1 files changed, 414 insertions, 0 deletions
diff --git a/src/lib/libcrypto/cms/cms_kari.c b/src/lib/libcrypto/cms/cms_kari.c
new file mode 100644
index 0000000000..5e83814d0f
--- /dev/null
+++ b/src/lib/libcrypto/cms/cms_kari.c
@@ -0,0 +1,414 @@
+/*
+ * Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include "internal/cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/err.h>
+#include <openssl/cms.h>
+#include <openssl/aes.h>
+#include "cms_lcl.h"
+#include "internal/asn1_int.h"
+/* Key Agreement Recipient Info (KARI) routines */
+int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
+                                    X509_ALGOR **palg,
+                                    ASN1_OCTET_STRING **pukm)
+{
+    if (ri->type != CMS_RECIPINFO_AGREE) {
+        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG,
+               CMS_R_NOT_KEY_AGREEMENT);
+        return 0;
+    }
+    if (palg)
+        *palg = ri->d.kari->keyEncryptionAlgorithm;
+    if (pukm)
+        *pukm = ri->d.kari->ukm;
+    return 1;
+}
+/* Retrieve recipient encrypted keys from a kari */
+STACK_OF(CMS_RecipientEncryptedKey)
+*CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri)
+{
+    if (ri->type != CMS_RECIPINFO_AGREE) {
+        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS,
+               CMS_R_NOT_KEY_AGREEMENT);
+        return NULL;
+    }
+    return ri->d.kari->recipientEncryptedKeys;
+}
+int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
+                                        X509_ALGOR **pubalg,
+                                        ASN1_BIT_STRING **pubkey,
+                                        ASN1_OCTET_STRING **keyid,
+                                        X509_NAME **issuer,
+                                        ASN1_INTEGER **sno)
+{
+    CMS_OriginatorIdentifierOrKey *oik;
+    if (ri->type != CMS_RECIPINFO_AGREE) {
+        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
+               CMS_R_NOT_KEY_AGREEMENT);
+        return 0;
+    }
+    oik = ri->d.kari->originator;
+    if (issuer)
+        *issuer = NULL;
+    if (sno)
+        *sno = NULL;
+    if (keyid)
+        *keyid = NULL;
+    if (pubalg)
+        *pubalg = NULL;
+    if (pubkey)
+        *pubkey = NULL;
+    if (oik->type == CMS_OIK_ISSUER_SERIAL) {
+        if (issuer)
+            *issuer = oik->d.issuerAndSerialNumber->issuer;
+        if (sno)
+            *sno = oik->d.issuerAndSerialNumber->serialNumber;
+    } else if (oik->type == CMS_OIK_KEYIDENTIFIER) {
+        if (keyid)
+            *keyid = oik->d.subjectKeyIdentifier;
+    } else if (oik->type == CMS_OIK_PUBKEY) {
+        if (pubalg)
+            *pubalg = oik->d.originatorKey->algorithm;
+        if (pubkey)
+            *pubkey = oik->d.originatorKey->publicKey;
+    } else
+        return 0;
+    return 1;
+}
+int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert)
+{
+    CMS_OriginatorIdentifierOrKey *oik;
+    if (ri->type != CMS_RECIPINFO_AGREE) {
+        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
+               CMS_R_NOT_KEY_AGREEMENT);
+        return -2;
+    }
+    oik = ri->d.kari->originator;
+    if (oik->type == CMS_OIK_ISSUER_SERIAL)
+        return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert);
+    else if (oik->type == CMS_OIK_KEYIDENTIFIER)
+        return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert);
+    return -1;
+}
+int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
+                                      ASN1_OCTET_STRING **keyid,
+                                      ASN1_GENERALIZEDTIME **tm,
+                                      CMS_OtherKeyAttribute **other,
+                                      X509_NAME **issuer, ASN1_INTEGER **sno)
+{
+    CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
+    if (rid->type == CMS_REK_ISSUER_SERIAL) {
+        if (issuer)
+            *issuer = rid->d.issuerAndSerialNumber->issuer;
+        if (sno)
