1 /* 2 * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/x509.h> 13 #include <openssl/asn1.h> 14 #include "dh_local.h" 15 #include <openssl/bn.h> 16 #include "crypto/asn1.h" 17 #include "crypto/evp.h" 18 #include <openssl/cms.h> 19 20 /* 21 * i2d/d2i like DH parameter functions which use the appropriate routine for 22 * PKCS#3 DH or X9.42 DH. 23 */ 24 25 static DH *d2i_dhp(const EVP_PKEY *pkey, const unsigned char **pp, 26 long length) 27 { 28 if (pkey->ameth == &dhx_asn1_meth) 29 return d2i_DHxparams(NULL, pp, length); 30 return d2i_DHparams(NULL, pp, length); 31 } 32 33 static int i2d_dhp(const EVP_PKEY *pkey, const DH *a, unsigned char **pp) 34 { 35 if (pkey->ameth == &dhx_asn1_meth) 36 return i2d_DHxparams(a, pp); 37 return i2d_DHparams(a, pp); 38 } 39 40 static void int_dh_free(EVP_PKEY *pkey) 41 { 42 DH_free(pkey->pkey.dh); 43 } 44 45 static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 46 { 47 const unsigned char *p, *pm; 48 int pklen, pmlen; 49 int ptype; 50 const void *pval; 51 const ASN1_STRING *pstr; 52 X509_ALGOR *palg; 53 ASN1_INTEGER *public_key = NULL; 54 55 DH *dh = NULL; 56 57 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) 58 return 0; 59 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 60 61 if (ptype != V_ASN1_SEQUENCE) { 62 DHerr(DH_F_DH_PUB_DECODE, DH_R_PARAMETER_ENCODING_ERROR); 63 goto err; 64 } 65 66 pstr = pval; 67 pm = pstr->data; 68 pmlen = pstr->length; 69 70 if ((dh = d2i_dhp(pkey, &pm, pmlen)) == NULL) { 71 DHerr(DH_F_DH_PUB_DECODE, DH_R_DECODE_ERROR); 72 goto err; 73 } 74 75 if ((public_key = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL) { 76 DHerr(DH_F_DH_PUB_DECODE, DH_R_DECODE_ERROR); 77 goto err; 78 } 79 80 /* We have parameters now set public key */ 81 if ((dh->pub_key = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) { 82 DHerr(DH_F_DH_PUB_DECODE, DH_R_BN_DECODE_ERROR); 83 goto err; 84 } 85 86 ASN1_INTEGER_free(public_key); 87 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh); 88 return 1; 89 90 err: 91 ASN1_INTEGER_free(public_key); 92 DH_free(dh); 93 return 0; 94 95 } 96 97 static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 98 { 99 DH *dh; 100 int ptype; 101 unsigned char *penc = NULL; 102 int penclen; 103 ASN1_STRING *str; 104 ASN1_INTEGER *pub_key = NULL; 105 106 dh = pkey->pkey.dh; 107 108 str = ASN1_STRING_new(); 109 if (str == NULL) { 110 DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); 111 goto err; 112 } 113 str->length = i2d_dhp(pkey, dh, &str->data); 114 if (str->length <= 0) { 115 DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); 116 goto err; 117 } 118 ptype = V_ASN1_SEQUENCE; 119 120 pub_key = BN_to_ASN1_INTEGER(dh->pub_key, NULL); 121 if (!pub_key) 122 goto err; 123 124 penclen = i2d_ASN1_INTEGER(pub_key, &penc); 125 126 ASN1_INTEGER_free(pub_key); 127 128 if (penclen <= 0) { 129 DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); 130 goto err; 131 } 132 133 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), 134 ptype, str, penc, penclen)) 135 return 1; 136 137 err: 138 OPENSSL_free(penc); 139 ASN1_STRING_free(str); 140 141 return 0; 142 } 143 144 /* 145 * PKCS#8 DH is defined in PKCS#11 of all places. It is similar to DH in that 146 * the AlgorithmIdentifier contains the parameters, the private key is 147 * explicitly included and the pubkey must be recalculated. 