Merge pull request #115 from SparkiDev/we_cms

CMS: Add support for CMS/PKCS#7

Author: cconlon

README.md

@@ -58,7 +58,7 @@ sudo make install
 git clone https://github.com/wolfssl/wolfssl.git
 cd wolfssl
 ./autogen.sh
-./configure --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm CPPFLAGS="-DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
+./configure --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf CPPFLAGS="-DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
 make
 sudo make install
 ```

include/wolfengine/we_openssl_bc.h

@@ -173,6 +173,9 @@ size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
 #ifndef EVP_PKEY_HKDEF_MODE_EXPAND_ONLY
 #define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY             2
 #endif
+#ifndef EVP_PKEY_ECDH_KDF_X9_63
+#define EVP_PKEY_ECDH_KDF_X9_63     EVP_PKEY_ECDH_KDF_X9_62
+#endif
 
 const BIGNUM *DH_get0_p(const DH *dh);
 const BIGNUM *DH_get0_g(const DH *dh);

openssl_patches/1.1.1b/tests/openssl_111b.patch

@@ -0,0 +1,40 @@
+diff --git a/apps/openssl.c b/apps/openssl.c
+index a872e2c5..6fe79d59 100644
+--- a/apps/openssl.c
++++ b/apps/openssl.c
+@@ -127,6 +127,20 @@ int main(int argc, char *argv[])
+     const char *prompt;
+     ARGS arg;
+     int first, n, i, ret = 0;
++    ENGINE *e;
++
++    ENGINE_load_dynamic();
++    e = ENGINE_by_id("libwolfengine");
++    if (e == NULL) {
++        printf("Failed to find wolfEngine.\n");
++        return 1;
++    }
++    if (ENGINE_ctrl_cmd(e, "enable_debug", 1, NULL, NULL, 0) != 1) {
++        printf("Failed to enable wolfEngine debug logging.\n");
++        return 1;
++    }
++    ENGINE_set_default(e, ENGINE_METHOD_ALL);
++
+ 
+     arg.argv = NULL;
+     arg.size = 0;
+@@ -260,12 +274,14 @@ int main(int argc, char *argv[])
+ 
+     BIO_free(bio_in);
+     BIO_free_all(bio_out);
++    ENGINE_finish(e);
+     apps_shutdown();
+ #ifndef OPENSSL_NO_CRYPTO_MDEBUG
+     if (CRYPTO_mem_leaks(bio_err) <= 0)
+         ret = 1;
+ #endif
+     BIO_free(bio_err);
++    ENGINE_cleanup();
+     EXIT(ret);
+ }
+ 

openssl_patches/1.1.1b/tests/test_cms.txt_11b.patch

@@ -0,0 +1,129 @@
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index f038bea3..dc8574ed 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -137,9 +137,9 @@ my @smime_pkcs7_tests = (
+ 	"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, DES, 3 recipients",
++    [ "enveloped content test streaming S/MIME format, AES-128, 3 recipients",
+       [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
++	"-aes128", "-stream", "-out", "test.cms",
+ 	catfile($smdir, "smrsa1.pem"),
+ 	catfile($smdir, "smrsa2.pem"),
+ 	catfile($smdir, "smrsa3.pem") ],
+@@ -147,9 +147,9 @@ my @smime_pkcs7_tests = (
+ 	"-in", "test.cms", "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
++    [ "enveloped content test streaming S/MIME format, AES-128, 3 recipients, 3rd used",
+       [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
++	"-aes128", "-stream", "-out", "test.cms",
+ 	catfile($smdir, "smrsa1.pem"),
+ 	catfile($smdir, "smrsa2.pem"),
+ 	catfile($smdir, "smrsa3.pem") ],
+@@ -157,9 +157,9 @@ my @smime_pkcs7_tests = (
+ 	"-in", "test.cms", "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used",
++    [ "enveloped content test streaming S/MIME format, AES-128, 3 recipients, key only used",
+       [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
++	"-aes128", "-stream", "-out", "test.cms",
+ 	catfile($smdir, "smrsa1.pem"),
+ 	catfile($smdir, "smrsa2.pem"),
+ 	catfile($smdir, "smrsa3.pem") ],
+@@ -219,9 +219,9 @@ my @smime_cms_tests = (
+ 	"-CAfile", catfile($smdir, "smroot.pem") ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
++    [ "enveloped content test streaming S/MIME format, AES-128, 3 recipients, keyid",
