xref: /onnv-gate/usr/src/common/openssl/crypto/evp/p5_crpt2.c (revision 0:68f95e015346)
1*0Sstevel@tonic-gate /* p5_crpt2.c */
2*0Sstevel@tonic-gate /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3*0Sstevel@tonic-gate  * project 1999.
4*0Sstevel@tonic-gate  */
5*0Sstevel@tonic-gate /* ====================================================================
6*0Sstevel@tonic-gate  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7*0Sstevel@tonic-gate  *
8*0Sstevel@tonic-gate  * Redistribution and use in source and binary forms, with or without
9*0Sstevel@tonic-gate  * modification, are permitted provided that the following conditions
10*0Sstevel@tonic-gate  * are met:
11*0Sstevel@tonic-gate  *
12*0Sstevel@tonic-gate  * 1. Redistributions of source code must retain the above copyright
13*0Sstevel@tonic-gate  *    notice, this list of conditions and the following disclaimer.
14*0Sstevel@tonic-gate  *
15*0Sstevel@tonic-gate  * 2. Redistributions in binary form must reproduce the above copyright
16*0Sstevel@tonic-gate  *    notice, this list of conditions and the following disclaimer in
17*0Sstevel@tonic-gate  *    the documentation and/or other materials provided with the
18*0Sstevel@tonic-gate  *    distribution.
19*0Sstevel@tonic-gate  *
20*0Sstevel@tonic-gate  * 3. All advertising materials mentioning features or use of this
21*0Sstevel@tonic-gate  *    software must display the following acknowledgment:
22*0Sstevel@tonic-gate  *    "This product includes software developed by the OpenSSL Project
23*0Sstevel@tonic-gate  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24*0Sstevel@tonic-gate  *
25*0Sstevel@tonic-gate  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26*0Sstevel@tonic-gate  *    endorse or promote products derived from this software without
27*0Sstevel@tonic-gate  *    prior written permission. For written permission, please contact
28*0Sstevel@tonic-gate  *    licensing@OpenSSL.org.
29*0Sstevel@tonic-gate  *
30*0Sstevel@tonic-gate  * 5. Products derived from this software may not be called "OpenSSL"
31*0Sstevel@tonic-gate  *    nor may "OpenSSL" appear in their names without prior written
32*0Sstevel@tonic-gate  *    permission of the OpenSSL Project.
33*0Sstevel@tonic-gate  *
34*0Sstevel@tonic-gate  * 6. Redistributions of any form whatsoever must retain the following
35*0Sstevel@tonic-gate  *    acknowledgment:
36*0Sstevel@tonic-gate  *    "This product includes software developed by the OpenSSL Project
37*0Sstevel@tonic-gate  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38*0Sstevel@tonic-gate  *
39*0Sstevel@tonic-gate  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40*0Sstevel@tonic-gate  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41*0Sstevel@tonic-gate  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42*0Sstevel@tonic-gate  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43*0Sstevel@tonic-gate  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44*0Sstevel@tonic-gate  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45*0Sstevel@tonic-gate  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46*0Sstevel@tonic-gate  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47*0Sstevel@tonic-gate  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48*0Sstevel@tonic-gate  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49*0Sstevel@tonic-gate  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50*0Sstevel@tonic-gate  * OF THE POSSIBILITY OF SUCH DAMAGE.
51*0Sstevel@tonic-gate  * ====================================================================
52*0Sstevel@tonic-gate  *
53*0Sstevel@tonic-gate  * This product includes cryptographic software written by Eric Young
54*0Sstevel@tonic-gate  * (eay@cryptsoft.com).  This product includes software written by Tim
55*0Sstevel@tonic-gate  * Hudson (tjh@cryptsoft.com).