148 */ 149 150 static int dh_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 151 { 152 const unsigned char *p, *pm; 153 int pklen, pmlen; 154 int ptype; 155 const void *pval; 156 const ASN1_STRING *pstr; 157 const X509_ALGOR *palg; 158 ASN1_INTEGER *privkey = NULL; 159 160 DH *dh = NULL; 161 162 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) 163 return 0; 164 165 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 166 167 if (ptype != V_ASN1_SEQUENCE) 168 goto decerr; 169 if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL) 170 goto decerr; 171 172 pstr = pval; 173 pm = pstr->data; 174 pmlen = pstr->length; 175 if ((dh = d2i_dhp(pkey, &pm, pmlen)) == NULL) 176 goto decerr; 177 178 /* We have parameters now set private key */ 179 if ((dh->priv_key = BN_secure_new()) == NULL 180 || !ASN1_INTEGER_to_BN(privkey, dh->priv_key)) { 181 DHerr(DH_F_DH_PRIV_DECODE, DH_R_BN_ERROR); 182 goto dherr; 183 } 184 /* Calculate public key */ 185 if (!DH_generate_key(dh)) 186 goto dherr; 187 188 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh); 189 190 ASN1_STRING_clear_free(privkey); 191 192 return 1; 193 194 decerr: 195 DHerr(DH_F_DH_PRIV_DECODE, EVP_R_DECODE_ERROR); 196 dherr: 197 DH_free(dh); 198 ASN1_STRING_clear_free(privkey); 199 return 0; 200 } 201 202 static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 203 { 204 ASN1_STRING *params = NULL; 205 ASN1_INTEGER *prkey = NULL; 206 unsigned char *dp = NULL; 207 int dplen; 208 209 params = ASN1_STRING_new(); 210 211 if (params == NULL) { 212 DHerr(DH_F_DH_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 213 goto err; 214 } 215 216 params->length = i2d_dhp(pkey, pkey->pkey.dh, ¶ms->data); 217 if (params->length <= 0) { 218 DHerr(DH_F_DH_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 219 goto err; 220 } 221 params->type = V_ASN1_SEQUENCE; 222 223 /* Get private key into integer */ 224 prkey = BN_to_ASN1_INTEGER(pkey->pkey.dh->priv_key, NULL); 225 226 if (!prkey) { 227 DHerr(DH_F_DH_PRIV_ENCODE, DH_R_BN_ERROR); 228 goto err; 229 } 230 231 dplen = i2d_ASN1_INTEGER(prkey, &dp); 232 233 ASN1_STRING_clear_free(prkey); 234 prkey = NULL; 235 236 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0, 237 V_ASN1_SEQUENCE, params, dp, dplen)) 238 goto err; 239 240 return 1; 241 242 err: 243 OPENSSL_free(dp); 244 ASN1_STRING_free(params); 245 ASN1_STRING_clear_free(prkey); 246 return 0; 247 } 248 249 static int dh_param_decode(EVP_PKEY *pkey, 250 const unsigned char **pder, int derlen) 251 { 252 DH *dh; 253 254 if ((dh = d2i_dhp(pkey, pder, derlen)) == NULL) { 255 DHerr(DH_F_DH_PARAM_DECODE, ERR_R_DH_LIB); 256 return 0; 257 } 258 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh); 259 return 1; 260 } 261 262 static int dh_param_encode(const EVP_PKEY *pkey, unsigned char **pder) 263 { 264 return i2d_dhp(pkey, pkey->pkey.dh, pder); 265 } 266 267 static int do_dh_print(BIO *bp, const DH *x, int indent, int ptype) 268 { 269 int reason = ERR_R_BUF_LIB; 270 const char *ktype = NULL; 271 