1/* crypto/cms/cms_pwri.c */ 2/* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 4 * project. 5 */ 6/* ==================================================================== 7 * Copyright (c) 2009 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 */ 54 55#include "cryptlib.h" 56#include <openssl/asn1t.h> 57#include <openssl/pem.h> 58#include <openssl/x509v3.h> 59#include <openssl/err.h> 60#include <openssl/cms.h> 61#include <openssl/rand.h> 62#include <openssl/aes.h> 63#include "cms_lcl.h" 64#include "asn1_locl.h" 65 66int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, 67 unsigned char *pass, ossl_ssize_t passlen) 68{ 69 CMS_PasswordRecipientInfo *pwri; 70 if (ri->type != CMS_RECIPINFO_PASS) { 71 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD, CMS_R_NOT_PWRI); 72 return 0; 73 } 74 75 pwri = ri->d.pwri; 76 pwri->pass = pass; 77 if (pass && passlen < 0) 78 passlen = strlen((char *)pass); 79 pwri->passlen = passlen; 80 return 1; 81} 82 83CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, 84 int iter, int wrap_nid, 85 int pbe_nid, 86 unsigned char *pass, 87 ossl_ssize_t passlen, 88 const EVP_CIPHER *kekciph) 89{ 90 CMS_RecipientInfo *ri = NULL; 91 CMS_EnvelopedData *env; 92 CMS_PasswordRecipientInfo *pwri; 93 EVP_CIPHER_CTX ctx; 94 X509_ALGOR *encalg = NULL; 95 unsigned char iv[EVP_MAX_IV_LENGTH]; 96 int ivlen; 97 98 env = cms_get0_enveloped(cms); 99 if (!env) 100 return NULL; 101 102 if (wrap_nid <= 0) 103 wrap_nid = NID_id_alg_PWRI_KEK; 104 105 if (pbe_nid <= 0) 106 pbe_nid = NID_id_pbkdf2; 107 108 /* Get from enveloped data */ 109 if (kekciph == NULL) 110 kekciph = env->encryptedContentInfo->cipher; 111 112 if (kekciph == NULL) { 113 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, CMS_R_NO_CIPHER); 114 return NULL; 115 } 116 if (wrap_nid != NID_id_alg_PWRI_KEK) { 117 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, 118 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM); 119 return NULL; 120 } 121 122 /* Setup algorithm identifier for cipher */ 123 encalg = X509_ALGOR_new(); 124 if (encalg == NULL) { 125 goto merr; 126 } 127 EVP_CIPHER_CTX_init(&ctx); 128 129 if (EVP_EncryptInit_ex(&ctx, kekciph, NULL, NULL, NULL) <= 0) { 130 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); 131 goto err; 132 } 133 134 ivlen = EVP_CIPHER_CTX_iv_length(&ctx); 135 136 if (ivlen > 0) { 137 if (RAND_bytes(iv, ivlen) <= 0) 138 goto err; 139 if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) { 140 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); 141 goto err; 142 } 143 encalg->parameter = ASN1_TYPE_new(); 144 if (!encalg->parameter) { 145 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE); 146 goto err; 147 } 148 if (EVP_CIPHER_param_to_asn1(&ctx, encalg->parameter) <= 0) { 149 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, 150 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); 151 goto err; 152 } 153 } 154 155 encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(&ctx)); 156 157 EVP_CIPHER_CTX_cleanup(&ctx); 158 159 /* Initialize recipient info */ 160 ri = M_ASN1_new_of(CMS_RecipientInfo); 161 if (!ri) 162 goto merr; 163 164 ri->d.pwri = M_ASN1_new_of(CMS_PasswordRecipientInfo); 165 if (!ri->d.pwri) 166 goto merr; 167 ri->type = CMS_RECIPINFO_PASS; 168 169 pwri = ri->d.pwri; 170 /* Since this is overwritten, free up empty structure already there */ 171 X509_ALGOR_free(pwri->keyEncryptionAlgorithm); 172 pwri->keyEncryptionAlgorithm = X509_ALGOR_new(); 173 if (!pwri->keyEncryptionAlgorithm) 174 goto merr; 175 