier *rkid;
598 if (ri->type != CMS_RECIPINFO_KEK) 567
599 { 568 if (ri->type != CMS_RECIPINFO_KEK) {
600 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID, CMS_R_NOT_KEK); 569 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID, CMS_R_NOT_KEK);
601 return 0; 570 return 0;
602 } 571 }
603 rkid = ri->d.kekri->kekid; 572 rkid = ri->d.kekri->kekid;
604 if (palg) 573 if (palg)
605 *palg = ri->d.kekri->keyEncryptionAlgorithm; 574 *palg = ri->d.kekri->keyEncryptionAlgorithm;
606 if (pid) 575 if (pid)
607 *pid = rkid->keyIdentifier; 576 *pid = rkid->keyIdentifier;
608 if (pdate) 577 if (pdate)
609 *pdate = rkid->date; 578 *pdate = rkid->date;
610 if (potherid) 579 if (potherid) {
611 {
612 if (rkid->other) 580 if (rkid->other)
613 *potherid = rkid->other->keyAttrId; 581 *potherid = rkid->other->keyAttrId;
614 else 582 else
615 *potherid = NULL; 583 *potherid = NULL;
616 } 584 }
617 if (pothertype) 585 if (pothertype) {
618 {
619 if (rkid->other) 586 if (rkid->other)
620 *pothertype = rkid->other->keyAttr; 587 *pothertype = rkid->other->keyAttr;
621 else 588 else
622 *pothertype = NULL; 589 *pothertype = NULL;
623 }
624 return 1;
625 } 590 }
591 return 1;
592}
626 593
627int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, 594int
628 unsigned char *key, size_t keylen) 595CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key,
629 { 596 size_t keylen)
597{
630 CMS_KEKRecipientInfo *kekri; 598 CMS_KEKRecipientInfo *kekri;
631 if (ri->type != CMS_RECIPINFO_KEK) 599
632 { 600 if (ri->type != CMS_RECIPINFO_KEK) {
633 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY, CMS_R_NOT_KEK); 601 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY, CMS_R_NOT_KEK);
634 return 0; 602 return 0;
635 } 603 }
636 604
637 kekri = ri->d.kekri; 605 kekri = ri->d.kekri;
638 kekri->key = key; 606 kekri->key = key;
639 kekri->keylen = keylen; 607 kekri->keylen = keylen;
640 return 1; 608 return 1;
641 } 609}
642
643 610
644/* Encrypt content key in KEK recipient info */ 611/* Encrypt content key in KEK recipient info */
645 612
646static int cms_RecipientInfo_kekri_encrypt(CMS_ContentInfo *cms, 613static int
647 CMS_RecipientInfo *ri) 614cms_RecipientInfo_kekri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
648 { 615{
649 CMS_EncryptedContentInfo *ec; 616 CMS_EncryptedContentInfo *ec;
650 CMS_KEKRecipientInfo *kekri; 617 CMS_KEKRecipientInfo *kekri;
651 AES_KEY actx; 618 AES_KEY actx;
@@ -657,55 +624,49 @@ static int cms_RecipientInfo_kekri_encrypt(CMS_ContentInfo *cms,
657 624
658 kekri = ri->d.kekri; 625 kekri = ri->d.kekri;
659 626
660 if (!kekri->key) 627 if (!kekri->key) {
661 {
662 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_NO_KEY); 628 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_NO_KEY);
663 return 0; 629 return 0;
664 } 630 }
665 631
666 if (AES_set_encrypt_key(kekri->key, kekri->keylen << 3, &actx)) 632 if (AES_set_encrypt_key(kekri->key, kekri->keylen << 3, &actx)) {
667 {
668 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, 633 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT,
669 CMS_R_ERROR_SETTING_KEY); 634 CMS_R_ERROR_SETTING_KEY);
670 goto err; 635 goto err;
671 } 636 }
672 637
673 wkey = malloc(ec->keylen + 8); 638 wkey = malloc(ec->keylen + 8);
674 639
675 if (!wkey) 640 if (!wkey) {
676 {
677 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, 641 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT,
678 ERR_R_MALLOC_FAILURE); 642 ERR_R_MALLOC_FAILURE);
679 goto err; 643 goto err;
680 } 644 }
681 645
682 wkeylen = AES_wrap_key(&actx, NULL, wkey, ec->key, ec->keylen); 646 wkeylen = AES_wrap_key(&actx, NULL, wkey, ec->key, ec->keylen);
683 647
684 if (wkeylen <= 0) 648 if (wkeylen <= 0) {
685 {