BIGNUM *priv_key, *pub_key; 272 273 if (ptype == 2) 274 priv_key = x->priv_key; 275 else 276 priv_key = NULL; 277 278 if (ptype > 0) 279 pub_key = x->pub_key; 280 else 281 pub_key = NULL; 282 283 if (x->p == NULL || (ptype == 2 && priv_key == NULL) 284 || (ptype > 0 && pub_key == NULL)) { 285 reason = ERR_R_PASSED_NULL_PARAMETER; 286 goto err; 287 } 288 289 if (ptype == 2) 290 ktype = "DH Private-Key"; 291 else if (ptype == 1) 292 ktype = "DH Public-Key"; 293 else 294 ktype = "DH Parameters"; 295 296 BIO_indent(bp, indent, 128); 297 if (BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p)) <= 0) 298 goto err; 299 indent += 4; 300 301 if (!ASN1_bn_print(bp, "private-key:", priv_key, NULL, indent)) 302 goto err; 303 if (!ASN1_bn_print(bp, "public-key:", pub_key, NULL, indent)) 304 goto err; 305 306 if (!ASN1_bn_print(bp, "prime:", x->p, NULL, indent)) 307 goto err; 308 if (!ASN1_bn_print(bp, "generator:", x->g, NULL, indent)) 309 goto err; 310 if (x->q && !ASN1_bn_print(bp, "subgroup order:", x->q, NULL, indent)) 311 goto err; 312 if (x->j && !ASN1_bn_print(bp, "subgroup factor:", x->j, NULL, indent)) 313 goto err; 314 if (x->seed) { 315 int i; 316 BIO_indent(bp, indent, 128); 317 BIO_puts(bp, "seed:"); 318 for (i = 0; i < x->seedlen; i++) { 319 if ((i % 15) == 0) { 320 if (BIO_puts(bp, "\n") <= 0 321 || !BIO_indent(bp, indent + 4, 128)) 322 goto err; 323 } 324 if (BIO_printf(bp, "%02x%s", x->seed[i], 325 ((i + 1) == x->seedlen) ? "" : ":") <= 0) 326 goto err; 327 } 328 if (BIO_write(bp, "\n", 1) <= 0) 329 return 0; 330 } 331 if (x->counter && !ASN1_bn_print(bp, "counter:", x->counter, NULL, indent)) 332 goto err; 333 if (x->length != 0) { 334 BIO_indent(bp, indent, 128); 335 if (BIO_printf(bp, "recommended-private-length: %d bits\n", 336 (int)x->length) <= 0) 337 goto err; 338 } 339 340 return 1; 341 342 err: 343 DHerr(DH_F_DO_DH_PRINT, reason); 344 return 0; 345 } 346 347 static int int_dh_size(const EVP_PKEY *pkey) 348 { 349 return DH_size(pkey->pkey.dh); 350 } 351 352 static int dh_bits(const EVP_PKEY *pkey) 353 { 354 return BN_num_bits(pkey->pkey.dh->p); 355 } 356 357 static int dh_security_bits(const EVP_PKEY *pkey) 358 { 359 return DH_security_bits(pkey->pkey.dh); 360 } 361 362 static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) 363 { 364 if (BN_cmp(a->pkey.dh->p, b->pkey.dh->p) || 365 BN_cmp(a->pkey.dh->g, b->pkey.dh->g)) 366 return 0; 367 else if (a->ameth == &dhx_asn1_meth) { 368 if (BN_cmp(a->pkey.dh->q, b->pkey.dh->q)) 369 return 0; 370 } 371 return 1; 372 } 373 374 static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src) 375 { 376 BIGNUM *a; 377 378 /* 379 * If source is read only just copy the pointer, so 380 * we don't have to reallocate it. 381 */ 382 if (src == NULL) 383 a = NULL; 384 else if (BN_get_flags(src, BN_FLG_STATIC_DATA) 385 && !BN_get_flags(src, BN_FLG_MALLOCED)) 386 a = (BIGNUM *)src; 387 else if ((a = BN_dup(src)) == NULL) 388 return 0; 389 BN_clear_free(*dst); 390 *dst = a; 391 return 1; 392 } 393 394 static int int_dh_param_copy(DH *to, const DH *from, int is_x942) 395 { 396 if (is_x942 == -1) 397 is_x942 = ! !from->q; 398 if (!int_dh_bn_cpy(&to->p, from->p)) 399 return 0; 