]>
Commit | Line | Data |
---|---|---|
a61b7f2f | 1 | /*- |
8869ad4a AK |
2 | * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. |
3 | * Copyright Nokia 2007-2019 | |
4 | * Copyright Siemens AG 2015-2019 | |
a61b7f2f | 5 | * |
ce9b9964 | 6 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
a61b7f2f DO |
7 | * this file except in compliance with the License. You can obtain a copy |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | * | |
11 | * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. | |
12 | */ | |
13 | ||
14 | ||
776796e8 RL |
15 | #include <string.h> |
16 | ||
a61b7f2f DO |
17 | #include <openssl/rand.h> |
18 | #include <openssl/evp.h> | |
19 | ||
706457b7 | 20 | #include "crmf_local.h" |
a61b7f2f DO |
21 | |
22 | /* explicit #includes not strictly needed since implied by the above: */ | |
23 | #include <openssl/asn1t.h> | |
24 | #include <openssl/crmf.h> | |
25 | #include <openssl/err.h> | |
26 | #include <openssl/evp.h> | |
776796e8 RL |
27 | #include <openssl/params.h> |
28 | #include <openssl/core_names.h> | |
a61b7f2f DO |
29 | |
30 | /*- | |
31 | * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4) | |
32 | * |slen| SHOULD be > 8 (16 is common) | |
33 | * |owfnid| e.g., NID_sha256 | |
34 | * |itercnt| MUST be > 100 (500 is common) | |
35 | * |macnid| e.g., NID_hmac_sha1 | |
36 | * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error | |
37 | */ | |
38 | OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid, | |
39 | int itercnt, int macnid) | |
40 | { | |
41 | OSSL_CRMF_PBMPARAMETER *pbm = NULL; | |
42 | unsigned char *salt = NULL; | |
43 | ||
7960dbec | 44 | if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) |
a61b7f2f | 45 | goto err; |
a61b7f2f DO |
46 | |
47 | /* | |
48 | * salt contains a randomly generated value used in computing the key | |
49 | * of the MAC process. The salt SHOULD be at least 8 octets (64 | |
50 | * bits) long. | |
51 | */ | |
7960dbec | 52 | if ((salt = OPENSSL_malloc(slen)) == NULL) |
a61b7f2f | 53 | goto err; |
a61b7f2f DO |
54 | if (RAND_bytes(salt, (int)slen) <= 0) { |
55 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM); | |
56 | goto err; | |
57 | } | |
58 | if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen)) | |
59 | goto err; | |
60 | ||
61 | /* | |
62 | * owf identifies the hash algorithm and associated parameters used to | |
63 | * compute the key used in the MAC process. All implementations MUST | |
64 | * support SHA-1. | |
65 | */ | |
66 | if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) { | |
67 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_OWF_ALGOR_FAILURE); | |
68 | goto err; | |
69 | } | |
70 | ||
71 | /* | |
72 | * iterationCount identifies the number of times the hash is applied | |
73 | * during the key computation process. The iterationCount MUST be a | |
235595c4 | 74 | * minimum of 100. Many people suggest using values as high as 1000 |
a61b7f2f DO |
75 | * iterations as the minimum value. The trade off here is between |
76 | * protection of the password from attacks and the time spent by the | |
77 | * server processing all of the different iterations in deriving | |
78 | * passwords. Hashing is generally considered a cheap operation but | |
79 | * this may not be true with all hash functions in the future. | |
80 | */ | |
81 | if (itercnt < 100) { | |
82 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100); | |
83 | goto err; | |
84 | } | |
85 | ||
86 | if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) { | |
87 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR); | |
88 | goto err; | |
89 | } | |
90 | ||
91 | /* | |
92 | * mac identifies the algorithm and associated parameters of the MAC | |
93 | * function to be used. All implementations MUST support HMAC-SHA1 [HMAC]. | |
94 | * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11]. | |
95 | */ | |
96 | if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) { | |
97 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_MAC_ALGOR_FAILURE); | |
98 | goto err; | |
99 | } | |
100 | ||
101 | OPENSSL_free(salt); | |
102 | return pbm; | |
103 | err: | |
104 | OPENSSL_free(salt); | |
105 | OSSL_CRMF_PBMPARAMETER_free(pbm); | |
106 | return NULL; | |
107 | } | |
108 | ||
109 | /*- | |
110 | * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER | |
111 | * |pbmp| identifies the algorithms, salt to use | |
112 | * |msg| message to apply the PBM for | |
113 | * |msglen| length of the message | |
114 | * |sec| key to use | |
115 | * |seclen| length of the key | |
116 | * |mac| pointer to the computed mac, will be set on success | |
117 | * |maclen| if not NULL, will set variable to the length of the mac on success | |
