p5_crpt2.c 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265
  1. /*
  2. * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include "internal/cryptlib.h"
  12. # include <openssl/x509.h>
  13. # include <openssl/evp.h>
  14. # include <openssl/hmac.h>
  15. # include "evp_local.h"
  16. /* set this to print out info about the keygen algorithm */
  17. /* #define OPENSSL_DEBUG_PKCS5V2 */
  18. # ifdef OPENSSL_DEBUG_PKCS5V2
  19. static void h__dump(const unsigned char *p, int len);
  20. # endif
  21. /*
  22. * This is an implementation of PKCS#5 v2.0 password based encryption key
  23. * derivation function PBKDF2. SHA1 version verified against test vectors
  24. * posted by Peter Gutmann to the PKCS-TNG mailing list.
  25. */
  26. int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
  27. const unsigned char *salt, int saltlen, int iter,
  28. const EVP_MD *digest, int keylen, unsigned char *out)
  29. {
  30. const char *empty = "";
  31. unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
  32. int cplen, j, k, tkeylen, mdlen;
  33. unsigned long i = 1;
  34. HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
  35. mdlen = EVP_MD_size(digest);
  36. if (mdlen < 0)
  37. return 0;
  38. hctx_tpl = HMAC_CTX_new();
  39. if (hctx_tpl == NULL)
  40. return 0;
  41. p = out;
  42. tkeylen = keylen;
  43. if (pass == NULL) {
  44. pass = empty;
  45. passlen = 0;
  46. } else if (passlen == -1) {
  47. passlen = strlen(pass);
  48. }
  49. if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) {
  50. HMAC_CTX_free(hctx_tpl);
  51. return 0;
  52. }
  53. hctx = HMAC_CTX_new();
  54. if (hctx == NULL) {
  55. HMAC_CTX_free(hctx_tpl);
  56. return 0;
  57. }
  58. while (tkeylen) {
  59. if (tkeylen > mdlen)
  60. cplen = mdlen;
  61. else
  62. cplen = tkeylen;
  63. /*
  64. * We are unlikely to ever use more than 256 blocks (5120 bits!) but
  65. * just in case...
  66. */
  67. itmp[0] = (unsigned char)((i >> 24) & 0xff);
  68. itmp[1] = (unsigned char)((i >> 16) & 0xff);
  69. itmp[2] = (unsigned char)((i >> 8) & 0xff);
  70. itmp[3] = (unsigned char)(i & 0xff);
  71. if (!HMAC_CTX_copy(hctx, hctx_tpl)) {
  72. HMAC_CTX_free(hctx);
  73. HMAC_CTX_free(hctx_tpl);
  74. return 0;
  75. }
  76. if (!HMAC_Update(hctx, salt, saltlen)
  77. || !HMAC_Update(hctx, itmp, 4)
  78. || !HMAC_Final(hctx, digtmp, NULL)) {
  79. HMAC_CTX_free(hctx);
  80. HMAC_CTX_free(hctx_tpl);
  81. return 0;
  82. }
  83. memcpy(p, digtmp, cplen);
  84. for (j = 1; j < iter; j++) {
  85. if (!HMAC_CTX_copy(hctx, hctx_tpl)) {
  86. HMAC_CTX_free(hctx);
  87. HMAC_CTX_free(hctx_tpl);
  88. return 0;
  89. }
  90. if (!HMAC_Update(hctx, digtmp, mdlen)
  91. || !HMAC_Final(hctx, digtmp, NULL)) {
  92. HMAC_CTX_free(hctx);
  93. HMAC_CTX_free(hctx_tpl);
  94. return 0;
  95. }
  96. for (k = 0; k < cplen; k++)
  97. p[k] ^= digtmp[k];
  98. }
  99. tkeylen -= cplen;
  100. i++;
  101. p += cplen;
  102. }
  103. HMAC_CTX_free(hctx);
  104. HMAC_CTX_free(hctx_tpl);
  105. # ifdef OPENSSL_DEBUG_PKCS5V2
  106. fprintf(stderr, "Password:\n");
  107. h__dump(pass, passlen);
  108. fprintf(stderr, "Salt:\n");
  109. h__dump(salt, saltlen);
  110. fprintf(stderr, "Iteration count %d\n", iter);
  111. fprintf(stderr, "Key:\n");
  112. h__dump(out, keylen);
  113. # endif
  114. return 1;
  115. }
  116. int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
  117. const unsigned char *salt, int saltlen, int iter,
  118. int keylen, unsigned char *out)
  119. {
  120. return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, EVP_sha1(),
  121. keylen, out);
  122. }
  123. /*
  124. * Now the key derivation function itself. This is a bit evil because it has
  125. * to check the ASN1 parameters are valid: and there are quite a few of
  126. * them...