pwri->keyEncryptionAlgorithm->algorithm = OBJ_nid2obj(wrap_nid); 176 pwri->keyEncryptionAlgorithm->parameter = ASN1_TYPE_new(); 177 if (!pwri->keyEncryptionAlgorithm->parameter) 178 goto merr; 179 180 if (!ASN1_item_pack(encalg, ASN1_ITEM_rptr(X509_ALGOR), 181 &pwri->keyEncryptionAlgorithm->parameter-> 182 value.sequence)) 183 goto merr; 184 pwri->keyEncryptionAlgorithm->parameter->type = V_ASN1_SEQUENCE; 185 186 X509_ALGOR_free(encalg); 187 encalg = NULL; 188 189 /* Setup PBE algorithm */ 190 191 pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1); 192 193 if (!pwri->keyDerivationAlgorithm) 194 goto err; 195 196 CMS_RecipientInfo_set0_password(ri, pass, passlen); 197 pwri->version = 0; 198 199 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) 200 goto merr; 201 202 return ri; 203 204 merr: 205 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE); 206 err: 207 EVP_CIPHER_CTX_cleanup(&ctx); 208 if (ri) 209 M_ASN1_free_of(ri, CMS_RecipientInfo); 210 if (encalg) 211 X509_ALGOR_free(encalg); 212 return NULL; 213 214} 215 216/* 217 * This is an implementation of the key wrapping mechanism in RFC3211, at 218 * some point this should go into EVP. 219 */ 220 221static int kek_unwrap_key(unsigned char *out, size_t *outlen, 222 const unsigned char *in, size_t inlen, 223 EVP_CIPHER_CTX *ctx) 224{ 225 size_t blocklen = EVP_CIPHER_CTX_block_size(ctx); 226 unsigned char *tmp; 227 int outl, rv = 0; 228 if (inlen < 2 * blocklen) { 229 /* too small */ 230 return 0; 231 } 232 if (inlen % blocklen) { 233 /* Invalid size */ 234 return 0; 235 } 236 tmp = OPENSSL_malloc(inlen); 237 if (!tmp) 238 return 0; 239 /* setup IV by decrypting last two blocks */ 240 EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl, 241 in + inlen - 2 * blocklen, blocklen * 2); 242 /* 243 * Do a decrypt of last decrypted block to set IV to correct value output 244 * it to start of buffer so we don't corrupt decrypted block this works 245 * because buffer is at least two block lengths long. 246 */ 247 EVP_DecryptUpdate(ctx, tmp, &outl, tmp + inlen - blocklen, blocklen); 248 /* Can now decrypt first n - 1 blocks */ 249 EVP_DecryptUpdate(ctx, tmp, &outl, in, inlen - blocklen); 250 251 /* Reset IV to original value */ 252 EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL); 253 /* Decrypt again */ 254 EVP_DecryptUpdate(ctx, tmp, &outl, tmp, inlen); 255 /* Check check bytes */ 256 if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff) { 257 /* Check byte failure */ 258 goto err; 259 } 260 if (inlen < (size_t)(tmp[0] - 4)) { 261 /* Invalid length value */ 262 goto err; 263 } 264 *outlen = (size_t)tmp[0]; 265 memcpy(out, tmp + 4, *outlen); 266 rv = 1; 267 err: 268 OPENSSL_cleanse(tmp, inlen); 269 OPENSSL_free(tmp); 270 return rv; 271 272} 273 274static int kek_wrap_key(unsigned char *out, size_t *outlen, 275 const unsigned char *in, size_t inlen, 276 EVP_CIPHER_CTX *ctx) 277{ 278 size_t blocklen = EVP_CIPHER_CTX_block_size(ctx); 279 size_t olen; 280 int dummy; 281 /* 282 * First decide length of output buffer: need header and round up to 283 * multiple of block length. 