]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/crmf/crmf_pbm.c
projects / thirdparty / openssl.git / blob
? search:


21808d014bf73e0117e7cc3e56e772613835d33b
[thirdparty/openssl.git] / crypto / crmf / crmf_pbm.c
1 /*-
2 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 *
11 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
12 */
13
14
15 #include <string.h>
16
17 #include <openssl/rand.h>
18 #include <openssl/evp.h>
19 #include <openssl/hmac.h>
20
21 /* explicit #includes not strictly needed since implied by the above: */
22 #include <openssl/asn1t.h>
23 #include <openssl/crmf.h>
24 #include <openssl/err.h>
25 #include <openssl/evp.h>
26 #include <openssl/params.h>
27 #include <openssl/core_names.h>
28
29 #include "internal/sizes.h"
30
31 #include "crmf_local.h"
32
33 /*-
34 * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
35 * |slen| SHOULD be at least 8 (16 is common)
36 * |owfnid| e.g., NID_sha256
37 * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT
38 * |macnid| e.g., NID_hmac_sha1
39 * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
40 */
41 OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
42 int owfnid, size_t itercnt,
43 int macnid)
44 {
45 OSSL_CRMF_PBMPARAMETER *pbm = NULL;
46 unsigned char *salt = NULL;
47
48 if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
49 goto err;
50
51 /*
52 * salt contains a randomly generated value used in computing the key
53 * of the MAC process. The salt SHOULD be at least 8 octets (64
54 * bits) long.
55 */
56 if ((salt = OPENSSL_malloc(slen)) == NULL)
57 goto err;
58 if (RAND_bytes_ex(libctx, salt, (int)slen, 0) <= 0) {
59 ERR_raise(ERR_LIB_CRMF, CRMF_R_FAILURE_OBTAINING_RANDOM);
60 goto err;
61 }
62 if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen))
63 goto err;
64
65 /*
66 * owf identifies the hash algorithm and associated parameters used to
67 * compute the key used in the MAC process. All implementations MUST
68 * support SHA-1.
69 */
70 if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) {
71 ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_OWF_ALGOR_FAILURE);
72 goto err;
73 }
74
75 /*
76 * iterationCount identifies the number of times the hash is applied
77 * during the key computation process. The iterationCount MUST be a
78 * minimum of 100. Many people suggest using values as high as 1000
79 * iterations as the minimum value. The trade off here is between
80 * protection of the password from attacks and the time spent by the
81 * server processing all of the different iterations in deriving
82 * passwords. Hashing is generally considered a cheap operation but
83 * this may not be true with all hash functions in the future.
84 */
85 if (itercnt < 100) {
86 ERR_raise(ERR_LIB_CRMF, CRMF_R_ITERATIONCOUNT_BELOW_100);
87 goto err;
88 }
89 if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
90 ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT);
91 goto err;
92 }
93
94 if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
95 ERR_raise(ERR_LIB_CRMF, CRMF_R_CRMFERROR);
96 goto err;
97 }
98
99 /*
100 * mac identifies the algorithm and associated parameters of the MAC
101 * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
102 * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
103 */
104 if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) {
105 ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_MAC_ALGOR_FAILURE);
106 goto err;
107 }
108
109 OPENSSL_free(salt);
110 return pbm;
111 err:
112 OPENSSL_free(salt);
113 OSSL_CRMF_PBMPARAMETER_free(pbm);
114 return NULL;
115 }
116
117 /*-
118 * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
119 * |pbmp| identifies the algorithms, salt to use
120 * |msg| message to apply the PBM for
121 * |msglen| length of the message
122 * |sec| key to use
123 * |seclen| length of the key
124 * |out| pointer to the computed mac, will be set on success
125 * |outlen| if not NULL, will set variable to the length of the mac on success
126 * returns 1 on success, 0 on error
127 */
128 /* TODO try to combine with other MAC calculations in the libray */
129 int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
130 const OSSL_CRMF_PBMPARAMETER *pbmp,
131 const unsigned char *msg, size_t msglen,
132 const unsigned char *sec, size_t seclen,
133 unsigned char **out, size_t *outlen)
134 {
135 int mac_nid, hmac_md_nid = NID_undef;
136 char mdname[OSSL_MAX_NAME_SIZE];
137 char hmac_mdname[OSSL_MAX_NAME_SIZE];
138 EVP_MD *owf = NULL;
139 EVP_MD_CTX *ctx = NULL;
140 unsigned char basekey[EVP_MAX_MD_SIZE];
141 unsigned int bklen = EVP_MAX_MD_SIZE;
142 int64_t iterations;
143 unsigned char *mac_res = 0;
144 unsigned int maclen;
145 int ok = 0;
146
147 if (out == NULL || pbmp == NULL || pbmp->mac == NULL
148 || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) {
149 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
150 goto err;
151 }
152 if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
153 goto err;
154
155 /*
156 * owf identifies the hash algorithm and associated parameters used to
157 * compute the key used in the MAC process. All implementations MUST
158 * support SHA-1.
159 */
160 OBJ_obj2txt(mdname, sizeof(mdname), pbmp->owf->algorithm, 0);
161 if ((owf = EVP_MD_fetch(libctx, mdname, propq)) == NULL) {
162 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
163 goto err;
164 }
165
166 if ((ctx = EVP_MD_CTX_new()) == NULL)
167 goto err;
168
169 /* compute the basekey of the salted secret */
170 if (!EVP_DigestInit_ex(ctx, owf, NULL))
171 goto err;
172 /* first the secret */
173 if (!EVP_DigestUpdate(ctx, sec, seclen))
174 goto err;
175 /* then the salt */
176 if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length))
177 goto err;
178 if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
179 goto err;
180 if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount)
181 || iterations < 100 /* min from RFC */
182 || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
183 ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT);
184 goto err;
185 }
186
187 /* the first iteration was already done above */
188 while (--iterations > 0) {
189 if (!EVP_DigestInit_ex(ctx, owf, NULL))
190 goto err;
191 if (!EVP_DigestUpdate(ctx, basekey, bklen))
192 goto err;
193 if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
194 goto err;
195 }
196
197 /*
198 * mac identifies the algorithm and associated parameters of the MAC
199 * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
200 * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
201 */
202 mac_nid = OBJ_obj2nid(pbmp->mac->algorithm);
203
204 if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL)
205 || !OBJ_obj2txt(hmac_mdname, sizeof(hmac_mdname),
206 OBJ_nid2obj(hmac_md_nid), 0)) {
207 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
208 goto err;
209 }
210 /* TODO generalize to non-HMAC: */
211 if (EVP_Q_mac(libctx, "HMAC", propq, hmac_mdname, NULL, basekey, bklen,
212 msg, msglen, mac_res, EVP_MAX_MD_SIZE, &maclen) == NULL)
213 goto err;
214
215 *outlen = (size_t)maclen;
216 ok = 1;
217
218 err:
219 OPENSSL_cleanse(basekey, bklen);
220 EVP_MD_free(owf);
221 EVP_MD_CTX_free(ctx);
222
223 if (ok == 1) {
224 *out = mac_res;
225 return 1;
226 }
227
228 OPENSSL_free(mac_res);
229
230 if (pbmp != NULL && pbmp->mac != NULL) {
231 char buf[128];
232
233 if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0))
234 ERR_add_error_data(1, buf);
235 }
236 return 0;
237 }
A mirror of the official openssl repository