+            *sno = rid->d.issuerAndSerialNumber->serialNumber;
+        if (keyid)
+            *keyid = NULL;
+        if (tm)
+            *tm = NULL;
+        if (other)
+            *other = NULL;
+    } else if (rid->type == CMS_REK_KEYIDENTIFIER) {
+        if (keyid)
+            *keyid = rid->d.rKeyId->subjectKeyIdentifier;
+        if (tm)
+            *tm = rid->d.rKeyId->date;
+        if (other)
+            *other = rid->d.rKeyId->other;
+        if (issuer)
+            *issuer = NULL;
+        if (sno)
+            *sno = NULL;
+    } else
+        return 0;
+    return 1;
+}
+int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
+                                       X509 *cert)
+{
+    CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
+    if (rid->type == CMS_REK_ISSUER_SERIAL)
+        return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert);
+    else if (rid->type == CMS_REK_KEYIDENTIFIER)
+        return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert);
+    else
+        return -1;
+}
+int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
+{
+    EVP_PKEY_CTX *pctx;
+    CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
+    EVP_PKEY_CTX_free(kari->pctx);
+    kari->pctx = NULL;
+    if (!pk)
+        return 1;
+    pctx = EVP_PKEY_CTX_new(pk, NULL);
+    if (!pctx || !EVP_PKEY_derive_init(pctx))
+        goto err;
+    kari->pctx = pctx;
+    return 1;
+ err:
+    EVP_PKEY_CTX_free(pctx);
+    return 0;
+}
+EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
+{
+    if (ri->type == CMS_RECIPINFO_AGREE)
+        return ri->d.kari->ctx;
+    return NULL;
+}
+/*
+ * Derive KEK and decrypt/encrypt with it to produce either the original CEK
+ * or the encrypted CEK.
+ */
+static int cms_kek_cipher(unsigned char **pout, size_t *poutlen,
+                          const unsigned char *in, size_t inlen,
+                          CMS_KeyAgreeRecipientInfo *kari, int enc)
+{
+    /* Key encryption key */
+    unsigned char kek[EVP_MAX_KEY_LENGTH];
+    size_t keklen;
+    int rv = 0;
+    unsigned char *out = NULL;
+    int outlen;
+    keklen = EVP_CIPHER_CTX_key_length(kari->ctx);
+    if (keklen > EVP_MAX_KEY_LENGTH)
+        return 0;
+    /* Derive KEK */
+    if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0)
+        goto err;
+    /* Set KEK in context */
+    if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc))
+        goto err;
+    /* obtain output length of ciphered key */
+    if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen))
+        goto err;
+    out = OPENSSL_malloc(outlen);
+    if (out == NULL)
+        goto err;
+    if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen))
+        goto err;
+    *pout = out;
+    *poutlen = (size_t)outlen;
+    rv = 1;
+ err:
+    OPENSSL_cleanse(kek, keklen);
+    if (!rv)
+        OPENSSL_free(out);
+    EVP_CIPHER_CTX_reset(kari->ctx);
+    /* FIXME: WHY IS kari->pctx freed here?  /RL */
+    EVP_PKEY_CTX_free(kari->pctx);
+    kari->pctx = NULL;
+    return rv;
+}
+int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
+                                   CMS_RecipientInfo *ri,
+                                   CMS_RecipientEncryptedKey *rek)
+{
+    int rv = 0;
+    unsigned char *enckey = NULL, *cek = NULL;
+    size_t enckeylen;
+    size_t ceklen;
+    CMS_EncryptedContentInfo *ec;
+    enckeylen = rek->encryptedKey->length;
+    enckey = rek->encryptedKey->data;
+    /* Setup all parameters to derive KEK */
+    if (!cms_env_asn1_ctrl(ri, 1))
+        goto err;
+    /* Attempt to decrypt CEK */
+    if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0))
+        goto err;
+    ec = cms->d.envelopedData->encryptedContentInfo;
+    OPENSSL_clear_free(ec->key, ec->keylen);
+    ec->key = cek;
+    ec->keylen = ceklen;
+    cek = NULL;
+    rv = 1;
+ err:
+    OPENSSL_free(cek);
+    return rv;
+}
+/* Create ephemeral key and initialise context based on it */
