crypto/crmf/crmf_pbm.c

   1 /*-
   2  * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
   3  * Copyright Nokia 2007-2019
   4  * Copyright Siemens AG 2015-2019
   5  *
   6  * Licensed under the Apache License 2.0 (the "License").  You may not use
   7  * this file except in compliance with the License.  You can obtain a copy
   8  * in the file LICENSE in the source distribution or at
   9  * https://www.openssl.org/source/license.html
  10  *
  11  * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
  12  */
  13
  14
  15 #include <string.h>
  16
  17 #include <openssl/rand.h>
  18 #include <openssl/evp.h>
  19
  20 #include "crmf_local.h"
  21
  22 /* explicit #includes not strictly needed since implied by the above: */
  23 #include <openssl/asn1t.h>
  24 #include <openssl/crmf.h>
  25 #include <openssl/err.h>
  26 #include <openssl/evp.h>
  27 #include <openssl/params.h>
  28 #include <openssl/core_names.h>
  29
  30 /*-
  31  * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
  32  * |slen| SHOULD be at least 8 (16 is common)
  33  * |owfnid| e.g., NID_sha256
  34  * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT
  35  * |macnid| e.g., NID_hmac_sha1
  36  * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
  37  */
  38 OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
  39                                            int owfnid, size_t itercnt,
  40                                            int macnid)
  41 {
  42     OSSL_CRMF_PBMPARAMETER *pbm = NULL;
  43     unsigned char *salt = NULL;
  44
  45     if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
  46         goto err;
  47
  48     /*
  49      * salt contains a randomly generated value used in computing the key
  50      * of the MAC process.  The salt SHOULD be at least 8 octets (64
  51      * bits) long.
  52      */
  53     if ((salt = OPENSSL_malloc(slen)) == NULL)
  54         goto err;
  55     if (RAND_bytes_ex(libctx, salt, (int)slen) <= 0) {
  56         CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
  57         goto err;
  58     }
  59     if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen))
  60         goto err;
  61
  62     /*
  63      * owf identifies the hash algorithm and associated parameters used to
  64      * compute the key used in the MAC process.  All implementations MUST
  65      * support SHA-1.
  66      */
  67     if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) {
  68         CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_OWF_ALGOR_FAILURE);
  69         goto err;
  70     }
  71
  72     /*
  73      * iterationCount identifies the number of times the hash is applied
  74      * during the key computation process.  The iterationCount MUST be a
  75      * minimum of 100. Many people suggest using values as high as 1000
  76      * iterations as the minimum value.  The trade off here is between
  77      * protection of the password from attacks and the time spent by the
  78      * server processing all of the different iterations in deriving
  79      * passwords.  Hashing is generally considered a cheap operation but
  80      * this may not be true with all hash functions in the future.
  81      */
  82     if (itercnt < 100) {
  83         CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100);
  84         goto err;
  85     }
  86     if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
  87         CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT);
  88         goto err;
  89     }
  90
  91     if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
  92         CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR);
  93         goto err;
  94     }
  95
  96     /*
  97      * mac identifies the algorithm and associated parameters of the MAC
  98      * function to be used.  All implementations MUST support HMAC-SHA1 [HMAC].
