Preliminary support for enveloped data content type creation.

Fix signed data creation so versions are only corrected if structure is being created.
2008-03-17 13:38:51 +00:00 · 2008-03-17 13:38:51 +00:00 · 761ffa729f
commit 761ffa729f
parent 1e26a8baed
7 changed files with 221 additions and 31 deletions
--- a/crypto/cms/cms.h
+++ b/crypto/cms/cms.h
@ -169,6 +169,9 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert,
 STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms);
 int CMS_RecipientInfo_type(CMS_RecipientInfo *ri);
 CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
 CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
 					X509 *recip, unsigned int flags);
 int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
 					EVP_PKEY **pk, X509 **recip,
@ -290,6 +293,7 @@ void ERR_load_CMS_strings(void);
 #define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO		 111
 #define CMS_F_CMS_DIGESTEDDATA_DO_FINAL			 112
 #define CMS_F_CMS_DIGEST_VERIFY				 113
 #define CMS_F_CMS_ENCRYPT				 154
 #define CMS_F_CMS_ENCRYPTEDCONTENT_DECRYPT_BIO		 146
 #define CMS_F_CMS_ENCRYPTEDCONTENT_ENCRYPT_BIO		 144
 #define CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO		 148
@ -299,6 +303,8 @@ void ERR_load_CMS_strings(void);
 #define CMS_F_CMS_ENCRYPTEDDATA_INIT_BIO		 147
 #define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY		 141
 #define CMS_F_CMS_ENCRYPTED_DATA_DECRYPT		 139
 #define CMS_F_CMS_ENVELOPEDDATA_CREATE			 153
 #define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO		 156
 #define CMS_F_CMS_ENVELOPED_DATA_INIT			 114
 #define CMS_F_CMS_FINAL					 115
 #define CMS_F_CMS_GET0_CERTIFICATE_CHOICES		 116
@ -309,6 +315,7 @@ void ERR_load_CMS_strings(void);
 #define CMS_F_CMS_GET0_SIGNED				 121
 #define CMS_F_CMS_RECIPIENTINFO_DECRYPT			 150
 #define CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP		 122
 #define CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT		 155
 #define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS		 123
 #define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID	 124
 #define CMS_F_CMS_SET1_SIGNERIDENTIFIER			 125
@ -340,6 +347,7 @@ void ERR_load_CMS_strings(void);
 #define CMS_R_CTRL_FAILURE				 108
 #define CMS_R_ERROR_GETTING_PUBLIC_KEY			 109
 #define CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE	 110
 #define CMS_R_ERROR_SETTING_RECIPIENTINFO		 150
 #define CMS_R_INVALID_KEY_LENGTH			 140
 #define CMS_R_MD_BIO_INIT_ERROR				 111
 #define CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH	 112
@ -358,6 +366,7 @@ void ERR_load_CMS_strings(void);
 #define CMS_R_NO_PUBLIC_KEY				 121
 #define CMS_R_NO_SIGNERS				 122
 #define CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE	 123
 #define CMS_R_RECIPIENT_ERROR				 149
 #define CMS_R_SIGNER_CERTIFICATE_NOT_FOUND		 124
 #define CMS_R_SIGNFINAL_ERROR				 125
 #define CMS_R_SMIME_TEXT_ERROR				 126
@ -373,6 +382,7 @@ void ERR_load_CMS_strings(void);
 #define CMS_R_UNKNOWN_ID				 133
 #define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 134
 #define CMS_R_UNSUPPORTED_CONTENT_TYPE			 135
 #define CMS_R_UNSUPPORTED_RECIPIENT_TYPE		 151
 #define CMS_R_UNSUPPORTED_TYPE				 136
 #define CMS_R_VERIFICATION_FAILURE			 137
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@ -92,7 +92,14 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 	BIO_get_cipher_ctx(b, &ctx);
 	if (enc)
 		{
 		ciph = ec->cipher;
 		/* If not keeping key set cipher to NULL so subsequent calls
 		 * decrypt.