+static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
+                                         EVP_PKEY *pk)
+{
+    EVP_PKEY_CTX *pctx = NULL;
+    EVP_PKEY *ekey = NULL;
+    int rv = 0;
+    pctx = EVP_PKEY_CTX_new(pk, NULL);
+    if (!pctx)
+        goto err;
+    if (EVP_PKEY_keygen_init(pctx) <= 0)
+        goto err;
+    if (EVP_PKEY_keygen(pctx, &ekey) <= 0)
+        goto err;
+    EVP_PKEY_CTX_free(pctx);
+    pctx = EVP_PKEY_CTX_new(ekey, NULL);
+    if (!pctx)
+        goto err;
+    if (EVP_PKEY_derive_init(pctx) <= 0)
+        goto err;
+    kari->pctx = pctx;
+    rv = 1;
+ err:
+    if (!rv)
+        EVP_PKEY_CTX_free(pctx);
+    EVP_PKEY_free(ekey);
+    return rv;
+}
+/* Initialise a kari based on passed certificate and key */
+int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
+                                EVP_PKEY *pk, unsigned int flags)
+{
+    CMS_KeyAgreeRecipientInfo *kari;
+    CMS_RecipientEncryptedKey *rek = NULL;
+    ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
+    if (!ri->d.kari)
+        return 0;
+    ri->type = CMS_RECIPINFO_AGREE;
+    kari = ri->d.kari;
+    kari->version = 3;
+    rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
+    if (rek == NULL)
+        return 0;
+    if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
+        M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
+        return 0;
+    }
+    if (flags & CMS_USE_KEYID) {
+        rek->rid->type = CMS_REK_KEYIDENTIFIER;
+        rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier);
+        if (rek->rid->d.rKeyId == NULL)
+            return 0;
+        if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip))
+            return 0;
+    } else {
+        rek->rid->type = CMS_REK_ISSUER_SERIAL;
+        if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip))
+            return 0;
+    }
+    /* Create ephemeral key */
+    if (!cms_kari_create_ephemeral_key(kari, pk))
+        return 0;
+    EVP_PKEY_up_ref(pk);
+    rek->pkey = pk;
+    return 1;
+}
+static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
+                         const EVP_CIPHER *cipher)
+{
+    EVP_CIPHER_CTX *ctx = kari->ctx;
+    const EVP_CIPHER *kekcipher;
+    int keylen = EVP_CIPHER_key_length(cipher);
+    /* If a suitable wrap algorithm is already set nothing to do */
+    kekcipher = EVP_CIPHER_CTX_cipher(ctx);
+    if (kekcipher) {
+        if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
+            return 0;
+        return 1;
+    }
+    /*
+     * Pick a cipher based on content encryption cipher. If it is DES3 use
+     * DES3 wrap otherwise use AES wrap similar to key size.
+     */
+#ifndef OPENSSL_NO_DES
+    if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
+        kekcipher = EVP_des_ede3_wrap();
+    else
+#endif
+    if (keylen <= 16)
+        kekcipher = EVP_aes_128_wrap();
+    else if (keylen <= 24)
+        kekcipher = EVP_aes_192_wrap();
+    else
+        kekcipher = EVP_aes_256_wrap();
+    return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
+}
+/* Encrypt content key in key agreement recipient info */
+int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
+                                   CMS_RecipientInfo *ri)
+{
+    CMS_KeyAgreeRecipientInfo *kari;
+    CMS_EncryptedContentInfo *ec;
+    CMS_RecipientEncryptedKey *rek;
+    STACK_OF(CMS_RecipientEncryptedKey) *reks;
+    int i;
+    if (ri->type != CMS_RECIPINFO_AGREE) {
+        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
+        return 0;
+    }
+    kari = ri->d.kari;
+    reks = kari->recipientEncryptedKeys;
+    ec = cms->d.envelopedData->encryptedContentInfo;
+    /* Initialise wrap algorithm parameters */
+    if (!cms_wrap_init(kari, ec->cipher))
+        return 0;
+    /*
+     * If no originator key set up initialise for ephemeral key the public key
+     * ASN1 structure will set the actual public key value.
