]>
Commit | Line | Data |
---|---|---|
1 | /** | |
2 | * \file pkcs5.c | |
3 | * | |
4 | * \brief PKCS#5 functions | |
5 | * | |
6 | * \author Mathias Olsson <mathias@kompetensum.com> | |
7 | * | |
8 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved | |
9 | * SPDX-License-Identifier: GPL-2.0 | |
10 | * | |
11 | * This program is free software; you can redistribute it and/or modify | |
12 | * it under the terms of the GNU General Public License as published by | |
13 | * the Free Software Foundation; either version 2 of the License, or | |
14 | * (at your option) any later version. | |
15 | * | |
16 | * This program is distributed in the hope that it will be useful, | |
17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
19 | * GNU General Public License for more details. | |
20 | * | |
21 | * You should have received a copy of the GNU General Public License along | |
22 | * with this program; if not, write to the Free Software Foundation, Inc., | |
23 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
24 | * | |
25 | * This file is part of mbed TLS (https://tls.mbed.org) | |
26 | */ | |
27 | /* | |
28 | * PKCS#5 includes PBKDF2 and more | |
29 | * | |
30 | * http://tools.ietf.org/html/rfc2898 (Specification) | |
31 | * http://tools.ietf.org/html/rfc6070 (Test vectors) | |
32 | */ | |
33 | ||
34 | #if !defined(MBEDTLS_CONFIG_FILE) | |
35 | #include "mbedtls/config.h" | |
36 | #else | |
37 | #include MBEDTLS_CONFIG_FILE | |
38 | #endif | |
39 | ||
40 | #if defined(MBEDTLS_PKCS5_C) | |
41 | ||
42 | #include "mbedtls/pkcs5.h" | |
43 | ||
44 | #if defined(MBEDTLS_ASN1_PARSE_C) | |
45 | #include "mbedtls/asn1.h" | |
46 | #include "mbedtls/cipher.h" | |
47 | #include "mbedtls/oid.h" | |
48 | #endif /* MBEDTLS_ASN1_PARSE_C */ | |
49 | ||
50 | #include <string.h> | |
51 | ||
52 | #if defined(MBEDTLS_PLATFORM_C) | |
53 | #include "mbedtls/platform.h" | |
54 | #else | |
55 | #include <stdio.h> | |
56 | #define mbedtls_printf printf | |
57 | #endif | |
58 | ||
59 | #if !defined(MBEDTLS_ASN1_PARSE_C) | |
60 | int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, | |
61 | const unsigned char *pwd, size_t pwdlen, | |
62 | const unsigned char *data, size_t datalen, | |
63 | unsigned char *output ) | |
64 | { | |
65 | ((void) pbe_params); | |
66 | ((void) mode); | |
67 | ((void) pwd); | |
68 | ((void) pwdlen); | |
69 | ((void) data); | |
70 | ((void) datalen); | |
71 | ((void) output); | |
72 | return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); | |
73 | } | |
74 | #else | |
75 | static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params, | |
76 | mbedtls_asn1_buf *salt, int *iterations, | |
77 | int *keylen, mbedtls_md_type_t *md_type ) | |
78 | { | |
79 | int ret; | |
80 | mbedtls_asn1_buf prf_alg_oid; | |
81 | unsigned char *p = params->p; | |
82 | const unsigned char *end = params->p + params->len; | |
83 | ||
84 | if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) | |
85 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + | |
86 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); | |
87 | /* | |
88 | * PBKDF2-params ::= SEQUENCE { | |
89 | * salt OCTET STRING, | |
90 | * iterationCount INTEGER, | |
91 | * keyLength INTEGER OPTIONAL | |
92 | * prf AlgorithmIdentifier DEFAULT algid-hmacWithSHA1 | |
93 | * } | |
94 | * | |
95 | */ | |
96 | if( ( ret = mbedtls_asn1_get_tag( &p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) | |
97 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret ); | |
98 | ||
99 | salt->p = p; | |
100 | p += salt->len; | |
101 | ||
102 | if( ( ret = mbedtls_asn1_get_int( &p, end, iterations ) ) != 0 ) | |