 		 */
 		if (ec->key)
 			ec->cipher = NULL;
 		}
 	else
 		{
 		ciph = EVP_get_cipherbyobj(calg->algorithm);
@ -112,12 +119,10 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 		goto err;
 		}
 	if (enc)
 		calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx));
 	if (enc)
 		{
 		int ivlen;
 		calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx));
 		/* Generate a random IV if we need one */
 		ivlen = EVP_CIPHER_CTX_iv_length(ctx);
 		if (ivlen > 0)
@ -128,11 +133,11 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 			}
 		}
 	else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0)
-			{
+		{
-			CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
+		CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
 				CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
-			goto err;
+		goto err;
-			}
+		}
 	if (enc && !ec->key)
@ -200,7 +205,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 	return NULL;
 	}
-static int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, 
+int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, 
 				const EVP_CIPHER *cipher,
 				const unsigned char *key, size_t keylen)
 	{
@ -252,7 +257,7 @@ int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph,
 BIO *cms_EncryptedData_init_bio(CMS_ContentInfo *cms)
 	{
 	CMS_EncryptedData *enc = cms->d.encryptedData;
-	if (enc->unprotectedAttrs)
+	if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs)
 		enc->version = 2;
 	return cms_EncryptedContent_init_bio(enc->encryptedContentInfo);
 	}
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@ -104,7 +104,7 @@ static CMS_EnvelopedData *cms_enveloped_data_init(CMS_ContentInfo *cms)
 STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms)
 	{
 	CMS_EnvelopedData *env;
-	env = cms_enveloped_data_init(cms);
+	env = cms_get0_enveloped(cms);
 	if (!env)
 		return NULL;
 	return env->recipientInfos;
@ -115,10 +115,30 @@ int CMS_RecipientInfo_type(CMS_RecipientInfo *ri)
 	return ri->type;
 	}
 CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
 	{
 	CMS_ContentInfo *cms;
 	CMS_EnvelopedData *env;
 	cms = CMS_ContentInfo_new();
 	if (!cms)
 		goto merr;
 	env = cms_enveloped_data_init(cms);
 	if (!env)
 		goto merr;
 	if (!cms_EncryptedContent_init(env->encryptedContentInfo,
 					cipher, NULL, 0))
 		goto merr;
 	return cms;
 	merr:
 	if (cms)
 		CMS_ContentInfo_free(cms);
 	CMSerr(CMS_F_CMS_ENVELOPEDDATA_CREATE, ERR_R_MALLOC_FAILURE);
 	return NULL;
 	}
 /* Add a recipient certificate. For now only handle key transport.
 * If we ever handle key agreement will need updating.
 */
 #if 0 /* currently unused/undeclared */
 CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
 					X509 *recip, unsigned int flags)
 	{
@ -127,17 +147,16 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
 	CMS_EnvelopedData *env;
 	EVP_PKEY *pk = NULL;
 	int i, type;
-	/* Init enveloped data */
+	env = cms_get0_enveloped(cms);
 	env = cms_enveloped_data_init(cms);
 	if (!env)
 		goto err;
-	/* Initialized recipient info */
+	/* Initialize recipient info */
 	ri = M_ASN1_new_of(CMS_RecipientInfo);
 	if (!ri)
 		goto merr;
-	/* Initialize and add key transrport recipient info */
+	/* Initialize and add key transport recipient info */
 	ri->d.ktri = M_ASN1_new_of(CMS_KeyTransRecipientInfo);
 	if (!ri->d.ktri)
@ -155,7 +174,6 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
 		goto err;
 		}
 	CRYPTO_add(&recip->references, 1, CRYPTO_LOCK_X509);
 	CRYPTO_add(&pk->references, 1, CRYPTO_LOCK_EVP_PKEY);