+     */
+    if (kari->originator->type == -1) {
+        CMS_OriginatorIdentifierOrKey *oik = kari->originator;
+        oik->type = CMS_OIK_PUBKEY;
+        oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
+        if (!oik->d.originatorKey)
+            return 0;
+    }
+    /* Initialise KDF algorithm */
+    if (!cms_env_asn1_ctrl(ri, 0))
+        return 0;
+    /* For each rek, derive KEK, encrypt CEK */
+    for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) {
+        unsigned char *enckey;
+        size_t enckeylen;
+        rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
+        if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0)
+            return 0;
+        if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen,
+                            kari, 1))
+            return 0;
+        ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen);
+    }
+    return 1;
+}

diff --git a/src/lib/libcrypto/cms/cms_kari.c b/src/lib/libcrypto/cms/cms_kari.c new file mode 100644 index 0000000000..5e83814d0f --- /dev/null +++ b/src/lib/libcrypto/cms/cms_kari.c
@@ -0,0 +1,414 @@
	1	/*
	2	* Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include "internal/cryptlib.h"
	11	#include <openssl/asn1t.h>
	12	#include <openssl/pem.h>
	13	#include <openssl/x509v3.h>
	14	#include <openssl/err.h>
	15	#include <openssl/cms.h>
	16	#include <openssl/aes.h>
	17	#include "cms_lcl.h"
	18	#include "internal/asn1_int.h"
	19
	20	/* Key Agreement Recipient Info (KARI) routines */
	21
	22	int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
	23	X509_ALGOR **palg,
	24	ASN1_OCTET_STRING **pukm)
	25	{
	26	if (ri->type != CMS_RECIPINFO_AGREE) {
	27	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG,
	28	CMS_R_NOT_KEY_AGREEMENT);
	29	return 0;
	30	}
	31	if (palg)
	32	*palg = ri->d.kari->keyEncryptionAlgorithm;
	33	if (pukm)
	34	*pukm = ri->d.kari->ukm;
	35	return 1;
	36	}
	37
	38	/* Retrieve recipient encrypted keys from a kari */
	39
	40	STACK_OF(CMS_RecipientEncryptedKey)
	41	CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo ri)
	42	{
	43	if (ri->type != CMS_RECIPINFO_AGREE) {
	44	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS,
	45	CMS_R_NOT_KEY_AGREEMENT);
	46	return NULL;
	47	}
	48	return ri->d.kari->recipientEncryptedKeys;
	49	}
	50
	51	int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
	52	X509_ALGOR **pubalg,
	53	ASN1_BIT_STRING **pubkey,
	54	ASN1_OCTET_STRING **keyid,
	55	X509_NAME **issuer,
	56	ASN1_INTEGER **sno)
	57	{
	58	CMS_OriginatorIdentifierOrKey *oik;
	59	if (ri->type != CMS_RECIPINFO_AGREE) {
	60	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
	61	CMS_R_NOT_KEY_AGREEMENT);
	62	return 0;
	63	}
	64	oik = ri->d.kari->originator;
	65	if (issuer)
	66	*issuer = NULL;
	67	if (sno)
	68	*sno = NULL;
	69	if (keyid)
	70	*keyid = NULL;
	71	if (pubalg)
	72	*pubalg = NULL;
	73	if (pubkey)
	74	*pubkey = NULL;
	75	if (oik->type == CMS_OIK_ISSUER_SERIAL) {
	76	if (issuer)
	77	*issuer = oik->d.issuerAndSerialNumber->issuer;
	78	if (sno)
