1 /* $OpenBSD: p5_pbev2.c,v 1.27 2021/12/25 13:17:48 jsing Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 1999-2004.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62 
63 #include <openssl/asn1t.h>
64 #include <openssl/err.h>
65 #include <openssl/x509.h>
66 
67 #include "evp_locl.h"
68 
69 /* PKCS#5 v2.0 password based encryption structures */
70 
71 static const ASN1_TEMPLATE PBE2PARAM_seq_tt[] = {
72 	{
73 		.offset = offsetof(PBE2PARAM, keyfunc),
74 		.field_name = "keyfunc",
75 		.item = &X509_ALGOR_it,
76 	},
77 	{
78 		.offset = offsetof(PBE2PARAM, encryption),
79 		.field_name = "encryption",
80 		.item = &X509_ALGOR_it,
81 	},
82 };
83 
84 const ASN1_ITEM PBE2PARAM_it = {
85 	.itype = ASN1_ITYPE_SEQUENCE,
86 	.utype = V_ASN1_SEQUENCE,
87 	.templates = PBE2PARAM_seq_tt,
88 	.tcount = sizeof(PBE2PARAM_seq_tt) / sizeof(ASN1_TEMPLATE),
89 	.size = sizeof(PBE2PARAM),
90 	.sname = "PBE2PARAM",
91 };
92 
93 
94 PBE2PARAM *
95 d2i_PBE2PARAM(PBE2PARAM **a, const unsigned char **in, long len)
96 {
97 	return (PBE2PARAM *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
98 	    &PBE2PARAM_it);
99 }
100 
101 int
102 i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **out)
103 {
104 	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PBE2PARAM_it);
105 }
106 
107 PBE2PARAM *
108 PBE2PARAM_new(void)
109 {
110 	return (PBE2PARAM *)ASN1_item_new(&PBE2PARAM_it);
111 }
112 
113 void
114 PBE2PARAM_free(PBE2PARAM *a)
115 {
116 	ASN1_item_free((ASN1_VALUE *)a, &PBE2PARAM_it);
117 }
118 
119 static const ASN1_TEMPLATE PBKDF2PARAM_seq_tt[] = {
120 	{
121 		.offset = offsetof(PBKDF2PARAM, salt),
122 		.field_name = "salt",
123 		.item = &ASN1_ANY_it,
124 	},
125 	{
126 		.offset = offsetof(PBKDF2PARAM, iter),
127 		.field_name = "iter",
128 		.item = &ASN1_INTEGER_it,
129 	},
130 	{
131 		.flags = ASN1_TFLG_OPTIONAL,
132 		.offset = offsetof(PBKDF2PARAM, keylength),
133 		.field_name = "keylength",
134 		.item = &ASN1_INTEGER_it,
135 	},
136 	{
137 		.flags = ASN1_TFLG_OPTIONAL,
138 		.offset = offsetof(PBKDF2PARAM, prf),
139 		.field_name = "prf",
140 		.item = &X509_ALGOR_it,
141 	},
142 };
143 
144 const ASN1_ITEM PBKDF2PARAM_it = {
145 	.itype = ASN1_ITYPE_SEQUENCE,
146 	.utype = V_ASN1_SEQUENCE,
147 	.templates = PBKDF2PARAM_seq_tt,
148 	.tcount = sizeof(PBKDF2PARAM_seq_tt) / sizeof(ASN1_TEMPLATE),
149 	.size = sizeof(PBKDF2PARAM),
150 	.sname = "PBKDF2PARAM",
151 };
152 
153 
154 PBKDF2PARAM *
155 d2i_PBKDF2PARAM(PBKDF2PARAM **a, const unsigned char **in, long len)
156 {
157 	return (PBKDF2PARAM *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
158 	    &PBKDF2PARAM_it);
159 }
160 
161 int
162 i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **out)
163 {
164 	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PBKDF2PARAM_it);
165 }
166 
167 PBKDF2PARAM *
168 PBKDF2PARAM_new(void)
169 {
170 	return (PBKDF2PARAM *)ASN1_item_new(&PBKDF2PARAM_it);
171 }
172 
173 void
174 PBKDF2PARAM_free(PBKDF2PARAM *a)
175 {
176 	ASN1_item_free((ASN1_VALUE *)a, &PBKDF2PARAM_it);
177 }
178 
179 /* Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm:
180  * yes I know this is horrible!
181  *
182  * Extended version to allow application supplied PRF NID and IV.
183  */
184 
185 X509_ALGOR *
186 PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
187     int saltlen, unsigned char *aiv, int prf_nid)
188 {
189 	X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
190 	int alg_nid, keylen;
191 	EVP_CIPHER_CTX ctx;
192 	unsigned char iv[EVP_MAX_IV_LENGTH];
193 	PBE2PARAM *pbe2 = NULL;
194 	ASN1_OBJECT *obj;
195 
196 	alg_nid = EVP_CIPHER_type(cipher);
197 	if (alg_nid == NID_undef) {
198 		ASN1error(ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
199 		goto err;
200 	}
201 	obj = OBJ_nid2obj(alg_nid);
202 
203 	if (!(pbe2 = PBE2PARAM_new()))
204 		goto merr;
205 
206 	/* Setup the AlgorithmIdentifier for the encryption scheme */
207 	scheme = pbe2->encryption;
208 
209 	scheme->algorithm = obj;
210 	if (!(scheme->parameter = ASN1_TYPE_new()))
211 		goto merr;
212 
213 	/* Create random IV */
214 	if (EVP_CIPHER_iv_length(cipher)) {
215 		if (aiv)
216 			memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
217 		else
218 			arc4random_buf(iv, EVP_CIPHER_iv_length(cipher));
219 	}
220 
221 	EVP_CIPHER_CTX_init(&ctx);
222 
223 	/* Dummy cipherinit to just setup the IV, and PRF */
224 	if (!EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0))
225 		goto err;
226 	if (EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
227 		ASN1error(ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
228 		EVP_CIPHER_CTX_cleanup(&ctx);
229 		goto err;
230 	}
231 	/* If prf NID unspecified see if cipher has a preference.
