1 /* $OpenBSD: evp_pbe.c,v 1.50 2024/04/09 13:52:41 beck Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5 /* ====================================================================
6 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 #include <stdio.h>
60 #include <string.h>
61
62 #include <openssl/asn1.h>
63 #include <openssl/err.h>
64 #include <openssl/evp.h>
65 #include <openssl/hmac.h>
66 #include <openssl/objects.h>
67 #include <openssl/pkcs12.h>
68 #include <openssl/x509.h>
69
70 #include "evp_local.h"
71 #include "hmac_local.h"
72 #include "pkcs12_local.h"
73 #include "x509_local.h"
74
75 /* Password based encryption (PBE) functions */
76 int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
77 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de);
78 int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
79 ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de);
80 int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
81 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md_type,
82 int en_de);
83 int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
84 ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de);
85
86 static const struct pbe_config {
87 int pbe_nid;
88 int cipher_nid;
89 int md_nid;
90 EVP_PBE_KEYGEN *keygen;
91 } pbe_outer[] = {
92 {
93 .pbe_nid = NID_pbeWithMD2AndDES_CBC,
94 .cipher_nid = NID_des_cbc,
95 .md_nid = NID_md2,
96 .keygen = PKCS5_PBE_keyivgen,
97 },
98 {
99 .pbe_nid = NID_pbeWithMD5AndDES_CBC,
100 .cipher_nid = NID_des_cbc,
101 .md_nid = NID_md5,
102 .keygen = PKCS5_PBE_keyivgen,
103 },
104 {
105 .pbe_nid = NID_pbeWithSHA1AndRC2_CBC,
106 .cipher_nid = NID_rc2_64_cbc,
107 .md_nid = NID_sha1,
108 .keygen = PKCS5_PBE_keyivgen,
109 },
110 {
111 .pbe_nid = NID_id_pbkdf2,
112 .cipher_nid = -1,
113 .md_nid = -1,
114 .keygen = PKCS5_v2_PBKDF2_keyivgen,
115 },
116 {
117 .pbe_nid = NID_pbe_WithSHA1And128BitRC4,
118 .cipher_nid = NID_rc4,
119 .md_nid = NID_sha1,
120 .keygen = PKCS12_PBE_keyivgen,
121 },
122 {
123 .pbe_nid = NID_pbe_WithSHA1And40BitRC4,
124 .cipher_nid = NID_rc4_40,
125 .md_nid = NID_sha1,
126 .keygen = PKCS12_PBE_keyivgen,
127 },
128 {
129 .pbe_nid = NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
130 .cipher_nid = NID_des_ede3_cbc,
131 .md_nid = NID_sha1,
132 .keygen = PKCS12_PBE_keyivgen,
133 },
134 {
135 .pbe_nid = NID_pbe_WithSHA1And2_Key_TripleDES_CBC,
136 .cipher_nid = NID_des_ede_cbc,
137 .md_nid = NID_sha1,
138 .keygen = PKCS12_PBE_keyivgen,
139 },
140 {
141 .pbe_nid = NID_pbe_WithSHA1And128BitRC2_CBC,
142 .cipher_nid = NID_rc2_cbc,
143 .md_nid = NID_sha1,
144 .keygen = PKCS12_PBE_keyivgen,
145 },
146 {
147 .pbe_nid = NID_pbe_WithSHA1And40BitRC2_CBC,
148 .cipher_nid = NID_rc2_40_cbc,
149 .md_nid = NID_sha1,
150 .keygen = PKCS12_PBE_keyivgen,
151 },
152 {
153 .pbe_nid = NID_pbes2,
154 .cipher_nid = -1,
155 .md_nid = -1,
156 .keygen = PKCS5_v2_PBE_keyivgen,
157 },
158 {
159 .pbe_nid = NID_pbeWithMD2AndRC2_CBC,
160 .cipher_nid = NID_rc2_64_cbc,
161 .md_nid = NID_md2,
162 .keygen = PKCS5_PBE_keyivgen,
163 },
164 {
165 .pbe_nid = NID_pbeWithMD5AndRC2_CBC,
166 .cipher_nid = NID_rc2_64_cbc,
167 .md_nid = NID_md5,
168 .keygen = PKCS5_PBE_keyivgen,
169 },
170 {
171 .pbe_nid = NID_pbeWithSHA1AndDES_CBC,
172 .cipher_nid = NID_des_cbc,
173 .md_nid = NID_sha1,
174 .keygen = PKCS5_PBE_keyivgen,
175 },
176 };
177
178 #define N_PBE_OUTER (sizeof(pbe_outer) / sizeof(pbe_outer[0]))