	79	*sno = oik->d.issuerAndSerialNumber->serialNumber;
	80	} else if (oik->type == CMS_OIK_KEYIDENTIFIER) {
	81	if (keyid)
	82	*keyid = oik->d.subjectKeyIdentifier;
	83	} else if (oik->type == CMS_OIK_PUBKEY) {
	84	if (pubalg)
	85	*pubalg = oik->d.originatorKey->algorithm;
	86	if (pubkey)
	87	*pubkey = oik->d.originatorKey->publicKey;
	88	} else
	89	return 0;
	90	return 1;
	91	}
	92
	93	int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo ri, X509 cert)
	94	{
	95	CMS_OriginatorIdentifierOrKey *oik;
	96	if (ri->type != CMS_RECIPINFO_AGREE) {
	97	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
	98	CMS_R_NOT_KEY_AGREEMENT);
	99	return -2;
	100	}
	101	oik = ri->d.kari->originator;
	102	if (oik->type == CMS_OIK_ISSUER_SERIAL)
	103	return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert);
	104	else if (oik->type == CMS_OIK_KEYIDENTIFIER)
	105	return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert);
	106	return -1;
	107	}
	108
	109	int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
	110	ASN1_OCTET_STRING **keyid,
	111	ASN1_GENERALIZEDTIME **tm,
	112	CMS_OtherKeyAttribute **other,
	113	X509_NAME issuer, ASN1_INTEGER sno)
	114	{
	115	CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
	116	if (rid->type == CMS_REK_ISSUER_SERIAL) {
	117	if (issuer)
	118	*issuer = rid->d.issuerAndSerialNumber->issuer;
	119	if (sno)
	120	*sno = rid->d.issuerAndSerialNumber->serialNumber;
	121	if (keyid)
	122	*keyid = NULL;
	123	if (tm)
	124	*tm = NULL;
	125	if (other)
	126	*other = NULL;
	127	} else if (rid->type == CMS_REK_KEYIDENTIFIER) {
	128	if (keyid)
	129	*keyid = rid->d.rKeyId->subjectKeyIdentifier;
	130	if (tm)
	131	*tm = rid->d.rKeyId->date;
	132	if (other)
	133	*other = rid->d.rKeyId->other;
	134	if (issuer)
	135	*issuer = NULL;
	136	if (sno)
	137	*sno = NULL;
	138	} else
	139	return 0;
	140	return 1;
	141	}
	142
	143	int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
	144	X509 *cert)
	145	{
	146	CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
	147	if (rid->type == CMS_REK_ISSUER_SERIAL)
	148	return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert);
	149	else if (rid->type == CMS_REK_KEYIDENTIFIER)
	150	return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert);
	151	else
	152	return -1;
	153	}
	154
	155	int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo ri, EVP_PKEY pk)
	156	{
	157	EVP_PKEY_CTX *pctx;
	158	CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
	159
	160	EVP_PKEY_CTX_free(kari->pctx);
	161	kari->pctx = NULL;
	162	if (!pk)
	163	return 1;
	164	pctx = EVP_PKEY_CTX_new(pk, NULL);
	165	if (!pctx \|\| !EVP_PKEY_derive_init(pctx))
	166	goto err;
	167	kari->pctx = pctx;
	168	return 1;
	169	err:
	170	EVP_PKEY_CTX_free(pctx);
	171	return 0;
	172	}
	173
	174	EVP_CIPHER_CTX CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo ri)
	175	{
	176	if (ri->type == CMS_RECIPINFO_AGREE)
	177	return ri->d.kari->ctx;
	178	return NULL;
	179	}
	180
	181	/*
	182	* Derive KEK and decrypt/encrypt with it to produce either the original CEK
	183	* or the encrypted CEK.
