1 /*
2 * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/cryptlib.h"
11 #include <openssl/asn1t.h>
12 #include <openssl/pem.h>
13 #include <openssl/x509v3.h>
14 #include <openssl/err.h>
15 #include <openssl/cms.h>
16 #include <openssl/rand.h>
17 #include <openssl/aes.h>
18 #include "internal/sizes.h"
19 #include "crypto/asn1.h"
20 #include "cms_local.h"
21
CMS_RecipientInfo_set0_password(CMS_RecipientInfo * ri,unsigned char * pass,ossl_ssize_t passlen)22 int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri,
23 unsigned char *pass, ossl_ssize_t passlen)
24 {
25 CMS_PasswordRecipientInfo *pwri;
26 if (ri->type != CMS_RECIPINFO_PASS) {
27 ERR_raise(ERR_LIB_CMS, CMS_R_NOT_PWRI);
28 return 0;
29 }
30
31 pwri = ri->d.pwri;
32 pwri->pass = pass;
33 if (pass && passlen < 0)
34 passlen = strlen((char *)pass);
35 pwri->passlen = passlen;
36 return 1;
37 }
38
CMS_add0_recipient_password(CMS_ContentInfo * cms,int iter,int wrap_nid,int pbe_nid,unsigned char * pass,ossl_ssize_t passlen,const EVP_CIPHER * kekciph)39 CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
40 int iter, int wrap_nid,
41 int pbe_nid,
42 unsigned char *pass,
43 ossl_ssize_t passlen,
44 const EVP_CIPHER *kekciph)
45 {
46 STACK_OF(CMS_RecipientInfo) *ris;
47 CMS_RecipientInfo *ri = NULL;
48 CMS_EncryptedContentInfo *ec;
49 CMS_PasswordRecipientInfo *pwri;
50 EVP_CIPHER_CTX *ctx = NULL;
51 X509_ALGOR *encalg = NULL;
52 unsigned char iv[EVP_MAX_IV_LENGTH];
53 int ivlen;
54 const CMS_CTX *cms_ctx = ossl_cms_get0_cmsctx(cms);
55
56 ec = ossl_cms_get0_env_enc_content(cms);
57 if (ec == NULL)
58 return NULL;
59 ris = CMS_get0_RecipientInfos(cms);
60 if (ris == NULL)
61 return NULL;
62
63 if (wrap_nid <= 0)
64 wrap_nid = NID_id_alg_PWRI_KEK;
65
66 if (pbe_nid <= 0)
67 pbe_nid = NID_id_pbkdf2;
68
69 /* Get from enveloped data */
70 if (kekciph == NULL)
71 kekciph = ec->cipher;
72
73 if (kekciph == NULL) {
74 ERR_raise(ERR_LIB_CMS, CMS_R_NO_CIPHER);
75 return NULL;
76 }
77 if (wrap_nid != NID_id_alg_PWRI_KEK) {
78 ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM);
79 return NULL;
80 }
81
82 /* Setup algorithm identifier for cipher */
83 encalg = X509_ALGOR_new();
84 if (encalg == NULL) {
85 goto merr;
86 }
87 ctx = EVP_CIPHER_CTX_new();
88 if (ctx == NULL) {
89 ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
90 goto err;
91 }
92
93 if (EVP_EncryptInit_ex(ctx, kekciph, NULL, NULL, NULL) <= 0) {
94 ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
95 goto err;
96 }
97
98 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
99
100 if (ivlen > 0) {
101 if (RAND_bytes_ex(ossl_cms_ctx_get0_libctx(cms_ctx), iv, ivlen, 0) <= 0)
102 goto err;
103 if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0) {
104 ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
105 goto err;
106 }
107 encalg->parameter = ASN1_TYPE_new();
108 if (!encalg->parameter) {
109 ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
110 goto err;
111 }
112 if (EVP_CIPHER_param_to_asn1(ctx, encalg->parameter) <= 0) {
113 ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
114 goto err;
115 }
116 }
117
118 encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_get_type(ctx));
119
120 EVP_CIPHER_CTX_free(ctx);
121 ctx = NULL;
122
123 /* Initialize recipient info */
124 ri = M_ASN1_new_of(CMS_RecipientInfo);
125 if (ri == NULL)
126 goto merr;
127
128 ri->d.pwri = M_ASN1_new_of(CMS_PasswordRecipientInfo);
129 if (ri->d.pwri == NULL)
130 goto merr;
131 ri->type = CMS_RECIPINFO_PASS;
132
133 pwri = ri->d.pwri;
134 pwri->cms_ctx = cms_ctx;
135 /* Since this is overwritten, free up empty structure already there */
