crypto/cms/cms_pwri.c

   1 /* crypto/cms/cms_pwri.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2009 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  */
  53
  54 #include "cryptlib.h"
  55 #include <openssl/asn1t.h>
  56 #include <openssl/pem.h>
  57 #include <openssl/x509v3.h>
  58 #include <openssl/err.h>
  59 #include <openssl/cms.h>
  60 #include <openssl/rand.h>
  61 #include <openssl/aes.h>
  62 #include "cms_lcl.h"
  63 #include "asn1_locl.h"
  64
  65 int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri,
  66                                 unsigned char *pass, ossl_ssize_t passlen)
  67         {
  68         CMS_PasswordRecipientInfo *pwri;
  69         if (ri->type != CMS_RECIPINFO_PASS)
  70                 {
  71                 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD, CMS_R_NOT_PWRI);
  72                 return 0;
  73                 }
  74
  75         pwri = ri->d.pwri;
  76         pwri->pass = pass;
  77         if (pass && passlen < 0)
  78                 passlen = strlen((char *)pass);
  79         pwri->passlen = passlen;
  80         return 1;
  81         }
  82
  83 CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
  84                                         int iter, int wrap_nid, int pbe_nid,
  85                                         unsigned char *pass,
  86                                         ossl_ssize_t passlen,
  87                                         const EVP_CIPHER *kekciph)
  88         {
  89         CMS_RecipientInfo *ri = NULL;
  90         CMS_EnvelopedData *env;
  91         CMS_PasswordRecipientInfo *pwri;
  92         EVP_CIPHER_CTX ctx;
  93         X509_ALGOR *encalg = NULL;
  94         unsigned char iv[EVP_MAX_IV_LENGTH];
  95         int ivlen;
  96
  97         env = cms_get0_enveloped(cms);
  98         if (!env)
  99                 return NULL;
 100
 101         if (wrap_nid <= 0)
 102                 wrap_nid = NID_id_alg_PWRI_KEK;
 103
 104         if (pbe_nid <= 0)
 105                 pbe_nid = NID_id_pbkdf2;
 106
 107         /* Get from enveloped data */
 108         if (kekciph == NULL)
 109                 kekciph = env->encryptedContentInfo->cipher;
 110
 111         if (kekciph == NULL)
 112                 {
 113                 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, CMS_R_NO_CIPHER);
 114                 return NULL;
 115                 }
 116         if (wrap_nid != NID_id_alg_PWRI_KEK)
 117                 {
 118                 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
 119                                 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM);
 120                 return NULL;
 121                 }
 122
 123         /* Setup algorithm identifier for cipher */
 124         encalg = X509_ALGOR_new();
 125         EVP_CIPHER_CTX_init(&ctx);
 126
 127         if (EVP_EncryptInit_ex(&ctx, kekciph, NULL, NULL, NULL) <= 0)
 128                 {
 129                 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB);
 130                 goto err;
 131                 }
 132
 133         ivlen = EVP_CIPHER_CTX_iv_length(&ctx);
 134
 135         if (ivlen > 0)
 136                 {
 137                 if (RAND_pseudo_bytes(iv, ivlen) <= 0)
 138                         goto err;
 139                 if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0)
 140                         {
 141                         CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
 142                                                         ERR_R_EVP_LIB);
 143                         goto err;
 144                         }
 145                 encalg->parameter = ASN1_TYPE_new();
 146                 if (!encalg->parameter)
 147                         {
 148                         CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
 149                                                         ERR_R_MALLOC_FAILURE);
 150                         goto err;
 151                         }
 152                 if (EVP_CIPHER_param_to_asn1(&ctx, encalg->parameter) <= 0)
 153                         {
 154                         CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
 155                                 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
 156                         goto err;
 157                         }
 158                 }
 159
 160
 161         encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(&ctx));
 162
 163         EVP_CIPHER_CTX_cleanup(&ctx);
 164
 165         /* Initialize recipient info */
 166         ri = M_ASN1_new_of(CMS_RecipientInfo);
 167         if (!ri)
 168                 goto merr;