	184	*/
	185
	186	static int cms_kek_cipher(unsigned char *pout, size_t poutlen,
	187	const unsigned char *in, size_t inlen,
	188	CMS_KeyAgreeRecipientInfo *kari, int enc)
	189	{
	190	/* Key encryption key */
	191	unsigned char kek[EVP_MAX_KEY_LENGTH];
	192	size_t keklen;
	193	int rv = 0;
	194	unsigned char *out = NULL;
	195	int outlen;
	196	keklen = EVP_CIPHER_CTX_key_length(kari->ctx);
	197	if (keklen > EVP_MAX_KEY_LENGTH)
	198	return 0;
	199	/* Derive KEK */
	200	if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0)
	201	goto err;
	202	/* Set KEK in context */
	203	if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc))
	204	goto err;
	205	/* obtain output length of ciphered key */
	206	if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen))
	207	goto err;
	208	out = OPENSSL_malloc(outlen);
	209	if (out == NULL)
	210	goto err;
	211	if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen))
	212	goto err;
	213	*pout = out;
	214	*poutlen = (size_t)outlen;
	215	rv = 1;
	216
	217	err:
	218	OPENSSL_cleanse(kek, keklen);
	219	if (!rv)
	220	OPENSSL_free(out);
	221	EVP_CIPHER_CTX_reset(kari->ctx);
	222	/* FIXME: WHY IS kari->pctx freed here? /RL */
	223	EVP_PKEY_CTX_free(kari->pctx);
	224	kari->pctx = NULL;
	225	return rv;
	226	}
	227
	228	int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
	229	CMS_RecipientInfo *ri,
	230	CMS_RecipientEncryptedKey *rek)
	231	{
	232	int rv = 0;
	233	unsigned char enckey = NULL, cek = NULL;
	234	size_t enckeylen;
	235	size_t ceklen;
	236	CMS_EncryptedContentInfo *ec;
	237	enckeylen = rek->encryptedKey->length;
	238	enckey = rek->encryptedKey->data;
	239	/* Setup all parameters to derive KEK */
	240	if (!cms_env_asn1_ctrl(ri, 1))
	241	goto err;
	242	/* Attempt to decrypt CEK */
	243	if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0))
	244	goto err;
	245	ec = cms->d.envelopedData->encryptedContentInfo;
	246	OPENSSL_clear_free(ec->key, ec->keylen);
	247	ec->key = cek;
	248	ec->keylen = ceklen;
	249	cek = NULL;
	250	rv = 1;
	251	err:
	252	OPENSSL_free(cek);
	253	return rv;
	254	}
	255
	256	/* Create ephemeral key and initialise context based on it */
	257	static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
	258	EVP_PKEY *pk)
	259	{
	260	EVP_PKEY_CTX *pctx = NULL;
	261	EVP_PKEY *ekey = NULL;
	262	int rv = 0;
	263	pctx = EVP_PKEY_CTX_new(pk, NULL);
	264	if (!pctx)
	265	goto err;
	266	if (EVP_PKEY_keygen_init(pctx) <= 0)
	267	goto err;
	268	if (EVP_PKEY_keygen(pctx, &ekey) <= 0)
	269	goto err;
	270	EVP_PKEY_CTX_free(pctx);
	271	pctx = EVP_PKEY_CTX_new(ekey, NULL);
	272	if (!pctx)
	273	goto err;
	274	if (EVP_PKEY_derive_init(pctx) <= 0)
	275	goto err;
	276	kari->pctx = pctx;
	277	rv = 1;
	278	err:
	279	if (!rv)
	280	EVP_PKEY_CTX_free(pctx);
	281	EVP_PKEY_free(ekey);
	282	return rv;
	283	}
	284
	285	/* Initialise a kari based on passed certificate and key */
	286
	287	int cms_RecipientInfo_kari_init(CMS_RecipientInfo ri, X509 recip,
	288	EVP_PKEY *pk, unsigned int flags)
	289	{
	290	CMS_KeyAgreeRecipientInfo *kari;
	291	CMS_RecipientEncryptedKey *rek = NULL;
	292
	293	ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
	294	if (!ri->d.kari)
	295	return 0;
	296	ri->type = CMS_RECIPINFO_AGREE;
	297
	298	kari = ri->d.kari;
	299	kari->version = 3;
	300
	301	rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
	302	if (rek == NULL)
	303	return 0;
	304
	305	if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
