]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
b1322259 | 2 | * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. |
8d8c7266 | 3 | * |
b1322259 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8d8c7266 DSH |
8 | */ |
9 | ||
0f113f3e | 10 | # include <stdio.h> |
b39fc560 | 11 | # include "internal/cryptlib.h" |
bf7c6817 | 12 | # include <openssl/crypto.h> |
0f113f3e MC |
13 | # include <openssl/hmac.h> |
14 | # include <openssl/rand.h> | |
15 | # include <openssl/pkcs12.h> | |
03922a63 | 16 | # include "p12_lcl.h" |
8d8c7266 | 17 | |
28da1455 | 18 | int PKCS12_mac_present(const PKCS12 *p12) |
293042c9 | 19 | { |
c9018bdf | 20 | return p12->mac ? 1 : 0; |
293042c9 DSH |
21 | } |
22 | ||
59b4da05 DSH |
23 | void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, |
24 | const X509_ALGOR **pmacalg, | |
25 | const ASN1_OCTET_STRING **psalt, | |
26 | const ASN1_INTEGER **piter, | |
27 | const PKCS12 *p12) | |
293042c9 DSH |
28 | { |
29 | if (p12->mac) { | |
59b4da05 | 30 | X509_SIG_get0(p12->mac->dinfo, pmacalg, pmac); |
293042c9 DSH |
31 | if (psalt) |
32 | *psalt = p12->mac->salt; | |
33 | if (piter) | |
34 | *piter = p12->mac->iter; | |
35 | } else { | |
36 | if (pmac) | |
37 | *pmac = NULL; | |
38 | if (pmacalg) | |
39 | *pmacalg = NULL; | |
40 | if (psalt) | |
41 | *psalt = NULL; | |
42 | if (piter) | |
43 | *piter = NULL; | |
44 | } | |
45 | } | |
46 | ||
77886387 MC |
47 | # define TK26_MAC_KEY_LEN 32 |
48 | ||
49 | static int pkcs12_gen_gost_mac_key(const char *pass, int passlen, | |
50 | const unsigned char *salt, int saltlen, | |
51 | int iter, int keylen, unsigned char *key, | |
52 | const EVP_MD *digest) | |
53 | { | |
54 | unsigned char out[96]; | |
55 | ||
56 | if (keylen != TK26_MAC_KEY_LEN) { | |
57 | return 0; | |
58 | } | |
59 | ||
60 | if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, | |
61 | digest, sizeof(out), out)) { | |
62 | return 0; | |
63 | } | |
64 | memcpy(key, out + sizeof(out) - TK26_MAC_KEY_LEN, TK26_MAC_KEY_LEN); | |
65 | OPENSSL_cleanse(out, sizeof(out)); | |
66 | return 1; | |
67 | } | |
68 | ||
1194ea8d AP |
69 | #undef PKCS12_key_gen |
70 | /* | |
71 | * |PKCS12_key_gen| is used to convey information about old-style broken | |
72 | * password being used to PKCS12_PBE_keyivgen in decrypt cases. Workflow | |
73 | * is if PKCS12_verify_mac notes that password encoded with compliant | |
74 | * PKCS12_key_gen_utf8 conversion subroutine isn't right, while encoded | |
75 | * with legacy non-compliant one is, then it sets |PKCS12_key_gen| to | |
76 | * legacy PKCS12_key_gen_asc conversion subroutine, which is then picked | |
77 | * by PKCS12_PBE_keyivgen. This applies to reading data. Written data | |
78 | * on the other hand is protected with standard-compliant encoding, i.e. | |
79 | * in backward-incompatible manner. Note that formally the approach is | |
80 | * not MT-safe. Rationale is that in order to access PKCS#12 files from | |
81 | * MT or even production application, you would be required to convert | |
82 | * data to correct interoperable format. In which case this variable | |
83 | * won't have to change. Conversion would have to be done with pkcs12 | |
84 | * utility, which is not MT, and hence can tolerate it. In other words | |
85 | * goal is not to make this heuristic approach work in general case, | |
86 | * but in one specific one, apps/pkcs12.c. | |
87 | */ | |
88 | int (*PKCS12_key_gen)(const char *pass, int passlen, | |
89 | unsigned char *salt, int slen, | |
90 | int id, int iter, int n, | |
91 | unsigned char *out, | |
92 | const EVP_MD *md_type) = NULL; | |
93 | ||
94 | ||
8d8c7266 | 95 | /* Generate a MAC */ |
1194ea8d AP |
96 | static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, |
97 | unsigned char *mac, unsigned int *maclen, | |
