2 * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/cms.h>
12 #include <openssl/dh.h>
13 #include <openssl/err.h>
14 #include <openssl/core_names.h>
15 #include "internal/sizes.h"
16 #include "crypto/asn1.h"
17 #include "crypto/evp.h"
18 #include "cms_local.h"
20 static int dh_cms_set_peerkey(EVP_PKEY_CTX
*pctx
,
21 X509_ALGOR
*alg
, ASN1_BIT_STRING
*pubkey
)
23 const ASN1_OBJECT
*aoid
;
26 ASN1_INTEGER
*public_key
= NULL
;
28 EVP_PKEY
*pkpeer
= NULL
, *pk
= NULL
;
30 const unsigned char *p
;
31 unsigned char *buf
= NULL
;
34 X509_ALGOR_get0(&aoid
, &atype
, &aval
, alg
);
35 if (OBJ_obj2nid(aoid
) != NID_dhpublicnumber
)
37 /* Only absent parameters allowed in RFC XXXX */
38 if (atype
!= V_ASN1_UNDEF
&& atype
== V_ASN1_NULL
)
41 pk
= EVP_PKEY_CTX_get0_pkey(pctx
);
42 if (pk
== NULL
|| !EVP_PKEY_is_a(pk
, "DHX"))
46 plen
= ASN1_STRING_length(pubkey
);
47 p
= ASN1_STRING_get0_data(pubkey
);
48 if (p
== NULL
|| plen
== 0)
51 if ((public_key
= d2i_ASN1_INTEGER(NULL
, &p
, plen
)) == NULL
)
54 * Pad to full p parameter size as that is checked by
55 * EVP_PKEY_set1_encoded_public_key()
57 plen
= EVP_PKEY_get_size(pk
);
58 if ((bnpub
= ASN1_INTEGER_to_BN(public_key
, NULL
)) == NULL
)
60 if ((buf
= OPENSSL_malloc(plen
)) == NULL
)
62 if (BN_bn2binpad(bnpub
, buf
, plen
) < 0)
65 pkpeer
= EVP_PKEY_new();
67 || !EVP_PKEY_copy_parameters(pkpeer
, pk
)
68 || !EVP_PKEY_set1_encoded_public_key(pkpeer
, buf
, plen
))
71 if (EVP_PKEY_derive_set_peer(pctx
, pkpeer
) > 0)
74 ASN1_INTEGER_free(public_key
);
77 EVP_PKEY_free(pkpeer
);
81 static int dh_cms_set_shared_info(EVP_PKEY_CTX
*pctx
, CMS_RecipientInfo
*ri
)
84 X509_ALGOR
*alg
, *kekalg
= NULL
;
85 ASN1_OCTET_STRING
*ukm
;
86 const unsigned char *p
;
87 unsigned char *dukm
= NULL
;
90 EVP_CIPHER
*kekcipher
= NULL
;
91 EVP_CIPHER_CTX
*kekctx
;
92 char name
[OSSL_MAX_NAME_SIZE
];
94 if (!CMS_RecipientInfo_kari_get0_alg(ri
, &alg
, &ukm
))
98 * For DH we only have one OID permissible. If ever any more get defined
99 * we will need something cleverer.