179
180 int
EVP_PBE_CipherInit(ASN1_OBJECT * pbe_obj,const char * pass,int passlen,ASN1_TYPE * param,EVP_CIPHER_CTX * ctx,int en_de)181 EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
182 ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
183 {
184 const struct pbe_config *cfg = NULL;
185 const EVP_CIPHER *cipher = NULL;
186 const EVP_MD *md = NULL;
187 int pbe_nid;
188 size_t i;
189
190 if ((pbe_nid = OBJ_obj2nid(pbe_obj)) == NID_undef) {
191 EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);
192 return 0;
193 }
194
195 for (i = 0; i < N_PBE_OUTER; i++) {
196 if (pbe_nid == pbe_outer[i].pbe_nid) {
197 cfg = &pbe_outer[i];
198 break;
199 }
200 }
201 if (cfg == NULL) {
202 EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);
203 ERR_asprintf_error_data("NID=%d", pbe_nid);
204 return 0;
205 }
206
207 if (pass == NULL)
208 passlen = 0;
209 if (passlen == -1)
210 passlen = strlen(pass);
211
212 if (cfg->cipher_nid != -1) {
213 if ((cipher = EVP_get_cipherbynid(cfg->cipher_nid)) == NULL) {
214 EVPerror(EVP_R_UNKNOWN_CIPHER);
215 return 0;
216 }
217 }
218 if (cfg->md_nid != -1) {
219 if ((md = EVP_get_digestbynid(cfg->md_nid)) == NULL) {
220 EVPerror(EVP_R_UNKNOWN_DIGEST);
221 return 0;
222 }
223 }
224
225 if (!cfg->keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
226 EVPerror(EVP_R_KEYGEN_FAILURE);
227 return 0;
228 }
229
230 return 1;
231 }
232
233 int
PKCS5_PBE_keyivgen(EVP_CIPHER_CTX * cctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * cipher,const EVP_MD * md,int en_de)234 PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
235 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
236 {
237 EVP_MD_CTX *md_ctx;
238 unsigned char md_tmp[EVP_MAX_MD_SIZE];
239 unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
240 int i;
241 PBEPARAM *pbe;
242 int saltlen, iter;
243 unsigned char *salt;
244 const unsigned char *pbuf;
245 int mdsize;
246 int ret = 0;
247
248 /* Extract useful info from parameter */
249 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
250 param->value.sequence == NULL) {
251 EVPerror(EVP_R_DECODE_ERROR);
252 return 0;
253 }
254
255 mdsize = EVP_MD_size(md);
256 if (mdsize < 0)
257 return 0;
258
259 pbuf = param->value.sequence->data;
260 if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
261 EVPerror(EVP_R_DECODE_ERROR);
262 return 0;
263 }
264
265 if (!pbe->iter)
266 iter = 1;
267 else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
268 EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
269 PBEPARAM_free(pbe);
270 return 0;
271 }
272 salt = pbe->salt->data;
273 saltlen = pbe->salt->length;
274
275 if (!pass)
276 passlen = 0;
277 else if (passlen == -1)
278 passlen = strlen(pass);
279
280 if ((md_ctx = EVP_MD_CTX_new()) == NULL)
281 goto err;
282
283 if (!EVP_DigestInit_ex(md_ctx, md, NULL))
284 goto err;
285 if (!EVP_DigestUpdate(md_ctx, pass, passlen))
286 goto err;
287 if (!EVP_DigestUpdate(md_ctx, salt, saltlen))
288 goto err;
289 if (!EVP_DigestFinal_ex(md_ctx, md_tmp, NULL))
290 goto err;
291 for (i = 1; i < iter; i++) {
292 if (!EVP_DigestInit_ex(md_ctx, md, NULL))
293 goto err;
294 if (!EVP_DigestUpdate(md_ctx, md_tmp, mdsize))
295 goto err;
296 if (!EVP_DigestFinal_ex(md_ctx, md_tmp, NULL))
297 goto err;
298 }
299 if ((size_t)EVP_CIPHER_key_length(cipher) > sizeof(md_tmp)) {
300 EVPerror(EVP_R_BAD_KEY_LENGTH);
301 goto err;
302 }
