PolarSSL v1.2.11
pkcs5.c
Go to the documentation of this file.
1 
29 /*
30  * PKCS#5 includes PBKDF2 and more
31  *
32  * http://tools.ietf.org/html/rfc2898 (Specification)
33  * http://tools.ietf.org/html/rfc6070 (Test vectors)
34  */
35 
36 #include "polarssl/config.h"
37 
38 #if defined(POLARSSL_PKCS5_C)
39 
40 #include "polarssl/pkcs5.h"
41 #include "polarssl/asn1.h"
42 #include "polarssl/cipher.h"
43 
44 #define OID_CMP(oid_str, oid_buf) \
45  ( ( OID_SIZE(oid_str) == (oid_buf)->len ) && \
46  memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) == 0)
47 
48 static int pkcs5_parse_pbkdf2_params( unsigned char **p,
49  const unsigned char *end,
50  asn1_buf *salt, int *iterations,
51  int *keylen, md_type_t *md_type )
52 {
53  int ret;
54  size_t len = 0;
55  asn1_buf prf_alg_oid;
56 
57  /*
58  * PBKDF2-params ::= SEQUENCE {
59  * salt OCTET STRING,
60  * iterationCount INTEGER,
61  * keyLength INTEGER OPTIONAL
62  * prf AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
63  * }
64  *
65  */
66  if( ( ret = asn1_get_tag( p, end, &len,
67  ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
68  {
69  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
70  }
71 
72  end = *p + len;
73 
74  if( ( ret = asn1_get_tag( p, end, &salt->len, ASN1_OCTET_STRING ) ) != 0 )
75  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
76 
77  salt->p = *p;
78  *p += salt->len;
79 
80  if( ( ret = asn1_get_int( p, end, iterations ) ) != 0 )
81  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
82 
83  if( *p == end )
84  return( 0 );
85 
86  if( ( ret = asn1_get_int( p, end, keylen ) ) != 0 )
87  {
89  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
90  }
91 
92  if( *p == end )
93  return( 0 );
94 
95  if( ( ret = asn1_get_tag( p, end, &prf_alg_oid.len, ASN1_OID ) ) != 0 )
96  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
97 
98  if( !OID_CMP( OID_HMAC_SHA1, &prf_alg_oid ) )
100 
101  *md_type = POLARSSL_MD_SHA1;
102 
103  if( *p != end )
106 
107  return( 0 );
108 }
109 
110 int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
111  const unsigned char *pwd, size_t pwdlen,
112  const unsigned char *data, size_t datalen,
113  unsigned char *output )
114 {
115  int ret, iterations = 0, keylen = 0;
116  unsigned char *p, *end, *end2;
117  asn1_buf kdf_alg_oid, enc_scheme_oid, salt;
118  md_type_t md_type = POLARSSL_MD_SHA1;
119  unsigned char key[32], iv[32];
120  size_t len = 0, olen = 0;
121  const md_info_t *md_info;
122  const cipher_info_t *cipher_info;
123  md_context_t md_ctx;
124  cipher_context_t cipher_ctx;
125 
126  p = pbe_params->p;
127  end = p + pbe_params->len;
128 
129  /*
130  * PBES2-params ::= SEQUENCE {
131  * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
132  * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
133  * }
134  */
135  if( ( ret = asn1_get_tag( &p, end, &len,
136  ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
137  {
138  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
139  }
140 
141  if( ( ret = asn1_get_tag( &p, end, &len,
142  ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
143  {
144  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
145  }
146 
147  end2 = p + len;
148 
149  if( ( ret = asn1_get_tag( &p, end2, &kdf_alg_oid.len, ASN1_OID ) ) != 0 )
150  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
151 
152  kdf_alg_oid.p = p;
153  p += kdf_alg_oid.len;
154 
155  // Only PBKDF2 supported at the moment
156  //
157  if( !OID_CMP( OID_PKCS5_PBKDF2, &kdf_alg_oid ) )
159 
160  if( ( ret = pkcs5_parse_pbkdf2_params( &p, end2,
161  &salt, &iterations, &keylen,
162  &md_type ) ) != 0 )
163  {
164  return( ret );
165  }
166 
167  md_info = md_info_from_type( md_type );
168  if( md_info == NULL )
170 
171  if( ( ret = asn1_get_tag( &p, end, &len,
172  ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
173  {
174  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
175  }
176 
177  end2 = p + len;
178 
179  if( ( ret = asn1_get_tag( &p, end2, &enc_scheme_oid.len, ASN1_OID ) ) != 0 )
180  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
181 
182  enc_scheme_oid.p = p;
183  p += enc_scheme_oid.len;
184 
185 #if defined(POLARSSL_DES_C)
186  // Only DES-CBC and DES-EDE3-CBC supported at the moment
187  //
188  if( OID_CMP( OID_DES_EDE3_CBC, &enc_scheme_oid ) )
189  {
191  }
192  else if( OID_CMP( OID_DES_CBC, &enc_scheme_oid ) )
193  {
195  }
196  else
197 #endif /* POLARSSL_DES_C */
199 
200  if( cipher_info == NULL )
202 
203  keylen = cipher_info->key_length / 8;
204 
205  if( ( ret = asn1_get_tag( &p, end2, &len, ASN1_OCTET_STRING ) ) != 0 )
206  return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