+       [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms", "-keyid",
++	"-aes128", "-stream", "-out", "test.cms", "-keyid",
+ 	catfile($smdir, "smrsa1.pem"),
+ 	catfile($smdir, "smrsa2.pem"),
+ 	catfile($smdir, "smrsa3.pem") ],
+@@ -324,43 +324,43 @@ my @smime_cms_param_tests = (
+ 	"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
++    [ "enveloped content test streaming S/MIME format, AES-128, OAEP default parameters",
+       [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
++	"-aes128", "-stream", "-out", "test.cms",
+ 	"-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep" ],
+       [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
+ 	"-in", "test.cms", "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
++    [ "enveloped content test streaming S/MIME format, AES-128, OAEP SHA256",
+       [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
++	"-aes128", "-stream", "-out", "test.cms",
+ 	"-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep",
+ 	"-keyopt", "rsa_oaep_md:sha256" ],
+       [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
+ 	"-in", "test.cms", "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, DES, ECDH",
++    [ "enveloped content test streaming S/MIME format, AES-128, ECDH",
+       [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
++	"-aes128", "-stream", "-out", "test.cms",
+ 	"-recip", catfile($smdir, "smec1.pem") ],
+       [ "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
+ 	"-in", "test.cms", "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
++    [ "enveloped content test streaming S/MIME format, AES-128, ECDH, 2 recipients, key only used",
+       [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
++	"-aes128", "-stream", "-out", "test.cms",
+ 	catfile($smdir, "smec1.pem"),
+ 	catfile($smdir, "smec3.pem") ],
+       [ "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
+ 	"-in", "test.cms", "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
++    [ "enveloped content test streaming S/MIME format, ECDH, AES-128, key identifier",
+       [ "-encrypt", "-keyid", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
++	"-aes128", "-stream", "-out", "test.cms",
+ 	"-recip", catfile($smdir, "smec1.pem") ],
+       [ "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
+ 	"-in", "test.cms", "-out", "smtst.txt" ]
+@@ -374,14 +374,14 @@ my @smime_cms_param_tests = (
+ 	"-in", "test.cms", "-out", "smtst.txt" ]
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
+-      [ "-encrypt", "-in", $smcont,
+-	"-stream", "-out", "test.cms",
+-	"-recip", catfile($smdir, "smec2.pem"), "-aes128",
+-	"-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
+-      [ "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
+-	"-in", "test.cms", "-out", "smtst.txt" ]
+-    ],
++#    [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
++#      [ "-encrypt", "-in", $smcont,
++#	"-stream", "-out", "test.cms",
++#	"-recip", catfile($smdir, "smec2.pem"), "-aes128",
++#	"-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
++#      [ "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
++#	"-in", "test.cms", "-out", "smtst.txt" ]
++#    ],
+ 
+     [ "enveloped content test streaming S/MIME format, X9.42 DH",
+       [ "-encrypt", "-in", $smcont,

scripts/openssl-unit-tests.sh

@@ -274,7 +274,7 @@ run_patched_tests() {
             TEST="$TEST evptests.txt"
         fi
         # main is the common file for 1.1.1b tests
-        if [ "$TEST" == "main" -o "$TEST" == "apps" ]; then
+        if [ "$TEST" == "main" -o "$TEST" == "apps" -o "$TEST" == "openssl" ]; then
             continue
         fi
         if [[ "$TEST" == *".conf.in"* ]]; then
@@ -338,6 +338,7 @@ test_openssl_111b() {
     run_patched_tests
 
