10Sstevel@tonic-gate /* p5_crpt2.c */
20Sstevel@tonic-gate /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
30Sstevel@tonic-gate * project 1999.
40Sstevel@tonic-gate */
50Sstevel@tonic-gate /* ====================================================================
60Sstevel@tonic-gate * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * Redistribution and use in source and binary forms, with or without
90Sstevel@tonic-gate * modification, are permitted provided that the following conditions
100Sstevel@tonic-gate * are met:
110Sstevel@tonic-gate *
120Sstevel@tonic-gate * 1. Redistributions of source code must retain the above copyright
130Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer.
140Sstevel@tonic-gate *
150Sstevel@tonic-gate * 2. Redistributions in binary form must reproduce the above copyright
160Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer in
170Sstevel@tonic-gate * the documentation and/or other materials provided with the
180Sstevel@tonic-gate * distribution.
190Sstevel@tonic-gate *
200Sstevel@tonic-gate * 3. All advertising materials mentioning features or use of this
210Sstevel@tonic-gate * software must display the following acknowledgment:
220Sstevel@tonic-gate * "This product includes software developed by the OpenSSL Project
230Sstevel@tonic-gate * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
240Sstevel@tonic-gate *
250Sstevel@tonic-gate * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
260Sstevel@tonic-gate * endorse or promote products derived from this software without
270Sstevel@tonic-gate * prior written permission. For written permission, please contact
280Sstevel@tonic-gate * licensing@OpenSSL.org.
290Sstevel@tonic-gate *
300Sstevel@tonic-gate * 5. Products derived from this software may not be called "OpenSSL"
310Sstevel@tonic-gate * nor may "OpenSSL" appear in their names without prior written
320Sstevel@tonic-gate * permission of the OpenSSL Project.
330Sstevel@tonic-gate *
340Sstevel@tonic-gate * 6. Redistributions of any form whatsoever must retain the following
350Sstevel@tonic-gate * acknowledgment:
360Sstevel@tonic-gate * "This product includes software developed by the OpenSSL Project
370Sstevel@tonic-gate * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
380Sstevel@tonic-gate *
390Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
400Sstevel@tonic-gate * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
410Sstevel@tonic-gate * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
420Sstevel@tonic-gate * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
430Sstevel@tonic-gate * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
440Sstevel@tonic-gate * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
450Sstevel@tonic-gate * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
460Sstevel@tonic-gate * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
470Sstevel@tonic-gate * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
480Sstevel@tonic-gate * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
490Sstevel@tonic-gate * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
500Sstevel@tonic-gate * OF THE POSSIBILITY OF SUCH DAMAGE.
510Sstevel@tonic-gate * ====================================================================
520Sstevel@tonic-gate *
530Sstevel@tonic-gate * This product includes cryptographic software written by Eric Young
540Sstevel@tonic-gate * (eay@cryptsoft.com). This product includes software written by Tim
550Sstevel@tonic-gate * Hudson (tjh@cryptsoft.com).