  99      * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
 100      */
 101     if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) {
 102         CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_MAC_ALGOR_FAILURE);
 103         goto err;
 104     }
 105
 106     OPENSSL_free(salt);
 107     return pbm;
 108  err:
 109     OPENSSL_free(salt);
 110     OSSL_CRMF_PBMPARAMETER_free(pbm);
 111     return NULL;
 112 }
 113
 114 /*-
 115  * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
 116  * |pbmp| identifies the algorithms, salt to use
 117  * |msg| message to apply the PBM for
 118  * |msglen| length of the message
 119  * |sec| key to use
 120  * |seclen| length of the key
 121  * |mac| pointer to the computed mac, will be set on success
 122  * |maclen| if not NULL, will set variable to the length of the mac on success
 123  * returns 1 on success, 0 on error
 124  */
 125 /* TODO try to combine with other MAC calculations in the libray */
 126 int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
 127                       const OSSL_CRMF_PBMPARAMETER *pbmp,
 128                       const unsigned char *msg, size_t msglen,
 129                       const unsigned char *sec, size_t seclen,
 130                       unsigned char **out, size_t *outlen)
 131 {
 132     int mac_nid, hmac_md_nid = NID_undef;
 133     const char *mdname;
 134     EVP_MD *owf = NULL;
 135     EVP_MD_CTX *ctx = NULL;
 136     unsigned char basekey[EVP_MAX_MD_SIZE];
 137     unsigned int bklen = EVP_MAX_MD_SIZE;
 138     int64_t iterations;
 139     unsigned char *mac_res = 0;
 140     int ok = 0;
 141     EVP_MAC *mac = NULL;
 142     EVP_MAC_CTX *mctx = NULL;
 143     OSSL_PARAM macparams[3] = {OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END};
 144
 145     if (out == NULL || pbmp == NULL || pbmp->mac == NULL
 146             || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) {
 147         CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT);
 148         goto err;
 149     }
 150     if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
 151         goto err;
 152
 153     /*
 154      * owf identifies the hash algorithm and associated parameters used to
 155      * compute the key used in the MAC process.  All implementations MUST
 156      * support SHA-1.
 157      */
 158     mdname = OBJ_nid2sn(OBJ_obj2nid(pbmp->owf->algorithm));
 159     if ((owf = EVP_MD_fetch(libctx, mdname, propq)) == NULL) {
 160         CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
 161         goto err;
 162     }
 163
 164     if ((ctx = EVP_MD_CTX_new()) == NULL)
 165         goto err;
 166
 167     /* compute the basekey of the salted secret */
 168     if (!EVP_DigestInit_ex(ctx, owf, NULL))
 169         goto err;
 170     /* first the secret */
 171     if (!EVP_DigestUpdate(ctx, sec, seclen))
 172         goto err;
 173     /* then the salt */
 174     if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length))
 175         goto err;
 176     if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
 177         goto err;
 178     if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount)
 179             || iterations < 100 /* min from RFC */
 180             || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
 181         CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT);
 182         goto err;
 183     }
 184
 185     /* the first iteration was already done above */
 186     while (--iterations > 0) {
 187         if (!EVP_DigestInit_ex(ctx, owf, NULL))
 188             goto err;
 189         if (!EVP_DigestUpdate(ctx, basekey, bklen))
 190             goto err;
 191         if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
 192             goto err;
 193     }
 194
 195     /*
 196      * mac identifies the algorithm and associated parameters of the MAC
 197      * function to be used.  All implementations MUST support HMAC-SHA1 [HMAC].
 198      * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
 199      */
 200     mac_nid = OBJ_obj2nid(pbmp->mac->algorithm);
 201
 202     if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL)
 203             || (mdname = OBJ_nid2sn(hmac_md_nid)) == NULL) {
 204         CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
 205         goto err;
 206     }
 207
 208     macparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
 209                                                     (char *)mdname, 0);
 210     macparams[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
 211                                                      basekey, bklen);
 212     if ((mac = EVP_MAC_fetch(libctx, "HMAC", propq)) == NULL
 213             || (mctx = EVP_MAC_CTX_new(mac)) == NULL
 214             || !EVP_MAC_CTX_set_params(mctx, macparams)
 215             || !EVP_MAC_init(mctx)
 216             || !EVP_MAC_update(mctx, msg, msglen)
 217             || !EVP_MAC_final(mctx, mac_res, outlen, EVP_MAX_MD_SIZE))
 218         goto err;
 219
 220     ok = 1;
 221
 222  err:
 223     OPENSSL_cleanse(basekey, bklen);
 224     EVP_MAC_CTX_free(mctx);
 225     EVP_MAC_free(mac);
 226     EVP_MD_free(owf);
 227     EVP_MD_CTX_free(ctx);
 228
 229     if (ok == 1) {
 230         *out = mac_res;
 231         return 1;
 232     }
 233
 234     OPENSSL_free(mac_res);
 235
 236     if (pbmp != NULL && pbmp->mac != NULL) {
 237         char buf[128];
 238
 239         if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0))
 240             ERR_add_error_data(1, buf);
 241     }
 242     return 0;
 243 }