103 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret ); | |
104 | ||
105 | if( p == end ) | |
106 | return( 0 ); | |
107 | ||
108 | if( ( ret = mbedtls_asn1_get_int( &p, end, keylen ) ) != 0 ) | |
109 | { | |
110 | if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) | |
111 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret ); | |
112 | } | |
113 | ||
114 | if( p == end ) | |
115 | return( 0 ); | |
116 | ||
117 | if( ( ret = mbedtls_asn1_get_alg_null( &p, end, &prf_alg_oid ) ) != 0 ) | |
118 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret ); | |
119 | ||
120 | if( mbedtls_oid_get_md_hmac( &prf_alg_oid, md_type ) != 0 ) | |
121 | return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); | |
122 | ||
123 | if( p != end ) | |
124 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + | |
125 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); | |
126 | ||
127 | return( 0 ); | |
128 | } | |
129 | ||
130 | int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, | |
131 | const unsigned char *pwd, size_t pwdlen, | |
132 | const unsigned char *data, size_t datalen, | |
133 | unsigned char *output ) | |
134 | { | |
135 | int ret, iterations = 0, keylen = 0; | |
136 | unsigned char *p, *end; | |
137 | mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params; | |
138 | mbedtls_asn1_buf salt; | |
139 | mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1; | |
140 | unsigned char key[32], iv[32]; | |
141 | size_t olen = 0; | |
142 | const mbedtls_md_info_t *md_info; | |
143 | const mbedtls_cipher_info_t *cipher_info; | |
144 | mbedtls_md_context_t md_ctx; | |
145 | mbedtls_cipher_type_t cipher_alg; | |
146 | mbedtls_cipher_context_t cipher_ctx; | |
147 | ||
148 | p = pbe_params->p; | |
149 | end = p + pbe_params->len; | |
150 | ||
151 | /* | |
152 | * PBES2-params ::= SEQUENCE { | |
153 | * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, | |
154 | * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} | |
155 | * } | |
156 | */ | |
157 | if( pbe_params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) | |
158 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + | |
159 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); | |
160 | ||
161 | if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid, &kdf_alg_params ) ) != 0 ) | |
162 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret ); | |
163 | ||
164 | // Only PBKDF2 supported at the moment | |
165 | // | |
166 | if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid ) != 0 ) | |
167 | return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); | |
168 | ||
169 | if( ( ret = pkcs5_parse_pbkdf2_params( &kdf_alg_params, | |
170 | &salt, &iterations, &keylen, | |
171 | &md_type ) ) != 0 ) | |
172 | { | |
173 | return( ret ); | |
174 | } | |
175 | ||
176 | md_info = mbedtls_md_info_from_type( md_type ); | |
177 | if( md_info == NULL ) | |
178 | return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); | |
179 | ||
180 | if( ( ret = mbedtls_asn1_get_alg( &p, end, &enc_scheme_oid, | |
181 | &enc_scheme_params ) ) != 0 ) | |
182 | { | |
183 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret ); | |
184 | } | |
185 | ||
186 | if( mbedtls_oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 ) | |
187 | return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); | |
188 | ||
189 | cipher_info = mbedtls_cipher_info_from_type( cipher_alg ); | |
190 | if( cipher_info == NULL ) | |
191 | return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); | |
192 | ||
193 | /* | |
194 | * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored | |
195 | * since it is optional and we don't know if it was set or not | |
