2 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
11 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
17 #include <openssl/rand.h>
18 #include <openssl/evp.h>
20 #include "crmf_local.h"
22 /* explicit #includes not strictly needed since implied by the above: */
23 #include <openssl/asn1t.h>
24 #include <openssl/crmf.h>
25 #include <openssl/err.h>
26 #include <openssl/evp.h>
27 #include <openssl/params.h>
28 #include <openssl/core_names.h>
31 * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
32 * |slen| SHOULD be at least 8 (16 is common)
33 * |owfnid| e.g., NID_sha256
34 * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT
35 * |macnid| e.g., NID_hmac_sha1
36 * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
38 OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
39 int owfnid, size_t itercnt,
42 OSSL_CRMF_PBMPARAMETER *pbm = NULL;
43 unsigned char *salt = NULL;
45 if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
49 * salt contains a randomly generated value used in computing the key
50 * of the MAC process. The salt SHOULD be at least 8 octets (64
53 if ((salt = OPENSSL_malloc(slen)) == NULL)
55 if (RAND_bytes_ex(libctx, salt, (int)slen) <= 0) {
56 ERR_raise(ERR_LIB_CRMF, CRMF_R_FAILURE_OBTAINING_RANDOM);
59 if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen))
63 * owf identifies the hash algorithm and associated parameters used to
64 * compute the key used in the MAC process. All implementations MUST
67 if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) {
68 ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_OWF_ALGOR_FAILURE);
73 * iterationCount identifies the number of times the hash is applied
74 * during the key computation process. The iterationCount MUST be a
75 * minimum of 100. Many people suggest using values as high as 1000
76 * iterations as the minimum value. The trade off here is between
77 * protection of the password from attacks and the time spent by the
78 * server processing all of the different iterations in deriving
79 * passwords. Hashing is generally considered a cheap operation but
80 * this may not be true with all hash functions in the future.
83 ERR_raise(ERR_LIB_CRMF, CRMF_R_ITERATIONCOUNT_BELOW_100);
86 if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
87 ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT);
91 if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
92 ERR_raise(ERR_LIB_CRMF, CRMF_R_CRMFERROR);
97 * mac identifies the algorithm and associated parameters of the MAC
98 * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
99 * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
101 if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) {
102 ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_MAC_ALGOR_FAILURE);
110 OSSL_CRMF_PBMPARAMETER_free(pbm);
115 * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
116 * |pbmp| identifies the algorithms, salt to use
117 * |msg| message to apply the PBM for
118 * |msglen| length of the message
120 * |seclen| length of the key
121 * |mac| pointer to the computed mac, will be set on success
122 * |maclen| if not NULL, will set variable to the length of the mac on success
123 * returns 1 on success, 0 on error
125 /* TODO try to combine with other MAC calculations in the libray */
126 int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
127 const OSSL_CRMF_PBMPARAMETER *pbmp,
128 const unsigned char *msg, size_t msglen,
129 const unsigned char *sec, size_t seclen,
130 unsigned char **out, size_t *outlen)
132 int mac_nid, hmac_md_nid = NID_undef;
135 EVP_MD_CTX *ctx = NULL;
136 unsigned char basekey[EVP_MAX_MD_SIZE];
137 unsigned int bklen = EVP_MAX_MD_SIZE;
139 unsigned char *mac_res = 0;
142 EVP_MAC_CTX *mctx = NULL;
143 OSSL_PARAM macparams[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
145 if (out == NULL || pbmp == NULL || pbmp->mac == NULL
146 || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) {
147 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
150 if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
154 * owf identifies the hash algorithm and associated parameters used to
155 * compute the key used in the MAC process. All implementations MUST
158 mdname = OBJ_nid2sn(OBJ_obj2nid(pbmp->owf->algorithm));
159 if ((owf = EVP_MD_fetch(libctx, mdname, propq)) == NULL) {
160 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
164 if ((ctx = EVP_MD_CTX_new()) == NULL)
167 /* compute the basekey of the salted secret */
168 if (!EVP_DigestInit_ex(ctx, owf, NULL))
170 /* first the secret */
171 if (!EVP_DigestUpdate(ctx, sec, seclen))
174 if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length))
176 if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
178 if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount)
179 || iterations < 100 /* min from RFC */
180 || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
181 ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT);
185 /* the first iteration was already done above */
186 while (--iterations > 0) {
187 if (!EVP_DigestInit_ex(ctx, owf, NULL))
189 if (!EVP_DigestUpdate(ctx, basekey, bklen))
191 if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
196 * mac identifies the algorithm and associated parameters of the MAC
197 * function to be used. All implementations MUST support HMAC-SHA1 [HMAC].
198 * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
200 mac_nid = OBJ_obj2nid(pbmp->mac->algorithm);
202 if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL)
203 || (mdname = OBJ_nid2sn(hmac_md_nid)) == NULL) {
204 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
208 macparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
210 if ((mac = EVP_MAC_fetch(libctx, "HMAC", propq)) == NULL
211 || (mctx = EVP_MAC_CTX_new(mac)) == NULL
212 || !EVP_MAC_CTX_set_params(mctx, macparams)
213 || !EVP_MAC_init(mctx, basekey, bklen, macparams)
214 || !EVP_MAC_update(mctx, msg, msglen)
215 || !EVP_MAC_final(mctx, mac_res, outlen, EVP_MAX_MD_SIZE))
221 OPENSSL_cleanse(basekey, bklen);
222 EVP_MAC_CTX_free(mctx);
225 EVP_MD_CTX_free(ctx);
232 OPENSSL_free(mac_res);
234 if (pbmp != NULL && pbmp->mac != NULL) {
237 if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0))
238 ERR_add_error_data(1, buf);