1 | /*- |
2 | * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. |
3 | * Copyright Nokia 2007-2019 |
4 | * Copyright Siemens AG 2015-2019 |
5 | * |
6 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7 | * this file except in compliance with the License. You can obtain a copy |
8 | * in the file LICENSE in the source distribution or at |
9 | * https://www.openssl.org/source/license.html |
10 | * |
11 | * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. |
12 | */ |
13 | |
14 | |
15 | #include <string.h> |
16 | |
17 | #include <openssl/rand.h> |
18 | #include <openssl/evp.h> |
19 | |
20 | #include "crmf_local.h" |
21 | |
22 | /* explicit #includes not strictly needed since implied by the above: */ |
23 | #include <openssl/asn1t.h> |
24 | #include <openssl/crmf.h> |
25 | #include <openssl/err.h> |
26 | #include <openssl/evp.h> |
27 | #include <openssl/params.h> |
28 | #include <openssl/core_names.h> |
29 | |
30 | /*- |
31 | * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4) |
32 | * |slen| SHOULD be > 8 (16 is common) |
33 | * |owfnid| e.g., NID_sha256 |
34 | * |itercnt| MUST be > 100 (500 is common) |
35 | * |macnid| e.g., NID_hmac_sha1 |
36 | * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error |
37 | */ |
38 | OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid, |
39 | int itercnt, int macnid) |
40 | { |
41 | OSSL_CRMF_PBMPARAMETER *pbm = NULL; |
42 | unsigned char *salt = NULL; |
43 | |
44 | if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) |
45 | goto err; |
46 | |
47 | /* |
48 | * salt contains a randomly generated value used in computing the key |
49 | * of the MAC process. The salt SHOULD be at least 8 octets (64 |
50 | * bits) long. |
51 | */ |
52 | if ((salt = OPENSSL_malloc(slen)) == NULL) |
53 | goto err; |
54 | if (RAND_bytes(salt, (int)slen) <= 0) { |
55 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM); |
56 | goto err; |
57 | } |
58 | if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen)) |
59 | goto err; |
60 | |
61 | /* |
62 | * owf identifies the hash algorithm and associated parameters used to |
63 | * compute the key used in the MAC process. All implementations MUST |
64 | * support SHA-1. |
65 | */ |
66 | if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) { |
67 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_OWF_ALGOR_FAILURE); |
68 | goto err; |
69 | } |
70 | |
71 | /* |
72 | * iterationCount identifies the number of times the hash is applied |
73 | * during the key computation process. The iterationCount MUST be a |
74 | * minimum of 100. Many people suggest using values as high as 1000 |
75 | * iterations as the minimum value. The trade off here is between |
76 | * protection of the password from attacks and the time spent by the |
77 | * server processing all of the different iterations in deriving |
78 | * passwords. Hashing is generally considered a cheap operation but |
79 | * this may not be true with all hash functions in the future. |
80 | */ |
81 | if (itercnt < 100) { |
82 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100); |
83 | goto err; |
84 | } |
85 | |
86 | if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) { |
87 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR); |
88 | goto err; |
89 | } |
90 | |
91 | /* |
92 | * mac identifies the algorithm and associated parameters of the MAC |
93 | * function to be used. All implementations MUST support HMAC-SHA1 [HMAC]. |
94 | * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11]. |
95 | */ |
96 | if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) { |
97 | CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_MAC_ALGOR_FAILURE); |
98 | goto err; |
99 | } |
100 | |
101 | OPENSSL_free(salt); |
102 | return pbm; |
103 | err: |
104 | OPENSSL_free(salt); |
105 | OSSL_CRMF_PBMPARAMETER_free(pbm); |
106 | return NULL; |
107 | } |
108 | |
109 | /*- |
110 | * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER |
111 | * |pbmp| identifies the algorithms, salt to use |
112 | * |msg| message to apply the PBM for |
113 | * |msglen| length of the message |
114 | * |sec| key to use |
115 | * |seclen| length of the key |
116 | * |mac| pointer to the computed mac, will be set on success |
