1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 2 * project 1999-2004. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). */ 55 56 #include <openssl/pkcs8.h> 57 58 #include <limits.h> 59 #include <string.h> 60 61 #include <openssl/bytestring.h> 62 #include <openssl/cipher.h> 63 #include <openssl/err.h> 64 #include <openssl/mem.h> 65 #include <openssl/nid.h> 66 #include <openssl/rand.h> 67 68 #include "internal.h" 69 #include "../internal.h" 70 71 72 // 1.2.840.113549.1.5.12 73 static const uint8_t kPBKDF2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 74 0x0d, 0x01, 0x05, 0x0c}; 75 76 // 1.2.840.113549.1.5.13 77 static const uint8_t kPBES2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 78 0x0d, 0x01, 0x05, 0x0d}; 79 80 // 1.2.840.113549.2.7 81 static const uint8_t kHMACWithSHA1[] = {0x2a, 0x86, 0x48, 0x86, 82 0xf7, 0x0d, 0x02, 0x07}; 83 84 static const struct { 85 uint8_t oid[9]; 86 uint8_t oid_len; 87 int nid; 88 const EVP_CIPHER *(*cipher_func)(void); 89 } kCipherOIDs[] = { 90 // 1.2.840.113549.3.2 91 {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x02}, 92 8, 93 NID_rc2_cbc, 94 &EVP_rc2_cbc}, 95 // 1.2.840.113549.3.7 96 {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07}, 97 8, 98 NID_des_ede3_cbc, 99 &EVP_des_ede3_cbc}, 100 // 2.16.840.1.101.3.4.1.2 101 {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02}, 102 9, 103 NID_aes_128_cbc, 104 &EVP_aes_128_cbc}, 105 // 2.16.840.1.101.3.4.1.22 106 {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16}, 107 9, 108 NID_aes_192_cbc, 109 &EVP_aes_192_cbc}, 110 // 2.16.840.1.101.3.4.1.42 111 {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a}, 112 9, 113 NID_aes_256_cbc, 114 &EVP_aes_256_cbc}, 115 }; 116 117 static const EVP_CIPHER *cbs_to_cipher(const CBS *cbs) { 118 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCipherOIDs); i++) { 119 if (CBS_mem_equal(cbs, kCipherOIDs[i].oid, kCipherOIDs[i].oid_len)) { 120 return kCipherOIDs[i].cipher_func(); 121 } 122 } 123 124 return NULL; 125 } 126 127 static int add_cipher_oid(CBB *out, int nid) { 128 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCipherOIDs); i++) { 129 if (kCipherOIDs[i].nid == nid) { 130 CBB child; 131 return CBB_add_asn1(out, &child, CBS_ASN1_OBJECT) && 132 CBB_add_bytes(&child, kCipherOIDs[i].oid, 133 kCipherOIDs[i].oid_len) && 134 CBB_flush(out); 135 } 136 } 137 138 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_CIPHER); 139 return 0; 140 } 141 142 static int pkcs5_pbe2_cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 143 unsigned iterations, const char *pass, 144 size_t pass_len, const uint8_t *salt, 145 size_t salt_len, const uint8_t *iv, 146 size_t iv_len, int enc) { 147 if (iv_len != EVP_CIPHER_iv_length(cipher)) { 148 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ERROR_SETTING_CIPHER_PARAMS); 149 return 0; 150 } 151 152 uint8_t key[EVP_MAX_KEY_LENGTH]; 153 int ret = PKCS5_PBKDF2_HMAC_SHA1(pass, pass_len, salt, salt_len, iterations, 154 EVP_CIPHER_key_length(cipher), key) && 155 EVP_CipherInit_ex(ctx, cipher, NULL /* engine */, key, iv, enc); 156 OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); 157 return ret; 158 } 159 160 int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, 161 const EVP_CIPHER *cipher, unsigned iterations, 162 const char *pass, size_t pass_len, 163 const uint8_t *salt, size_t salt_len) { 164 int cipher_nid = EVP_CIPHER_nid(cipher); 165 if (cipher_nid == NID_undef) { 166 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER); 167 return 0; 168 } 169 170 // Generate a random IV. 171 uint8_t iv[EVP_MAX_IV_LENGTH]; 172 if (!RAND_bytes(iv, EVP_CIPHER_iv_length(cipher))) { 173 return 0; 174 } 175 176 // See RFC 2898, appendix A. 177 CBB algorithm, oid, param, kdf, kdf_oid, kdf_param, salt_cbb, cipher_cbb, 178 iv_cbb; 179 if (!CBB_add_asn1(out, &algorithm, CBS_ASN1_SEQUENCE) || 180 !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) || 181 !CBB_add_bytes(&oid, kPBES2, sizeof(kPBES2)) || 182 !CBB_add_asn1(&algorithm, ¶m, CBS_ASN1_SEQUENCE) || 183 !CBB_add_asn1(¶m, &kdf, CBS_ASN1_SEQUENCE) || 184 !CBB_add_asn1(&kdf, &kdf_oid, CBS_ASN1_OBJECT) || 185 !CBB_add_bytes(&kdf_oid, kPBKDF2, sizeof(kPBKDF2)) || 186 !CBB_add_asn1(&kdf, &kdf_param, CBS_ASN1_SEQUENCE) || 187 !CBB_add_asn1(&kdf_param, &salt_cbb, CBS_ASN1_OCTETSTRING) || 188 !CBB_add_bytes(&salt_cbb, salt, salt_len) || 189 !CBB_add_asn1_uint64(&kdf_param, iterations) || 190 // Specify a key length for RC2. 