101 if (OBJ_obj2nid(alg
->algorithm
) != NID_id_smime_alg_ESDH
) {
102 ERR_raise(ERR_LIB_CMS
, CMS_R_KDF_PARAMETER_ERROR
);
106 if (EVP_PKEY_CTX_set_dh_kdf_type(pctx
, EVP_PKEY_DH_KDF_X9_42
) <= 0
107 || EVP_PKEY_CTX_set_dh_kdf_md(pctx
, EVP_sha1()) <= 0)
110 if (alg
->parameter
->type
!= V_ASN1_SEQUENCE
)
113 p
= alg
->parameter
->value
.sequence
->data
;
114 plen
= alg
->parameter
->value
.sequence
->length
;
115 kekalg
= d2i_X509_ALGOR(NULL
, &p
, plen
);
118 kekctx
= CMS_RecipientInfo_kari_get0_ctx(ri
);
122 if (OBJ_obj2txt(name
, sizeof(name
), kekalg
->algorithm
, 0) <= 0)
125 kekcipher
= EVP_CIPHER_fetch(pctx
->libctx
, name
, pctx
->propquery
);
126 if (kekcipher
== NULL
127 || EVP_CIPHER_get_mode(kekcipher
) != EVP_CIPH_WRAP_MODE
)
129 if (!EVP_EncryptInit_ex(kekctx
, kekcipher
, NULL
, NULL
, NULL
))
131 if (EVP_CIPHER_asn1_to_param(kekctx
, kekalg
->parameter
) <= 0)
134 keylen
= EVP_CIPHER_CTX_get_key_length(kekctx
);
135 if (EVP_PKEY_CTX_set_dh_kdf_outlen(pctx
, keylen
) <= 0)
137 /* Use OBJ_nid2obj to ensure we use built in OID that isn't freed */
138 if (EVP_PKEY_CTX_set0_dh_kdf_oid(pctx
,
139 OBJ_nid2obj(EVP_CIPHER_get_type(kekcipher
)))
144 dukmlen
= ASN1_STRING_length(ukm
);
145 dukm
= OPENSSL_memdup(ASN1_STRING_get0_data(ukm
), dukmlen
);
150 if (EVP_PKEY_CTX_set0_dh_kdf_ukm(pctx
, dukm
, dukmlen
) <= 0)
156 X509_ALGOR_free(kekalg
);
157 EVP_CIPHER_free(kekcipher
);
162 static int dh_cms_decrypt(CMS_RecipientInfo
*ri
)
164 EVP_PKEY_CTX
*pctx
= CMS_RecipientInfo_get0_pkey_ctx(ri
);
168 /* See if we need to set peer key */
169 if (!EVP_PKEY_CTX_get0_peerkey(pctx
)) {
171 ASN1_BIT_STRING
*pubkey
;
173 if (!CMS_RecipientInfo_kari_get0_orig_id(ri
, &alg
, &pubkey
,
176 if (alg
== NULL
|| pubkey
== NULL
)
178 if (!dh_cms_set_peerkey(pctx
, alg
, pubkey
)) {
179 ERR_raise(ERR_LIB_CMS
, CMS_R_PEER_KEY_ERROR
);
183 /* Set DH derivation parameters and initialise unwrap context */
184 if (!dh_cms_set_shared_info(pctx
, ri
)) {
185 ERR_raise(ERR_LIB_CMS
, CMS_R_SHARED_INFO_ERROR
);
191 static int dh_cms_encrypt(CMS_RecipientInfo
*ri
)
197 X509_ALGOR
*talg
, *wrap_alg
= NULL
;
198 const ASN1_OBJECT
*aoid
;
199 ASN1_BIT_STRING
*pubkey
;
200 ASN1_STRING
*wrap_str
;
201 ASN1_OCTET_STRING
*ukm
;
202 unsigned char *penc
= NULL
, *dukm
= NULL
;
206 int kdf_type
, wrap_nid
;
207 const EVP_MD
*kdf_md
;
209 pctx
= CMS_RecipientInfo_get0_pkey_ctx(ri
);
212 /* Get ephemeral key */
213 pkey
= EVP_PKEY_CTX_get0_pkey(pctx
);
214 if (!CMS_RecipientInfo_kari_get0_orig_id(ri
, &talg
, &pubkey
,
218 /* Is everything uninitialised? */
219 X509_ALGOR_get0(&aoid
, NULL
, NULL
, talg
);
220 if (aoid
== OBJ_nid2obj(NID_undef
)) {
221 BIGNUM