117 | * |maclen| if not NULL, will set variable to the length of the mac on success |
118 | * returns 1 on success, 0 on error |
119 | */ |
120 | int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp, |
121 | const unsigned char *msg, size_t msglen, |
122 | const unsigned char *sec, size_t seclen, |
123 | unsigned char **out, size_t *outlen) |
124 | { |
125 | int mac_nid, hmac_md_nid = NID_undef; |
126 | const char *mdname = NULL; |
127 | const EVP_MD *m = NULL; |
128 | EVP_MD_CTX *ctx = NULL; |
129 | unsigned char basekey[EVP_MAX_MD_SIZE]; |
130 | unsigned int bklen = EVP_MAX_MD_SIZE; |
131 | int64_t iterations; |
132 | unsigned char *mac_res = 0; |
133 | int ok = 0; |
134 | EVP_MAC *mac = NULL; |
135 | EVP_MAC_CTX *mctx = NULL; |
136 | OSSL_PARAM macparams[3] = {OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END}; |
137 | |
138 | if (out == NULL || pbmp == NULL || pbmp->mac == NULL |
139 | || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) { |
140 | CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT); |
141 | goto err; |
142 | } |
143 | if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) |
144 | goto err; |
145 | |
146 | /* |
147 | * owf identifies the hash algorithm and associated parameters used to |
148 | * compute the key used in the MAC process. All implementations MUST |
149 | * support SHA-1. |
150 | */ |
151 | if ((m = EVP_get_digestbyobj(pbmp->owf->algorithm)) == NULL) { |
152 | CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM); |
153 | goto err; |
154 | } |
155 | |
156 | if ((ctx = EVP_MD_CTX_new()) == NULL) |
157 | goto err; |
158 | |
159 | /* compute the basekey of the salted secret */ |
160 | if (!EVP_DigestInit_ex(ctx, m, NULL)) |
161 | goto err; |
162 | /* first the secret */ |
163 | if (!EVP_DigestUpdate(ctx, sec, seclen)) |
164 | goto err; |
165 | /* then the salt */ |
166 | if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length)) |
167 | goto err; |
168 | if (!EVP_DigestFinal_ex(ctx, basekey, &bklen)) |
169 | goto err; |
170 | if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount) |
171 | || iterations < 100 /* min from RFC */ |
172 | || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) { |
173 | CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT); |
174 | goto err; |
175 | } |
176 | |
177 | /* the first iteration was already done above */ |
178 | while (--iterations > 0) { |
179 | if (!EVP_DigestInit_ex(ctx, m, NULL)) |
180 | goto err; |
181 | if (!EVP_DigestUpdate(ctx, basekey, bklen)) |
182 | goto err; |
183 | if (!EVP_DigestFinal_ex(ctx, basekey, &bklen)) |
184 | goto err; |
185 | } |
186 | |
187 | /* |
188 | * mac identifies the algorithm and associated parameters of the MAC |
189 | * function to be used. All implementations MUST support HMAC-SHA1 [HMAC]. |
190 | * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11]. |
191 | */ |
192 | mac_nid = OBJ_obj2nid(pbmp->mac->algorithm); |
193 | |
194 | if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL) |
195 | || (mdname = OBJ_nid2sn(hmac_md_nid)) == NULL) { |
196 | CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM); |
197 | goto err; |
198 | } |
199 | |
200 | macparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, |
201 | (char *)mdname, 0); |
202 | macparams[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
203 | basekey, bklen); |
204 | if ((mac = EVP_MAC_fetch(NULL, "HMAC" , NULL)) == NULL |
205 | || (mctx = EVP_MAC_CTX_new(mac)) == NULL |
206 | || !EVP_MAC_CTX_set_params(mctx, macparams) |
207 | || !EVP_MAC_init(mctx) |
208 | || !EVP_MAC_update(mctx, msg, msglen) |
209 | || !EVP_MAC_final(mctx, mac_res, outlen, EVP_MAX_MD_SIZE)) |
210 | goto err; |
211 | |
212 | ok = 1; |
213 | |
214 | err: |
215 | /* cleanup */ |
216 | OPENSSL_cleanse(basekey, bklen); |
217 | EVP_MAC_CTX_free(mctx); |
218 | EVP_MAC_free(mac); |
219 | EVP_MD_CTX_free(ctx); |
220 | |
221 | if (ok == 1) { |
222 | *out = mac_res; |
223 | return 1; |
224 | } |
225 | |
226 | OPENSSL_free(mac_res); |
227 | |
228 | if (pbmp != NULL && pbmp->mac != NULL) { |
229 | char buf[128]; |
230 | |
231 | if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0)) |
232 | ERR_add_error_data(1, buf); |
233 | } |
234 | return 0; |
235 | } |
236 | |