1 /* 2 * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/asn1t.h> 13 #include <openssl/x509.h> 14 #include <openssl/rand.h> 15 16 /* PKCS#5 v2.0 password based encryption structures */ 17 18 ASN1_SEQUENCE(PBE2PARAM) = { 19 ASN1_SIMPLE(PBE2PARAM, keyfunc, X509_ALGOR), 20 ASN1_SIMPLE(PBE2PARAM, encryption, X509_ALGOR) 21 } ASN1_SEQUENCE_END(PBE2PARAM) 22 23 IMPLEMENT_ASN1_FUNCTIONS(PBE2PARAM) 24 25 ASN1_SEQUENCE(PBKDF2PARAM) = { 26 ASN1_SIMPLE(PBKDF2PARAM, salt, ASN1_ANY), 27 ASN1_SIMPLE(PBKDF2PARAM, iter, ASN1_INTEGER), 28 ASN1_OPT(PBKDF2PARAM, keylength, ASN1_INTEGER), 29 ASN1_OPT(PBKDF2PARAM, prf, X509_ALGOR) 30 } ASN1_SEQUENCE_END(PBKDF2PARAM) 31 32 IMPLEMENT_ASN1_FUNCTIONS(PBKDF2PARAM) 33 34 /* 35 * Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm: yes I know 36 * this is horrible! Extended version to allow application supplied PRF NID 37 * and IV. 38 */ 39 40 X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, 41 unsigned char *salt, int saltlen, 42 unsigned char *aiv, int prf_nid) 43 { 44 X509_ALGOR *scheme = NULL, *ret = NULL; 45 int alg_nid, keylen; 46 EVP_CIPHER_CTX *ctx = NULL; 47 unsigned char iv[EVP_MAX_IV_LENGTH]; 48 PBE2PARAM *pbe2 = NULL; 49 50 alg_nid = EVP_CIPHER_type(cipher); 51 if (alg_nid == NID_undef) { 52 ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, 53 ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER); 54 goto err; 55 } 56 57 if ((pbe2 = PBE2PARAM_new()) == NULL) 58 goto merr; 59 60 /* Setup the AlgorithmIdentifier for the encryption scheme */ 61 scheme = pbe2->encryption; 62 scheme->algorithm = OBJ_nid2obj(alg_nid); 63 if ((scheme->parameter = ASN1_TYPE_new()) == NULL) 64 goto merr; 65 66 /* Create random IV */ 67 if (EVP_CIPHER_iv_length(cipher)) { 68 if (aiv) 69 memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); 70 else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) 71 goto err; 72 } 73 74 ctx = EVP_CIPHER_CTX_new(); 75 if (ctx == NULL) 76 goto merr; 77 78 /* Dummy cipherinit to just setup the IV, and PRF */ 79 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0)) 80 goto err; 81 if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) { 82 ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ASN1_R_ERROR_SETTING_CIPHER_PARAMS); 83 goto err; 84 } 85 /* 86 * If prf NID unspecified see if cipher has a preference. An error is OK 87 * here: just means use default PRF. 88 */ 89 if ((prf_nid == -1) && 90 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) { 91 ERR_clear_error(); 92 prf_nid = NID_hmacWithSHA256; 93 } 94 EVP_CIPHER_CTX_free(ctx); 95 ctx = NULL; 96 97 /* If its RC2 then we'd better setup the key length */ 98 99 if (alg_nid == NID_rc2_cbc) 100 keylen = EVP_CIPHER_key_length(cipher); 101 else 102 keylen = -1; 103 104 /* Setup keyfunc */ 105 106 X509_ALGOR_free(pbe2->keyfunc); 107 108 pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen); 109 110 if (!pbe2->keyfunc) 111 goto merr; 112 113 /* Now set up top level AlgorithmIdentifier */ 114 115 if ((ret = X509_ALGOR_new()) == NULL) 116 goto merr; 117 118 ret->algorithm = OBJ_nid2obj(NID_pbes2); 119 120 /* Encode PBE2PARAM into parameter */ 121 122 if (!ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBE2PARAM), pbe2, 123 &ret->parameter)) 124 goto merr; 125 126 PBE2PARAM_free(pbe2); 127 pbe2 = NULL; 128 129 return ret; 130 131 merr: 132 ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ERR_R_MALLOC_FAILURE); 133 134 err: 135 EVP_CIPHER_CTX_free(ctx); 136 PBE2PARAM_free(pbe2); 137 /* Note 'scheme' is freed as part of pbe2 */ 138 X509_ALGOR_free(ret); 139 140 return NULL; 141 } 142 143 X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, 144 unsigned char *salt, int saltlen) 145 { 146 return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1); 147 } 148 149 X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, 150 int prf_nid, int keylen) 151 { 152 X509_ALGOR *keyfunc = NULL; 153 PBKDF2PARAM *kdf = NULL; 154 ASN1_OCTET_STRING *osalt = NULL; 155 156 if ((kdf = PBKDF2PARAM_new()) == NULL) 157 goto merr; 158 if ((osalt = ASN1_OCTET_STRING_new()) == NULL) 159 goto merr; 160 161 kdf->salt->value.octet_string = osalt; 162 kdf->salt->type = V_ASN1_OCTET_STRING; 163 164 if (saltlen == 0) 165 saltlen = PKCS5_SALT_LEN; 166 if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL) 167 goto merr; 168 169 osalt->length = saltlen; 170 171 if (salt) 172 memcpy(osalt->data, salt, saltlen); 173 else if (RAND_bytes(osalt->data, saltlen) <= 0) 174 goto merr; 175 176 if (iter <= 0) 177 iter = PKCS5_DEFAULT_ITER; 178 179 if (!ASN1_INTEGER_set(kdf->iter, iter)) 180 goto merr; 181 182 /* If have a key len set it up */ 183 184 if (keylen > 0) { 185 if ((kdf->keylength = ASN1_INTEGER_new()) == NULL) 186 goto merr; 187 if (!ASN1_INTEGER_set(kdf->keylength, keylen)) 188 goto merr; 189 } 190 191 /* prf can stay NULL if we are using hmacWithSHA1 */ 192 if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1) { 193 kdf->prf = X509_ALGOR_new(); 194 if (kdf->prf == NULL) 195 goto merr; 196 X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid), V_ASN1_NULL, NULL); 197 } 198 199 /* Finally setup the keyfunc structure */ 200 201 keyfunc = X509_ALGOR_new(); 202 if (keyfunc == NULL) 203 goto merr; 204 205 keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2); 206 207 /* Encode PBKDF2PARAM into parameter of pbe2 */ 208 209 if (!ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBKDF2PARAM), kdf, 210 &keyfunc->parameter)) 211 goto merr; 212 213 PBKDF2PARAM_free(kdf); 214 return keyfunc; 215 216 merr: 217 ASN1err(ASN1_F_PKCS5_PBKDF2_SET, ERR_R_MALLOC_FAILURE); 218 PBKDF2PARAM_free(kdf); 219 X509_ALGOR_free(keyfunc); 220 return NULL; 221 } 222