136 X509_ALGOR_free(pwri->keyEncryptionAlgorithm);
137 pwri->keyEncryptionAlgorithm = X509_ALGOR_new();
138 if (pwri->keyEncryptionAlgorithm == NULL)
139 goto merr;
140 pwri->keyEncryptionAlgorithm->algorithm = OBJ_nid2obj(wrap_nid);
141 pwri->keyEncryptionAlgorithm->parameter = ASN1_TYPE_new();
142 if (pwri->keyEncryptionAlgorithm->parameter == NULL)
143 goto merr;
144
145 if (!ASN1_item_pack(encalg, ASN1_ITEM_rptr(X509_ALGOR),
146 &pwri->keyEncryptionAlgorithm->parameter->
147 value.sequence))
148 goto merr;
149 pwri->keyEncryptionAlgorithm->parameter->type = V_ASN1_SEQUENCE;
150
151 X509_ALGOR_free(encalg);
152 encalg = NULL;
153
154 /* Setup PBE algorithm */
155
156 pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1);
157
158 if (pwri->keyDerivationAlgorithm == NULL)
159 goto err;
160
161 CMS_RecipientInfo_set0_password(ri, pass, passlen);
162 pwri->version = 0;
163
164 if (!sk_CMS_RecipientInfo_push(ris, ri))
165 goto merr;
166
167 return ri;
168
169 merr:
170 ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
171 err:
172 EVP_CIPHER_CTX_free(ctx);
173 if (ri)
174 M_ASN1_free_of(ri, CMS_RecipientInfo);
175 X509_ALGOR_free(encalg);
176 return NULL;
177
178 }
179
180 /*
181 * This is an implementation of the key wrapping mechanism in RFC3211, at
182 * some point this should go into EVP.
183 */
184
kek_unwrap_key(unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen,EVP_CIPHER_CTX * ctx)185 static int kek_unwrap_key(unsigned char *out, size_t *outlen,
186 const unsigned char *in, size_t inlen,
187 EVP_CIPHER_CTX *ctx)
188 {
189 size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx);
190 unsigned char *tmp;
191 int outl, rv = 0;
192 if (inlen < 2 * blocklen) {
193 /* too small */
194 return 0;
195 }
196 if (inlen % blocklen) {
197 /* Invalid size */
198 return 0;
199 }
200 if ((tmp = OPENSSL_malloc(inlen)) == NULL) {
201 ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
202 return 0;
203 }
204 /* setup IV by decrypting last two blocks */
205 if (!EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl,
206 in + inlen - 2 * blocklen, blocklen * 2)
207 /*
208 * Do a decrypt of last decrypted block to set IV to correct value
209 * output it to start of buffer so we don't corrupt decrypted block
210 * this works because buffer is at least two block lengths long.
211 */
212 || !EVP_DecryptUpdate(ctx, tmp, &outl,
213 tmp + inlen - blocklen, blocklen)
214 /* Can now decrypt first n - 1 blocks */
215 || !EVP_DecryptUpdate(ctx, tmp, &outl, in, inlen - blocklen)
216
217 /* Reset IV to original value */
218 || !EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL)
219 /* Decrypt again */
220 || !EVP_DecryptUpdate(ctx, tmp, &outl, tmp, inlen))
221 goto err;
222 /* Check check bytes */
223 if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff) {
224 /* Check byte failure */
225 goto err;
226 }
227 if (inlen < (size_t)(tmp[0] - 4)) {
228 /* Invalid length value */
229 goto err;
230 }
231 *outlen = (size_t)tmp[0];
232 memcpy(out, tmp + 4, *outlen);
233 rv = 1;
234 err:
235 OPENSSL_clear_free(tmp, inlen);
236 return rv;
237
238 }
239
kek_wrap_key(unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen,EVP_CIPHER_CTX * ctx,const CMS_CTX * cms_ctx)240 static int kek_wrap_key(unsigned char *out, size_t *outlen,
241 const unsigned char *in, size_t inlen,
242 EVP_CIPHER_CTX *ctx, const CMS_CTX *cms_ctx)
243 {
244 size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx);
245 size_t olen;
246 int dummy;
247 /*
248 * First decide length of output buffer: need header and round up to
249 * multiple of block length.