303 memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
304 if ((size_t)EVP_CIPHER_iv_length(cipher) > 16) {
305 EVPerror(EVP_R_IV_TOO_LARGE);
306 goto err;
307 }
308 memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
309 EVP_CIPHER_iv_length(cipher));
310 if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
311 goto err;
312 explicit_bzero(md_tmp, EVP_MAX_MD_SIZE);
313 explicit_bzero(key, EVP_MAX_KEY_LENGTH);
314 explicit_bzero(iv, EVP_MAX_IV_LENGTH);
315
316 ret = 1;
317
318 err:
319 EVP_MD_CTX_free(md_ctx);
320 PBEPARAM_free(pbe);
321
322 return ret;
323 }
324
325 /*
326 * PKCS#5 v2.0 password based encryption key derivation function PBKDF2.
327 */
328
329 int
PKCS5_PBKDF2_HMAC(const char * pass,int passlen,const unsigned char * salt,int saltlen,int iter,const EVP_MD * digest,int keylen,unsigned char * out)330 PKCS5_PBKDF2_HMAC(const char *pass, int passlen, const unsigned char *salt,
331 int saltlen, int iter, const EVP_MD *digest, int keylen, unsigned char *out)
332 {
333 unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
334 int cplen, j, k, tkeylen, mdlen;
335 unsigned long i = 1;
336 HMAC_CTX hctx_tpl, hctx;
337
338 mdlen = EVP_MD_size(digest);
339 if (mdlen < 0)
340 return 0;
341
342 HMAC_CTX_init(&hctx_tpl);
343 p = out;
344 tkeylen = keylen;
345 if (!pass)
346 passlen = 0;
347 else if (passlen == -1)
348 passlen = strlen(pass);
349 if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL)) {
350 HMAC_CTX_cleanup(&hctx_tpl);
351 return 0;
352 }
353 while (tkeylen) {
354 if (tkeylen > mdlen)
355 cplen = mdlen;
356 else
357 cplen = tkeylen;
358 /*
359 * We are unlikely to ever use more than 256 blocks (5120 bits!)
360 * but just in case...
361 */
362 itmp[0] = (unsigned char)((i >> 24) & 0xff);
363 itmp[1] = (unsigned char)((i >> 16) & 0xff);
364 itmp[2] = (unsigned char)((i >> 8) & 0xff);
365 itmp[3] = (unsigned char)(i & 0xff);
366 if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
367 HMAC_CTX_cleanup(&hctx_tpl);
368 return 0;
369 }
370 if (!HMAC_Update(&hctx, salt, saltlen) ||
371 !HMAC_Update(&hctx, itmp, 4) ||
372 !HMAC_Final(&hctx, digtmp, NULL)) {
373 HMAC_CTX_cleanup(&hctx_tpl);
374 HMAC_CTX_cleanup(&hctx);
375 return 0;
376 }
377 HMAC_CTX_cleanup(&hctx);
378 memcpy(p, digtmp, cplen);
379 for (j = 1; j < iter; j++) {
380 if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
381 HMAC_CTX_cleanup(&hctx_tpl);
382 return 0;
383 }
384 if (!HMAC_Update(&hctx, digtmp, mdlen) ||
385 !HMAC_Final(&hctx, digtmp, NULL)) {
386 HMAC_CTX_cleanup(&hctx_tpl);
387 HMAC_CTX_cleanup(&hctx);
388 return 0;
389 }
390 HMAC_CTX_cleanup(&hctx);
391 for (k = 0; k < cplen; k++)
392 p[k] ^= digtmp[k];
393 }
394 tkeylen -= cplen;
395 i++;
396 p += cplen;
397 }
398 HMAC_CTX_cleanup(&hctx_tpl);
399 return 1;
400 }
401 LCRYPTO_ALIAS(PKCS5_PBKDF2_HMAC);
402
403 int
PKCS5_PBKDF2_HMAC_SHA1(const char * pass,int passlen,const unsigned char * salt,int saltlen,int iter,int keylen,unsigned char * out)404 PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, const unsigned char *salt,
405 int saltlen, int iter, int keylen, unsigned char *out)
406 {
407 return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
408 EVP_sha1(), keylen, out);
409 }
410 LCRYPTO_ALIAS(PKCS5_PBKDF2_HMAC_SHA1);
411
412 /*
413 * Now the key derivation function itself. This is a bit evil because
414 * it has to check the ASN1 parameters are valid: and there are quite a
415 * few of them...