686 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_WRAP_ERROR); 649 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_WRAP_ERROR);
687 goto err; 650 goto err;
688 } 651 }
689 652
690 ASN1_STRING_set0(kekri->encryptedKey, wkey, wkeylen); 653 ASN1_STRING_set0(kekri->encryptedKey, wkey, wkeylen);
691 654
692 r = 1; 655 r = 1;
693 656
694 err: 657err:
695
696 if (!r && wkey) 658 if (!r && wkey)
697 free(wkey); 659 free(wkey);
698 OPENSSL_cleanse(&actx, sizeof(actx)); 660 OPENSSL_cleanse(&actx, sizeof(actx));
699 661
700 return r; 662 return r;
701 663}
702 }
703 664
704/* Decrypt content key in KEK recipient info */ 665/* Decrypt content key in KEK recipient info */
705 666
706static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, 667static int
707 CMS_RecipientInfo *ri) 668cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
708 { 669{
709 CMS_EncryptedContentInfo *ec; 670 CMS_EncryptedContentInfo *ec;
710 CMS_KEKRecipientInfo *kekri; 671 CMS_KEKRecipientInfo *kekri;
711 AES_KEY actx; 672 AES_KEY actx;
@@ -717,93 +678,83 @@ static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms,
717 678
718 kekri = ri->d.kekri; 679 kekri = ri->d.kekri;
719 680
720 if (!kekri->key) 681 if (!kekri->key) {
721 {
722 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, CMS_R_NO_KEY); 682 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, CMS_R_NO_KEY);
723 return 0; 683 return 0;
724 } 684 }
725 685
726 wrap_nid = OBJ_obj2nid(kekri->keyEncryptionAlgorithm->algorithm); 686 wrap_nid = OBJ_obj2nid(kekri->keyEncryptionAlgorithm->algorithm);
727 if (aes_wrap_keylen(wrap_nid) != kekri->keylen) 687 if (aes_wrap_keylen(wrap_nid) != kekri->keylen) {
728 {
729 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, 688 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
730 CMS_R_INVALID_KEY_LENGTH); 689 CMS_R_INVALID_KEY_LENGTH);
731 return 0; 690 return 0;
732 } 691 }
733 692
734 /* If encrypted key length is invalid don't bother */ 693 /* If encrypted key length is invalid don't bother */
735 694
736 if (kekri->encryptedKey->length < 16) 695 if (kekri->encryptedKey->length < 16) {
737 {
738 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, 696 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
739 CMS_R_INVALID_ENCRYPTED_KEY_LENGTH); 697 CMS_R_INVALID_ENCRYPTED_KEY_LENGTH);
740 goto err; 698 goto err;
741 } 699 }
742 700
743 if (AES_set_decrypt_key(kekri->key, kekri->keylen << 3, &actx)) 701 if (AES_set_decrypt_key(kekri->key, kekri->keylen << 3, &actx)) {
744 {
745 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, 702 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
746 CMS_R_ERROR_SETTING_KEY); 703 CMS_R_ERROR_SETTING_KEY);
747 goto err; 704 goto err;
748 } 705 }
749 706
750 ukey = malloc(kekri->encryptedKey->length - 8); 707 ukey = malloc(kekri->encryptedKey->length - 8);
751 708
752 if (!ukey) 709 if (!ukey) {
753 {
754 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, 710 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
755 ERR_R_MALLOC_FAILURE); 711 ERR_R_MALLOC_FAILURE);
756 goto err; 712 goto err;
757 } 713 }
758 714
759 ukeylen = AES_unwrap_key(&actx, NULL, ukey, 715 ukeylen = AES_unwrap_key(&actx, NULL, ukey,
760 kekri->encryptedKey->data, 716 kekri->encryptedKey->data,
761 kekri->encryptedKey->length); 717 kekri->encryptedKey->length);
762 718
763 if (ukeylen <= 0) 719 if (ukeylen <= 0) {
764 {
765 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, 720 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
766 CMS_R_UNWRAP_ERROR); 721 CMS_R_UNWRAP_ERROR);
767 goto err; 722 goto err;
768 } 723 }
769 724
770 ec->key = ukey; 725 ec->key = ukey;
771 ec->keylen = ukeylen; 726 ec->keylen = ukeylen;
772 727
773 r = 1; 728 r = 1;
774 729
775 err: 730err:
