1/* crypto/cms/cms_pwri.c */ 2/* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 4 * project. 5 */ 6/* ==================================================================== 7 * Copyright (c) 2009 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 */ 54 55#include "cryptlib.h" 56#include <openssl/asn1t.h> 57#include <openssl/pem.h> 58#include <openssl/x509v3.h> 59#include <openssl/err.h> 60#include <openssl/cms.h> 61#include <openssl/rand.h> 62#include <openssl/aes.h> 63#include "cms_lcl.h" 64#include "asn1_locl.h" 65 66int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, 67 unsigned char *pass, ossl_ssize_t passlen) 68{ 69 CMS_PasswordRecipientInfo *pwri; 70 if (ri->type != CMS_RECIPINFO_PASS) { 71 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD, CMS_R_NOT_PWRI); 72 return 0; 73 } 74 75 pwri = ri->d.pwri; 76 pwri->pass = pass; 77 if (pass && passlen < 0) 78 passlen = strlen((char *)pass); 79 pwri->passlen = passlen; 80 return 1; 81} 82 83CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, 84 int iter, int wrap_nid, 85 int pbe_nid, 86 unsigned char *pass, 87 ossl_ssize_t passlen, 88 const EVP_CIPHER *kekciph) 89{ 90 CMS_RecipientInfo *ri = NULL; 91 CMS_EnvelopedData *env; 92 CMS_PasswordRecipientInfo *pwri; 93 EVP_CIPHER_CTX ctx; 94 X509_ALGOR *encalg = NULL; 95 unsigned char iv[EVP_MAX_IV_LENGTH]; 96 int ivlen; 97 98 env = cms_get0_enveloped(cms); 99 if (!env) 100 return NULL; 101 102 if (wrap_nid <= 0) 103 wrap_nid = NID_id_alg_PWRI_KEK; 104 105 if (pbe_nid <= 0) 106 pbe_nid = NID_id_pbkdf2; 107 108 /* Get from enveloped data */ 109 if (kekciph == NULL) 110 kekciph = env->encryptedContentInfo->cipher; 111 112 if (kekciph == NULL) { 113 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, CMS_R_NO_CIPHER); 114 return NULL; 115 } 116 if (wrap_nid != NID_id_alg_PWRI_KEK) { 117 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, 118 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM); 119 return NULL; 120 } 121 122 /* Setup algorithm identifier for cipher */ 123 encalg = X509_ALGOR_new(); 124 EVP_CIPHER_CTX_init(&ctx); 125 126 if (EVP_EncryptInit_ex(&ctx, kekciph, NULL, NULL, NULL) <= 0) { 127 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); 128 goto err; 129 } 130 131 ivlen = EVP_CIPHER_CTX_iv_length(&ctx); 132 133 if (ivlen > 0) { 134 if (RAND_pseudo_bytes(iv, ivlen) <= 0) 135 goto err; 136 if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) { 137 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); 138 goto err; 139 } 140 encalg->parameter = ASN1_TYPE_new(); 141 if (!encalg->parameter) { 142 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE); 143 goto err; 144 } 145 if (EVP_CIPHER_param_to_asn1(&ctx, encalg->parameter) <= 0) { 146 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, 147 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); 148 goto err; 149 } 150 } 151 152 encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(&ctx)); 153 154 EVP_CIPHER_CTX_cleanup(&ctx); 155 156 /* Initialize recipient info */ 157 ri = M_ASN1_new_of(CMS_RecipientInfo); 158 if (!ri) 159 goto merr; 160 161 ri->d.pwri = M_ASN1_new_of(CMS_PasswordRecipientInfo); 162 if (!ri->d.pwri) 163 goto merr; 164 ri->type = CMS_RECIPINFO_PASS; 165 166 pwri = ri->d.pwri; 167 /* Since this is overwritten, free up empty structure already there */ 168 X509_ALGOR_free(pwri->keyEncryptionAlgorithm); 169 pwri->keyEncryptionAlgorithm = X509_ALGOR_new(); 170 if (!pwri->keyEncryptionAlgorithm) 171 goto merr; 172 pwri->keyEncryptionAlgorithm->algorithm = OBJ_nid2obj(wrap_nid); 173 pwri->keyEncryptionAlgorithm->parameter = ASN1_TYPE_new(); 174 if (!pwri->keyEncryptionAlgorithm->parameter) 175 goto merr; 176 177 if (!ASN1_item_pack(encalg, ASN1_ITEM_rptr(X509_ALGOR), 178 &pwri->keyEncryptionAlgorithm->parameter-> 179 value.sequence)) 180 goto merr; 181 pwri->keyEncryptionAlgorithm->parameter->type = V_ASN1_SEQUENCE; 182 183 X509_ALGOR_free(encalg); 184 encalg = NULL; 185 186 /* Setup PBE algorithm */ 187 188 pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1); 189 190 if (!pwri->keyDerivationAlgorithm) 191 goto err; 192 193 CMS_RecipientInfo_set0_password(ri, pass, passlen); 194 pwri->version = 0; 195 196 if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) 197 goto merr; 198 199 return ri; 200 201 merr: 202 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE); 203 err: 204 EVP_CIPHER_CTX_cleanup(&ctx); 205 if (ri) 206 M_ASN1_free_of(ri, CMS_RecipientInfo); 207 if (encalg) 208 X509_ALGOR_free(encalg); 209 return NULL; 210 211} 212 213/* 214 * This is an implementation of the key wrapping mechanism in RFC3211, at 215 * some point this should go into EVP. 216 */ 217 218static int kek_unwrap_key(unsigned char *out, size_t *outlen, 219 const unsigned char *in, size_t inlen, 220 EVP_CIPHER_CTX *ctx) 221{ 222 size_t blocklen = EVP_CIPHER_CTX_block_size(ctx); 223 unsigned char *tmp; 224 int outl, rv = 0; 225 if (inlen < 2 * blocklen) { 226 /* too small */ 227 return 0; 228 } 229 if (inlen % blocklen) { 230 /* Invalid size */ 231 return 0; 232 } 233 tmp = OPENSSL_malloc(inlen); 234 if (!tmp) 235 return 0; 236 /* setup IV by decrypting last two blocks */ 237 EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl, 238 in + inlen - 2 * blocklen, blocklen * 2); 239 /* 240 * Do a decrypt of last decrypted block to set IV to correct value output 241 * it to start of buffer so we don't corrupt decrypted block this works 242 * because buffer is at least two block lengths long. 243 */ 244 EVP_DecryptUpdate(ctx, tmp, &outl, tmp + inlen - blocklen, blocklen); 245 /* Can now decrypt first n - 1 blocks */ 246 EVP_DecryptUpdate(ctx, tmp, &outl, in, inlen - blocklen); 247 248 /* Reset IV to original value */ 249 EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL); 250 /* Decrypt again */ 251 EVP_DecryptUpdate(ctx, tmp, &outl, tmp, inlen); 252 /* Check check bytes */ 253 if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff) { 254 /* Check byte failure */ 255 goto err; 256 } 257 if (inlen < (size_t)(tmp[0] - 4)) { 258 /* Invalid length value */ 259 goto err; 260 } 261 *outlen = (size_t)tmp[0]; 262 memcpy(out, tmp + 4, *outlen); 263 rv = 1; 264 err: 265 OPENSSL_cleanse(tmp, inlen); 266 OPENSSL_free(tmp); 267 return rv; 268 269} 270 271static int kek_wrap_key(unsigned char *out, size_t *outlen, 272 const unsigned char *in, size_t inlen, 273 EVP_CIPHER_CTX *ctx) 274{ 275 size_t blocklen = EVP_CIPHER_CTX_block_size(ctx); 276 size_t olen; 277 int dummy; 278 /* 279 * First decide length of output buffer: need header and round up to 280 * multiple of block length. 