2 * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2018
4 * Copyright Siemens AG 2015-2018
6 * Licensed under the OpenSSL license (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
11 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
15 #include <openssl/rand.h>
16 #include <openssl/evp.h>
20 /* explicit #includes not strictly needed since implied by the above: */
21 #include <openssl/asn1t.h>
22 #include <openssl/crmf.h>
23 #include <openssl/err.h>
24 #include <openssl/evp.h>
27 * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
28 * |slen| SHOULD be > 8 (16 is common)
29 * |owfnid| e.g., NID_sha256
30 * |itercnt| MUST be > 100 (500 is common)
31 * |macnid| e.g., NID_hmac_sha1
32 * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
34 OSSL_CRMF_PBMPARAMETER
*OSSL_CRMF_pbmp_new(size_t slen
, int owfnid
,
35 int itercnt
, int macnid
)
37 OSSL_CRMF_PBMPARAMETER
*pbm
= NULL
;
38 unsigned char *salt
= NULL
;
40 if ((pbm
= OSSL_CRMF_PBMPARAMETER_new()) == NULL
) {
41 CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW
, ERR_R_MALLOC_FAILURE
);
46 * salt contains a randomly generated value used in computing the key
47 * of the MAC process. The salt SHOULD be at least 8 octets (64
50 if ((salt
= OPENSSL_malloc(slen
)) == NULL
) {
51 CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW
, ERR_R_MALLOC_FAILURE
);
54 if (RAND_bytes(salt
, (int)slen
) <= 0) {
55 CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW
, CRMF_R_FAILURE_OBTAINING_RANDOM
);
58 if (!ASN1_OCTET_STRING_set(pbm
->salt
, salt
, (int)slen
))
62 * owf identifies the hash algorithm and associated parameters used to
63 * compute the key used in the MAC process. All implementations MUST
66 if (!X509_ALGOR_set0(pbm
->owf
, OBJ_nid2obj(owfnid
), V_ASN1_UNDEF
, NULL
)) {
67 CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW
, CRMF_R_SETTING_OWF_ALGOR_FAILURE
);
72 * iterationCount identifies the number of times the hash is applied
73 * during the key computation process. The iterationCount MUST be a
74 * minimum of 100. Many people suggest using values as high as 1000
75 * iterations as the minimum value. The trade off here is between
76 * protection of the password from attacks and the time spent by the
77 * server processing all of the different iterations in deriving
78 * passwords. Hashing is generally considered a cheap operation but
79 * this may not be true with all hash functions in the future.
82 CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW
, CRMF_R_ITERATIONCOUNT_BELOW_100
);
86 if (!ASN1_INTEGER_set(pbm
->iterationCount
, itercnt
)) {
87 CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW
, CRMF_R_CRMFERROR
);
92 * mac identifies the algorithm and associated parameters of the MAC
93 * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
94 * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
96 if (!X509_ALGOR_set0(pbm
->mac
, OBJ_nid2obj(macnid
), V_ASN1_UNDEF
, NULL
)) {
97 CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW
, CRMF_R_SETTING_MAC_ALGOR_FAILURE
);
105 OSSL_CRMF_PBMPARAMETER_free(pbm
);
110 * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
111 * |pbmp| identifies the algorithms, salt to use
112 * |msg| message to apply the PBM for
113 * |msglen| length of the message
115 * |seclen| length of the key