776
777 if (!r && ukey) 731 if (!r && ukey)
778 free(ukey); 732 free(ukey);
779 OPENSSL_cleanse(&actx, sizeof(actx)); 733 OPENSSL_cleanse(&actx, sizeof(actx));
780 734
781 return r; 735 return r;
736}
782 737
783 } 738int
784 739CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
785int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) 740{
786 { 741 switch (ri->type) {
787 switch(ri->type) 742 case CMS_RECIPINFO_TRANS:
788 {
789 case CMS_RECIPINFO_TRANS:
790 return cms_RecipientInfo_ktri_decrypt(cms, ri); 743 return cms_RecipientInfo_ktri_decrypt(cms, ri);
791 744 case CMS_RECIPINFO_KEK:
792 case CMS_RECIPINFO_KEK:
793 return cms_RecipientInfo_kekri_decrypt(cms, ri); 745 return cms_RecipientInfo_kekri_decrypt(cms, ri);
794 746 case CMS_RECIPINFO_PASS:
795 case CMS_RECIPINFO_PASS:
796 return cms_RecipientInfo_pwri_crypt(cms, ri, 0); 747 return cms_RecipientInfo_pwri_crypt(cms, ri, 0);
797 748 default:
798 default:
799 CMSerr(CMS_F_CMS_RECIPIENTINFO_DECRYPT, 749 CMSerr(CMS_F_CMS_RECIPIENTINFO_DECRYPT,
800 CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE); 750 CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE);
801 return 0; 751 return 0;
802 }
803 } 752 }
753}
804 754
805BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms) 755BIO *
806 { 756cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
757{
807 CMS_EncryptedContentInfo *ec; 758 CMS_EncryptedContentInfo *ec;
808 STACK_OF(CMS_RecipientInfo) *rinfos; 759 STACK_OF(CMS_RecipientInfo) *rinfos;
809 CMS_RecipientInfo *ri; 760 CMS_RecipientInfo *ri;
@@ -824,52 +775,47 @@ BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
824 775
825 rinfos = cms->d.envelopedData->recipientInfos; 776 rinfos = cms->d.envelopedData->recipientInfos;
826 777
827 for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) 778 for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
828 {
829 ri = sk_CMS_RecipientInfo_value(rinfos, i); 779 ri = sk_CMS_RecipientInfo_value(rinfos, i);
830 780
831 switch (ri->type) 781 switch (ri->type) {
832 { 782 case CMS_RECIPINFO_TRANS:
833 case CMS_RECIPINFO_TRANS:
834 r = cms_RecipientInfo_ktri_encrypt(cms, ri); 783 r = cms_RecipientInfo_ktri_encrypt(cms, ri);
835 break; 784 break;
836 785
837 case CMS_RECIPINFO_KEK: 786 case CMS_RECIPINFO_KEK:
838 r = cms_RecipientInfo_kekri_encrypt(cms, ri); 787 r = cms_RecipientInfo_kekri_encrypt(cms, ri);
839 break; 788 break;
840 789
841 case CMS_RECIPINFO_PASS: 790 case CMS_RECIPINFO_PASS:
842 r = cms_RecipientInfo_pwri_crypt(cms, ri, 1); 791 r = cms_RecipientInfo_pwri_crypt(cms, ri, 1);
843 break; 792 break;
844 793
845 default: 794 default:
846 CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO, 795 CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
847 CMS_R_UNSUPPORTED_RECIPIENT_TYPE); 796 CMS_R_UNSUPPORTED_RECIPIENT_TYPE);
848 goto err; 797 goto err;
849 } 798 }
850 799
851 if (r <= 0) 800 if (r <= 0) {
852 {
853 CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO, 801 CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
854 CMS_R_ERROR_SETTING_RECIPIENTINFO); 802 CMS_R_ERROR_SETTING_RECIPIENTINFO);
855 goto err; 803 goto err;
856 }
857 } 804 }
805 }
858 806
859 ok = 1; 807 ok = 1;
860 808
861 err: 809err:
862 ec->cipher = NULL; 810 ec->cipher = NULL;
863 if (ec->key) 811 if (ec->key) {
864 {
865 OPENSSL_cleanse(ec->key, ec->keylen); 812 OPENSSL_cleanse(ec->key, ec->keylen);
866 free(ec->key); 813 free(ec->key);
867 ec->key = NULL; 814 ec->key = NULL;
868 ec->keylen = 0; 815 ec->keylen = 0;
869 } 816 }
870 if (ok) 817 if (ok)
871 return ret; 818 return ret;
872 BIO_free(ret); 819 BIO_free(ret);
873 return NULL; 820 return NULL;
874 821}
875 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-03 12:30:33 +0000