*bn_pub_key
= NULL
;
224 if (!EVP_PKEY_get_bn_param(pkey
, OSSL_PKEY_PARAM_PUB_KEY
, &bn_pub_key
))
227 pubk
= BN_to_ASN1_INTEGER(bn_pub_key
, NULL
);
233 penclen
= i2d_ASN1_INTEGER(pubk
, &penc
);
234 ASN1_INTEGER_free(pubk
);
237 ASN1_STRING_set0(pubkey
, penc
, penclen
);
238 ossl_asn1_string_set_bits_left(pubkey
, 0);
241 (void)X509_ALGOR_set0(talg
, OBJ_nid2obj(NID_dhpublicnumber
),
242 V_ASN1_UNDEF
, NULL
); /* cannot fail */
245 /* See if custom parameters set */
246 kdf_type
= EVP_PKEY_CTX_get_dh_kdf_type(pctx
);
247 if (kdf_type
<= 0 || EVP_PKEY_CTX_get_dh_kdf_md(pctx
, &kdf_md
) <= 0)
250 if (kdf_type
== EVP_PKEY_DH_KDF_NONE
) {
251 kdf_type
= EVP_PKEY_DH_KDF_X9_42
;
252 if (EVP_PKEY_CTX_set_dh_kdf_type(pctx
, kdf_type
) <= 0)
254 } else if (kdf_type
!= EVP_PKEY_DH_KDF_X9_42
)
257 if (kdf_md
== NULL
) {
258 /* Only SHA1 supported */
260 if (EVP_PKEY_CTX_set_dh_kdf_md(pctx
, kdf_md
) <= 0)
262 } else if (EVP_MD_get_type(kdf_md
) != NID_sha1
)
263 /* Unsupported digest */
266 if (!CMS_RecipientInfo_kari_get0_alg(ri
, &talg
, &ukm
))
270 ctx
= CMS_RecipientInfo_kari_get0_ctx(ri
);
271 wrap_nid
= EVP_CIPHER_CTX_get_type(ctx
);
272 if (EVP_PKEY_CTX_set0_dh_kdf_oid(pctx
, OBJ_nid2obj(wrap_nid
)) <= 0)
274 keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
276 /* Package wrap algorithm in an AlgorithmIdentifier */
278 wrap_alg
= X509_ALGOR_new();
279 if (wrap_alg
== NULL
)
281 wrap_alg
->algorithm
= OBJ_nid2obj(wrap_nid
);
282 wrap_alg
->parameter
= ASN1_TYPE_new();
283 if (wrap_alg
->parameter
== NULL
)
285 if (EVP_CIPHER_param_to_asn1(ctx
, wrap_alg
->parameter
) <= 0)
287 if (ASN1_TYPE_get(wrap_alg
->parameter
) == NID_undef
) {
288 ASN1_TYPE_free(wrap_alg
->parameter
);
289 wrap_alg
->parameter
= NULL
;
292 if (EVP_PKEY_CTX_set_dh_kdf_outlen(pctx
, keylen
) <= 0)
296 dukmlen
= ASN1_STRING_length(ukm
);
297 dukm
= OPENSSL_memdup(ASN1_STRING_get0_data(ukm
), dukmlen
);
302 if (EVP_PKEY_CTX_set0_dh_kdf_ukm(pctx
, dukm
, dukmlen
) <= 0)
307 * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
308 * of another AlgorithmIdentifier.
311 penclen
= i2d_X509_ALGOR(wrap_alg
, &penc
);
312 if (penc
== NULL
|| penclen
== 0)
314 wrap_str
= ASN1_STRING_new();
315 if (wrap_str
== NULL
)
317 ASN1_STRING_set0(wrap_str
, penc
, penclen
);
319 rv
= X509_ALGOR_set0(talg
, OBJ_nid2obj(NID_id_smime_alg_ESDH
),
320 V_ASN1_SEQUENCE
, wrap_str
);
322 ASN1_STRING_free(wrap_str
);
326 X509_ALGOR_free(wrap_alg
);
331 int ossl_cms_dh_envelope(CMS_RecipientInfo
*ri
, int decrypt
)
333 assert(decrypt
== 0 || decrypt
== 1);
336 return dh_cms_decrypt(ri
);
339 return dh_cms_encrypt(ri
);
341 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE
);