[thirdparty/openssl.git] / crypto / crmf / crmf_pbm.c

/*-
 * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
 */


#include <string.h>

#include <openssl/rand.h>
#include <openssl/evp.h>

#include "crmf_local.h"

/* explicit #includes not strictly needed since implied by the above: */
#include <openssl/asn1t.h>
#include <openssl/crmf.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/params.h>
#include <openssl/core_names.h>

/*-
 * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
 * |slen| SHOULD be > 8    (16 is common)
 * |owfnid| e.g., NID_sha256
 * |itercnt| MUST be > 100 (500 is common)
 * |macnid| e.g., NID_hmac_sha1
 * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
 */
OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
                                           int itercnt, int macnid)
{
    OSSL_CRMF_PBMPARAMETER *pbm = NULL;
    unsigned char *salt = NULL;

    if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
        goto err;

    /*
     * salt contains a randomly generated value used in computing the key
     * of the MAC process.  The salt SHOULD be at least 8 octets (64
     * bits) long.
     */
    if ((salt = OPENSSL_malloc(slen)) == NULL)
        goto err;
    if (RAND_bytes(salt, (int)slen) <= 0) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
        goto err;
    }
    if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen))
        goto err;

    /*
     * owf identifies the hash algorithm and associated parameters used to
     * compute the key used in the MAC process.  All implementations MUST
     * support SHA-1.
     */
    if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_OWF_ALGOR_FAILURE);
        goto err;
    }

    /*
     * iterationCount identifies the number of times the hash is applied
     * during the key computation process.  The iterationCount MUST be a
     * minimum of 100. Many people suggest using values as high as 1000
     * iterations as the minimum value.  The trade off here is between
     * protection of the password from attacks and the time spent by the
     * server processing all of the different iterations in deriving
     * passwords.  Hashing is generally considered a cheap operation but
     * this may not be true with all hash functions in the future.
     */
    if (itercnt < 100) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100);
        goto err;
    }

    if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR);
        goto err;
    }

    /*
     * mac identifies the algorithm and associated parameters of the MAC
     * function to be used.  All implementations MUST support HMAC-SHA1 [HMAC].
     * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
     */
    if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_MAC_ALGOR_FAILURE);
        goto err;
    }

    OPENSSL_free(salt);
    return pbm;
 err:
    OPENSSL_free(salt);
    OSSL_CRMF_PBMPARAMETER_free(pbm);
    return NULL;
}

/*-
 * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
 * |pbmp| identifies the algorithms, salt to use
 * |msg| message to apply the PBM for
 * |msglen| length of the message
 * |sec| key to use
 * |seclen| length of the key
 * |mac| pointer to the computed mac, will be set on success
 * |maclen| if not NULL, will set variable to the length of the mac on success
 * returns 1 on success, 0 on error
 */
int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
                      const unsigned char *msg, size_t msglen,
                      const unsigned char *sec, size_t seclen,
                      unsigned char **out, size_t *outlen)
{
    int mac_nid, hmac_md_nid = NID_undef;
    const char *mdname = NULL;
    const EVP_MD *m = NULL;
    EVP_MD_CTX *ctx = NULL;
    unsigned char basekey[EVP_MAX_MD_SIZE];
    unsigned int bklen = EVP_MAX_MD_SIZE;
    int64_t iterations;
    unsigned char *mac_res = 0;
    int ok = 0;
    EVP_MAC *mac = NULL;
    EVP_MAC_CTX *mctx = NULL;
    OSSL_PARAM macparams[3] = {OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END};

    if (out == NULL || pbmp == NULL || pbmp->mac == NULL
            || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT);
        goto err;
    }
    if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
        goto err;

    /*
     * owf identifies the hash algorithm and associated parameters used to
     * compute the key used in the MAC process.  All implementations MUST
     * support SHA-1.
     */
    if ((m = EVP_get_digestbyobj(pbmp->owf->algorithm)) == NULL) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
        goto err;
    }

    if ((ctx = EVP_MD_CTX_new()) == NULL)
        goto err;

    /* compute the basekey of the salted secret */
    if (!EVP_DigestInit_ex(ctx, m, NULL))
        goto err;
    /* first the secret */
    if (!EVP_DigestUpdate(ctx, sec, seclen))
        goto err;
    /* then the salt */
    if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length))
        goto err;
    if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
        goto err;
    if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount)
            || iterations < 100 /* min from RFC */
            || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT);
        goto err;
    }

    /* the first iteration was already done above */
    while (--iterations > 0) {
        if (!EVP_DigestInit_ex(ctx, m, NULL))
            goto err;
        if (!EVP_DigestUpdate(ctx, basekey, bklen))
            goto err;
        if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
            goto err;
    }

