1 /*-
2 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 *
11 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
12 */
13
14 #include <string.h>
15
16 #include <openssl/rand.h>
17 #include <openssl/evp.h>
18 #include <openssl/hmac.h>
19
20 /* explicit #includes not strictly needed since implied by the above: */
21 #include <openssl/asn1t.h>
22 #include <openssl/crmf.h>
23 #include <openssl/err.h>
24 #include <openssl/params.h>
25 #include <openssl/core_names.h>
26
27 #include "internal/sizes.h"
28
29 #include "crmf_local.h"
30
31 /*-
32 * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
33 * |slen| SHOULD be at least 8 (16 is common)
34 * |owfnid| e.g., NID_sha256
35 * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT
36 * |macnid| e.g., NID_hmac_sha1
37 * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
38 */
OSSL_CRMF_pbmp_new(OSSL_LIB_CTX * libctx,size_t slen,int owfnid,size_t itercnt,int macnid)39 OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
40 int owfnid, size_t itercnt,
41 int macnid)
42 {
43 OSSL_CRMF_PBMPARAMETER *pbm = NULL;
44 unsigned char *salt = NULL;
45
46 if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
47 goto err;
48
49 /*
50 * salt contains a randomly generated value used in computing the key
51 * of the MAC process. The salt SHOULD be at least 8 octets (64
52 * bits) long.
53 */
54 if ((salt = OPENSSL_malloc(slen)) == NULL)
55 goto err;
56 if (RAND_bytes_ex(libctx, salt, slen, 0) <= 0) {
57 ERR_raise(ERR_LIB_CRMF, CRMF_R_FAILURE_OBTAINING_RANDOM);
58 goto err;
59 }
60 if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen))
61 goto err;
62
63 /*
64 * owf identifies the hash algorithm and associated parameters used to
65 * compute the key used in the MAC process. All implementations MUST
66 * support SHA-1.
67 */
68 if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) {
69 ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_OWF_ALGOR_FAILURE);
70 goto err;
71 }
72
73 /*
74 * iterationCount identifies the number of times the hash is applied
75 * during the key computation process. The iterationCount MUST be a
76 * minimum of 100. Many people suggest using values as high as 1000
77 * iterations as the minimum value. The trade off here is between
78 * protection of the password from attacks and the time spent by the
79 * server processing all of the different iterations in deriving
80 * passwords. Hashing is generally considered a cheap operation but
81 * this may not be true with all hash functions in the future.
82 */
83 if (itercnt < 100) {
84 ERR_raise(ERR_LIB_CRMF, CRMF_R_ITERATIONCOUNT_BELOW_100);
85 goto err;
86 }
87 if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
88 ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT);
89 goto err;
90 }
91
92 if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
93 ERR_raise(ERR_LIB_CRMF, CRMF_R_CRMFERROR);
94 goto err;
95 }
96
97 /*
98 * mac identifies the algorithm and associated parameters of the MAC
99 * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
100 * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
101 */
102 if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) {
103 ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_MAC_ALGOR_FAILURE);
104 goto err;
105 }
106
107 OPENSSL_free(salt);
108 return pbm;
109 err:
110 OPENSSL_free(salt);
111 OSSL_CRMF_PBMPARAMETER_free(pbm);
112 return NULL;
113 }
114
115 /*-
116 * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
117 * |pbmp| identifies the algorithms, salt to use
118 * |msg| message to apply the PBM for
119 * |msglen| length of the message
120 * |sec| key to use
121 * |seclen| length of the key
122 * |out| pointer to the computed mac, will be set on success
123 * |outlen| if not NULL, will set variable to the length of the mac on success
124 * returns 1 on success, 0 on error
125 */
126 /* could be combined with other MAC calculations in the library */
OSSL_CRMF_pbm_new(OSSL_LIB_CTX * libctx,const char * propq,const OSSL_CRMF_PBMPARAMETER * pbmp,const unsigned char * msg,size_t msglen,const unsigned char * sec,size_t seclen,unsigned char ** out,size_t * outlen)127 int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
128 const OSSL_CRMF_PBMPARAMETER *pbmp,
129 const unsigned char *msg, size_t msglen,
130 const unsigned char *sec, size_t seclen,
131 unsigned char **out, size_t *outlen)
132 {
133 int mac_nid, hmac_md_nid = NID_undef;
134 char mdname[OSSL_MAX_NAME_SIZE];
135 char hmac_mdname[OSSL_MAX_NAME_SIZE];
136 EVP_MD *owf = NULL;
137 EVP_MD_CTX *ctx = NULL;
138 unsigned char basekey[EVP_MAX_MD_SIZE];
139 unsigned int bklen = EVP_MAX_MD_SIZE;
140 int64_t iterations;
141 unsigned char *mac_res = 0;
142 int ok = 0;
143
144 if (out == NULL || pbmp == NULL || pbmp->mac == NULL
145 || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) {
146 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
147 goto err;
148 }
149 if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
150 goto err;
151
152 /*
153 * owf identifies the hash algorithm and associated parameters used to
154 * compute the key used in the MAC process. All implementations MUST
155 * support SHA-1.
156 */
157 OBJ_obj2txt(mdname, sizeof(mdname), pbmp->owf->algorithm, 0);
158 if ((owf = EVP_MD_fetch(libctx, mdname, propq)) == NULL) {
159 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
160 goto err;
161 }
162
163 if ((ctx = EVP_MD_CTX_new()) == NULL)
164 goto err;
165
166 /* compute the basekey of the salted secret */
167 if (!EVP_DigestInit_ex(ctx, owf, NULL))
168 goto err;
169 /* first the secret */
170 if (!EVP_DigestUpdate(ctx, sec, seclen))
171 goto err;
172 /* then the salt */
173 if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length))
174 goto err;
175 if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
176 goto err;
177 if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount)
178 || iterations < 100 /* min from RFC */
179 || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
180 ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT);
181 goto err;
182 }
183
184 /* the first iteration was already done above */
185 while (--iterations > 0) {
186 if (!EVP_DigestInit_ex(ctx, owf, NULL))
187 goto err;
188 if (!EVP_DigestUpdate(ctx, basekey, bklen))
189 goto err;
190 if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
191 goto err;
192 }
193
194 /*
195 * mac identifies the algorithm and associated parameters of the MAC
196 * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
197 * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
198 */
199 mac_nid = OBJ_obj2nid(pbmp->mac->algorithm);
200
201 if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL)
202 || OBJ_obj2txt(hmac_mdname, sizeof(hmac_mdname),
203 OBJ_nid2obj(hmac_md_nid), 0) <= 0) {
204 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
205 goto err;
206 }
207 /* could be generalized to allow non-HMAC: */
208 if (EVP_Q_mac(libctx, "HMAC", propq, hmac_mdname, NULL, basekey, bklen,
209 msg, msglen, mac_res, EVP_MAX_MD_SIZE, outlen) == NULL)
210 goto err;
211
212 ok = 1;
213
214 err:
215 OPENSSL_cleanse(basekey, bklen);
216 EVP_MD_free(owf);
217 EVP_MD_CTX_free(ctx);
218
219 if (ok == 1) {
220 *out = mac_res;
221 return 1;
222 }
223
224 OPENSSL_free(mac_res);
225
226 if (pbmp != NULL && pbmp->mac != NULL) {
227 char buf[128];
228
229 if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0))
230 ERR_add_error_data(1, buf);
231 }
232 return 0;
233 }
234