400 if (!int_dh_bn_cpy(&to->g, from->g)) 401 return 0; 402 if (is_x942) { 403 if (!int_dh_bn_cpy(&to->q, from->q)) 404 return 0; 405 if (!int_dh_bn_cpy(&to->j, from->j)) 406 return 0; 407 OPENSSL_free(to->seed); 408 to->seed = NULL; 409 to->seedlen = 0; 410 if (from->seed) { 411 to->seed = OPENSSL_memdup(from->seed, from->seedlen); 412 if (!to->seed) 413 return 0; 414 to->seedlen = from->seedlen; 415 } 416 } else 417 to->length = from->length; 418 return 1; 419 } 420 421 DH *DHparams_dup(DH *dh) 422 { 423 DH *ret; 424 ret = DH_new(); 425 if (ret == NULL) 426 return NULL; 427 if (!int_dh_param_copy(ret, dh, -1)) { 428 DH_free(ret); 429 return NULL; 430 } 431 return ret; 432 } 433 434 static int dh_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) 435 { 436 if (to->pkey.dh == NULL) { 437 to->pkey.dh = DH_new(); 438 if (to->pkey.dh == NULL) 439 return 0; 440 } 441 return int_dh_param_copy(to->pkey.dh, from->pkey.dh, 442 from->ameth == &dhx_asn1_meth); 443 } 444 445 static int dh_missing_parameters(const EVP_PKEY *a) 446 { 447 if (a->pkey.dh == NULL || a->pkey.dh->p == NULL || a->pkey.dh->g == NULL) 448 return 1; 449 return 0; 450 } 451 452 static int dh_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 453 { 454 if (dh_cmp_parameters(a, b) == 0) 455 return 0; 456 if (BN_cmp(b->pkey.dh->pub_key, a->pkey.dh->pub_key) != 0) 457 return 0; 458 else 459 return 1; 460 } 461 462 static int dh_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, 463 ASN1_PCTX *ctx) 464 { 465 return do_dh_print(bp, pkey->pkey.dh, indent, 0); 466 } 467 468 static int dh_public_print(BIO *bp, const EVP_PKEY *pkey, int indent, 469 ASN1_PCTX *ctx) 470 { 471 return do_dh_print(bp, pkey->pkey.dh, indent, 1); 472 } 473 474 static int dh_private_print(BIO *bp, const EVP_PKEY *pkey, int indent, 475 ASN1_PCTX *ctx) 476 { 477 return do_dh_print(bp, pkey->pkey.dh, indent, 2); 478 } 479 480 int DHparams_print(BIO *bp, const DH *x) 481 { 482 return do_dh_print(bp, x, 4, 0); 483 } 484 485 #ifndef OPENSSL_NO_CMS 486 static int dh_cms_decrypt(CMS_RecipientInfo *ri); 487 static int dh_cms_encrypt(CMS_RecipientInfo *ri); 488 #endif 489 490 static int dh_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 491 { 492 switch (op) { 493 #ifndef OPENSSL_NO_CMS 494 495 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 496 if (arg1 == 1) 497 return dh_cms_decrypt(arg2); 498 else if (arg1 == 0) 499 return dh_cms_encrypt(arg2); 500 return -2; 501 502 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 503 *(int *)arg2 = CMS_RECIPINFO_AGREE; 504 return 1; 505 #endif 506 default: 507 return -2; 508 } 509 510 } 511 512 static int dh_pkey_public_check(const EVP_PKEY *pkey) 513 { 514 DH *dh = pkey->pkey.dh; 515 516 if (dh->pub_key == NULL) { 517 DHerr(DH_F_DH_PKEY_PUBLIC_CHECK, DH_R_MISSING_PUBKEY); 518 return 0; 519 } 520 521 return DH_check_pub_key_ex(dh, dh->pub_key); 522 } 523 524 static int dh_pkey_param_check(const EVP_PKEY *pkey) 525 { 526 DH *dh = pkey->pkey.dh; 527 528 return DH_check_ex(dh); 529 } 530 531 const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { 532 EVP_PKEY_DH, 533 EVP_PKEY_DH, 534 0, 535 536 "DH", 537 "OpenSSL PKCS#3 DH method", 538 539 