 	ktri->pkey = pk;
 	ktri->recip = recip;
@ -208,7 +226,6 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
 	return NULL;
 	}
 #endif
 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
 					EVP_PKEY **pk, X509 **recip,
@ -262,6 +279,71 @@ int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert)
 	return cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert);
 	}
 /* Encrypt content key in key transport recipient info */
 static int cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms,
 					CMS_RecipientInfo *ri)
 	{
 	CMS_KeyTransRecipientInfo *ktri;
 	CMS_EncryptedContentInfo *ec;
 	EVP_PKEY_CTX *pctx = NULL;
 	unsigned char *ek = NULL;
 	size_t eklen;
 	int ret = 0;
 	if (ri->type != CMS_RECIPINFO_TRANS)
 		{
 		CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT,
 			CMS_R_NOT_KEY_TRANSPORT);
 		return 0;
 		}
 	ktri = ri->d.ktri;
 	ec = cms->d.envelopedData->encryptedContentInfo;
 	pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL);
 	if (!pctx)
 		return 0;
 	if (EVP_PKEY_encrypt_init(pctx) <= 0)
 		goto err;
 	if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
 				EVP_PKEY_CTRL_CMS_ENCRYPT, 0, ri) <= 0)
 		{
 		CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, CMS_R_CTRL_ERROR);
 		goto err;
 		}
 	if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
 		goto err;
 	ek = OPENSSL_malloc(eklen);
 	if (ek == NULL)
 		{
 		CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT,
 							ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 	if (EVP_PKEY_encrypt(pctx, ek, &eklen, ec->key, ec->keylen) <= 0)
 		goto err;
 	ASN1_STRING_set0(ktri->encryptedKey, ek, eklen);
 	ek = NULL;
 	ret = 1;
 	err:
 	if (pctx)
 		EVP_PKEY_CTX_free(pctx);
 	if (ek)
 		OPENSSL_free(ek);
 	return ret;
 	}
 int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
 			       EVP_PKEY *pkey)
 	{
@ -332,6 +414,57 @@ int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
 BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
 	{
 	CMS_EncryptedContentInfo *ec;
 	STACK_OF(CMS_RecipientInfo) *rinfos;
 	CMS_RecipientInfo *ri;
 	int i, r, ok = 0;
 	BIO *ret;
 	/* Get BIO first to set up key */
 	ec = cms->d.envelopedData->encryptedContentInfo;
-	return cms_EncryptedContent_init_bio(ec);
+	ret = cms_EncryptedContent_init_bio(ec);
 	/* If error or no cipher end of processing */
 	if (!ret || !ec->cipher)
 		return ret;
 	rinfos = cms->d.envelopedData->recipientInfos;
 	for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++)
 		{
 		ri = sk_CMS_RecipientInfo_value(rinfos, i);
 		if (ri->type == CMS_RECIPINFO_TRANS)
 			r = cms_RecipientInfo_ktri_encrypt(cms, ri);
 		else
 			{
 			CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
 				CMS_R_UNSUPPORTED_RECIPIENT_TYPE);
 			goto err;
 			}
 		if (r <= 0)
 			{
 			CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
 				CMS_R_ERROR_SETTING_RECIPIENTINFO);
 			goto err;
 			}
 		}
 	ok = 1;
 	err:
 	ec->cipher = NULL;
 	if (ec->key)
 		{
 		OPENSSL_cleanse(ec->key, ec->keylen);
 		OPENSSL_free(ec->key);
 		ec->key = NULL;
 		ec->keylen = 0;
 		}
 	if (ok)
 		return ret;
 	BIO_free(ret);
 	return NULL;
 	}
--- a/crypto/cms/cms_err.c
+++ b/crypto/cms/cms_err.c
@ -71,7 +71,7 @@
 static ERR_STRING_DATA CMS_str_functs[]=
 	{
 {ERR_FUNC(CMS_F_CHECK_CONTENT),	"CHECK_CONTENT"},
-{ERR_FUNC(CMS_F_CMS_ADD1_RECIPIENT_CERT),	"CMS_ADD1_RECIPIENT_CERT"},
+{ERR_FUNC(CMS_F_CMS_ADD1_RECIPIENT_CERT),	"CMS_add1_recipient_cert"},
 {ERR_FUNC(CMS_F_CMS_ADD1_SIGNER),	"CMS_add1_signer"},