196 | */ | |
197 | keylen = cipher_info->key_bitlen / 8; | |
198 | ||
199 | if( enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING || | |
200 | enc_scheme_params.len != cipher_info->iv_size ) | |
201 | { | |
202 | return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT ); | |
203 | } | |
204 | ||
205 | mbedtls_md_init( &md_ctx ); | |
206 | mbedtls_cipher_init( &cipher_ctx ); | |
207 | ||
208 | memcpy( iv, enc_scheme_params.p, enc_scheme_params.len ); | |
209 | ||
210 | if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) | |
211 | goto exit; | |
212 | ||
213 | if( ( ret = mbedtls_pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len, | |
214 | iterations, keylen, key ) ) != 0 ) | |
215 | { | |
216 | goto exit; | |
217 | } | |
218 | ||
219 | if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 ) | |
220 | goto exit; | |
221 | ||
222 | if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 ) | |
223 | goto exit; | |
224 | ||
225 | if( ( ret = mbedtls_cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len, | |
226 | data, datalen, output, &olen ) ) != 0 ) | |
227 | ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH; | |
228 | ||
229 | exit: | |
230 | mbedtls_md_free( &md_ctx ); | |
231 | mbedtls_cipher_free( &cipher_ctx ); | |
232 | ||
233 | return( ret ); | |
234 | } | |
235 | #endif /* MBEDTLS_ASN1_PARSE_C */ | |
236 | ||
237 | int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password, | |
238 | size_t plen, const unsigned char *salt, size_t slen, | |
239 | unsigned int iteration_count, | |
240 | uint32_t key_length, unsigned char *output ) | |
241 | { | |
242 | int ret, j; | |
243 | unsigned int i; | |
244 | unsigned char md1[MBEDTLS_MD_MAX_SIZE]; | |
245 | unsigned char work[MBEDTLS_MD_MAX_SIZE]; | |
246 | unsigned char md_size = mbedtls_md_get_size( ctx->md_info ); | |
247 | size_t use_len; | |
248 | unsigned char *out_p = output; | |
249 | unsigned char counter[4]; | |
250 | ||
251 | memset( counter, 0, 4 ); | |
252 | counter[3] = 1; | |
253 | ||
254 | #if UINT_MAX > 0xFFFFFFFF | |
255 | if( iteration_count > 0xFFFFFFFF ) | |
256 | return( MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA ); | |
257 | #endif | |
258 | ||
259 | while( key_length ) | |
260 | { | |
261 | // U1 ends up in work | |
262 | // | |
263 | if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 ) | |
264 | return( ret ); | |
265 | ||
266 | if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 ) | |
267 | return( ret ); | |
268 | ||
269 | if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 ) | |
270 | return( ret ); | |
271 | ||
272 | if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 ) | |
273 | return( ret ); | |
274 | ||
275 | memcpy( md1, work, md_size ); | |
276 | ||
277 | for( i = 1; i < iteration_count; i++ ) | |
278 | { | |
279 | // U2 ends up in md1 | |
280 | // | |
281 | if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 ) | |
282 | return( ret ); | |
283 | ||
284 | if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 ) | |
285 | return( ret ); | |
286 | ||
287 | if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 ) | |
288 | return( ret ); | |
289 | ||
290 | // U1 xor U2 | |
291 | // | |
292 | for( j = 0; j < md_size; j++ ) | |
293 | work[j] ^= md1[j]; | |
294 | } | |
295 | ||
296 | use_len = ( key_length < md_size ) ? key_length : md_size; | |
297 | memcpy( out_p, work, use_len ); | |
298 | ||
299 | key_length -= (uint32_t) use_len; | |
300 | out_p += use_len; | |
301 | ||
302 | for( i = 4; i > 0; i-- ) | |
303 | if( ++counter[i - 1] != 0 ) | |
304 | break; | |
305 | } | |
306 | ||
307 | return( 0 ); | |