98 | int (*pkcs12_key_gen)(const char *pass, int passlen, | |
99 | unsigned char *salt, int slen, | |
100 | int id, int iter, int n, | |
101 | unsigned char *out, | |
102 | const EVP_MD *md_type)) | |
8d8c7266 | 103 | { |
0f113f3e | 104 | const EVP_MD *md_type; |
bf7c6817 | 105 | HMAC_CTX *hmac = NULL; |
0f113f3e MC |
106 | unsigned char key[EVP_MAX_MD_SIZE], *salt; |
107 | int saltlen, iter; | |
77886387 MC |
108 | int md_size = 0; |
109 | int md_type_nid; | |
59b4da05 | 110 | const X509_ALGOR *macalg; |
ac4e2577 | 111 | const ASN1_OBJECT *macoid; |
dbad1690 | 112 | |
1194ea8d AP |
113 | if (pkcs12_key_gen == NULL) |
114 | pkcs12_key_gen = PKCS12_key_gen; | |
115 | if (pkcs12_key_gen == NULL) | |
116 | pkcs12_key_gen = PKCS12_key_gen_utf8; | |
117 | ||
0f113f3e MC |
118 | if (!PKCS7_type_is_data(p12->authsafes)) { |
119 | PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA); | |
120 | return 0; | |
121 | } | |
1c2f1fe5 | 122 | |
0f113f3e MC |
123 | salt = p12->mac->salt->data; |
124 | saltlen = p12->mac->salt->length; | |
125 | if (!p12->mac->iter) | |
126 | iter = 1; | |
127 | else | |
128 | iter = ASN1_INTEGER_get(p12->mac->iter); | |
59b4da05 | 129 | X509_SIG_get0(p12->mac->dinfo, &macalg, NULL); |
a6eb1ce6 DSH |
130 | X509_ALGOR_get0(&macoid, NULL, NULL, macalg); |
131 | if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) { | |
0f113f3e MC |
132 | PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); |
133 | return 0; | |
134 | } | |
135 | md_size = EVP_MD_size(md_type); | |
77886387 | 136 | md_type_nid = EVP_MD_type(md_type); |
0f113f3e MC |
137 | if (md_size < 0) |
138 | return 0; | |
77886387 MC |
139 | if ((md_type_nid == NID_id_GostR3411_94 |
140 | || md_type_nid == NID_id_GostR3411_2012_256 | |
141 | || md_type_nid == NID_id_GostR3411_2012_512) | |
142 | && !getenv("LEGACY_GOST_PKCS12")) { | |
143 | md_size = TK26_MAC_KEY_LEN; | |
144 | if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter, | |
145 | md_size, key, md_type)) { | |
146 | PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR); | |
147 | return 0; | |
148 | } | |
149 | } else | |
1194ea8d AP |
150 | if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID, |
151 | iter, md_size, key, md_type)) { | |
0f113f3e MC |
152 | PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR); |
153 | return 0; | |
154 | } | |
bf7c6817 RL |
155 | hmac = HMAC_CTX_new(); |
156 | if (!HMAC_Init_ex(hmac, key, md_size, md_type, NULL) | |
157 | || !HMAC_Update(hmac, p12->authsafes->d.data->data, | |
0f113f3e | 158 | p12->authsafes->d.data->length) |
bf7c6817 RL |
159 | || !HMAC_Final(hmac, mac, maclen)) { |
160 | HMAC_CTX_free(hmac); | |
0f113f3e MC |
161 | return 0; |
162 | } | |
bf7c6817 | 163 | HMAC_CTX_free(hmac); |
0f113f3e | 164 | return 1; |
8d8c7266 DSH |
165 | } |
166 | ||
1194ea8d AP |
167 | int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, |
168 | unsigned char *mac, unsigned int *maclen) | |
169 | { | |
170 | return pkcs12_gen_mac(p12, pass, passlen, mac, maclen, NULL); | |
171 | } | |
172 | ||
8d8c7266 | 173 | /* Verify the mac */ |
8afca8d9 | 174 | int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) |
8d8c7266 | 175 | { |
0f113f3e MC |
176 | unsigned char mac[EVP_MAX_MD_SIZE]; |
177 | unsigned int maclen; | |
59b4da05 | 178 | const ASN1_OCTET_STRING *macoct; |
a6eb1ce6 | 179 | |
0f113f3e MC |
180 | if (p12->mac == NULL) { |
181 | PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT); | |
182 | return 0; | |
183 | } | |
1194ea8d AP |
184 | if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, |
185 | PKCS12_key_gen_utf8)) { | |
0f113f3e MC |
186 | PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR); |
187 | return 0; | |
188 | } | |
59b4da05 | 189 | X509_SIG_get0(p12->mac->dinfo, NULL, &macoct); |
1194ea8d | 190 | if (maclen != (unsigned int)ASN1_STRING_length(macoct)) |
