1 /*
2 * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include "internal/cryptlib.h"
13 #include <openssl/x509.h>
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include <openssl/hmac.h>
17 #include <openssl/trace.h>
18 #include <openssl/core_names.h>
19 #include "crypto/evp.h"
20 #include "evp_local.h"
21
ossl_pkcs5_pbkdf2_hmac_ex(const char * pass,int passlen,const unsigned char * salt,int saltlen,int iter,const EVP_MD * digest,int keylen,unsigned char * out,OSSL_LIB_CTX * libctx,const char * propq)22 int ossl_pkcs5_pbkdf2_hmac_ex(const char *pass, int passlen,
23 const unsigned char *salt, int saltlen, int iter,
24 const EVP_MD *digest, int keylen, unsigned char *out,
25 OSSL_LIB_CTX *libctx, const char *propq)
26 {
27 const char *empty = "";
28 int rv = 1, mode = 1;
29 EVP_KDF *kdf;
30 EVP_KDF_CTX *kctx;
31 const char *mdname = EVP_MD_get0_name(digest);
32 OSSL_PARAM params[6], *p = params;
33
34 /* Keep documented behaviour. */
35 if (pass == NULL) {
36 pass = empty;
37 passlen = 0;
38 } else if (passlen == -1) {
39 passlen = strlen(pass);
40 }
41 if (salt == NULL && saltlen == 0)
42 salt = (unsigned char *)empty;
43
44 kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, propq);
45 kctx = EVP_KDF_CTX_new(kdf);
46 EVP_KDF_free(kdf);
47 if (kctx == NULL)
48 return 0;
49 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
50 (char *)pass, (size_t)passlen);
51 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
52 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
53 (unsigned char *)salt, saltlen);
54 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_ITER, &iter);
55 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
56 (char *)mdname, 0);
57 *p = OSSL_PARAM_construct_end();
58 if (EVP_KDF_derive(kctx, out, keylen, params) != 1)
59 rv = 0;
60
61 EVP_KDF_CTX_free(kctx);
62
63 OSSL_TRACE_BEGIN(PKCS5V2) {
64 BIO_printf(trc_out, "Password:\n");
65 BIO_hex_string(trc_out,
66 0, passlen, pass, passlen);
67 BIO_printf(trc_out, "\n");
68 BIO_printf(trc_out, "Salt:\n");
69 BIO_hex_string(trc_out,
70 0, saltlen, salt, saltlen);
71 BIO_printf(trc_out, "\n");
72 BIO_printf(trc_out, "Iteration count %d\n", iter);
73 BIO_printf(trc_out, "Key:\n");
74 BIO_hex_string(trc_out,
75 0, keylen, out, keylen);
76 BIO_printf(trc_out, "\n");
77 } OSSL_TRACE_END(PKCS5V2);
78 return rv;
79 }
80
PKCS5_PBKDF2_HMAC(const char * pass,int passlen,const unsigned char * salt,int saltlen,int iter,const EVP_MD * digest,int keylen,unsigned char * out)81 int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, const unsigned char *salt,
82 int saltlen, int iter, const EVP_MD *digest, int keylen,
83 unsigned char *out)
84 {
85 return ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter, digest,
86 keylen, out, NULL, NULL);
87 }
88
89
PKCS5_PBKDF2_HMAC_SHA1(const char * pass,int passlen,const unsigned char * salt,int saltlen,int iter,int keylen,unsigned char * out)90 int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
91 const unsigned char *salt, int saltlen, int iter,
92 int keylen, unsigned char *out)
93 {
94 EVP_MD *digest;
95 int r = 0;
96
97 if ((digest = EVP_MD_fetch(NULL, SN_sha1, NULL)) != NULL)
98 r = ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter,
99 digest, keylen, out, NULL, NULL);
100 EVP_MD_free(digest);
101 return r;
102 }
103
104 /*
105 * Now the key derivation function itself. This is a bit evil because it has
106 * to check the ASN1 parameters are valid: and there are quite a few of
107 * them...
108 */
109
PKCS5_v2_PBE_keyivgen_ex(EVP_CIPHER_CTX * ctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * c,const EVP_MD * md,int en_de,OSSL_LIB_CTX * libctx,const char * propq)110 int PKCS5_v2_PBE_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
111 ASN1_TYPE *param, const EVP_CIPHER *c,
112 const EVP_MD *md, int en_de,
113 OSSL_LIB_CTX *libctx, const char *propq)
114 {
115 PBE2PARAM *pbe2 = NULL;
116 char ciph_name[80];
117 const EVP_CIPHER *cipher = NULL;
118 EVP_CIPHER *cipher_fetch = NULL;
119 EVP_PBE_KEYGEN_EX *kdf;
120
121 int rv = 0;
122
123 pbe2 = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBE2PARAM), param);
124 if (pbe2 == NULL) {
125 ERR_raise(ERR_LIB_EVP, EVP_R_DECODE_ERROR);
126 goto err;
127 }
128
129 /* See if we recognise the key derivation function */
130 if (!EVP_PBE_find_ex(EVP_PBE_TYPE_KDF, OBJ_obj2nid(pbe2->keyfunc->algorithm),
131 NULL, NULL, NULL, &kdf)) {
132 ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
133 goto err;
134 }
135
136 /*
137 * lets see if we recognise the encryption algorithm.