    /*
     * mac identifies the algorithm and associated parameters of the MAC
     * function to be used.  All implementations MUST support HMAC-SHA1 [HMAC].
     * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
     */
    mac_nid = OBJ_obj2nid(pbmp->mac->algorithm);

    if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL)
            || (mdname = OBJ_nid2sn(hmac_md_nid)) == NULL) {
        CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
        goto err;
    }

    macparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
                                                    (char *)mdname, 0);
    macparams[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
                                                     basekey, bklen);
    if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) == NULL
            || (mctx = EVP_MAC_CTX_new(mac)) == NULL
            || !EVP_MAC_CTX_set_params(mctx, macparams)
            || !EVP_MAC_init(mctx)
            || !EVP_MAC_update(mctx, msg, msglen)
            || !EVP_MAC_final(mctx, mac_res, outlen, EVP_MAX_MD_SIZE))
        goto err;

    ok = 1;

 err:
    /* cleanup */
    OPENSSL_cleanse(basekey, bklen);
    EVP_MAC_CTX_free(mctx);
    EVP_MAC_free(mac);
    EVP_MD_CTX_free(ctx);

    if (ok == 1) {
        *out = mac_res;
        return 1;
    }

    OPENSSL_free(mac_res);

    if (pbmp != NULL && pbmp->mac != NULL) {
        char buf[128];

