From aec8de1a5f0b3f6e6279266b45836d6c9f6878df Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Wed, 8 Apr 2020 15:41:05 +0200
Subject: [PATCH] CMS KARI: Temporarly downgrade newly generated EVP_PKEYs to
 legacy

The EVP_PKEY_ASN1_METHOD code used by CMS_RecipientInfo_kari_decrypt()
and cms_RecipientInfo_kari_encrypt() is quite complex and needs more
careful thought to work with provider side keys.  Unfortunately, we
need to get key generation in place, among others for ECC keys, so we
add a temporary hack, similar to what's already done in TLS code, that
downgrades a provider side EVP_PKEY to become EVP_PKEY_ASN1_METHOD /
EVP_PKEY_METHOD based.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11501)
---
 crypto/cms/cms_err.c     |  2 +-
 crypto/cms/cms_kari.c    | 47 ++++++++++++++++++++++++++++++++++++++++
 crypto/err/openssl.txt   |  1 +
 include/openssl/cmserr.h |  1 +
 4 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c
index 98500d7cba..526d77357e 100644
--- a/crypto/cms/cms_err.c
+++ b/crypto/cms/cms_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c
index 3299e9b5f5..a44aca6535 100644
--- a/crypto/cms/cms_kari.c
+++ b/crypto/cms/cms_kari.c
@@ -248,6 +248,27 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
     size_t enckeylen;
     size_t ceklen;
     CMS_EncryptedContentInfo *ec;
+
+    {
+        /*
+         * TODO(3.0) Remove this when we have functionality to deserialize
+         * parameters in EVP_PKEY form from an X509_ALGOR.
+         * This is needed to be able to replace the EC_KEY specific decoding
+         * that happens in ecdh_cms_set_peerkey() (crypto/ec/ec_ameth.c)
+         *
+         * THIS IS TEMPORARY
+         */
+        EVP_PKEY_CTX *pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+        EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
+
+        EVP_PKEY_get0(pkey);
+        if (EVP_PKEY_id(pkey) == EVP_PKEY_NONE) {
+            CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_DECRYPT,
+                   CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+            goto err;
+        }
+    }
+
     enckeylen = rek->encryptedKey->length;
     enckey = rek->encryptedKey->data;
     /* Setup all parameters to derive KEK */
@@ -446,6 +467,32 @@ int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
     STACK_OF(CMS_RecipientEncryptedKey) *reks;
     int i;
 
+    {
+        /*
+         * TODO(3.0) Remove this when we have figured out all the details
+         * need to set up encryption right.  With legacy keys, a *lot* is
+         * happening in the CMS specific EVP_PKEY_ASN1_METHOD functions,
+         * such as automatically setting a default KDF type, KDF digest,
+         * all that kind of stuff.
+         * With EVP_SIGNATURE, setting a default digest is done by getting
+         * the default MD for the key, and then inject that back into the
+         * signature implementation...  we could do something similar with
+         * CMS, possibly using CMS specific OSSL_PARAM keys, just like we
+         * have for certain AlgorithmIdentifier retrievals.
+         *
+         * THIS IS TEMPORARY
+         */
+        EVP_PKEY_CTX *pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+        EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
+
+        EVP_PKEY_get0(pkey);
+        if (EVP_PKEY_id(pkey) == EVP_PKEY_NONE) {
+            CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT,
+                   CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+            return 0;
+        }
+    }
+
     if (ri->type != CMS_RECIPINFO_AGREE) {
         CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
         return 0;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 80b92f8476..cf6b9cd893 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -291,6 +291,7 @@ CMS_F_CMS_RECEIPTREQUEST_CREATE0:159:CMS_ReceiptRequest_create0
 CMS_F_CMS_RECEIPT_VERIFY:160:cms_Receipt_verify
 CMS_F_CMS_RECIPIENTINFO_DECRYPT:134:CMS_RecipientInfo_decrypt
 CMS_F_CMS_RECIPIENTINFO_ENCRYPT:169:CMS_RecipientInfo_encrypt
+CMS_F_CMS_RECIPIENTINFO_KARI_DECRYPT:188:
 CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT:178:cms_RecipientInfo_kari_encrypt
 CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG:175:CMS_RecipientInfo_kari_get0_alg
 CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID:173:\
diff --git a/include/openssl/cmserr.h b/include/openssl/cmserr.h
index 494ae6191a..d4d8134171 100644
--- a/include/openssl/cmserr.h
+++ b/include/openssl/cmserr.h
@@ -87,6 +87,7 @@ int ERR_load_CMS_strings(void);
 #   define CMS_F_CMS_RECEIPT_VERIFY                         0
 #   define CMS_F_CMS_RECIPIENTINFO_DECRYPT                  0
 #   define CMS_F_CMS_RECIPIENTINFO_ENCRYPT                  0
+#   define CMS_F_CMS_RECIPIENTINFO_KARI_DECRYPT             0
 #   define CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT             0
 #   define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG            0
 #   define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID        0
-- 
2.34.1