560Sstevel@tonic-gate *
570Sstevel@tonic-gate */
580Sstevel@tonic-gate #include <stdio.h>
590Sstevel@tonic-gate #include <stdlib.h>
600Sstevel@tonic-gate #include "cryptlib.h"
61*2139Sjp161948 #if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
620Sstevel@tonic-gate #include <openssl/x509.h>
630Sstevel@tonic-gate #include <openssl/evp.h>
640Sstevel@tonic-gate #include <openssl/hmac.h>
650Sstevel@tonic-gate
660Sstevel@tonic-gate /* set this to print out info about the keygen algorithm */
670Sstevel@tonic-gate /* #define DEBUG_PKCS5V2 */
680Sstevel@tonic-gate
690Sstevel@tonic-gate #ifdef DEBUG_PKCS5V2
700Sstevel@tonic-gate static void h__dump (const unsigned char *p, int len);
710Sstevel@tonic-gate #endif
720Sstevel@tonic-gate
730Sstevel@tonic-gate /* This is an implementation of PKCS#5 v2.0 password based encryption key
740Sstevel@tonic-gate * derivation function PBKDF2 using the only currently defined function HMAC
750Sstevel@tonic-gate * with SHA1. Verified against test vectors posted by Peter Gutmann
760Sstevel@tonic-gate * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
770Sstevel@tonic-gate */
780Sstevel@tonic-gate
PKCS5_PBKDF2_HMAC_SHA1(const char * pass,int passlen,const unsigned char * salt,int saltlen,int iter,int keylen,unsigned char * out)790Sstevel@tonic-gate int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
80*2139Sjp161948 const unsigned char *salt, int saltlen, int iter,
810Sstevel@tonic-gate int keylen, unsigned char *out)
820Sstevel@tonic-gate {
830Sstevel@tonic-gate unsigned char digtmp[SHA_DIGEST_LENGTH], *p, itmp[4];
840Sstevel@tonic-gate int cplen, j, k, tkeylen;
850Sstevel@tonic-gate unsigned long i = 1;
860Sstevel@tonic-gate HMAC_CTX hctx;
870Sstevel@tonic-gate
880Sstevel@tonic-gate HMAC_CTX_init(&hctx);
890Sstevel@tonic-gate p = out;
900Sstevel@tonic-gate tkeylen = keylen;
910Sstevel@tonic-gate if(!pass) passlen = 0;
920Sstevel@tonic-gate else if(passlen == -1) passlen = strlen(pass);
930Sstevel@tonic-gate while(tkeylen) {
940Sstevel@tonic-gate if(tkeylen > SHA_DIGEST_LENGTH) cplen = SHA_DIGEST_LENGTH;
950Sstevel@tonic-gate else cplen = tkeylen;
960Sstevel@tonic-gate /* We are unlikely to ever use more than 256 blocks (5120 bits!)
970Sstevel@tonic-gate * but just in case...
980Sstevel@tonic-gate */
990Sstevel@tonic-gate itmp[0] = (unsigned char)((i >> 24) & 0xff);
1000Sstevel@tonic-gate itmp[1] = (unsigned char)((i >> 16) & 0xff);
1010Sstevel@tonic-gate itmp[2] = (unsigned char)((i >> 8) & 0xff);
1020Sstevel@tonic-gate itmp[3] = (unsigned char)(i & 0xff);
1030Sstevel@tonic-gate HMAC_Init_ex(&hctx, pass, passlen, EVP_sha1(), NULL);
1040Sstevel@tonic-gate HMAC_Update(&hctx, salt, saltlen);
1050Sstevel@tonic-gate HMAC_Update(&hctx, itmp, 4);
1060Sstevel@tonic-gate HMAC_Final(&hctx, digtmp, NULL);
1070Sstevel@tonic-gate memcpy(p, digtmp, cplen);
1080Sstevel@tonic-gate for(j = 1; j < iter; j++) {
1090Sstevel@tonic-gate HMAC(EVP_sha1(), pass, passlen,
1100Sstevel@tonic-gate digtmp, SHA_DIGEST_LENGTH, digtmp, NULL);
1110Sstevel@tonic-gate for(k = 0; k < cplen; k++) p[k] ^= digtmp[k];
1120Sstevel@tonic-gate }
1130Sstevel@tonic-gate tkeylen-= cplen;
1140Sstevel@tonic-gate i++;
1150Sstevel@tonic-gate p+= cplen;
1160Sstevel@tonic-gate }