191 (cipher_nid == NID_rc2_cbc && 192 !CBB_add_asn1_uint64(&kdf_param, EVP_CIPHER_key_length(cipher))) || 193 // Omit the PRF. We use the default hmacWithSHA1. 194 !CBB_add_asn1(¶m, &cipher_cbb, CBS_ASN1_SEQUENCE) || 195 !add_cipher_oid(&cipher_cbb, cipher_nid) || 196 // RFC 2898 says RC2-CBC and RC5-CBC-Pad use a SEQUENCE with version and 197 // IV, but OpenSSL always uses an OCTET STRING IV, so we do the same. 198 !CBB_add_asn1(&cipher_cbb, &iv_cbb, CBS_ASN1_OCTETSTRING) || 199 !CBB_add_bytes(&iv_cbb, iv, EVP_CIPHER_iv_length(cipher)) || 200 !CBB_flush(out)) { 201 return 0; 202 } 203 204 return pkcs5_pbe2_cipher_init(ctx, cipher, iterations, pass, pass_len, salt, 205 salt_len, iv, EVP_CIPHER_iv_length(cipher), 206 1 /* encrypt */); 207 } 208 209 int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx, 210 const char *pass, size_t pass_len, CBS *param) { 211 CBS pbe_param, kdf, kdf_obj, enc_scheme, enc_obj; 212 if (!CBS_get_asn1(param, &pbe_param, CBS_ASN1_SEQUENCE) || 213 CBS_len(param) != 0 || 214 !CBS_get_asn1(&pbe_param, &kdf, CBS_ASN1_SEQUENCE) || 215 !CBS_get_asn1(&pbe_param, &enc_scheme, CBS_ASN1_SEQUENCE) || 216 CBS_len(&pbe_param) != 0 || 217 !CBS_get_asn1(&kdf, &kdf_obj, CBS_ASN1_OBJECT) || 218 !CBS_get_asn1(&enc_scheme, &enc_obj, CBS_ASN1_OBJECT)) { 219 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 220 return 0; 221 } 222 223 // Only PBKDF2 is supported. 224 if (!CBS_mem_equal(&kdf_obj, kPBKDF2, sizeof(kPBKDF2))) { 225 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION); 226 return 0; 227 } 228 229 // See if we recognise the encryption algorithm. 230 const EVP_CIPHER *cipher = cbs_to_cipher(&enc_obj); 231 if (cipher == NULL) { 232 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_CIPHER); 233 return 0; 234 } 235 236 // Parse the KDF parameters. See RFC 8018, appendix A.2. 237 CBS pbkdf2_params, salt; 238 uint64_t iterations; 239 if (!CBS_get_asn1(&kdf, &pbkdf2_params, CBS_ASN1_SEQUENCE) || 240 CBS_len(&kdf) != 0 || 241 !CBS_get_asn1(&pbkdf2_params, &salt, CBS_ASN1_OCTETSTRING) || 242 !CBS_get_asn1_uint64(&pbkdf2_params, &iterations)) { 243 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 244 return 0; 245 } 246 247 if (iterations == 0 || iterations > UINT_MAX) { 248 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT); 249 return 0; 250 } 251 252 // The optional keyLength parameter, if present, must match the key length of 253 // the cipher. 254 if (CBS_peek_asn1_tag(&pbkdf2_params, CBS_ASN1_INTEGER)) { 255 uint64_t key_len; 256 if (!CBS_get_asn1_uint64(&pbkdf2_params, &key_len)) { 257 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 258 return 0; 259 } 260 261 if (key_len != EVP_CIPHER_key_length(cipher)) { 262 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_KEYLENGTH); 263 return 0; 264 } 265 } 266 267 if (CBS_len(&pbkdf2_params) != 0) { 268 CBS alg_id, prf; 269 if (!CBS_get_asn1(&pbkdf2_params, &alg_id, CBS_ASN1_SEQUENCE) || 270 !CBS_get_asn1(&alg_id, &prf, CBS_ASN1_OBJECT) || 271 CBS_len(&pbkdf2_params) != 0) { 272 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 273 return 0; 274 } 275 276 // We only support hmacWithSHA1. It is the DEFAULT, so DER requires it be 277 // omitted, but we match OpenSSL in tolerating it being present. 278 if (!CBS_mem_equal(&prf, kHMACWithSHA1, sizeof(kHMACWithSHA1))) { 279 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRF); 280 return 0; 281 } 282 283 // hmacWithSHA1 has a NULL parameter. 284 CBS null; 285 if (!CBS_get_asn1(&alg_id, &null, CBS_ASN1_NULL) || 286 CBS_len(&null) != 0 || 287 CBS_len(&alg_id) != 0) { 288 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 289 return 0; 290 } 291 } 292 293 // Parse the encryption scheme parameters. Note OpenSSL does not match the 294 // specification. Per RFC 2898, this should depend on the encryption scheme. 295 // In particular, RC2-CBC uses a SEQUENCE with version and IV. We align with 296 // OpenSSL. 297 CBS iv; 298 if (!CBS_get_asn1(&enc_scheme, &iv, CBS_ASN1_OCTETSTRING) || 299 CBS_len(&enc_scheme) != 0) { 300 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRF); 301 return 0; 302 } 303 304 return pkcs5_pbe2_cipher_init(ctx, cipher, (unsigned)iterations, pass, 305 pass_len, CBS_data(&salt), CBS_len(&salt), 306 CBS_data(&iv), CBS_len(&iv), 0 /* decrypt */); 307 } 308