	306	M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
	307	return 0;
	308	}
	309
	310	if (flags & CMS_USE_KEYID) {
	311	rek->rid->type = CMS_REK_KEYIDENTIFIER;
	312	rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier);
	313	if (rek->rid->d.rKeyId == NULL)
	314	return 0;
	315	if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip))
	316	return 0;
	317	} else {
	318	rek->rid->type = CMS_REK_ISSUER_SERIAL;
	319	if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip))
	320	return 0;
	321	}
	322
	323	/* Create ephemeral key */
	324	if (!cms_kari_create_ephemeral_key(kari, pk))
	325	return 0;
	326
	327	EVP_PKEY_up_ref(pk);
	328	rek->pkey = pk;
	329	return 1;
	330	}
	331
	332	static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
	333	const EVP_CIPHER *cipher)
	334	{
	335	EVP_CIPHER_CTX *ctx = kari->ctx;
	336	const EVP_CIPHER *kekcipher;
	337	int keylen = EVP_CIPHER_key_length(cipher);
	338	/* If a suitable wrap algorithm is already set nothing to do */
	339	kekcipher = EVP_CIPHER_CTX_cipher(ctx);
	340
	341	if (kekcipher) {
	342	if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
	343	return 0;
	344	return 1;
	345	}
	346	/*
	347	* Pick a cipher based on content encryption cipher. If it is DES3 use
	348	* DES3 wrap otherwise use AES wrap similar to key size.
	349	*/
	350	#ifndef OPENSSL_NO_DES
	351	if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
	352	kekcipher = EVP_des_ede3_wrap();
	353	else
	354	#endif
	355	if (keylen <= 16)
	356	kekcipher = EVP_aes_128_wrap();
	357	else if (keylen <= 24)
	358	kekcipher = EVP_aes_192_wrap();
	359	else
	360	kekcipher = EVP_aes_256_wrap();
	361	return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
	362	}
	363
	364	/* Encrypt content key in key agreement recipient info */
	365
	366	int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
	367	CMS_RecipientInfo *ri)
	368	{
	369	CMS_KeyAgreeRecipientInfo *kari;
	370	CMS_EncryptedContentInfo *ec;
	371	CMS_RecipientEncryptedKey *rek;
	372	STACK_OF(CMS_RecipientEncryptedKey) *reks;
	373	int i;
	374
	375	if (ri->type != CMS_RECIPINFO_AGREE) {
	376	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
	377	return 0;
	378	}
	379	kari = ri->d.kari;
	380	reks = kari->recipientEncryptedKeys;
	381	ec = cms->d.envelopedData->encryptedContentInfo;
	382	/* Initialise wrap algorithm parameters */
	383	if (!cms_wrap_init(kari, ec->cipher))
	384	return 0;
	385	/*
	386	* If no originator key set up initialise for ephemeral key the public key
	387	* ASN1 structure will set the actual public key value.
	388	*/
	389	if (kari->originator->type == -1) {
	390	CMS_OriginatorIdentifierOrKey *oik = kari->originator;
	391	oik->type = CMS_OIK_PUBKEY;
	392	oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
	393	if (!oik->d.originatorKey)
	394	return 0;
	395	}
	396	/* Initialise KDF algorithm */
	397	if (!cms_env_asn1_ctrl(ri, 0))
	398	return 0;
	399	/* For each rek, derive KEK, encrypt CEK */
	400	for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) {
	401	unsigned char *enckey;
	402	size_t enckeylen;
	403	rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
	404	if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0)
	405	return 0;
	406	if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen,
	407	kari, 1))
	408	return 0;
	409	ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen);
	410	}
	411
	412	return 1;
	413
	414	}