416 */
417
418 int
PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX * ctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * c,const EVP_MD * md,int en_de)419 PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
420 ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
421 {
422 const unsigned char *pbuf;
423 int plen;
424 PBE2PARAM *pbe2 = NULL;
425 const EVP_CIPHER *cipher;
426 int ret = 0;
427
428 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
429 param->value.sequence == NULL) {
430 EVPerror(EVP_R_DECODE_ERROR);
431 goto err;
432 }
433
434 pbuf = param->value.sequence->data;
435 plen = param->value.sequence->length;
436 if (!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
437 EVPerror(EVP_R_DECODE_ERROR);
438 goto err;
439 }
440
441 /* See if we recognise the key derivation function */
442
443 if (OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
444 EVPerror(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
445 goto err;
446 }
447
448 /* Let's see if we recognise the encryption algorithm. */
449 cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm);
450 if (!cipher) {
451 EVPerror(EVP_R_UNSUPPORTED_CIPHER);
452 goto err;
453 }
454
455 /* Fixup cipher based on AlgorithmIdentifier */
456 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
457 goto err;
458 if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
459 EVPerror(EVP_R_CIPHER_PARAMETER_ERROR);
460 goto err;
461 }
462
463 ret = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
464 pbe2->keyfunc->parameter, c, md, en_de);
465
466 err:
467 PBE2PARAM_free(pbe2);
468
469 return ret;
470 }
471
472 static int
md_nid_from_prf_nid(int nid)473 md_nid_from_prf_nid(int nid)
474 {
475 switch (nid) {
476 case NID_hmacWithMD5:
477 return NID_md5;
478 case NID_hmacWithSHA1:
479 return NID_sha1;
480 case NID_hmacWithSHA224:
481 return NID_sha224;
482 case NID_hmacWithSHA256:
483 return NID_sha256;
484 case NID_hmacWithSHA384:
485 return NID_sha384;
486 case NID_hmacWithSHA512:
487 return NID_sha512;
488 case NID_hmacWithSHA512_224:
489 return NID_sha512_224;
490 case NID_hmacWithSHA512_256:
491 return NID_sha512_256;
492 case NID_hmac_sha3_224:
493 return NID_sha3_224;
494 case NID_hmac_sha3_256:
495 return NID_sha3_256;
496 case NID_hmac_sha3_384:
497 return NID_sha3_384;
498 case NID_hmac_sha3_512:
499 return NID_sha3_512;
500 default:
501 return NID_undef;
502 }
503 }
504
505 int
PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX * ctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * c,const EVP_MD * md,int en_de)506 PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
507 ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
508 {
509 unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
510 const unsigned char *pbuf;
511 int saltlen, iter, plen;
512 unsigned int keylen = 0;
513 int prf_nid, hmac_md_nid;
514 PBKDF2PARAM *kdf = NULL;
515 const EVP_MD *prfmd;
516 int ret = 0;
517
518 if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
519 EVPerror(EVP_R_NO_CIPHER_SET);
520 return 0;
521 }
522 keylen = EVP_CIPHER_CTX_key_length(ctx);
523 if (keylen > sizeof key) {
524 EVPerror(EVP_R_BAD_KEY_LENGTH);
525 return 0;
526 }
527
528 /* Decode parameter */
529
530 if (!param || (param->type != V_ASN1_SEQUENCE)) {