1170Sstevel@tonic-gate HMAC_CTX_cleanup(&hctx);
1180Sstevel@tonic-gate #ifdef DEBUG_PKCS5V2
1190Sstevel@tonic-gate fprintf(stderr, "Password:\n");
1200Sstevel@tonic-gate h__dump (pass, passlen);
1210Sstevel@tonic-gate fprintf(stderr, "Salt:\n");
1220Sstevel@tonic-gate h__dump (salt, saltlen);
1230Sstevel@tonic-gate fprintf(stderr, "Iteration count %d\n", iter);
1240Sstevel@tonic-gate fprintf(stderr, "Key:\n");
1250Sstevel@tonic-gate h__dump (out, keylen);
1260Sstevel@tonic-gate #endif
1270Sstevel@tonic-gate return 1;
1280Sstevel@tonic-gate }
1290Sstevel@tonic-gate
1300Sstevel@tonic-gate #ifdef DO_TEST
main()1310Sstevel@tonic-gate main()
1320Sstevel@tonic-gate {
1330Sstevel@tonic-gate unsigned char out[4];
1340Sstevel@tonic-gate unsigned char salt[] = {0x12, 0x34, 0x56, 0x78};
1350Sstevel@tonic-gate PKCS5_PBKDF2_HMAC_SHA1("password", -1, salt, 4, 5, 4, out);
1360Sstevel@tonic-gate fprintf(stderr, "Out %02X %02X %02X %02X\n",
1370Sstevel@tonic-gate out[0], out[1], out[2], out[3]);
1380Sstevel@tonic-gate }
1390Sstevel@tonic-gate
1400Sstevel@tonic-gate #endif
1410Sstevel@tonic-gate
1420Sstevel@tonic-gate /* Now the key derivation function itself. This is a bit evil because
1430Sstevel@tonic-gate * it has to check the ASN1 parameters are valid: and there are quite a
1440Sstevel@tonic-gate * few of them...
1450Sstevel@tonic-gate */
1460Sstevel@tonic-gate
PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX * ctx,const char * pass,int passlen,ASN1_TYPE * param,const EVP_CIPHER * c,const EVP_MD * md,int en_de)1470Sstevel@tonic-gate int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
1480Sstevel@tonic-gate ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md,
1490Sstevel@tonic-gate int en_de)
1500Sstevel@tonic-gate {
151*2139Sjp161948 unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
152*2139Sjp161948 const unsigned char *pbuf;
153*2139Sjp161948 int saltlen, iter, plen;
154*2139Sjp161948 unsigned int keylen;
1550Sstevel@tonic-gate PBE2PARAM *pbe2 = NULL;
1560Sstevel@tonic-gate const EVP_CIPHER *cipher;
1570Sstevel@tonic-gate PBKDF2PARAM *kdf = NULL;
1580Sstevel@tonic-gate
159*2139Sjp161948 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
160*2139Sjp161948 param->value.sequence == NULL) {
161*2139Sjp161948 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
162*2139Sjp161948 return 0;
163*2139Sjp161948 }
164*2139Sjp161948
1650Sstevel@tonic-gate pbuf = param->value.sequence->data;
1660Sstevel@tonic-gate plen = param->value.sequence->length;
167*2139Sjp161948 if(!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
1680Sstevel@tonic-gate EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
1690Sstevel@tonic-gate return 0;
1700Sstevel@tonic-gate }
1710Sstevel@tonic-gate
1720Sstevel@tonic-gate /* See if we recognise the key derivation function */
1730Sstevel@tonic-gate
1740Sstevel@tonic-gate if(OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
1750Sstevel@tonic-gate EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
1760Sstevel@tonic-gate EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
1770Sstevel@tonic-gate goto err;
1780Sstevel@tonic-gate }
1790Sstevel@tonic-gate
1800Sstevel@tonic-gate /* lets see if we recognise the encryption algorithm.