dh_pub_decode, 540 dh_pub_encode, 541 dh_pub_cmp, 542 dh_public_print, 543 544 dh_priv_decode, 545 dh_priv_encode, 546 dh_private_print, 547 548 int_dh_size, 549 dh_bits, 550 dh_security_bits, 551 552 dh_param_decode, 553 dh_param_encode, 554 dh_missing_parameters, 555 dh_copy_parameters, 556 dh_cmp_parameters, 557 dh_param_print, 558 0, 559 560 int_dh_free, 561 0, 562 563 0, 0, 0, 0, 0, 564 565 0, 566 dh_pkey_public_check, 567 dh_pkey_param_check 568 }; 569 570 const EVP_PKEY_ASN1_METHOD dhx_asn1_meth = { 571 EVP_PKEY_DHX, 572 EVP_PKEY_DHX, 573 0, 574 575 "X9.42 DH", 576 "OpenSSL X9.42 DH method", 577 578 dh_pub_decode, 579 dh_pub_encode, 580 dh_pub_cmp, 581 dh_public_print, 582 583 dh_priv_decode, 584 dh_priv_encode, 585 dh_private_print, 586 587 int_dh_size, 588 dh_bits, 589 dh_security_bits, 590 591 dh_param_decode, 592 dh_param_encode, 593 dh_missing_parameters, 594 dh_copy_parameters, 595 dh_cmp_parameters, 596 dh_param_print, 597 0, 598 599 int_dh_free, 600 dh_pkey_ctrl, 601 602 0, 0, 0, 0, 0, 603 604 0, 605 dh_pkey_public_check, 606 dh_pkey_param_check 607 }; 608 609 #ifndef OPENSSL_NO_CMS 610 611 static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx, 612 X509_ALGOR *alg, ASN1_BIT_STRING *pubkey) 613 { 614 const ASN1_OBJECT *aoid; 615 int atype; 616 const void *aval; 617 ASN1_INTEGER *public_key = NULL; 618 int rv = 0; 619 EVP_PKEY *pkpeer = NULL, *pk = NULL; 620 DH *dhpeer = NULL; 621 const unsigned char *p; 622 int plen; 623 624 X509_ALGOR_get0(&aoid, &atype, &aval, alg); 625 if (OBJ_obj2nid(aoid) != NID_dhpublicnumber) 626 goto err; 627 /* Only absent parameters allowed in RFC XXXX */ 628 if (atype != V_ASN1_UNDEF && atype == V_ASN1_NULL) 629 goto err; 630 631 pk = EVP_PKEY_CTX_get0_pkey(pctx); 632 if (pk == NULL || pk->type != EVP_PKEY_DHX) 633 goto err; 634 635 /* Get parameters from parent key */ 636 dhpeer = DHparams_dup(pk->pkey.dh); 637 if (dhpeer == NULL) 638 goto err; 639 640 /* We have parameters now set public key */ 641 plen = ASN1_STRING_length(pubkey); 642 p = ASN1_STRING_get0_data(pubkey); 643 if (p == NULL || plen == 0) 644 goto err; 645 646 if ((public_key = d2i_ASN1_INTEGER(NULL, &p, plen)) == NULL) { 647 DHerr(DH_F_DH_CMS_SET_PEERKEY, DH_R_DECODE_ERROR); 648 goto err; 649 } 650 651 /* We have parameters now set public key */ 652 if ((dhpeer->pub_key = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) { 653 DHerr(DH_F_DH_CMS_SET_PEERKEY, DH_R_BN_DECODE_ERROR); 654 goto err; 655 } 656 657 pkpeer = EVP_PKEY_new(); 658 if (pkpeer == NULL) 659 goto err; 660 661 EVP_PKEY_assign(pkpeer, pk->ameth->pkey_id, dhpeer); 662 dhpeer = NULL; 663 if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0) 664 rv = 1; 665 err: 666 ASN1_INTEGER_free(public_key); 667 EVP_PKEY_free(pkpeer); 668 DH_free(dhpeer); 669 return rv; 670 } 671 672 static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) 673 { 674 int rv = 0; 675 676 X509_ALGOR *alg, *kekalg = NULL; 677 ASN1_OCTET_STRING *ukm; 678 const unsigned char *p; 679 unsigned char *dukm = NULL; 680 size_t dukmlen = 0; 681 int keylen, plen; 682 const EVP_CIPHER *kekcipher; 683 EVP_CIPHER_CTX *kekctx; 684 685 if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) 686 goto err; 687 688 /* 689 * For DH we only have one OID permissible. If ever any more get defined 690 * we will need something cleverer. 