 169
 170         ri->d.pwri = M_ASN1_new_of(CMS_PasswordRecipientInfo);
 171         if (!ri->d.pwri)
 172                 goto merr;
 173         ri->type = CMS_RECIPINFO_PASS;
 174
 175         pwri = ri->d.pwri;
 176         /* Since this is overwritten, free up empty structure already there */
 177         X509_ALGOR_free(pwri->keyEncryptionAlgorithm);
 178         pwri->keyEncryptionAlgorithm = X509_ALGOR_new();
 179         if (!pwri->keyEncryptionAlgorithm)
 180                 goto merr;
 181         pwri->keyEncryptionAlgorithm->algorithm = OBJ_nid2obj(wrap_nid);
 182         pwri->keyEncryptionAlgorithm->parameter = ASN1_TYPE_new();
 183         if (!pwri->keyEncryptionAlgorithm->parameter)
 184                 goto merr;
 185
 186         if(!ASN1_item_pack(encalg, ASN1_ITEM_rptr(X509_ALGOR),
 187             &pwri->keyEncryptionAlgorithm->parameter->value.sequence))
 188                 goto merr;
 189         pwri->keyEncryptionAlgorithm->parameter->type = V_ASN1_SEQUENCE;
 190
 191         X509_ALGOR_free(encalg);
 192         encalg = NULL;
 193
 194         /* Setup PBE algorithm */
 195
 196         pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1);
 197
 198         if (!pwri->keyDerivationAlgorithm)
 199                 goto err;
 200
 201         CMS_RecipientInfo_set0_password(ri, pass, passlen);
 202         pwri->version = 0;
 203
 204         if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
 205                 goto merr;
 206
 207         return ri;
 208
 209         merr:
 210         CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE);
 211         err:
 212         EVP_CIPHER_CTX_cleanup(&ctx);
 213         if (ri)
 214                 M_ASN1_free_of(ri, CMS_RecipientInfo);
 215         if (encalg)
 216                 X509_ALGOR_free(encalg);
 217         return NULL;
 218
 219         }
 220
 221 /* This is an implementation of the key wrapping mechanism in RFC3211,
 222  * at some point this should go into EVP.
 223  */
 224
 225 static int kek_unwrap_key(unsigned char *out, size_t *outlen,
 226                 const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx)
 227         {
 228         size_t blocklen = EVP_CIPHER_CTX_block_size(ctx);
 229         unsigned char *tmp;
 230         int outl, rv = 0;
 231         if (inlen < 2 * blocklen)
 232                 {
 233                 /* too small */
 234                 return 0;
 235                 }
 236         if (inlen % blocklen)
 237                 {
 238                 /* Invalid size */
 239                 return 0;
 240                 }
 241         tmp = OPENSSL_malloc(inlen);
 242         /* setup IV by decrypting last two blocks */
 243         if (!EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl,
 244                                in  + inlen - 2 * blocklen, blocklen * 2)
 245         /* Do a decrypt of last decrypted block to set IV to correct value
 246          * output it to start of buffer so we don't corrupt decrypted block
 247          * this works because buffer is at least two block lengths long.
 248          */
 249             || !EVP_DecryptUpdate(ctx, tmp, &outl,
 250                                   tmp  + inlen - blocklen, blocklen)
 251         /* Can now decrypt first n - 1 blocks */
 252             || !EVP_DecryptUpdate(ctx, tmp, &outl, in, inlen - blocklen)
 253
 254         /* Reset IV to original value */
 255             || !EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL)
 256         /* Decrypt again */
 257             || !EVP_DecryptUpdate(ctx, tmp, &outl, tmp, inlen))
 258                 goto err;
 259         /* Check check bytes */
 260         if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff)
 261                 {
 262                 /* Check byte failure */
 263                 goto err;
 264                 }
 265         if (inlen < (size_t)(tmp[0] - 4 ))
 266                 {
 267                 /* Invalid length value */
 268                 goto err;
 269                 }
 270         *outlen = (size_t)tmp[0];
 271         memcpy(out, tmp + 4, *outlen);
 272         rv = 1;
 273         err:
 274         OPENSSL_cleanse(tmp, inlen);
 275         OPENSSL_free(tmp);
 276         return rv;
 277
 278         }
 279
 280 static int kek_wrap_key(unsigned char *out, size_t *outlen,
 281                 const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx)
 282         {
 283         size_t blocklen = EVP_CIPHER_CTX_block_size(ctx);
 284         size_t olen;
 285         int dummy;
 286         /* First decide length of output buffer: need header and round up to
 287          * multiple of block length.