1810Sstevel@tonic-gate */
1820Sstevel@tonic-gate
1830Sstevel@tonic-gate cipher = EVP_get_cipherbyname(
1840Sstevel@tonic-gate OBJ_nid2sn(OBJ_obj2nid(pbe2->encryption->algorithm)));
1850Sstevel@tonic-gate
1860Sstevel@tonic-gate if(!cipher) {
1870Sstevel@tonic-gate EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
1880Sstevel@tonic-gate EVP_R_UNSUPPORTED_CIPHER);
1890Sstevel@tonic-gate goto err;
1900Sstevel@tonic-gate }
1910Sstevel@tonic-gate
1920Sstevel@tonic-gate /* Fixup cipher based on AlgorithmIdentifier */
1930Sstevel@tonic-gate EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de);
1940Sstevel@tonic-gate if(EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
1950Sstevel@tonic-gate EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
1960Sstevel@tonic-gate EVP_R_CIPHER_PARAMETER_ERROR);
1970Sstevel@tonic-gate goto err;
1980Sstevel@tonic-gate }
1990Sstevel@tonic-gate keylen = EVP_CIPHER_CTX_key_length(ctx);
2000Sstevel@tonic-gate OPENSSL_assert(keylen <= sizeof key);
2010Sstevel@tonic-gate
2020Sstevel@tonic-gate /* Now decode key derivation function */
2030Sstevel@tonic-gate
2040Sstevel@tonic-gate pbuf = pbe2->keyfunc->parameter->value.sequence->data;
2050Sstevel@tonic-gate plen = pbe2->keyfunc->parameter->value.sequence->length;
2060Sstevel@tonic-gate if(!pbe2->keyfunc->parameter ||
2070Sstevel@tonic-gate (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) ||
2080Sstevel@tonic-gate !(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
2090Sstevel@tonic-gate EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
2100Sstevel@tonic-gate goto err;
2110Sstevel@tonic-gate }
2120Sstevel@tonic-gate
2130Sstevel@tonic-gate PBE2PARAM_free(pbe2);
2140Sstevel@tonic-gate pbe2 = NULL;
2150Sstevel@tonic-gate
2160Sstevel@tonic-gate /* Now check the parameters of the kdf */
2170Sstevel@tonic-gate
218*2139Sjp161948 if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
2190Sstevel@tonic-gate EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
2200Sstevel@tonic-gate EVP_R_UNSUPPORTED_KEYLENGTH);
2210Sstevel@tonic-gate goto err;
2220Sstevel@tonic-gate }
2230Sstevel@tonic-gate
2240Sstevel@tonic-gate if(kdf->prf && (OBJ_obj2nid(kdf->prf->algorithm) != NID_hmacWithSHA1)) {
2250Sstevel@tonic-gate EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
2260Sstevel@tonic-gate goto err;
2270Sstevel@tonic-gate }
2280Sstevel@tonic-gate
2290Sstevel@tonic-gate if(kdf->salt->type != V_ASN1_OCTET_STRING) {
2300Sstevel@tonic-gate EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
2310Sstevel@tonic-gate EVP_R_UNSUPPORTED_SALT_TYPE);
2320Sstevel@tonic-gate goto err;
2330Sstevel@tonic-gate }
2340Sstevel@tonic-gate
2350Sstevel@tonic-gate /* it seems that its all OK */
2360Sstevel@tonic-gate salt = kdf->salt->value.octet_string->data;
2370Sstevel@tonic-gate saltlen = kdf->salt->value.octet_string->length;
2380Sstevel@tonic-gate iter = ASN1_INTEGER_get(kdf->iter);
2390Sstevel@tonic-gate PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
2400Sstevel@tonic-gate EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
2410Sstevel@tonic-gate OPENSSL_cleanse(key, keylen);
2420Sstevel@tonic-gate PBKDF2PARAM_free(kdf);
2430Sstevel@tonic-gate return 1;
2440Sstevel@tonic-gate
2450Sstevel@tonic-gate err:
2460Sstevel@tonic-gate PBE2PARAM_free(pbe2);
2470Sstevel@tonic-gate PBKDF2PARAM_free(kdf);
2480Sstevel@tonic-gate return 0;
2490Sstevel@tonic-gate }
2500Sstevel@tonic-gate
2510Sstevel@tonic-gate #ifdef DEBUG_PKCS5V2
h__dump(const unsigned char * p,int len)2520Sstevel@tonic-gate static void h__dump (const unsigned char *p, int len)
2530Sstevel@tonic-gate {
2540Sstevel@tonic-gate for (; len --; p++) fprintf(stderr, "%02X ", *p);
2550Sstevel@tonic-gate fprintf(stderr, "\n");
2560Sstevel@tonic-gate }
2570Sstevel@tonic-gate #endif
2580Sstevel@tonic-gate #endif
259