56*0Sstevel@tonic-gate  *
57*0Sstevel@tonic-gate  */
58*0Sstevel@tonic-gate #if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
59*0Sstevel@tonic-gate #include <stdio.h>
60*0Sstevel@tonic-gate #include <stdlib.h>
61*0Sstevel@tonic-gate #include "cryptlib.h"
62*0Sstevel@tonic-gate #include <openssl/x509.h>
63*0Sstevel@tonic-gate #include <openssl/evp.h>
64*0Sstevel@tonic-gate #include <openssl/hmac.h>
65*0Sstevel@tonic-gate 
66*0Sstevel@tonic-gate /* set this to print out info about the keygen algorithm */
67*0Sstevel@tonic-gate /* #define DEBUG_PKCS5V2 */
68*0Sstevel@tonic-gate 
69*0Sstevel@tonic-gate #ifdef DEBUG_PKCS5V2
70*0Sstevel@tonic-gate 	static void h__dump (const unsigned char *p, int len);
71*0Sstevel@tonic-gate #endif
72*0Sstevel@tonic-gate 
73*0Sstevel@tonic-gate /* This is an implementation of PKCS#5 v2.0 password based encryption key
74*0Sstevel@tonic-gate  * derivation function PBKDF2 using the only currently defined function HMAC
75*0Sstevel@tonic-gate  * with SHA1. Verified against test vectors posted by Peter Gutmann
76*0Sstevel@tonic-gate  * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
77*0Sstevel@tonic-gate  */
78*0Sstevel@tonic-gate 
79*0Sstevel@tonic-gate int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
80*0Sstevel@tonic-gate 			   unsigned char *salt, int saltlen, int iter,
81*0Sstevel@tonic-gate 			   int keylen, unsigned char *out)
82*0Sstevel@tonic-gate {
83*0Sstevel@tonic-gate 	unsigned char digtmp[SHA_DIGEST_LENGTH], *p, itmp[4];
84*0Sstevel@tonic-gate 	int cplen, j, k, tkeylen;
85*0Sstevel@tonic-gate 	unsigned long i = 1;
86*0Sstevel@tonic-gate 	HMAC_CTX hctx;
87*0Sstevel@tonic-gate 
88*0Sstevel@tonic-gate 	HMAC_CTX_init(&hctx);
89*0Sstevel@tonic-gate 	p = out;
90*0Sstevel@tonic-gate 	tkeylen = keylen;
91*0Sstevel@tonic-gate 	if(!pass) passlen = 0;
92*0Sstevel@tonic-gate 	else if(passlen == -1) passlen = strlen(pass);
93*0Sstevel@tonic-gate 	while(tkeylen) {
94*0Sstevel@tonic-gate 		if(tkeylen > SHA_DIGEST_LENGTH) cplen = SHA_DIGEST_LENGTH;
95*0Sstevel@tonic-gate 		else cplen = tkeylen;
96*0Sstevel@tonic-gate 		/* We are unlikely to ever use more than 256 blocks (5120 bits!)
97*0Sstevel@tonic-gate 		 * but just in case...
98*0Sstevel@tonic-gate 		 */
99*0Sstevel@tonic-gate 		itmp[0] = (unsigned char)((i >> 24) & 0xff);
100*0Sstevel@tonic-gate 		itmp[1] = (unsigned char)((i >> 16) & 0xff);
101*0Sstevel@tonic-gate 		itmp[2] = (unsigned char)((i >> 8) & 0xff);
102*0Sstevel@tonic-gate 		itmp[3] = (unsigned char)(i & 0xff);
103*0Sstevel@tonic-gate 		HMAC_Init_ex(&hctx, pass, passlen, EVP_sha1(), NULL);
104*0Sstevel@tonic-gate 		HMAC_Update(&hctx, salt, saltlen);
105*0Sstevel@tonic-gate 		HMAC_Update(&hctx, itmp, 4);
106*0Sstevel@tonic-gate 		HMAC_Final(&hctx, digtmp, NULL);
107*0Sstevel@tonic-gate 		memcpy(p, digtmp, cplen);
108*0Sstevel@tonic-gate 		for(j = 1; j < iter; j++) {
109*0Sstevel@tonic-gate 			HMAC(EVP_sha1(), pass, passlen,
110*0Sstevel@tonic-gate 				 digtmp, SHA_DIGEST_LENGTH, digtmp, NULL);
111*0Sstevel@tonic-gate 			for(k = 0; k < cplen; k++) p[k] ^= digtmp[k];
112*0Sstevel@tonic-gate 		}