116 * |mac| pointer to the computed mac, will be set on success
117 * |maclen| if not NULL, will set variable to the length of the mac on success
118 * returns 1 on success, 0 on error
120 int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER
*pbmp
,
121 const unsigned char *msg
, size_t msglen
,
122 const unsigned char *sec
, size_t seclen
,
123 unsigned char **mac
, size_t *maclen
)
125 int mac_nid
, hmac_md_nid
= NID_undef
;
126 const EVP_MD
*m
= NULL
;
127 EVP_MD_CTX
*ctx
= NULL
;
128 unsigned char basekey
[EVP_MAX_MD_SIZE
];
129 unsigned int bklen
= EVP_MAX_MD_SIZE
;
131 unsigned char *mac_res
= 0;
133 EVP_MAC_CTX
*mctx
= NULL
;
135 if (mac
== NULL
|| pbmp
== NULL
|| pbmp
->mac
== NULL
136 || pbmp
->mac
->algorithm
== NULL
|| msg
== NULL
|| sec
== NULL
) {
137 CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW
, CRMF_R_NULL_ARGUMENT
);
140 if ((mac_res
= OPENSSL_malloc(EVP_MAX_MD_SIZE
)) == NULL
) {
141 CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW
, ERR_R_MALLOC_FAILURE
);
146 * owf identifies the hash algorithm and associated parameters used to
147 * compute the key used in the MAC process. All implementations MUST
150 if ((m
= EVP_get_digestbyobj(pbmp
->owf
->algorithm
)) == NULL
) {
151 CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW
, CRMF_R_UNSUPPORTED_ALGORITHM
);
155 if ((ctx
= EVP_MD_CTX_new()) == NULL
) {
156 CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW
, ERR_R_MALLOC_FAILURE
);
160 /* compute the basekey of the salted secret */
161 if (!EVP_DigestInit_ex(ctx
, m
, NULL
))
163 /* first the secret */
164 if (!EVP_DigestUpdate(ctx
, sec
, seclen
))
167 if (!EVP_DigestUpdate(ctx
, pbmp
->salt
->data
, pbmp
->salt
->length
))
169 if (!EVP_DigestFinal_ex(ctx
, basekey
, &bklen
))
171 if (!ASN1_INTEGER_get_int64(&iterations
, pbmp
->iterationCount
)
172 || iterations
< 100 /* min from RFC */
173 || iterations
> OSSL_CRMF_PBM_MAX_ITERATION_COUNT
) {
174 CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW
, CRMF_R_BAD_PBM_ITERATIONCOUNT
);
178 /* the first iteration was already done above */
179 while (--iterations
> 0) {
180 if (!EVP_DigestInit_ex(ctx
, m
, NULL
))
182 if (!EVP_DigestUpdate(ctx
, basekey
, bklen
))
184 if (!EVP_DigestFinal_ex(ctx
, basekey
, &bklen
))
189 * mac identifies the algorithm and associated parameters of the MAC
190 * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
191 * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
193 mac_nid
= OBJ_obj2nid(pbmp
->mac
->algorithm
);
195 if (!EVP_PBE_find(EVP_PBE_TYPE_PRF
, mac_nid
, NULL
, &hmac_md_nid
, NULL
)
196 || ((m
= EVP_get_digestbynid(hmac_md_nid
)) == NULL
)) {
197 CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW
, CRMF_R_UNSUPPORTED_ALGORITHM
);
201 if ((mctx
= EVP_MAC_CTX_new(EVP_get_macbyname("HMAC"))) == NULL
202 || EVP_MAC_ctrl(mctx
, EVP_MAC_CTRL_SET_MD
, m
) <= 0
203 || EVP_MAC_ctrl(mctx
, EVP_MAC_CTRL_SET_KEY
, basekey
, bklen
) <= 0
204 || !EVP_MAC_init(mctx
)
205 || !EVP_MAC_update(mctx
, msg
, msglen
)
206 || !EVP_MAC_final(mctx
, mac_res
, maclen
))
213 OPENSSL_cleanse(basekey
, bklen
);
214 EVP_MAC_CTX_free(mctx
);
215 EVP_MD_CTX_free(ctx
);
222 OPENSSL_free(mac_res
);
224 if (pbmp
!= NULL
&& pbmp
->mac
!= NULL
) {
227 if (OBJ_obj2txt(buf
, sizeof(buf
), pbmp
->mac
->algorithm
, 0))
228 ERR_add_error_data(1, buf
);