308 | } | |
309 | ||
310 | #if defined(MBEDTLS_SELF_TEST) | |
311 | ||
312 | #if !defined(MBEDTLS_SHA1_C) | |
313 | int mbedtls_pkcs5_self_test( int verbose ) | |
314 | { | |
315 | if( verbose != 0 ) | |
316 | mbedtls_printf( " PBKDF2 (SHA1): skipped\n\n" ); | |
317 | ||
318 | return( 0 ); | |
319 | } | |
320 | #else | |
321 | ||
322 | #define MAX_TESTS 6 | |
323 | ||
324 | static const size_t plen[MAX_TESTS] = | |
325 | { 8, 8, 8, 24, 9 }; | |
326 | ||
327 | static const unsigned char password[MAX_TESTS][32] = | |
328 | { | |
329 | "password", | |
330 | "password", | |
331 | "password", | |
332 | "passwordPASSWORDpassword", | |
333 | "pass\0word", | |
334 | }; | |
335 | ||
336 | static const size_t slen[MAX_TESTS] = | |
337 | { 4, 4, 4, 36, 5 }; | |
338 | ||
339 | static const unsigned char salt[MAX_TESTS][40] = | |
340 | { | |
341 | "salt", | |
342 | "salt", | |
343 | "salt", | |
344 | "saltSALTsaltSALTsaltSALTsaltSALTsalt", | |
345 | "sa\0lt", | |
346 | }; | |
347 | ||
348 | static const uint32_t it_cnt[MAX_TESTS] = | |
349 | { 1, 2, 4096, 4096, 4096 }; | |
350 | ||
351 | static const uint32_t key_len[MAX_TESTS] = | |
352 | { 20, 20, 20, 25, 16 }; | |
353 | ||
354 | static const unsigned char result_key[MAX_TESTS][32] = | |
355 | { | |
356 | { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71, | |
357 | 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06, | |
358 | 0x2f, 0xe0, 0x37, 0xa6 }, | |
359 | { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c, | |
360 | 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0, | |
361 | 0xd8, 0xde, 0x89, 0x57 }, | |
362 | { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a, | |
363 | 0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0, | |
364 | 0x65, 0xa4, 0x29, 0xc1 }, | |
365 | { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b, | |
366 | 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a, | |
367 | 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70, | |
368 | 0x38 }, | |
369 | { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d, | |
370 | 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 }, | |
371 | }; | |
372 | ||
373 | int mbedtls_pkcs5_self_test( int verbose ) | |
374 | { | |
375 | mbedtls_md_context_t sha1_ctx; | |
376 | const mbedtls_md_info_t *info_sha1; | |
377 | int ret, i; | |
378 | unsigned char key[64]; | |
379 | ||
380 | mbedtls_md_init( &sha1_ctx ); | |
381 | ||
382 | info_sha1 = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ); | |
383 | if( info_sha1 == NULL ) | |
384 | { | |
385 | ret = 1; | |
386 | goto exit; | |
387 | } | |
388 | ||
389 | if( ( ret = mbedtls_md_setup( &sha1_ctx, info_sha1, 1 ) ) != 0 ) | |
390 | { | |
391 | ret = 1; | |
392 | goto exit; | |
393 | } | |
394 | ||
395 | for( i = 0; i < MAX_TESTS; i++ ) | |
396 | { | |
397 | if( verbose != 0 ) | |
398 | mbedtls_printf( " PBKDF2 (SHA1) #%d: ", i ); | |
399 | ||
400 | ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i], | |
401 | slen[i], it_cnt[i], key_len[i], key ); | |
402 | if( ret != 0 || | |
403 | memcmp( result_key[i], key, key_len[i] ) != 0 ) | |
404 | { | |
405 | if( verbose != 0 ) | |
406 | mbedtls_printf( "failed\n" ); | |
407 | ||
408 | ret = 1; | |
409 | goto exit; | |
410 | } | |
411 | ||
412 | if( verbose != 0 ) | |
413 | mbedtls_printf( "passed\n" ); | |
414 | } | |
415 | ||
416 | if( verbose != 0 ) | |
417 | mbedtls_printf( "\n" ); | |
418 | ||
419 | exit: | |
420 | mbedtls_md_free( &sha1_ctx ); | |
421 | ||
422 | return( ret ); | |
423 | } | |
424 | #endif /* MBEDTLS_SHA1_C */ | |
425 | ||
426 | #endif /* MBEDTLS_SELF_TEST */ | |
427 | ||
428 | #endif /* MBEDTLS_PKCS5_C */ |