113*0Sstevel@tonic-gate 		tkeylen-= cplen;
114*0Sstevel@tonic-gate 		i++;
115*0Sstevel@tonic-gate 		p+= cplen;
116*0Sstevel@tonic-gate 	}
117*0Sstevel@tonic-gate 	HMAC_CTX_cleanup(&hctx);
118*0Sstevel@tonic-gate #ifdef DEBUG_PKCS5V2
119*0Sstevel@tonic-gate 	fprintf(stderr, "Password:\n");
120*0Sstevel@tonic-gate 	h__dump (pass, passlen);
121*0Sstevel@tonic-gate 	fprintf(stderr, "Salt:\n");
122*0Sstevel@tonic-gate 	h__dump (salt, saltlen);
123*0Sstevel@tonic-gate 	fprintf(stderr, "Iteration count %d\n", iter);
124*0Sstevel@tonic-gate 	fprintf(stderr, "Key:\n");
125*0Sstevel@tonic-gate 	h__dump (out, keylen);
126*0Sstevel@tonic-gate #endif
127*0Sstevel@tonic-gate 	return 1;
128*0Sstevel@tonic-gate }
129*0Sstevel@tonic-gate 
130*0Sstevel@tonic-gate #ifdef DO_TEST
131*0Sstevel@tonic-gate main()
132*0Sstevel@tonic-gate {
133*0Sstevel@tonic-gate 	unsigned char out[4];
134*0Sstevel@tonic-gate 	unsigned char salt[] = {0x12, 0x34, 0x56, 0x78};
135*0Sstevel@tonic-gate 	PKCS5_PBKDF2_HMAC_SHA1("password", -1, salt, 4, 5, 4, out);
136*0Sstevel@tonic-gate 	fprintf(stderr, "Out %02X %02X %02X %02X\n",
137*0Sstevel@tonic-gate 					 out[0], out[1], out[2], out[3]);
138*0Sstevel@tonic-gate }
139*0Sstevel@tonic-gate 
140*0Sstevel@tonic-gate #endif
141*0Sstevel@tonic-gate 
142*0Sstevel@tonic-gate /* Now the key derivation function itself. This is a bit evil because
143*0Sstevel@tonic-gate  * it has to check the ASN1 parameters are valid: and there are quite a
144*0Sstevel@tonic-gate  * few of them...
145*0Sstevel@tonic-gate  */
146*0Sstevel@tonic-gate 
147*0Sstevel@tonic-gate int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
148*0Sstevel@tonic-gate                          ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md,
149*0Sstevel@tonic-gate                          int en_de)
150*0Sstevel@tonic-gate {
151*0Sstevel@tonic-gate 	unsigned char *pbuf, *salt, key[EVP_MAX_KEY_LENGTH];
152*0Sstevel@tonic-gate 	int saltlen, keylen, iter, plen;
153*0Sstevel@tonic-gate 	PBE2PARAM *pbe2 = NULL;
154*0Sstevel@tonic-gate 	const EVP_CIPHER *cipher;
155*0Sstevel@tonic-gate 	PBKDF2PARAM *kdf = NULL;
156*0Sstevel@tonic-gate 
157*0Sstevel@tonic-gate 	pbuf = param->value.sequence->data;
158*0Sstevel@tonic-gate 	plen = param->value.sequence->length;
159*0Sstevel@tonic-gate 	if(!param || (param->type != V_ASN1_SEQUENCE) ||
160*0Sstevel@tonic-gate 				   !(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
161*0Sstevel@tonic-gate 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
162*0Sstevel@tonic-gate 		return 0;
163*0Sstevel@tonic-gate 	}
164*0Sstevel@tonic-gate 
165*0Sstevel@tonic-gate 	/* See if we recognise the key derivation function */
166*0Sstevel@tonic-gate 
167*0Sstevel@tonic-gate 	if(OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
168*0Sstevel@tonic-gate 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
169*0Sstevel@tonic-gate 				EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
170*0Sstevel@tonic-gate 		goto err;
171*0Sstevel@tonic-gate 	}
172*0Sstevel@tonic-gate 
173*0Sstevel@tonic-gate 	/* lets see if we recognise the encryption algorithm.
