]>
Commit | Line | Data |
---|---|---|
a61b7f2f | 1 | /*- |
8020d79b | 2 | * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. |
8869ad4a AK |
3 | * Copyright Nokia 2007-2019 |
4 | * Copyright Siemens AG 2015-2019 | |
a61b7f2f | 5 | * |
ce9b9964 | 6 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
a61b7f2f DO |
7 | * this file except in compliance with the License. You can obtain a copy |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | * | |
11 | * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. | |
12 | */ | |
13 | ||
14 | ||
776796e8 RL |
15 | #include <string.h> |
16 | ||
a61b7f2f DO |
17 | #include <openssl/rand.h> |
18 | #include <openssl/evp.h> | |
0a8a6afd | 19 | #include <openssl/hmac.h> |
a61b7f2f | 20 | |
a61b7f2f DO |
21 | /* explicit #includes not strictly needed since implied by the above: */ |
22 | #include <openssl/asn1t.h> | |
23 | #include <openssl/crmf.h> | |
24 | #include <openssl/err.h> | |
25 | #include <openssl/evp.h> | |
776796e8 RL |
26 | #include <openssl/params.h> |
27 | #include <openssl/core_names.h> | |
a61b7f2f | 28 | |
ad57a13b RL |
29 | #include "internal/sizes.h" |
30 | ||
31 | #include "crmf_local.h" | |
32 | ||
a61b7f2f DO |
33 | /*- |
34 | * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4) | |
97e00da9 | 35 | * |slen| SHOULD be at least 8 (16 is common) |
a61b7f2f | 36 | * |owfnid| e.g., NID_sha256 |
97e00da9 | 37 | * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT |
a61b7f2f DO |
38 | * |macnid| e.g., NID_hmac_sha1 |
39 | * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error | |
40 | */ | |
b4250010 | 41 | OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen, |
97e00da9 DDO |
42 | int owfnid, size_t itercnt, |
43 | int macnid) | |
a61b7f2f DO |
44 | { |
45 | OSSL_CRMF_PBMPARAMETER *pbm = NULL; | |
46 | unsigned char *salt = NULL; | |
47 | ||
7960dbec | 48 | if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) |
a61b7f2f | 49 | goto err; |
a61b7f2f DO |
50 | |
51 | /* | |
52 | * salt contains a randomly generated value used in computing the key | |
53 | * of the MAC process. The salt SHOULD be at least 8 octets (64 | |
54 | * bits) long. | |
55 | */ | |
7960dbec | 56 | if ((salt = OPENSSL_malloc(slen)) == NULL) |
a61b7f2f | 57 | goto err; |
28cab209 | 58 | if (RAND_bytes_ex(libctx, salt, slen, 0) <= 0) { |
9311d0c4 | 59 | ERR_raise(ERR_LIB_CRMF, CRMF_R_FAILURE_OBTAINING_RANDOM); |
a61b7f2f DO |
60 | goto err; |
61 | } | |
62 | if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen)) | |
63 | goto err; | |
64 | ||
65 | /* | |
66 | * owf identifies the hash algorithm and associated parameters used to | |
67 | * compute the key used in the MAC process. All implementations MUST | |
68 | * support SHA-1. | |
69 | */ | |
70 | if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) { | |
9311d0c4 | 71 | ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_OWF_ALGOR_FAILURE); |
a61b7f2f DO |
72 | goto err; |
73 | } | |
74 | ||
75 | /* | |
76 | * iterationCount identifies the number of times the hash is applied | |
77 | * during the key computation process. The iterationCount MUST be a | |
235595c4 | 78 | * minimum of 100. Many people suggest using values as high as 1000 |
a61b7f2f DO |
79 | * iterations as the minimum value. The trade off here is between |
80 | * protection of the password from attacks and the time spent by the | |
81 | * server processing all of the different iterations in deriving | |
82 | * passwords. Hashing is generally considered a cheap operation but | |
83 | * this may not be true with all hash functions in the future. | |
84 | */ | |
85 | if (itercnt < 100) { | |
9311d0c4 | 86 | ERR_raise(ERR_LIB_CRMF, CRMF_R_ITERATIONCOUNT_BELOW_100); |
a61b7f2f | 87 | goto err; |
97e00da9 DDO |
88 | } |
89 | if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) { | |
9311d0c4 | 90 | ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT); |
97e00da9 | 91 | goto err; |
a61b7f2f DO |
92 | } |
93 | ||
94 | if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) { | |
9311d0c4 | 95 | ERR_raise(ERR_LIB_CRMF, CRMF_R_CRMFERROR); |
a61b7f2f DO |
96 | goto err; |
97 | } | |
98 | ||
99 | /* | |
100 | * mac identifies the algorithm and associated parameters of the MAC | |
101 | * function to be used. All implementations MUST support HMAC-SHA1 [HMAC]. | |
102 | * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11]. | |
103 | */ | |
104 | if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) { | |
9311d0c4 | 105 | ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_MAC_ALGOR_FAILURE); |
a61b7f2f DO |
106 | goto err; |
107 | } | |
108 | ||
109 | OPENSSL_free(salt); | |
110 | return pbm; | |
111 | err: | |
112 | OPENSSL_free(salt); | |
113 | OSSL_CRMF_PBMPARAMETER_free(pbm); | |
114 | return NULL; | |
115 | } | |
116 | ||
117 | /*- | |