281 */ 282 olen = (inlen + 4 + blocklen - 1) / blocklen; 283 olen *= blocklen; 284 if (olen < 2 * blocklen) { 285 /* Key too small */ 286 return 0; 287 } 288 if (inlen > 0xFF) { 289 /* Key too large */ 290 return 0; 291 } 292 if (out) { 293 /* Set header */ 294 out[0] = (unsigned char)inlen; 295 out[1] = in[0] ^ 0xFF; 296 out[2] = in[1] ^ 0xFF; 297 out[3] = in[2] ^ 0xFF; 298 memcpy(out + 4, in, inlen); 299 /* Add random padding to end */ 300 if (olen > inlen + 4 301 && RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen) < 0) 302 return 0; 303 /* Encrypt twice */ 304 EVP_EncryptUpdate(ctx, out, &dummy, out, olen); 305 EVP_EncryptUpdate(ctx, out, &dummy, out, olen); 306 } 307 308 *outlen = olen; 309 310 return 1; 311} 312 313/* Encrypt/Decrypt content key in PWRI recipient info */ 314 315int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, 316 int en_de) 317{ 318 CMS_EncryptedContentInfo *ec; 319 CMS_PasswordRecipientInfo *pwri; 320 const unsigned char *p = NULL; 321 int plen; 322 int r = 0; 323 X509_ALGOR *algtmp, *kekalg = NULL; 324 EVP_CIPHER_CTX kekctx; 325 const EVP_CIPHER *kekcipher; 326 unsigned char *key = NULL; 327 size_t keylen; 328 329 ec = cms->d.envelopedData->encryptedContentInfo; 330 331 pwri = ri->d.pwri; 332 EVP_CIPHER_CTX_init(&kekctx); 333 334 if (!pwri->pass) { 335 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_NO_PASSWORD); 336 return 0; 337 } 338 algtmp = pwri->keyEncryptionAlgorithm; 339 340 if (!algtmp || OBJ_obj2nid(algtmp->algorithm) != NID_id_alg_PWRI_KEK) { 341 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, 342 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM); 343 return 0; 344 } 345 346 if (algtmp->parameter->type == V_ASN1_SEQUENCE) { 347 p = algtmp->parameter->value.sequence->data; 348 plen = algtmp->parameter->value.sequence->length; 349 kekalg = d2i_X509_ALGOR(NULL, &p, plen); 350 } 351 if (kekalg == NULL) { 352 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, 353 CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER); 354 return 0; 355 } 356 357 kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); 358 359 if (!kekcipher) { 360 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_UNKNOWN_CIPHER); 361 goto err; 362 } 363 364 /* Fixup cipher based on AlgorithmIdentifier to set IV etc */ 365 if (!EVP_CipherInit_ex(&kekctx, kekcipher, NULL, NULL, NULL, en_de)) 366 goto err; 367 EVP_CIPHER_CTX_set_padding(&kekctx, 0); 368 if (EVP_CIPHER_asn1_to_param(&kekctx, kekalg->parameter) < 0) { 369 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, 370 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); 371 goto err; 372 } 373 374 algtmp = pwri->keyDerivationAlgorithm; 375 376 /* Finish password based key derivation to setup key in "ctx" */ 377 378 if (EVP_PBE_CipherInit(algtmp->algorithm, 379 (char *)pwri->pass, pwri->passlen, 380 algtmp->parameter, &kekctx, en_de) < 0) { 381 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_EVP_LIB); 382 goto err; 383 } 384 385 /* Finally wrap/unwrap the key */ 386 387 if (en_de) { 388 389 if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, &kekctx)) 390 goto err; 391 392 key = OPENSSL_malloc(keylen); 393 394 if (!key) 395 goto err; 396 397 if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, &kekctx)) 398 goto err; 399 pwri->encryptedKey->data = key; 400 pwri->encryptedKey->length = keylen; 401 } else { 402 key = OPENSSL_malloc(pwri->encryptedKey->length); 403 404 if (!key) { 405 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_MALLOC_FAILURE); 406 goto err; 407 } 408 if (!kek_unwrap_key(key, &keylen, 409 pwri->encryptedKey->data, 410 pwri->encryptedKey->length, &kekctx)) { 411 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_UNWRAP_FAILURE); 412 goto err; 413 } 414 415 ec->key = key; 416 ec->keylen = keylen; 417 418 } 419 420 r = 1; 421 422 err: 423 424 EVP_CIPHER_CTX_cleanup(&kekctx); 425 426 if (!r && key) 427 OPENSSL_free(key); 428 X509_ALGOR_free(kekalg); 429 430 return r; 431 432} 433