174*0Sstevel@tonic-gate 	 */
175*0Sstevel@tonic-gate 
176*0Sstevel@tonic-gate 	cipher = EVP_get_cipherbyname(
177*0Sstevel@tonic-gate 			OBJ_nid2sn(OBJ_obj2nid(pbe2->encryption->algorithm)));
178*0Sstevel@tonic-gate 
179*0Sstevel@tonic-gate 	if(!cipher) {
180*0Sstevel@tonic-gate 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
181*0Sstevel@tonic-gate 						EVP_R_UNSUPPORTED_CIPHER);
182*0Sstevel@tonic-gate 		goto err;
183*0Sstevel@tonic-gate 	}
184*0Sstevel@tonic-gate 
185*0Sstevel@tonic-gate 	/* Fixup cipher based on AlgorithmIdentifier */
186*0Sstevel@tonic-gate 	EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de);
187*0Sstevel@tonic-gate 	if(EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
188*0Sstevel@tonic-gate 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
189*0Sstevel@tonic-gate 					EVP_R_CIPHER_PARAMETER_ERROR);
190*0Sstevel@tonic-gate 		goto err;
191*0Sstevel@tonic-gate 	}
192*0Sstevel@tonic-gate 	keylen = EVP_CIPHER_CTX_key_length(ctx);
193*0Sstevel@tonic-gate 	OPENSSL_assert(keylen <= sizeof key);
194*0Sstevel@tonic-gate 
195*0Sstevel@tonic-gate 	/* Now decode key derivation function */
196*0Sstevel@tonic-gate 
197*0Sstevel@tonic-gate 	pbuf = pbe2->keyfunc->parameter->value.sequence->data;
198*0Sstevel@tonic-gate 	plen = pbe2->keyfunc->parameter->value.sequence->length;
199*0Sstevel@tonic-gate 	if(!pbe2->keyfunc->parameter ||
200*0Sstevel@tonic-gate 		 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) ||
201*0Sstevel@tonic-gate 				!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
202*0Sstevel@tonic-gate 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
203*0Sstevel@tonic-gate 		goto err;
204*0Sstevel@tonic-gate 	}
205*0Sstevel@tonic-gate 
206*0Sstevel@tonic-gate 	PBE2PARAM_free(pbe2);
207*0Sstevel@tonic-gate 	pbe2 = NULL;
208*0Sstevel@tonic-gate 
209*0Sstevel@tonic-gate 	/* Now check the parameters of the kdf */
210*0Sstevel@tonic-gate 
211*0Sstevel@tonic-gate 	if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != keylen)){
212*0Sstevel@tonic-gate 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
213*0Sstevel@tonic-gate 						EVP_R_UNSUPPORTED_KEYLENGTH);
214*0Sstevel@tonic-gate 		goto err;
215*0Sstevel@tonic-gate 	}
216*0Sstevel@tonic-gate 
217*0Sstevel@tonic-gate 	if(kdf->prf && (OBJ_obj2nid(kdf->prf->algorithm) != NID_hmacWithSHA1)) {
218*0Sstevel@tonic-gate 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
219*0Sstevel@tonic-gate 		goto err;
220*0Sstevel@tonic-gate 	}
221*0Sstevel@tonic-gate 
222*0Sstevel@tonic-gate 	if(kdf->salt->type != V_ASN1_OCTET_STRING) {
223*0Sstevel@tonic-gate 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
224*0Sstevel@tonic-gate 						EVP_R_UNSUPPORTED_SALT_TYPE);
225*0Sstevel@tonic-gate 		goto err;
226*0Sstevel@tonic-gate 	}
227*0Sstevel@tonic-gate 
228*0Sstevel@tonic-gate 	/* it seems that its all OK */
229*0Sstevel@tonic-gate 	salt = kdf->salt->value.octet_string->data;
230*0Sstevel@tonic-gate 	saltlen = kdf->salt->value.octet_string->length;
231*0Sstevel@tonic-gate 	iter = ASN1_INTEGER_get(kdf->iter);
232*0Sstevel@tonic-gate 	PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
233*0Sstevel@tonic-gate 	EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
234*0Sstevel@tonic-gate 	OPENSSL_cleanse(key, keylen);
235*0Sstevel@tonic-gate 	PBKDF2PARAM_free(kdf);
236*0Sstevel@tonic-gate 	return 1;
237*0Sstevel@tonic-gate 
238*0Sstevel@tonic-gate 	err:
239*0Sstevel@tonic-gate 	PBE2PARAM_free(pbe2);
240*0Sstevel@tonic-gate 	PBKDF2PARAM_free(kdf);
241*0Sstevel@tonic-gate 	return 0;
242*0Sstevel@tonic-gate }
243*0Sstevel@tonic-gate 
244*0Sstevel@tonic-gate #ifdef DEBUG_PKCS5V2
245*0Sstevel@tonic-gate static void h__dump (const unsigned char *p, int len)
246*0Sstevel@tonic-gate {
247*0Sstevel@tonic-gate         for (; len --; p++) fprintf(stderr, "%02X ", *p);
248*0Sstevel@tonic-gate         fprintf(stderr, "\n");
249*0Sstevel@tonic-gate }
250*0Sstevel@tonic-gate #endif
251*0Sstevel@tonic-gate #endif
252