691 */ 692 if (OBJ_obj2nid(alg->algorithm) != NID_id_smime_alg_ESDH) { 693 DHerr(DH_F_DH_CMS_SET_SHARED_INFO, DH_R_KDF_PARAMETER_ERROR); 694 goto err; 695 } 696 697 if (EVP_PKEY_CTX_set_dh_kdf_type(pctx, EVP_PKEY_DH_KDF_X9_42) <= 0) 698 goto err; 699 700 if (EVP_PKEY_CTX_set_dh_kdf_md(pctx, EVP_sha1()) <= 0) 701 goto err; 702 703 if (alg->parameter->type != V_ASN1_SEQUENCE) 704 goto err; 705 706 p = alg->parameter->value.sequence->data; 707 plen = alg->parameter->value.sequence->length; 708 kekalg = d2i_X509_ALGOR(NULL, &p, plen); 709 if (!kekalg) 710 goto err; 711 kekctx = CMS_RecipientInfo_kari_get0_ctx(ri); 712 if (!kekctx) 713 goto err; 714 kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); 715 if (!kekcipher || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE) 716 goto err; 717 if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL)) 718 goto err; 719 if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) 720 goto err; 721 722 keylen = EVP_CIPHER_CTX_key_length(kekctx); 723 if (EVP_PKEY_CTX_set_dh_kdf_outlen(pctx, keylen) <= 0) 724 goto err; 725 /* Use OBJ_nid2obj to ensure we use built in OID that isn't freed */ 726 if (EVP_PKEY_CTX_set0_dh_kdf_oid(pctx, 727 OBJ_nid2obj(EVP_CIPHER_type(kekcipher))) 728 <= 0) 729 goto err; 730 731 if (ukm) { 732 dukmlen = ASN1_STRING_length(ukm); 733 dukm = OPENSSL_memdup(ASN1_STRING_get0_data(ukm), dukmlen); 734 if (!dukm) 735 goto err; 736 } 737 738 if (EVP_PKEY_CTX_set0_dh_kdf_ukm(pctx, dukm, dukmlen) <= 0) 739 goto err; 740 dukm = NULL; 741 742 rv = 1; 743 err: 744 X509_ALGOR_free(kekalg); 745 OPENSSL_free(dukm); 746 return rv; 747 } 748 749 static int dh_cms_decrypt(CMS_RecipientInfo *ri) 750 { 751 EVP_PKEY_CTX *pctx; 752 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 753 if (!pctx) 754 return 0; 755 /* See if we need to set peer key */ 756 if (!EVP_PKEY_CTX_get0_peerkey(pctx)) { 757 X509_ALGOR *alg; 758 ASN1_BIT_STRING *pubkey; 759 if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey, 760 NULL, NULL, NULL)) 761 return 0; 762 if (!alg || !pubkey) 763 return 0; 764 if (!dh_cms_set_peerkey(pctx, alg, pubkey)) { 765 DHerr(DH_F_DH_CMS_DECRYPT, DH_R_PEER_KEY_ERROR); 766 return 0; 767 } 768 } 769 /* Set DH derivation parameters and initialise unwrap context */ 770 if (!dh_cms_set_shared_info(pctx, ri)) { 771 DHerr(DH_F_DH_CMS_DECRYPT, DH_R_SHARED_INFO_ERROR); 772 return 0; 773 } 774 return 1; 775 } 776 777 static int dh_cms_encrypt(CMS_RecipientInfo *ri) 778 { 779 EVP_PKEY_CTX *pctx; 780 EVP_PKEY *pkey; 781 EVP_CIPHER_CTX *ctx; 782 int keylen; 783 X509_ALGOR *talg, *wrap_alg = NULL; 784 const ASN1_OBJECT *aoid; 785 ASN1_BIT_STRING *pubkey; 786 ASN1_STRING *wrap_str; 787 ASN1_OCTET_STRING *ukm; 788 unsigned char *penc = NULL, *dukm = NULL; 789 int penclen; 790 size_t dukmlen = 0; 791 int rv = 0; 792 int kdf_type, wrap_nid; 793 const EVP_MD *kdf_md; 794 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 795 if (!pctx) 796 return 0; 797 /* Get ephemeral key */ 798 pkey = EVP_PKEY_CTX_get0_pkey(pctx); 799 