232 	 * An error is OK here: just means use default PRF.
233 	 */
234 	if ((prf_nid == -1) &&
235 	    EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
236 		ERR_clear_error();
237 		prf_nid = NID_hmacWithSHA1;
238 	}
239 	EVP_CIPHER_CTX_cleanup(&ctx);
240 
241 	/* If its RC2 then we'd better setup the key length */
242 
243 	if (alg_nid == NID_rc2_cbc)
244 		keylen = EVP_CIPHER_key_length(cipher);
245 	else
246 		keylen = -1;
247 
248 	/* Setup keyfunc */
249 
250 	X509_ALGOR_free(pbe2->keyfunc);
251 
252 	pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen);
253 
254 	if (!pbe2->keyfunc)
255 		goto merr;
256 
257 	/* Now set up top level AlgorithmIdentifier */
258 
259 	if (!(ret = X509_ALGOR_new()))
260 		goto merr;
261 	if (!(ret->parameter = ASN1_TYPE_new()))
262 		goto merr;
263 
264 	ret->algorithm = OBJ_nid2obj(NID_pbes2);
265 
266 	/* Encode PBE2PARAM into parameter */
267 
268 	if (!ASN1_item_pack(pbe2, &PBE2PARAM_it,
269 		&ret->parameter->value.sequence)) goto merr;
270 	ret->parameter->type = V_ASN1_SEQUENCE;
271 
272 	PBE2PARAM_free(pbe2);
273 	pbe2 = NULL;
274 
275 	return ret;
276 
277  merr:
278 	ASN1error(ERR_R_MALLOC_FAILURE);
279 
280  err:
281 	PBE2PARAM_free(pbe2);
282 	/* Note 'scheme' is freed as part of pbe2 */
283 	X509_ALGOR_free(kalg);
284 	X509_ALGOR_free(ret);
285 
286 	return NULL;
287 }
288 
289 X509_ALGOR *
290 PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
291     int saltlen)
292 {
293 	return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1);
294 }
295 
296 X509_ALGOR *
297 PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid,
298     int keylen)
299 {
300 	X509_ALGOR *keyfunc = NULL;
301 	PBKDF2PARAM *kdf = NULL;
302 	ASN1_OCTET_STRING *osalt = NULL;
303 
304 	if (!(kdf = PBKDF2PARAM_new()))
305 		goto merr;
306 	if (!(osalt = ASN1_OCTET_STRING_new()))
307 		goto merr;
308 
309 	kdf->salt->value.octet_string = osalt;
310 	kdf->salt->type = V_ASN1_OCTET_STRING;
311 
312 	if (!saltlen)
313 		saltlen = PKCS5_SALT_LEN;
314 	if (!(osalt->data = malloc (saltlen)))
315 		goto merr;
316 
317 	osalt->length = saltlen;
318 
319 	if (salt)
320 		memcpy (osalt->data, salt, saltlen);
321 	else
322 		arc4random_buf(osalt->data, saltlen);
323 
324 	if (iter <= 0)
325 		iter = PKCS5_DEFAULT_ITER;
326 
327 	if (!ASN1_INTEGER_set(kdf->iter, iter))
328 		goto merr;
329 
330 	/* If have a key len set it up */
331 
332 	if (keylen > 0) {
333 		if (!(kdf->keylength = ASN1_INTEGER_new()))
334 			goto merr;
335 		if (!ASN1_INTEGER_set(kdf->keylength, keylen))
336 			goto merr;
337 	}
338 
339 	/* prf can stay NULL if we are using hmacWithSHA1 */
340 	if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1) {
341 		kdf->prf = X509_ALGOR_new();
342 		if (!kdf->prf)
343 			goto merr;
344 		X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
345 		V_ASN1_NULL, NULL);
346 	}
347 
348 	/* Finally setup the keyfunc structure */
349 
350 	keyfunc = X509_ALGOR_new();
351 	if (!keyfunc)
352 		goto merr;
353 
354 	keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
355 
356 	/* Encode PBKDF2PARAM into parameter of pbe2 */
357 
358 	if (!(keyfunc->parameter = ASN1_TYPE_new()))
359 		goto merr;
360 
361 	if (!ASN1_item_pack(kdf, &PBKDF2PARAM_it,
362 		&keyfunc->parameter->value.sequence))
363 		goto merr;
364 	keyfunc->parameter->type = V_ASN1_SEQUENCE;
365 
366 	PBKDF2PARAM_free(kdf);
367 	return keyfunc;
368 
369  merr:
370 	ASN1error(ERR_R_MALLOC_FAILURE);
371 	PBKDF2PARAM_free(kdf);
372 	X509_ALGOR_free(keyfunc);
373 	return NULL;
374 }
375