118 | * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER | |
119 | * |pbmp| identifies the algorithms, salt to use | |
120 | * |msg| message to apply the PBM for | |
121 | * |msglen| length of the message | |
122 | * |sec| key to use | |
123 | * |seclen| length of the key | |
0a8a6afd DDO |
124 | * |out| pointer to the computed mac, will be set on success |
125 | * |outlen| if not NULL, will set variable to the length of the mac on success | |
a61b7f2f DO |
126 | * returns 1 on success, 0 on error |
127 | */ | |
b4250010 | 128 | int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq, |
6d1f50b5 | 129 | const OSSL_CRMF_PBMPARAMETER *pbmp, |
a61b7f2f DO |
130 | const unsigned char *msg, size_t msglen, |
131 | const unsigned char *sec, size_t seclen, | |
776796e8 | 132 | unsigned char **out, size_t *outlen) |
a61b7f2f DO |
133 | { |
134 | int mac_nid, hmac_md_nid = NID_undef; | |
ad57a13b RL |
135 | char mdname[OSSL_MAX_NAME_SIZE]; |
136 | char hmac_mdname[OSSL_MAX_NAME_SIZE]; | |
6d1f50b5 | 137 | EVP_MD *owf = NULL; |
a61b7f2f DO |
138 | EVP_MD_CTX *ctx = NULL; |
139 | unsigned char basekey[EVP_MAX_MD_SIZE]; | |
140 | unsigned int bklen = EVP_MAX_MD_SIZE; | |
141 | int64_t iterations; | |
142 | unsigned char *mac_res = 0; | |
143 | int ok = 0; | |
a61b7f2f | 144 | |
776796e8 | 145 | if (out == NULL || pbmp == NULL || pbmp->mac == NULL |
a61b7f2f | 146 | || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) { |
9311d0c4 | 147 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
148 | goto err; |
149 | } | |
7960dbec | 150 | if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) |
a61b7f2f | 151 | goto err; |
a61b7f2f DO |
152 | |
153 | /* | |
154 | * owf identifies the hash algorithm and associated parameters used to | |
155 | * compute the key used in the MAC process. All implementations MUST | |
156 | * support SHA-1. | |
157 | */ | |
ad57a13b | 158 | OBJ_obj2txt(mdname, sizeof(mdname), pbmp->owf->algorithm, 0); |
6d1f50b5 | 159 | if ((owf = EVP_MD_fetch(libctx, mdname, propq)) == NULL) { |
9311d0c4 | 160 | ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM); |
a61b7f2f DO |
161 | goto err; |
162 | } | |
163 | ||
7960dbec | 164 | if ((ctx = EVP_MD_CTX_new()) == NULL) |
a61b7f2f | 165 | goto err; |
a61b7f2f DO |
166 | |
167 | /* compute the basekey of the salted secret */ | |
6d1f50b5 | 168 | if (!EVP_DigestInit_ex(ctx, owf, NULL)) |
a61b7f2f DO |
169 | goto err; |
170 | /* first the secret */ | |
171 | if (!EVP_DigestUpdate(ctx, sec, seclen)) | |
172 | goto err; | |
173 | /* then the salt */ | |
174 | if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length)) | |
175 | goto err; | |
176 | if (!EVP_DigestFinal_ex(ctx, basekey, &bklen)) | |
177 | goto err; | |
178 | if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount) | |
179 | || iterations < 100 /* min from RFC */ | |
180 | || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) { | |
9311d0c4 | 181 | ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT); |
a61b7f2f DO |
182 | goto err; |
183 | } | |
184 | ||
185 | /* the first iteration was already done above */ | |
186 | while (--iterations > 0) { | |
6d1f50b5 | 187 | if (!EVP_DigestInit_ex(ctx, owf, NULL)) |
a61b7f2f DO |
188 | goto err; |
189 | if (!EVP_DigestUpdate(ctx, basekey, bklen)) | |
190 | goto err; | |
191 | if (!EVP_DigestFinal_ex(ctx, basekey, &bklen)) | |
192 | goto err; | |
193 | } | |
194 | ||
195 | /* | |
196 | * mac identifies the algorithm and associated parameters of the MAC | |
197 | * function to be used. All implementations MUST support HMAC-SHA1 [HMAC]. | |
198 | * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11]. | |
199 | */ | |
200 | mac_nid = OBJ_obj2nid(pbmp->mac->algorithm); | |
201 | ||
202 | if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL) | |
2349d7ba PH |
203 | || OBJ_obj2txt(hmac_mdname, sizeof(hmac_mdname), |
204 | OBJ_nid2obj(hmac_md_nid), 0) <= 0) { | |
9311d0c4 | 205 | ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM); |
a61b7f2f DO |
206 | goto err; |
207 | } | |
0a8a6afd | 208 | if (EVP_Q_mac(libctx, "HMAC", propq, hmac_mdname, NULL, basekey, bklen, |
21dfdbef | 209 | msg, msglen, mac_res, EVP_MAX_MD_SIZE, outlen) == NULL) |
a61b7f2f DO |
210 | goto err; |
211 | ||
212 | ok = 1; | |
213 | ||
214 | err: | |
a61b7f2f | 215 | OPENSSL_cleanse(basekey, bklen); |
6d1f50b5 | 216 | EVP_MD_free(owf); |
a61b7f2f DO |
217 | EVP_MD_CTX_free(ctx); |
218 | ||
219 | if (ok == 1) { | |
776796e8 | 220 | *out = mac_res; |
a61b7f2f DO |
221 | return 1; |
222 | } | |
223 | ||
224 | OPENSSL_free(mac_res); | |
225 | ||
226 | if (pbmp != NULL && pbmp->mac != NULL) { | |
227 | char buf[128]; | |
228 | ||
229 | if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0)) | |
230 | ERR_add_error_data(1, buf); | |
231 | } | |
232 | return 0; | |
233 | } |