0f113f3e | 191 | return 0; |
1194ea8d AP |
192 | |
193 | if (CRYPTO_memcmp(mac, ASN1_STRING_get0_data(macoct), maclen) != 0) { | |
194 | if (pass == NULL) | |
195 | return 0; | |
196 | /* | |
197 | * In order to facilitate accessing old data retry with | |
198 | * old-style broken password ... | |
199 | */ | |
200 | if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, | |
201 | PKCS12_key_gen_asc)) { | |
202 | PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR); | |
203 | return 0; | |
204 | } | |
205 | if ((maclen != (unsigned int)ASN1_STRING_length(macoct)) | |
206 | || CRYPTO_memcmp(mac, ASN1_STRING_get0_data(macoct), maclen) != 0) | |
207 | return 0; | |
208 | else | |
209 | PKCS12_key_gen = PKCS12_key_gen_asc; | |
210 | /* | |
211 | * ... and if suceeded, pass it on to PKCS12_PBE_keyivgen. | |
212 | */ | |
213 | } | |
0f113f3e | 214 | return 1; |
8d8c7266 DSH |
215 | } |
216 | ||
217 | /* Set a mac */ | |
218 | ||
8afca8d9 | 219 | int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, |
0f113f3e MC |
220 | unsigned char *salt, int saltlen, int iter, |
221 | const EVP_MD *md_type) | |
8d8c7266 | 222 | { |
0f113f3e MC |
223 | unsigned char mac[EVP_MAX_MD_SIZE]; |
224 | unsigned int maclen; | |
a6eb1ce6 | 225 | ASN1_OCTET_STRING *macoct; |
61f5b6f3 | 226 | |
0f113f3e MC |
227 | if (!md_type) |
228 | md_type = EVP_sha1(); | |
229 | if (PKCS12_setup_mac(p12, iter, salt, saltlen, md_type) == PKCS12_ERROR) { | |
230 | PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_SETUP_ERROR); | |
231 | return 0; | |
232 | } | |
1194ea8d AP |
233 | /* |
234 | * Note that output mac is forced to UTF-8... | |
235 | */ | |
236 | if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, | |
237 | PKCS12_key_gen_utf8)) { | |
0f113f3e MC |
238 | PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_GENERATION_ERROR); |
239 | return 0; | |
240 | } | |
0b7347ef | 241 | X509_SIG_getm(p12->mac->dinfo, NULL, &macoct); |
a6eb1ce6 | 242 | if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) { |
0f113f3e MC |
243 | PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_STRING_SET_ERROR); |
244 | return 0; | |
245 | } | |
246 | return 1; | |
8d8c7266 DSH |
247 | } |
248 | ||
249 | /* Set up a mac structure */ | |
8afca8d9 | 250 | int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, |
0f113f3e | 251 | const EVP_MD *md_type) |
8d8c7266 | 252 | { |
a6eb1ce6 DSH |
253 | X509_ALGOR *macalg; |
254 | ||
75ebbd9a | 255 | if ((p12->mac = PKCS12_MAC_DATA_new()) == NULL) |
0f113f3e MC |
256 | return PKCS12_ERROR; |
257 | if (iter > 1) { | |
75ebbd9a | 258 | if ((p12->mac->iter = ASN1_INTEGER_new()) == NULL) { |
0f113f3e MC |
259 | PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); |
260 | return 0; | |
261 | } | |
262 | if (!ASN1_INTEGER_set(p12->mac->iter, iter)) { | |
263 | PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); | |
264 | return 0; | |
265 | } | |
266 | } | |
267 | if (!saltlen) | |
268 | saltlen = PKCS12_SALT_LEN; | |
75ebbd9a | 269 | if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) { |
0f113f3e MC |
270 | PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); |
271 | return 0; | |
272 | } | |
c2319cf9 | 273 | p12->mac->salt->length = saltlen; |
0f113f3e | 274 | if (!salt) { |
266483d2 | 275 | if (RAND_bytes(p12->mac->salt->data, saltlen) <= 0) |
0f113f3e MC |
276 | return 0; |
277 | } else | |
278 | memcpy(p12->mac->salt->data, salt, saltlen); | |
0b7347ef | 279 | X509_SIG_getm(p12->mac->dinfo, &macalg, NULL); |
a6eb1ce6 DSH |
280 | if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_type(md_type)), |
281 | V_ASN1_NULL, NULL)) { | |
0f113f3e MC |
282 | PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); |
283 | return 0; | |
284 | } | |
0f113f3e MC |
285 | |
286 | return 1; | |
8d8c7266 | 287 | } |