  127. */
  128. int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
  129. ASN1_TYPE *param, const EVP_CIPHER *c,
  130. const EVP_MD *md, int en_de)
  131. {
  132. PBE2PARAM *pbe2 = NULL;
  133. const EVP_CIPHER *cipher;
  134. EVP_PBE_KEYGEN *kdf;
  135. int rv = 0;
  136. pbe2 = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBE2PARAM), param);
  137. if (pbe2 == NULL) {
  138. EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_DECODE_ERROR);
  139. goto err;
  140. }
  141. /* See if we recognise the key derivation function */
  142. if (!EVP_PBE_find(EVP_PBE_TYPE_KDF, OBJ_obj2nid(pbe2->keyfunc->algorithm),
  143. NULL, NULL, &kdf)) {
  144. EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
  145. EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
  146. goto err;
  147. }
  148. /*
  149. * lets see if we recognise the encryption algorithm.
  150. */
  151. cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm);
  152. if (!cipher) {
  153. EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_UNSUPPORTED_CIPHER);
  154. goto err;
  155. }
  156. /* Fixup cipher based on AlgorithmIdentifier */
  157. if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
  158. goto err;
  159. if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
  160. EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_CIPHER_PARAMETER_ERROR);
  161. goto err;
  162. }
  163. rv = kdf(ctx, pass, passlen, pbe2->keyfunc->parameter, NULL, NULL, en_de);
  164. err:
  165. PBE2PARAM_free(pbe2);
  166. return rv;
  167. }
  168. int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
  169. int passlen, ASN1_TYPE *param,
  170. const EVP_CIPHER *c, const EVP_MD *md, int en_de)
  171. {
  172. unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
  173. int saltlen, iter;
  174. int rv = 0;
  175. unsigned int keylen = 0;
  176. int prf_nid, hmac_md_nid;
  177. PBKDF2PARAM *kdf = NULL;
  178. const EVP_MD *prfmd;
  179. if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
  180. EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_NO_CIPHER_SET);
  181. goto err;
  182. }
  183. keylen = EVP_CIPHER_CTX_key_length(ctx);
  184. OPENSSL_assert(keylen <= sizeof(key));
  185. /* Decode parameter */
  186. kdf = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBKDF2PARAM), param);
  187. if (kdf == NULL) {
  188. EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_DECODE_ERROR);
  189. goto err;
  190. }
  191. keylen = EVP_CIPHER_CTX_key_length(ctx);
  192. /* Now check the parameters of the kdf */
  193. if (kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)) {
  194. EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_UNSUPPORTED_KEYLENGTH);
  195. goto err;
  196. }
  197. if (kdf->prf)
  198. prf_nid = OBJ_obj2nid(kdf->prf->algorithm);
  199. else
  200. prf_nid = NID_hmacWithSHA1;
  201. if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, 0)) {
  202. EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
  203. goto err;
  204. }
  205. prfmd = EVP_get_digestbynid(hmac_md_nid);
  206. if (prfmd == NULL) {
  207. EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
  208. goto err;
  209. }
  210. if (kdf->salt->type != V_ASN1_OCTET_STRING) {
  211. EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_UNSUPPORTED_SALT_TYPE);
  212. goto err;
  213. }
  214. /* it seems that its all OK */
  215. salt = kdf->salt->value.octet_string->data;
  216. saltlen = kdf->salt->value.octet_string->length;
  217. iter = ASN1_INTEGER_get(kdf->iter);
  218. if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd,
  219. keylen, key))
  220. goto err;
  221. rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
  222. err:
  223. OPENSSL_cleanse(key, keylen);
  224. PBKDF2PARAM_free(kdf);
  225. return rv;
  226. }
  227. # ifdef OPENSSL_DEBUG_PKCS5V2
  228. static void h__dump(const unsigned char *p, int len)
  229. {
  230. for (; len--; p++)
  231. fprintf(stderr, "%02X ", *p);
  232. fprintf(stderr, "\n");
  233. }
  234. # endif