118 | * returns 1 on success, 0 on error | |
119 | */ | |
120 | int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp, | |
121 | const unsigned char *msg, size_t msglen, | |
122 | const unsigned char *sec, size_t seclen, | |
776796e8 | 123 | unsigned char **out, size_t *outlen) |
a61b7f2f DO |
124 | { |
125 | int mac_nid, hmac_md_nid = NID_undef; | |
776796e8 | 126 | const char *mdname = NULL; |
a61b7f2f DO |
127 | const EVP_MD *m = NULL; |
128 | EVP_MD_CTX *ctx = NULL; | |
129 | unsigned char basekey[EVP_MAX_MD_SIZE]; | |
130 | unsigned int bklen = EVP_MAX_MD_SIZE; | |
131 | int64_t iterations; | |
132 | unsigned char *mac_res = 0; | |
133 | int ok = 0; | |
776796e8 | 134 | EVP_MAC *mac = NULL; |
a61b7f2f | 135 | EVP_MAC_CTX *mctx = NULL; |
3dbc5156 | 136 | OSSL_PARAM macparams[3] = {OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END}; |
a61b7f2f | 137 | |
776796e8 | 138 | if (out == NULL || pbmp == NULL || pbmp->mac == NULL |
a61b7f2f DO |
139 | || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) { |
140 | CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT); | |
141 | goto err; | |
142 | } | |
7960dbec | 143 | if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) |
a61b7f2f | 144 | goto err; |
a61b7f2f DO |
145 | |
146 | /* | |
147 | * owf identifies the hash algorithm and associated parameters used to | |
148 | * compute the key used in the MAC process. All implementations MUST | |
149 | * support SHA-1. | |
150 | */ | |
151 | if ((m = EVP_get_digestbyobj(pbmp->owf->algorithm)) == NULL) { | |
152 | CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM); | |
153 | goto err; | |
154 | } | |
155 | ||
7960dbec | 156 | if ((ctx = EVP_MD_CTX_new()) == NULL) |
a61b7f2f | 157 | goto err; |
a61b7f2f DO |
158 | |
159 | /* compute the basekey of the salted secret */ | |
160 | if (!EVP_DigestInit_ex(ctx, m, NULL)) | |
161 | goto err; | |
162 | /* first the secret */ | |
163 | if (!EVP_DigestUpdate(ctx, sec, seclen)) | |
164 | goto err; | |
165 | /* then the salt */ | |
166 | if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length)) | |
167 | goto err; | |
168 | if (!EVP_DigestFinal_ex(ctx, basekey, &bklen)) | |
169 | goto err; | |
170 | if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount) | |
171 | || iterations < 100 /* min from RFC */ | |
172 | || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) { | |
173 | CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT); | |
174 | goto err; | |
175 | } | |
176 | ||
177 | /* the first iteration was already done above */ | |
178 | while (--iterations > 0) { | |
179 | if (!EVP_DigestInit_ex(ctx, m, NULL)) | |
180 | goto err; | |
181 | if (!EVP_DigestUpdate(ctx, basekey, bklen)) | |
182 | goto err; | |
183 | if (!EVP_DigestFinal_ex(ctx, basekey, &bklen)) | |
184 | goto err; | |
185 | } | |
186 | ||
187 | /* | |
188 | * mac identifies the algorithm and associated parameters of the MAC | |
189 | * function to be used. All implementations MUST support HMAC-SHA1 [HMAC]. | |
190 | * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11]. | |
191 | */ | |
192 | mac_nid = OBJ_obj2nid(pbmp->mac->algorithm); | |
193 | ||
194 | if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL) | |
3dbc5156 | 195 | || (mdname = OBJ_nid2sn(hmac_md_nid)) == NULL) { |
a61b7f2f DO |
196 | CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM); |
197 | goto err; | |
198 | } | |
199 | ||
3dbc5156 DDO |
200 | macparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, |
201 | (char *)mdname, 0); | |
202 | macparams[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, | |
203 | basekey, bklen); | |
776796e8 RL |
204 | if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) == NULL |
205 | || (mctx = EVP_MAC_CTX_new(mac)) == NULL | |
206 | || !EVP_MAC_CTX_set_params(mctx, macparams) | |
a61b7f2f DO |
207 | || !EVP_MAC_init(mctx) |
208 | || !EVP_MAC_update(mctx, msg, msglen) | |
776796e8 | 209 | || !EVP_MAC_final(mctx, mac_res, outlen, EVP_MAX_MD_SIZE)) |
a61b7f2f DO |
210 | goto err; |
211 | ||
212 | ok = 1; | |
213 | ||
214 | err: | |
215 | /* cleanup */ | |
216 | OPENSSL_cleanse(basekey, bklen); | |
217 | EVP_MAC_CTX_free(mctx); | |
776796e8 | 218 | EVP_MAC_free(mac); |
a61b7f2f DO |
219 | EVP_MD_CTX_free(ctx); |
220 | ||
221 | if (ok == 1) { | |
776796e8 | 222 | *out = mac_res; |
a61b7f2f DO |
223 | return 1; |
224 | } | |
225 | ||
226 | OPENSSL_free(mac_res); | |
227 | ||
228 | if (pbmp != NULL && pbmp->mac != NULL) { | |
229 | char buf[128]; | |
230 | ||
231 | if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0)) | |
232 | ERR_add_error_data(1, buf); | |
233 | } | |
234 | return 0; | |
235 | } |