if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey, 800 NULL, NULL, NULL)) 801 goto err; 802 X509_ALGOR_get0(&aoid, NULL, NULL, talg); 803 /* Is everything uninitialised? */ 804 if (aoid == OBJ_nid2obj(NID_undef)) { 805 ASN1_INTEGER *pubk = BN_to_ASN1_INTEGER(pkey->pkey.dh->pub_key, NULL); 806 if (!pubk) 807 goto err; 808 /* Set the key */ 809 810 penclen = i2d_ASN1_INTEGER(pubk, &penc); 811 ASN1_INTEGER_free(pubk); 812 if (penclen <= 0) 813 goto err; 814 ASN1_STRING_set0(pubkey, penc, penclen); 815 pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); 816 pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; 817 818 penc = NULL; 819 X509_ALGOR_set0(talg, OBJ_nid2obj(NID_dhpublicnumber), 820 V_ASN1_UNDEF, NULL); 821 } 822 823 /* See if custom parameters set */ 824 kdf_type = EVP_PKEY_CTX_get_dh_kdf_type(pctx); 825 if (kdf_type <= 0) 826 goto err; 827 if (!EVP_PKEY_CTX_get_dh_kdf_md(pctx, &kdf_md)) 828 goto err; 829 830 if (kdf_type == EVP_PKEY_DH_KDF_NONE) { 831 kdf_type = EVP_PKEY_DH_KDF_X9_42; 832 if (EVP_PKEY_CTX_set_dh_kdf_type(pctx, kdf_type) <= 0) 833 goto err; 834 } else if (kdf_type != EVP_PKEY_DH_KDF_X9_42) 835 /* Unknown KDF */ 836 goto err; 837 if (kdf_md == NULL) { 838 /* Only SHA1 supported */ 839 kdf_md = EVP_sha1(); 840 if (EVP_PKEY_CTX_set_dh_kdf_md(pctx, kdf_md) <= 0) 841 goto err; 842 } else if (EVP_MD_type(kdf_md) != NID_sha1) 843 /* Unsupported digest */ 844 goto err; 845 846 if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm)) 847 goto err; 848 849 /* Get wrap NID */ 850 ctx = CMS_RecipientInfo_kari_get0_ctx(ri); 851 wrap_nid = EVP_CIPHER_CTX_type(ctx); 852 if (EVP_PKEY_CTX_set0_dh_kdf_oid(pctx, OBJ_nid2obj(wrap_nid)) <= 0) 853 goto err; 854 keylen = EVP_CIPHER_CTX_key_length(ctx); 855 856 /* Package wrap algorithm in an AlgorithmIdentifier */ 857 858 wrap_alg = X509_ALGOR_new(); 859 if (wrap_alg == NULL) 860 goto err; 861 wrap_alg->algorithm = OBJ_nid2obj(wrap_nid); 862 wrap_alg->parameter = ASN1_TYPE_new(); 863 if (wrap_alg->parameter == NULL) 864 goto err; 865 if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0) 866 goto err; 867 if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) { 868 ASN1_TYPE_free(wrap_alg->parameter); 869 wrap_alg->parameter = NULL; 870 } 871 872 if (EVP_PKEY_CTX_set_dh_kdf_outlen(pctx, keylen) <= 0) 873 goto err; 874 875 if (ukm) { 876 dukmlen = ASN1_STRING_length(ukm); 877 dukm = OPENSSL_memdup(ASN1_STRING_get0_data(ukm), dukmlen); 878 if (!dukm) 879 goto err; 880 } 881 882 if (EVP_PKEY_CTX_set0_dh_kdf_ukm(pctx, dukm, dukmlen) <= 0) 883 goto err; 884 dukm = NULL; 885 886 /* 887 * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter 888 * of another AlgorithmIdentifier. 889 */ 890 penc = NULL; 891 penclen = i2d_X509_ALGOR(wrap_alg, &penc); 892 if (!penc || !penclen) 893 goto err; 894 wrap_str = ASN1_STRING_new(); 895 if (wrap_str == NULL) 896 goto err; 897 ASN1_STRING_set0(wrap_str, penc, penclen); 898 penc = NULL; 899 X509_ALGOR_set0(talg, OBJ_nid2obj(NID_id_smime_alg_ESDH), 900 V_ASN1_SEQUENCE, wrap_str); 901 902 rv = 1; 903 904 err: 905 OPENSSL_free(penc); 906 X509_ALGOR_free(wrap_alg); 907 OPENSSL_free(dukm); 908 return rv; 909 } 910 911 #endif 912