 {ERR_FUNC(CMS_F_CMS_ADD1_SIGNINGTIME),	"CMS_ADD1_SIGNINGTIME"},
 {ERR_FUNC(CMS_F_CMS_BIO_TO_ENCRYPTEDCONTENT),	"CMS_BIO_TO_ENCRYPTEDCONTENT"},
@ -91,6 +91,7 @@ static ERR_STRING_DATA CMS_str_functs[]=
 {ERR_FUNC(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO),	"CMS_DIGESTALGORITHM_INIT_BIO"},
 {ERR_FUNC(CMS_F_CMS_DIGESTEDDATA_DO_FINAL),	"CMS_DIGESTEDDATA_DO_FINAL"},
 {ERR_FUNC(CMS_F_CMS_DIGEST_VERIFY),	"CMS_digest_verify"},
 {ERR_FUNC(CMS_F_CMS_ENCRYPT),	"CMS_encrypt"},
 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDCONTENT_DECRYPT_BIO),	"CMS_ENCRYPTEDCONTENT_DECRYPT_BIO"},
 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDCONTENT_ENCRYPT_BIO),	"CMS_ENCRYPTEDCONTENT_ENCRYPT_BIO"},
 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO),	"CMS_ENCRYPTEDCONTENT_INIT_BIO"},
@ -100,6 +101,8 @@ static ERR_STRING_DATA CMS_str_functs[]=
 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDDATA_INIT_BIO),	"CMS_ENCRYPTEDDATA_INIT_BIO"},
 {ERR_FUNC(CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY),	"CMS_EncryptedData_set1_key"},
 {ERR_FUNC(CMS_F_CMS_ENCRYPTED_DATA_DECRYPT),	"CMS_ENCRYPTED_DATA_DECRYPT"},
 {ERR_FUNC(CMS_F_CMS_ENVELOPEDDATA_CREATE),	"CMS_EnvelopedData_create"},
 {ERR_FUNC(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO),	"CMS_ENVELOPEDDATA_INIT_BIO"},
 {ERR_FUNC(CMS_F_CMS_ENVELOPED_DATA_INIT),	"CMS_ENVELOPED_DATA_INIT"},
 {ERR_FUNC(CMS_F_CMS_FINAL),	"CMS_final"},
 {ERR_FUNC(CMS_F_CMS_GET0_CERTIFICATE_CHOICES),	"CMS_GET0_CERTIFICATE_CHOICES"},
@ -110,6 +113,7 @@ static ERR_STRING_DATA CMS_str_functs[]=
 {ERR_FUNC(CMS_F_CMS_GET0_SIGNED),	"CMS_GET0_SIGNED"},
 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_DECRYPT),	"CMS_RecipientInfo_decrypt"},
 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP),	"CMS_RecipientInfo_ktri_cert_cmp"},
 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT),	"CMS_RECIPIENTINFO_KTRI_ENCRYPT"},
 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS),	"CMS_RecipientInfo_ktri_get0_algs"},
 {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID),	"CMS_RecipientInfo_ktri_get0_signer_id"},
 {ERR_FUNC(CMS_F_CMS_SET1_SIGNERIDENTIFIER),	"CMS_SET1_SIGNERIDENTIFIER"},
@ -144,6 +148,7 @@ static ERR_STRING_DATA CMS_str_reasons[]=
 {ERR_REASON(CMS_R_CTRL_FAILURE)          ,"ctrl failure"},
 {ERR_REASON(CMS_R_ERROR_GETTING_PUBLIC_KEY),"error getting public key"},
 {ERR_REASON(CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE),"error reading messagedigest attribute"},
 {ERR_REASON(CMS_R_ERROR_SETTING_RECIPIENTINFO),"error setting recipientinfo"},
 {ERR_REASON(CMS_R_INVALID_KEY_LENGTH)    ,"invalid key length"},
 {ERR_REASON(CMS_R_MD_BIO_INIT_ERROR)     ,"md bio init error"},
 {ERR_REASON(CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH),"messagedigest attribute wrong length"},
@ -162,6 +167,7 @@ static ERR_STRING_DATA CMS_str_reasons[]=
 {ERR_REASON(CMS_R_NO_PUBLIC_KEY)         ,"no public key"},
 {ERR_REASON(CMS_R_NO_SIGNERS)            ,"no signers"},
 {ERR_REASON(CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
 {ERR_REASON(CMS_R_RECIPIENT_ERROR)       ,"recipient error"},
 {ERR_REASON(CMS_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
 {ERR_REASON(CMS_R_SIGNFINAL_ERROR)       ,"signfinal error"},
 {ERR_REASON(CMS_R_SMIME_TEXT_ERROR)      ,"smime text error"},
@ -177,6 +183,7 @@ static ERR_STRING_DATA CMS_str_reasons[]=
 {ERR_REASON(CMS_R_UNKNOWN_ID)            ,"unknown id"},
 {ERR_REASON(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