 288          */
 289         olen = (inlen + 4 + blocklen - 1)/blocklen;
 290         olen *= blocklen;
 291         if (olen < 2 * blocklen)
 292                 {
 293                 /* Key too small */
 294                 return 0;
 295                 }
 296         if (inlen > 0xFF)
 297                 {
 298                 /* Key too large */
 299                 return 0;
 300                 }
 301         if (out)
 302                 {
 303                 /* Set header */
 304                 out[0] = (unsigned char)inlen;
 305                 out[1] = in[0] ^ 0xFF;
 306                 out[2] = in[1] ^ 0xFF;
 307                 out[3] = in[2] ^ 0xFF;
 308                 memcpy(out + 4, in, inlen);
 309                 /* Add random padding to end */
 310                 if (olen > inlen + 4)
 311                         RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen);
 312                 /* Encrypt twice */
 313                 if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen)
 314                     || !EVP_EncryptUpdate(ctx, out, &dummy, out, olen))
 315                         return 0;
 316                 }
 317
 318         *outlen = olen;
 319
 320         return 1;
 321         }
 322
 323 /* Encrypt/Decrypt content key in PWRI recipient info */
 324
 325 int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
 326                                                         int en_de)
 327         {
 328         CMS_EncryptedContentInfo *ec;
 329         CMS_PasswordRecipientInfo *pwri;
 330         const unsigned char *p = NULL;
 331         int plen;
 332         int r = 0;
 333         X509_ALGOR *algtmp, *kekalg = NULL;
 334         EVP_CIPHER_CTX kekctx;
 335         const EVP_CIPHER *kekcipher;
 336         unsigned char *key = NULL;
 337         size_t keylen;
 338
 339         ec = cms->d.envelopedData->encryptedContentInfo;
 340
 341         pwri = ri->d.pwri;
 342         EVP_CIPHER_CTX_init(&kekctx);
 343
 344         if (!pwri->pass)
 345                 {
 346                 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_NO_PASSWORD);
 347                 return 0;
 348                 }
 349         algtmp = pwri->keyEncryptionAlgorithm;
 350
 351         if (!algtmp || OBJ_obj2nid(algtmp->algorithm) != NID_id_alg_PWRI_KEK)
 352                 {
 353                 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
 354                                 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM);
 355                 return 0;
 356                 }
 357
 358         if (algtmp->parameter->type == V_ASN1_SEQUENCE)
 359                 {
 360                 p = algtmp->parameter->value.sequence->data;
 361                 plen = algtmp->parameter->value.sequence->length;
 362                 kekalg = d2i_X509_ALGOR(NULL, &p, plen);
 363                 }
 364         if (kekalg == NULL)
 365                 {
 366                 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
 367                                 CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER);
 368                 return 0;
 369                 }
 370
 371         kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
 372
 373         if(!kekcipher)
 374                 {
 375                 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
 376                                 CMS_R_UNKNOWN_CIPHER);
 377                 goto err;
 378                 }
 379
 380         /* Fixup cipher based on AlgorithmIdentifier to set IV etc */
 381         if (!EVP_CipherInit_ex(&kekctx, kekcipher, NULL, NULL, NULL, en_de))
 382                 goto err;
 383         EVP_CIPHER_CTX_set_padding(&kekctx, 0);
 384         if(EVP_CIPHER_asn1_to_param(&kekctx, kekalg->parameter) < 0)
 385                 {
 386                 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
 387                                 CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
 388                 goto err;
 389                 }
 390
 391         algtmp = pwri->keyDerivationAlgorithm;
 392
 393         /* Finish password based key derivation to setup key in "ctx" */
 394
 395         if (EVP_PBE_CipherInit(algtmp->algorithm,
 396                                 (char *)pwri->pass, pwri->passlen,
 397                                 algtmp->parameter, &kekctx, en_de) < 0)
 398                 {
 399                 CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_EVP_LIB);
 400                 goto err;
 401                 }
 402
 403         /* Finally wrap/unwrap the key */
 404
 405         if (en_de)
 406                 {
 407
 408                 if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, &kekctx))
 409                         goto err;
 410
 411                 key = OPENSSL_malloc(keylen);
 412
 413                 if (!key)
 414                         goto err;
 415
 416                 if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, &kekctx))
 417                         goto err;
 418                 pwri->encryptedKey->data = key;
 419                 pwri->encryptedKey->length = keylen;
 420                 }
 421         else
 422                 {
 423                 key = OPENSSL_malloc(pwri->encryptedKey->length);
 424
 425                 if (!key)
 426                         {
 427                         CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
 428                                                         ERR_R_MALLOC_FAILURE);
 429                         goto err;
 430                         }
 431                 if (!kek_unwrap_key(key, &keylen,
 432                                         pwri->encryptedKey->data,
 433                                         pwri->encryptedKey->length, &kekctx))
 434                         {
 435                         CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
 436                                                         CMS_R_UNWRAP_FAILURE);
 437                         goto err;
 438                         }
 439
 440                 ec->key = key;
 441                 ec->keylen = keylen;
 442
 443                 }
 444
 445         r = 1;
 446
 447         err:
 448
 449         EVP_CIPHER_CTX_cleanup(&kekctx);
 450
 451         if (!r && key)
 452                 OPENSSL_free(key);
 453         X509_ALGOR_free(kekalg);
 454
 455         return r;
 456
 457         }