250 */
251 olen = (inlen + 4 + blocklen - 1) / blocklen;
252 olen *= blocklen;
253 if (olen < 2 * blocklen) {
254 /* Key too small */
255 return 0;
256 }
257 if (inlen > 0xFF) {
258 /* Key too large */
259 return 0;
260 }
261 if (out) {
262 /* Set header */
263 out[0] = (unsigned char)inlen;
264 out[1] = in[0] ^ 0xFF;
265 out[2] = in[1] ^ 0xFF;
266 out[3] = in[2] ^ 0xFF;
267 memcpy(out + 4, in, inlen);
268 /* Add random padding to end */
269 if (olen > inlen + 4
270 && RAND_bytes_ex(ossl_cms_ctx_get0_libctx(cms_ctx), out + 4 + inlen,
271 olen - 4 - inlen, 0) <= 0)
272 return 0;
273 /* Encrypt twice */
274 if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen)
275 || !EVP_EncryptUpdate(ctx, out, &dummy, out, olen))
276 return 0;
277 }
278
279 *outlen = olen;
280
281 return 1;
282 }
283
284 /* Encrypt/Decrypt content key in PWRI recipient info */
285
ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo * cms,CMS_RecipientInfo * ri,int en_de)286 int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
287 CMS_RecipientInfo *ri, int en_de)
288 {
289 CMS_EncryptedContentInfo *ec;
290 CMS_PasswordRecipientInfo *pwri;
291 int r = 0;
292 X509_ALGOR *algtmp, *kekalg = NULL;
293 EVP_CIPHER_CTX *kekctx = NULL;
294 char name[OSSL_MAX_NAME_SIZE];
295 EVP_CIPHER *kekcipher;
296 unsigned char *key = NULL;
297 size_t keylen;
298 const CMS_CTX *cms_ctx = ossl_cms_get0_cmsctx(cms);
299
300 ec = ossl_cms_get0_env_enc_content(cms);
301
302 pwri = ri->d.pwri;
303
304 if (pwri->pass == NULL) {
305 ERR_raise(ERR_LIB_CMS, CMS_R_NO_PASSWORD);
306 return 0;
307 }
308 algtmp = pwri->keyEncryptionAlgorithm;
309
310 if (!algtmp || OBJ_obj2nid(algtmp->algorithm) != NID_id_alg_PWRI_KEK) {
311 ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM);
312 return 0;
313 }
314
315 kekalg = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(X509_ALGOR),
316 algtmp->parameter);
317
318 if (kekalg == NULL) {
319 ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER);
320 return 0;
321 }
322
323 OBJ_obj2txt(name, sizeof(name), kekalg->algorithm, 0);
324 kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx), name,
325 ossl_cms_ctx_get0_propq(cms_ctx));
326
327 if (kekcipher == NULL) {
328 ERR_raise(ERR_LIB_CMS, CMS_R_UNKNOWN_CIPHER);
329 goto err;
330 }
331
332 kekctx = EVP_CIPHER_CTX_new();
333 if (kekctx == NULL) {
334 ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
335 goto err;
336 }
337 /* Fixup cipher based on AlgorithmIdentifier to set IV etc */
338 if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))
339 goto err;
340 EVP_CIPHER_CTX_set_padding(kekctx, 0);
341 if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) {
342 ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
343 goto err;
344 }
345
346 algtmp = pwri->keyDerivationAlgorithm;
347
348 /* Finish password based key derivation to setup key in "ctx" */
349
350 if (EVP_PBE_CipherInit(algtmp->algorithm,
351 (char *)pwri->pass, pwri->passlen,
352 algtmp->parameter, kekctx, en_de) < 0) {
353 ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
354 goto err;
355 }
356
357 /* Finally wrap/unwrap the key */
358
359 if (en_de) {
360
361 if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, kekctx, cms_ctx))
362 goto err;
363
364 key = OPENSSL_malloc(keylen);
365
366 if (key == NULL)
367 goto err;
368
369 if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, kekctx, cms_ctx))
370 goto err;
371 pwri->encryptedKey->data = key;
372 pwri->encryptedKey->length = keylen;
373 } else {
374 key = OPENSSL_malloc(pwri->encryptedKey->length);
375
376 if (key == NULL) {
377 ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
378 goto err;
379 }
380 if (!kek_unwrap_key(key, &keylen,
381 pwri->encryptedKey->data,
382 pwri->encryptedKey->length, kekctx)) {
383 ERR_raise(ERR_LIB_CMS, CMS_R_UNWRAP_FAILURE);
384 goto err;
385 }
386
387 OPENSSL_clear_free(ec->key, ec->keylen);
388 ec->key = key;
389 ec->keylen = keylen;
390
391 }
392
393 r = 1;
394
395 err:
396 EVP_CIPHER_free(kekcipher);
397 EVP_CIPHER_CTX_free(kekctx);
398
399 if (!r)
400 OPENSSL_free(key);
401 X509_ALGOR_free(kekalg);
402
403 return r;
404
405 }
406