 {ERR_REASON(CMS_R_UNSUPPORTED_CONTENT_TYPE),"unsupported content type"},
 {ERR_REASON(CMS_R_UNSUPPORTED_RECIPIENT_TYPE),"unsupported recipient type"},
 {ERR_REASON(CMS_R_UNSUPPORTED_TYPE)      ,"unsupported type"},
 {ERR_REASON(CMS_R_VERIFICATION_FAILURE)  ,"verification failure"},
 {0,NULL}
--- a/crypto/cms/cms_lcl.h
+++ b/crypto/cms/cms_lcl.h
@ -123,6 +123,8 @@ struct CMS_EncapsulatedContentInfo_st
 	{
 	ASN1_OBJECT *eContentType;
 	ASN1_OCTET_STRING *eContent;
 	/* Set to 1 if incomplete structure only part set up */
 	int partial;
 	};
 struct CMS_SignerInfo_st
@ -411,6 +413,9 @@ int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
 BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec);
 BIO *cms_EncryptedData_init_bio(CMS_ContentInfo *cms);
 int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, 
 				const EVP_CIPHER *cipher,
 				const unsigned char *key, size_t keylen);
 BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@ -87,6 +87,7 @@ static CMS_SignedData *cms_signed_data_init(CMS_ContentInfo *cms)
 		cms->d.signedData->version = 1;
 		cms->d.signedData->encapContentInfo->eContentType =
 						OBJ_nid2obj(NID_pkcs7_data);
 		cms->d.signedData->encapContentInfo->partial = 1;
 		ASN1_OBJECT_free(cms->contentType);
 		cms->contentType = OBJ_nid2obj(NID_pkcs7_signed);
 		return cms->d.signedData;
@ -679,6 +680,7 @@ int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain)
 		if (!cms_SignerInfo_content_sign(si, chain))
 			return 0;
 		}
 	cms->d.signedData->encapContentInfo->partial = 0;
 	return 1;
 	}
@ -800,7 +802,8 @@ BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms)
 	sd = cms_get0_signed(cms);
 	if (!sd)
 		return NULL;
-	cms_sd_set_version(sd);
+	if (cms->d.signedData->encapContentInfo->partial)
 		cms_sd_set_version(sd);
 	for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++)
 		{
 		X509_ALGOR *digestAlgorithm;
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@ -459,11 +459,38 @@ CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 	return NULL;
 	}
-/* Placeholder for now... */
+CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *data,
 CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
 				const EVP_CIPHER *cipher, unsigned int flags)
 	{
 	CMS_ContentInfo *cms;
 	int i;
 	X509 *recip;
 	cms = CMS_EnvelopedData_create(cipher);
 	if (!cms)
 		goto merr;
 	for (i = 0; i < sk_X509_num(certs); i++)
 		{
 		recip = sk_X509_value(certs, i);
 		if (!CMS_add1_recipient_cert(cms, recip, flags))
 			{
 			CMSerr(CMS_F_CMS_ENCRYPT, CMS_R_RECIPIENT_ERROR);
 			goto err;
 			}
 		}
 	if(!(flags & CMS_DETACHED))
 		CMS_set_detached(cms, 0);
 	if ((flags & (CMS_STREAM|CMS_PARTIAL)) || CMS_final(cms, data, flags))
 		return cms;
 	return cms;
 	merr:
 	CMSerr(CMS_F_CMS_ENCRYPT, ERR_R_MALLOC_FAILURE);
 	err:
 	if (cms)
 		CMS_ContentInfo_free(cms);
 	return NULL;
 	}
@ -488,15 +515,15 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
 		ri = sk_CMS_RecipientInfo_value(ris, i);
 		if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
 			continue;
-		if (cert)
+		/* If we have a cert try matching RecipientInfo otherwise
 		 * try them all.
 		 */
 		if (!cert || (CMS_RecipientInfo_ktri_cert_cmp(ri, cert) == 0))
 			{
-			if (CMS_RecipientInfo_ktri_cert_cmp(ri, cert) == 0)
+			if (CMS_RecipientInfo_decrypt(cms, ri, pk) > 0)
-				{
+				break;
-				if (CMS_RecipientInfo_decrypt(cms, ri, pk) <=0)
+			else if (cert)
-					return 0;
+				return 0;
 				else
 					break;
 				}
 			}
 		}