138 */
139 if (OBJ_obj2txt(ciph_name, sizeof(ciph_name), pbe2->encryption->algorithm, 0) <= 0) {
140 ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_CIPHER);
141 goto err;
142 }
143
144 (void)ERR_set_mark();
145 cipher = cipher_fetch = EVP_CIPHER_fetch(libctx, ciph_name, propq);
146 /* Fallback to legacy method */
147 if (cipher == NULL)
148 cipher = EVP_get_cipherbyname(ciph_name);
149
150 if (cipher == NULL) {
151 (void)ERR_clear_last_mark();
152 ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_CIPHER);
153 goto err;
154 }
155 (void)ERR_pop_to_mark();
156
157 /* Fixup cipher based on AlgorithmIdentifier */
158 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
159 goto err;
160 if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
161 ERR_raise(ERR_LIB_EVP, EVP_R_CIPHER_PARAMETER_ERROR);
162 goto err;
163 }
164 rv = kdf(ctx, pass, passlen, pbe2->keyfunc->parameter, NULL, NULL, en_de, libctx, propq);
165 err:
166 EVP_CIPHER_free(cipher_fetch);
167 PBE2PARAM_free(pbe2);
168 return rv;
169 }
170
PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX * ctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * c,const EVP_MD * md,int en_de)171 int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
172 ASN1_TYPE *param, const EVP_CIPHER *c,
173 const EVP_MD *md, int en_de)
174 {
175 return PKCS5_v2_PBE_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de, NULL, NULL);
176 }
177
PKCS5_v2_PBKDF2_keyivgen_ex(EVP_CIPHER_CTX * ctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * c,const EVP_MD * md,int en_de,OSSL_LIB_CTX * libctx,const char * propq)178 int PKCS5_v2_PBKDF2_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass,
179 int passlen, ASN1_TYPE *param,
180 const EVP_CIPHER *c, const EVP_MD *md, int en_de,
181 OSSL_LIB_CTX *libctx, const char *propq)
182 {
183 unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
184 int saltlen, iter, t;
185 int rv = 0;
186 unsigned int keylen = 0;
187 int prf_nid, hmac_md_nid;
188 PBKDF2PARAM *kdf = NULL;
189 const EVP_MD *prfmd = NULL;
190 EVP_MD *prfmd_fetch = NULL;
191
192 if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) {
193 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
194 goto err;
195 }
196 keylen = EVP_CIPHER_CTX_get_key_length(ctx);
197 OPENSSL_assert(keylen <= sizeof(key));
198
199 /* Decode parameter */
200
201 kdf = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBKDF2PARAM), param);
202
203 if (kdf == NULL) {
204 ERR_raise(ERR_LIB_EVP, EVP_R_DECODE_ERROR);
205 goto err;
206 }
207
208 t = EVP_CIPHER_CTX_get_key_length(ctx);
209 if (t < 0) {
210 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
211 goto err;
212 }
213 keylen = t;
214
215 /* Now check the parameters of the kdf */
216
217 if (kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)) {
218 ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEYLENGTH);
219 goto err;
220 }
221
222 if (kdf->prf)
223 prf_nid = OBJ_obj2nid(kdf->prf->algorithm);
224 else
225 prf_nid = NID_hmacWithSHA1;
226
227 if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, 0)) {
228 ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_PRF);
229 goto err;
230 }
231
232 prfmd = prfmd_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(hmac_md_nid), propq);
233 if (prfmd == NULL)
234 prfmd = EVP_get_digestbynid(hmac_md_nid);
235 if (prfmd == NULL) {
236 ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_PRF);
237 goto err;
238 }
239
240 if (kdf->salt->type != V_ASN1_OCTET_STRING) {
241 ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_SALT_TYPE);
242 goto err;
243 }
244
245 /* it seems that its all OK */
246 salt = kdf->salt->value.octet_string->data;
247 saltlen = kdf->salt->value.octet_string->length;
248 iter = ASN1_INTEGER_get(kdf->iter);
249 if (!ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter, prfmd,
250 keylen, key, libctx, propq))
251 goto err;
252 rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
253 err:
254 OPENSSL_cleanse(key, keylen);
255 PBKDF2PARAM_free(kdf);
256 EVP_MD_free(prfmd_fetch);
257 return rv;
258 }
259
PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX * ctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * c,const EVP_MD * md,int en_de)260 int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
261 int passlen, ASN1_TYPE *param,
262 const EVP_CIPHER *c, const EVP_MD *md, int en_de)
263 {
264 return PKCS5_v2_PBKDF2_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de,
265 NULL, NULL);
266 }
267