        if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0))
            ERR_add_error_data(1, buf);
    }
    return 0;
}
Commit	Line	Data
a61b7f2f	1	/*-
8869ad4a AK	2	* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
	3	* Copyright Nokia 2007-2019
	4	* Copyright Siemens AG 2015-2019
a61b7f2f	5	*
ce9b9964	6	* Licensed under the Apache License 2.0 (the "License"). You may not use
a61b7f2f DO	7	* this file except in compliance with the License. You can obtain a copy
	8	* in the file LICENSE in the source distribution or at
	9	* https://www.openssl.org/source/license.html
	10	*
	11	* CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
	12	*/
	13
	14
776796e8 RL	15	#include <string.h>
776796e8 RL	16
a61b7f2f DO	17	#include <openssl/rand.h>
	18	#include <openssl/evp.h>
	19
706457b7	20	#include "crmf_local.h"
a61b7f2f DO	21
	22	/* explicit #includes not strictly needed since implied by the above: */
	23	#include <openssl/asn1t.h>
	24	#include <openssl/crmf.h>
	25	#include <openssl/err.h>
	26	#include <openssl/evp.h>
776796e8 RL	27	#include <openssl/params.h>
776796e8 RL	28	#include <openssl/core_names.h>
a61b7f2f DO	29
	30	/*-
	31	* creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
	32	* \|slen\| SHOULD be > 8 (16 is common)
	33	* \|owfnid\| e.g., NID_sha256
	34	* \|itercnt\| MUST be > 100 (500 is common)
	35	* \|macnid\| e.g., NID_hmac_sha1
	36	* returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
	37	*/
	38	OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
	39	int itercnt, int macnid)
	40	{
	41	OSSL_CRMF_PBMPARAMETER *pbm = NULL;
	42	unsigned char *salt = NULL;
	43
7960dbec	44	if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
a61b7f2f	45	goto err;
a61b7f2f DO	46
	47	/*
	48	* salt contains a randomly generated value used in computing the key
	49	* of the MAC process. The salt SHOULD be at least 8 octets (64
	50	* bits) long.
	51	*/
7960dbec	52	if ((salt = OPENSSL_malloc(slen)) == NULL)
a61b7f2f	53	goto err;
a61b7f2f DO	54	if (RAND_bytes(salt, (int)slen) <= 0) {
	55	CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
	56	goto err;
	57	}
	58	if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen))
	59	goto err;
	60
	61	/*
	62	* owf identifies the hash algorithm and associated parameters used to
	63	* compute the key used in the MAC process. All implementations MUST
	64	* support SHA-1.
	65	*/
	66	if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) {
	67	CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_OWF_ALGOR_FAILURE);
	68	goto err;
	69	}
	70
	71	/*
	72	* iterationCount identifies the number of times the hash is applied
	73	* during the key computation process. The iterationCount MUST be a
235595c4	74	* minimum of 100. Many people suggest using values as high as 1000
a61b7f2f DO	75	* iterations as the minimum value. The trade off here is between
	76	* protection of the password from attacks and the time spent by the
	77	* server processing all of the different iterations in deriving
	78	* passwords. Hashing is generally considered a cheap operation but
	79	* this may not be true with all hash functions in the future.
	80	*/
	81	if (itercnt < 100) {
	82	CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100);
	83	goto err;
	84	}
	85
	86	if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
	87	CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR);
	88	goto err;
	89	}
	90
	91	/*
	92	* mac identifies the algorithm and associated parameters of the MAC
	93	* function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
	94	* All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
	95	*/
	96	if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) {
	97	CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_MAC_ALGOR_FAILURE);
	98	goto err;
	99	}
	100
	101	OPENSSL_free(salt);
	102	return pbm;
	103	err:
	104	OPENSSL_free(salt);
	105	OSSL_CRMF_PBMPARAMETER_free(pbm);
	106	return NULL;
	107	}
	108
	109	/*-
	110	* calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
	111	* \|pbmp\| identifies the algorithms, salt to use
	112	* \|msg\| message to apply the PBM for
	113	* \|msglen\| length of the message
	114	* \|sec\| key to use
	115	* \|seclen\| length of the key
	116	* \|mac\| pointer to the computed mac, will be set on success
	117	* \|maclen\| if not NULL, will set variable to the length of the mac on success
	118	* returns 1 on success, 0 on error
	119	*/
	120	int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
	121	const unsigned char *msg, size_t msglen,
	122	const unsigned char *sec, size_t seclen,
776796e8	123	unsigned char *out, size_t outlen)
a61b7f2f DO	124	{
a61b7f2f DO	125	int mac_nid, hmac_md_nid = NID_undef;
776796e8	126	const char *mdname = NULL;
a61b7f2f DO	127	const EVP_MD *m = NULL;
	128	EVP_MD_CTX *ctx = NULL;
	129	unsigned char basekey[EVP_MAX_MD_SIZE];
	130	unsigned int bklen = EVP_MAX_MD_SIZE;
	131	int64_t iterations;
	132	unsigned char *mac_res = 0;
	133	int ok = 0;
776796e8	134	EVP_MAC *mac = NULL;
a61b7f2f	135	EVP_MAC_CTX *mctx = NULL;
3dbc5156	136	OSSL_PARAM macparams[3] = {OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END};
a61b7f2f	137
776796e8	138	if (out == NULL \|\| pbmp == NULL \|\| pbmp->mac == NULL
a61b7f2f DO	139	\|\| pbmp->mac->algorithm == NULL \|\| msg == NULL \|\| sec == NULL) {
	140	CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT);
	141	goto err;
	142	}
7960dbec	143	if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
a61b7f2f	144	goto err;
a61b7f2f DO	145
	146	/*
	147	* owf identifies the hash algorithm and associated parameters used to
	148	* compute the key used in the MAC process. All implementations MUST
	149	* support SHA-1.
	150	*/
	151	if ((m = EVP_get_digestbyobj(pbmp->owf->algorithm)) == NULL) {
	152	CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
	153	goto err;
	154	}
	155
7960dbec	156	if ((ctx = EVP_MD_CTX_new()) == NULL)
a61b7f2f	157	goto err;
a61b7f2f DO	158
	159	/* compute the basekey of the salted secret */
	160	if (!EVP_DigestInit_ex(ctx, m, NULL))
	161	goto err;
	162	/* first the secret */
	163	if (!EVP_DigestUpdate(ctx, sec, seclen))
	164	goto err;
	165	/* then the salt */
	166	if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length))
	167	goto err;
	168	if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
	169	goto err;
	170	if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount)
	171	\|\| iterations < 100 /* min from RFC */
	172	\|\| iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
	173	CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT);
	174	goto err;
	175	}
	176
	177	/* the first iteration was already done above */
	178	while (--iterations > 0) {
	179	if (!EVP_DigestInit_ex(ctx, m, NULL))
	180	goto err;
	181	if (!EVP_DigestUpdate(ctx, basekey, bklen))
	182	goto err;
	183	if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
	184	goto err;
	185	}
	186
	187	/*
	188	* mac identifies the algorithm and associated parameters of the MAC
	189	* function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
	190	* All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
	191	*/
	192	mac_nid = OBJ_obj2nid(pbmp->mac->algorithm);
	193
	194	if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL)
3dbc5156	195	\|\| (mdname = OBJ_nid2sn(hmac_md_nid)) == NULL) {
a61b7f2f DO	196	CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
	197	goto err;
	198	}
	199
3dbc5156 DDO	200	macparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
	201	(char *)mdname, 0);
	202	macparams[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
	203	basekey, bklen);
776796e8 RL	204	if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) == NULL
	205	\|\| (mctx = EVP_MAC_CTX_new(mac)) == NULL
	206	\|\| !EVP_MAC_CTX_set_params(mctx, macparams)
a61b7f2f DO	207	\|\| !EVP_MAC_init(mctx)
a61b7f2f DO	208	\|\| !EVP_MAC_update(mctx, msg, msglen)
776796e8	209	\|\| !EVP_MAC_final(mctx, mac_res, outlen, EVP_MAX_MD_SIZE))
a61b7f2f DO	210	goto err;
	211
	212	ok = 1;
	213
	214	err:
	215	/* cleanup */
	216	OPENSSL_cleanse(basekey, bklen);
	217	EVP_MAC_CTX_free(mctx);
776796e8	218	EVP_MAC_free(mac);
a61b7f2f DO	219	EVP_MD_CTX_free(ctx);
	220
	221	if (ok == 1) {
776796e8	222	*out = mac_res;
a61b7f2f DO	223	return 1;
	224	}
	225
	226	OPENSSL_free(mac_res);
	227
	228	if (pbmp != NULL && pbmp->mac != NULL) {
	229	char buf[128];
	230
	231	if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0))
	232	ERR_add_error_data(1, buf);
	233	}
	234	return 0;
	235	}