284 */ 285 olen = (inlen + 4 + blocklen - 1) / blocklen; 286 olen *= blocklen; 287 if (olen < 2 * blocklen) { 288 /* Key too small */ 289 return 0; 290 } 291 if (inlen > 0xFF) { 292 /* Key too large */ 293 return 0; 294 } 295 if (out) { 296 /* Set header */ 297 out[0] = (unsigned char)inlen; 298 out[1] = in[0] ^ 0xFF; 299 out[2] = in[1] ^ 0xFF; 300 out[3] = in[2] ^ 0xFF; 301 memcpy(out + 4, in, inlen); 302 /* Add random padding to end */ 303 if (olen > inlen + 4 304 && RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0) 305 return 0; 306 /* Encrypt twice */ 307 EVP_EncryptUpdate(ctx, out, &dummy, out, olen); 308 EVP_EncryptUpdate(ctx, out, &dummy, out, olen); 309 } 310 311 *outlen = olen; 312 313 return 1; 314} 315 316/* Encrypt/Decrypt content key in PWRI recipient info */ 317 318int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, 319 int en_de) 320{ 321 CMS_EncryptedContentInfo *ec; 322 CMS_PasswordRecipientInfo *pwri; 323 const unsigned char *p = NULL; 324 int plen; 325 int r = 0; 326 X509_ALGOR *algtmp, *kekalg = NULL; 327 EVP_CIPHER_CTX kekctx; 328 const EVP_CIPHER *kekcipher; 329 unsigned char *key = NULL; 330 size_t keylen; 331 332 ec = cms->d.envelopedData->encryptedContentInfo; 333 334 pwri = ri->d.pwri; 335 EVP_CIPHER_CTX_init(&kekctx); 336 337 if (!pwri->pass) { 338 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_NO_PASSWORD); 339 return 0; 340 } 341 algtmp = pwri->keyEncryptionAlgorithm; 342 343 if (!algtmp || OBJ_obj2nid(algtmp->algorithm) != NID_id_alg_PWRI_KEK) { 344 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, 345 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM); 346 return 0; 347 } 348 349 if (algtmp->parameter->type == V_ASN1_SEQUENCE) { 350 p = algtmp->parameter->value.sequence->data; 351 plen = algtmp->parameter->value.sequence->length; 352 kekalg = d2i_X509_ALGOR(NULL, &p, plen); 353 } 354 if (kekalg == NULL) { 355 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, 356 CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER); 357 return 0; 358 } 359 360 kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); 361 362 if (!kekcipher) { 363 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_UNKNOWN_CIPHER); 364 goto err; 365 } 366 367 /* Fixup cipher based on AlgorithmIdentifier to set IV etc */ 368 if (!EVP_CipherInit_ex(&kekctx, kekcipher, NULL, NULL, NULL, en_de)) 369 goto err; 370 EVP_CIPHER_CTX_set_padding(&kekctx, 0); 371 if (EVP_CIPHER_asn1_to_param(&kekctx, kekalg->parameter) < 0) { 372 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, 373 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); 374 goto err; 375 } 376 377 algtmp = pwri->keyDerivationAlgorithm; 378 379 /* Finish password based key derivation to setup key in "ctx" */ 380 381 if (EVP_PBE_CipherInit(algtmp->algorithm, 382 (char *)pwri->pass, pwri->passlen, 383 algtmp->parameter, &kekctx, en_de) < 0) { 384 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_EVP_LIB); 385 goto err; 386 } 387 388 /* Finally wrap/unwrap the key */ 389 390 if (en_de) { 391 392 if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, &kekctx)) 393 goto err; 394 395 key = OPENSSL_malloc(keylen); 396 397 if (!key) 398 goto err; 399 400 if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, &kekctx)) 401 goto err; 402 pwri->encryptedKey->data = key; 403 pwri->encryptedKey->length = keylen; 404 } else { 405 key = OPENSSL_malloc(pwri->encryptedKey->length); 406 407 if (!key) { 408 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_MALLOC_FAILURE); 409 goto err; 410 } 411 if (!kek_unwrap_key(key, &keylen, 412 pwri->encryptedKey->data, 413 pwri->encryptedKey->length, &kekctx)) { 414 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_UNWRAP_FAILURE); 415 goto err; 416 } 417 418 ec->key = key; 419 ec->keylen = keylen; 420 421 } 422 423 r = 1; 424 425 err: 426 427 EVP_CIPHER_CTX_cleanup(&kekctx); 428 429 if (!r && key) 430 OPENSSL_free(key); 431 X509_ALGOR_free(kekalg); 432 433 return r; 434 435} 436