531 EVPerror(EVP_R_DECODE_ERROR);
532 return 0;
533 }
534
535 pbuf = param->value.sequence->data;
536 plen = param->value.sequence->length;
537
538 if (!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
539 EVPerror(EVP_R_DECODE_ERROR);
540 return 0;
541 }
542
543 /* Now check the parameters of the kdf */
544
545 if (kdf->keylength &&
546 (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
547 EVPerror(EVP_R_UNSUPPORTED_KEYLENGTH);
548 goto err;
549 }
550
551 if (kdf->prf)
552 prf_nid = OBJ_obj2nid(kdf->prf->algorithm);
553 else
554 prf_nid = NID_hmacWithSHA1;
555
556 if ((hmac_md_nid = md_nid_from_prf_nid(prf_nid)) == NID_undef) {
557 EVPerror(EVP_R_UNSUPPORTED_PRF);
558 goto err;
559 }
560
561 prfmd = EVP_get_digestbynid(hmac_md_nid);
562 if (prfmd == NULL) {
563 EVPerror(EVP_R_UNSUPPORTED_PRF);
564 goto err;
565 }
566
567 if (kdf->salt->type != V_ASN1_OCTET_STRING) {
568 EVPerror(EVP_R_UNSUPPORTED_SALT_TYPE);
569 goto err;
570 }
571
572 /* it seems that its all OK */
573 salt = kdf->salt->value.octet_string->data;
574 saltlen = kdf->salt->value.octet_string->length;
575 if ((iter = ASN1_INTEGER_get(kdf->iter)) <= 0) {
576 EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
577 goto err;
578 }
579 if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd,
580 keylen, key))
581 goto err;
582
583 ret = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
584
585 err:
586 explicit_bzero(key, keylen);
587 PBKDF2PARAM_free(kdf);
588
589 return ret;
590 }
591
592 void
PKCS12_PBE_add(void)593 PKCS12_PBE_add(void)
594 {
595 }
596 LCRYPTO_ALIAS(PKCS12_PBE_add);
597
598 int
PKCS12_PBE_keyivgen(EVP_CIPHER_CTX * ctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * cipher,const EVP_MD * md,int en_de)599 PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
600 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
601 {
602 PBEPARAM *pbe;
603 int saltlen, iter, ret;
604 unsigned char *salt;
605 const unsigned char *pbuf;
606 unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
607
608 /* Extract useful info from parameter */
609 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
610 param->value.sequence == NULL) {
611 PKCS12error(PKCS12_R_DECODE_ERROR);
612 return 0;
613 }
614
615 pbuf = param->value.sequence->data;
616 if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
617 PKCS12error(PKCS12_R_DECODE_ERROR);
618 return 0;
619 }
620
621 if (!pbe->iter)
622 iter = 1;
623 else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
624 PKCS12error(PKCS12_R_DECODE_ERROR);
625 PBEPARAM_free(pbe);
626 return 0;
627 }
628 salt = pbe->salt->data;
629 saltlen = pbe->salt->length;
630 if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
631 iter, EVP_CIPHER_key_length(cipher), key, md)) {
632 PKCS12error(PKCS12_R_KEY_GEN_ERROR);
633 PBEPARAM_free(pbe);
634 return 0;
635 }
636 if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
637 iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
638 PKCS12error(PKCS12_R_IV_GEN_ERROR);
639 PBEPARAM_free(pbe);
640 return 0;
641 }
642 PBEPARAM_free(pbe);
643 ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
644 explicit_bzero(key, EVP_MAX_KEY_LENGTH);
645 explicit_bzero(iv, EVP_MAX_IV_LENGTH);
646 return ret;
647 }
648