2
0

crmf_pbm.c 8.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243
  1. /*-
  2. * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. *
  11. * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
  12. */
  13. #include <string.h>
  14. #include <openssl/rand.h>
  15. #include <openssl/evp.h>
  16. #include "crmf_local.h"
  17. /* explicit #includes not strictly needed since implied by the above: */
  18. #include <openssl/asn1t.h>
  19. #include <openssl/crmf.h>
  20. #include <openssl/err.h>
  21. #include <openssl/evp.h>
  22. #include <openssl/params.h>
  23. #include <openssl/core_names.h>
  24. /*-
  25. * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
  26. * |slen| SHOULD be at least 8 (16 is common)
  27. * |owfnid| e.g., NID_sha256
  28. * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT
  29. * |macnid| e.g., NID_hmac_sha1
  30. * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
  31. */
  32. OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
  33. int owfnid, size_t itercnt,
  34. int macnid)
  35. {
  36. OSSL_CRMF_PBMPARAMETER *pbm = NULL;
  37. unsigned char *salt = NULL;
  38. if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
  39. goto err;
  40. /*
  41. * salt contains a randomly generated value used in computing the key
  42. * of the MAC process. The salt SHOULD be at least 8 octets (64
  43. * bits) long.
  44. */
  45. if ((salt = OPENSSL_malloc(slen)) == NULL)
  46. goto err;
  47. if (RAND_bytes_ex(libctx, salt, (int)slen) <= 0) {
  48. CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
  49. goto err;
  50. }
  51. if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen))
  52. goto err;
  53. /*
  54. * owf identifies the hash algorithm and associated parameters used to
  55. * compute the key used in the MAC process. All implementations MUST
  56. * support SHA-1.
  57. */
  58. if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) {
  59. CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_OWF_ALGOR_FAILURE);
  60. goto err;
  61. }
  62. /*
  63. * iterationCount identifies the number of times the hash is applied
  64. * during the key computation process. The iterationCount MUST be a
  65. * minimum of 100. Many people suggest using values as high as 1000
  66. * iterations as the minimum value. The trade off here is between
  67. * protection of the password from attacks and the time spent by the
  68. * server processing all of the different iterations in deriving
  69. * passwords. Hashing is generally considered a cheap operation but
  70. * this may not be true with all hash functions in the future.
  71. */
  72. if (itercnt < 100) {
  73. CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_ITERATIONCOUNT_BELOW_100);
  74. goto err;
  75. }
  76. if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
  77. CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT);
  78. goto err;
  79. }
  80. if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
  81. CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_CRMFERROR);
  82. goto err;
  83. }
  84. /*
  85. * mac identifies the algorithm and associated parameters of the MAC
  86. * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
  87. * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
  88. */
  89. if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) {
  90. CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_SETTING_MAC_ALGOR_FAILURE);
  91. goto err;
  92. }
  93. OPENSSL_free(salt);
  94. return pbm;
  95. err:
  96. OPENSSL_free(salt);
  97. OSSL_CRMF_PBMPARAMETER_free(pbm);
  98. return NULL;
  99. }
  100. /*-
  101. * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
  102. * |pbmp| identifies the algorithms, salt to use
  103. * |msg| message to apply the PBM for
  104. * |msglen| length of the message
  105. * |sec| key to use
  106. * |seclen| length of the key
  107. * |mac| pointer to the computed mac, will be set on success
  108. * |maclen| if not NULL, will set variable to the length of the mac on success
  109. * returns 1 on success, 0 on error
  110. */
  111. /* TODO try to combine with other MAC calculations in the libray */
  112. int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
  113. const OSSL_CRMF_PBMPARAMETER *pbmp,
  114. const unsigned char *msg, size_t msglen,
  115. const unsigned char *sec, size_t seclen,
  116. unsigned char **out, size_t *outlen)
  117. {
  118. int mac_nid, hmac_md_nid = NID_undef;
  119. const char *mdname;
  120. EVP_MD *owf = NULL;
  121. EVP_MD_CTX *ctx = NULL;
  122. unsigned char basekey[EVP_MAX_MD_SIZE];
  123. unsigned int bklen = EVP_MAX_MD_SIZE;
  124. int64_t iterations;
  125. unsigned char *mac_res = 0;
  126. int ok = 0;
  127. EVP_MAC *mac = NULL;
  128. EVP_MAC_CTX *mctx = NULL;
  129. OSSL_PARAM macparams[3] = {OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END};
  130. if (out == NULL || pbmp == NULL || pbmp->mac == NULL
  131. || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) {
  132. CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT);
  133. goto err;
  134. }
  135. if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
  136. goto err;
  137. /*
  138. * owf identifies the hash algorithm and associated parameters used to
  139. * compute the key used in the MAC process. All implementations MUST
  140. * support SHA-1.
  141. */
  142. mdname = OBJ_nid2sn(OBJ_obj2nid(pbmp->owf->algorithm));
  143. if ((owf = EVP_MD_fetch(libctx, mdname, propq)) == NULL) {
  144. CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
  145. goto err;
  146. }
  147. if ((ctx = EVP_MD_CTX_new()) == NULL)
  148. goto err;
  149. /* compute the basekey of the salted secret */
  150. if (!EVP_DigestInit_ex(ctx, owf, NULL))
  151. goto err;
  152. /* first the secret */
  153. if (!EVP_DigestUpdate(ctx, sec, seclen))
  154. goto err;
  155. /* then the salt */
  156. if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length))
  157. goto err;
  158. if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
  159. goto err;
  160. if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount)
  161. || iterations < 100 /* min from RFC */
  162. || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
  163. CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_BAD_PBM_ITERATIONCOUNT);
  164. goto err;
  165. }
  166. /* the first iteration was already done above */
  167. while (--iterations > 0) {
  168. if (!EVP_DigestInit_ex(ctx, owf, NULL))
  169. goto err;
  170. if (!EVP_DigestUpdate(ctx, basekey, bklen))
  171. goto err;
  172. if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
  173. goto err;
  174. }
  175. /*
  176. * mac identifies the algorithm and associated parameters of the MAC
  177. * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
  178. * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
  179. */
  180. mac_nid = OBJ_obj2nid(pbmp->mac->algorithm);
  181. if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL)
  182. || (mdname = OBJ_nid2sn(hmac_md_nid)) == NULL) {
  183. CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
  184. goto err;
  185. }
  186. macparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
  187. (char *)mdname, 0);
  188. macparams[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
  189. basekey, bklen);
  190. if ((mac = EVP_MAC_fetch(libctx, "HMAC", propq)) == NULL
  191. || (mctx = EVP_MAC_CTX_new(mac)) == NULL
  192. || !EVP_MAC_CTX_set_params(mctx, macparams)
  193. || !EVP_MAC_init(mctx)
  194. || !EVP_MAC_update(mctx, msg, msglen)
  195. || !EVP_MAC_final(mctx, mac_res, outlen, EVP_MAX_MD_SIZE))
  196. goto err;
  197. ok = 1;
  198. err:
  199. OPENSSL_cleanse(basekey, bklen);
  200. EVP_MAC_CTX_free(mctx);
  201. EVP_MAC_free(mac);
  202. EVP_MD_free(owf);
  203. EVP_MD_CTX_free(ctx);
  204. if (ok == 1) {
  205. *out = mac_res;
  206. return 1;
  207. }
  208. OPENSSL_free(mac_res);
  209. if (pbmp != NULL && pbmp->mac != NULL) {
  210. char buf[128];
  211. if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0))
  212. ERR_add_error_data(1, buf);
  213. }
  214. return 0;
  215. }