     run_test "clienthellotest session.pem"
+    run_test "x509_dup_cert_test certs/leaf.pem"
 
     # test/recipes/15-test_genrsa.t
     for BITS in 2048 3072 4096
@@ -361,6 +362,9 @@ test_openssl_111b() {
     run_111recipe "test_ssl_old"
     run_111recipe "test_ssl_test_ctx"
     run_111recipe "test_sslcorrupt"
+    run_111recipe "test_x509_store"
+    run_111recipe "test_cms"
+    run_111recipe "test_cmsapi"
 
 # individual test runs (recipe is preferred)
 #    for SSL_TEST in "01-simple.conf" "02-protocol-version.conf" \

src/we_aes_block.c

@@ -38,6 +38,8 @@ typedef struct we_AesBlock
     unsigned int   init:1;
     /** Flag to indicate whether we are doing encrypt (1) or decrpyt (0). */
     unsigned int   enc:1;
+    /** Flag to indicate whether iv has been set. */
+    unsigned int   ivSet:1;
 } we_AesBlock;
 
 #endif
@@ -117,6 +119,7 @@ static int we_aes_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                 WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetIV", rc);
                 ret = 0;
             }
+            aes->ivSet = (ret == 1);
         }
     }
 
@@ -352,7 +355,8 @@ static int we_aes_cbc_decrypt(we_AesBlock* aes, unsigned char *out,
 static int we_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len)
 {
-    int ret;
+    int ret = 1;
+    int rc;
     we_AesBlock* aes;
 
     WOLFENGINE_ENTER(WE_LOG_CIPHER, "we_aes_cbc_cipher");
@@ -366,11 +370,22 @@ static int we_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                    "EVP_CIPHER_CTX_get_cipher_data", aes);
         ret = -1;
     }
-    else if (aes->enc) {
-        ret = we_aes_cbc_encrypt(aes, out, in, len);
+    if ((ret == 1) && (!aes->ivSet)) {
+        WOLFENGINE_MSG(WE_LOG_CIPHER, "Setting AES IV");
+        rc = wc_AesSetIV(&aes->aes, EVP_CIPHER_CTX_iv_noconst(ctx));
+        if (rc != 0) {
+            WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetIV", rc);
+            ret = 0;
+        }
+        aes->ivSet = (ret == 1);
     }
-    else {
-        ret = we_aes_cbc_decrypt(aes, out, in, len);
+    if (ret == 1) {
+        if (aes->enc) {
+            ret = we_aes_cbc_encrypt(aes, out, in, len);
+        }
+        else {
+            ret = we_aes_cbc_decrypt(aes, out, in, len);
+        }
     }
 
     WOLFENGINE_LEAVE(WE_LOG_CIPHER, "we_aes_cbc_cipher", ret);

src/we_des3_cbc.c

@@ -39,6 +39,8 @@ typedef struct we_Des3Cbc
     unsigned int   init:1;
     /** Flag to indicate whether we are doing encrypt (1) or decrpyt (0). */
     unsigned int   enc:1;
+    /** Flag to indicate whether IV has been set. */
+    unsigned int   ivSet:1;
 } we_Des3Cbc;
 
 /**
@@ -105,6 +107,7 @@ static int we_des3_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                 WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_Des3_SetIV", rc);
                 ret = 0;
             }
+            des3->ivSet = (ret == 1);
         }
     }
 
@@ -222,6 +225,7 @@ static int we_des3_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len)
 {
     int ret = 1;
+    int rc;
     we_Des3Cbc* des3;
 
     WOLFENGINE_ENTER(WE_LOG_CIPHER, "we_des3_cbc_cipher");
@@ -235,6 +239,15 @@ static int we_des3_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                    "EVP_CIPHER_CTX_get_cipher_data", des3);
         ret = 0;
     }
+    if ((ret == 1) && (!des3->ivSet)) {
+        WOLFENGINE_MSG(WE_LOG_CIPHER, "Setting 3DES IV");
+        rc = wc_Des3_SetIV(&des3->des3, EVP_CIPHER_CTX_iv_noconst(ctx));
+        if (rc != 0) {
+            WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_Des3_SetIV", rc);
+            ret = 0;
+        }
+        des3->ivSet = (ret == 1); 
+    }
     if (ret == 1) {
         if (des3->enc) {
             ret = we_des3_cbc_encrypt(ctx, des3, out, in, len);