207 
208  if( len != cipher_info->iv_size )
210 
211  memcpy( iv, p, len );
212 
213  if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
214  return( ret );
215 
216  if( ( ret = cipher_init_ctx( &cipher_ctx, cipher_info ) ) != 0 )
217  return( ret );
218 
219  if ( ( ret = pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
220  iterations, keylen, key ) ) != 0 )
221  {
222  return( ret );
223  }
224 
225  if( ( ret = cipher_setkey( &cipher_ctx, key, keylen, mode ) ) != 0 )
226  return( ret );
227 
228  if( ( ret = cipher_reset( &cipher_ctx, iv ) ) != 0 )
229  return( ret );
230 
231  if( ( ret = cipher_update( &cipher_ctx, data, datalen,
232  output, &olen ) ) != 0 )
233  {
234  return( ret );
235  }
236 
237  if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 )
239 
240  return( 0 );
241 }
242 
243 int pkcs5_pbkdf2_hmac( md_context_t *ctx, const unsigned char *password,
244  size_t plen, const unsigned char *salt, size_t slen,
245  unsigned int iteration_count,
246  uint32_t key_length, unsigned char *output )
247 {
248  int ret, j;
249  unsigned int i;
250  unsigned char md1[POLARSSL_MD_MAX_SIZE];
251  unsigned char work[POLARSSL_MD_MAX_SIZE];
252  unsigned char md_size = md_get_size( ctx->md_info );
253  size_t use_len;
254  unsigned char *out_p = output;
255  unsigned char counter[4];
256 
257  memset( counter, 0, 4 );
258  counter[3] = 1;
259 
260  if( iteration_count > 0xFFFFFFFF )
262 
263  while( key_length )
264  {
265  // U1 ends up in work
266  //
267  if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 )
268  return( ret );
269 
270  if( ( ret = md_hmac_update( ctx, salt, slen ) ) != 0 )
271  return( ret );
272 
273  if( ( ret = md_hmac_update( ctx, counter, 4 ) ) != 0 )
274  return( ret );
275 
276  if( ( ret = md_hmac_finish( ctx, work ) ) != 0 )
277  return( ret );
278 
279  memcpy( md1, work, md_size );
280 
281  for ( i = 1; i < iteration_count; i++ )
282  {
283  // U2 ends up in md1
284  //
285  if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 )
286  return( ret );
287 
288  if( ( ret = md_hmac_update( ctx, md1, md_size ) ) != 0 )
289  return( ret );
290 
291  if( ( ret = md_hmac_finish( ctx, md1 ) ) != 0 )
292  return( ret );
293 
294  // U1 xor U2
295  //
296  for( j = 0; j < md_size; j++ )
297  work[j] ^= md1[j];
298  }
299 
300  use_len = ( key_length < md_size ) ? key_length : md_size;
301  memcpy( out_p, work, use_len );
302 
303  key_length -= use_len;
304  out_p += use_len;
305 
306  for( i = 4; i > 0; i-- )
307  if( ++counter[i - 1] != 0 )
308  break;
309  }
310 
311  return( 0 );
312 }
313 
314 #if defined(POLARSSL_SELF_TEST)
315 
316 #include <stdio.h>
317 
318 #define MAX_TESTS 6
319 
320 size_t plen[MAX_TESTS] =
321  { 8, 8, 8, 8, 24, 9 };
322 
323 unsigned char password[MAX_TESTS][32] =
324 {
325  "password",
326  "password",
327  "password",
328  "password",
329  "passwordPASSWORDpassword",
330  "pass\0word",
331 };
332 
333 size_t slen[MAX_TESTS] =
334  { 4, 4, 4, 4, 36, 5 };
335 
336 unsigned char salt[MAX_TESTS][40] =
337 {
338  "salt",
339  "salt",
340  "salt",
341  "salt",
342  "saltSALTsaltSALTsaltSALTsaltSALTsalt",
343  "sa\0lt",
344 };
345 
346 uint32_t it_cnt[MAX_TESTS] =
347  { 1, 2, 4096, 16777216, 4096, 4096 };
348 
349 uint32_t key_len[MAX_TESTS] =
350  { 20, 20, 20, 20, 25, 16 };
351 
352 
353 unsigned char result_key[MAX_TESTS][32] =
354 {
355  { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
356  0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
357  0x2f, 0xe0, 0x37, 0xa6 },
358  { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
359  0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
360  0xd8, 0xde, 0x89, 0x57 },
361  { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
362  0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
363  0x65, 0xa4, 0x29, 0xc1 },
364  { 0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4,
365  0xe9, 0x94, 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c,
366  0x26, 0x34, 0xe9, 0x84 },
367  { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
368  0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
369  0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
370  0x38 },
371  { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
372  0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
373 };
374 
375 int pkcs5_self_test( int verbose )
376 {
377  md_context_t sha1_ctx;
378  const md_info_t *info_sha1;
379  int ret, i;
380  unsigned char key[64];
381 
382  info_sha1 = md_info_from_type( POLARSSL_MD_SHA1 );
383  if( info_sha1 == NULL )
384  return( 1 );
385 
386  if( ( ret = md_init_ctx( &sha1_ctx, info_sha1 ) ) != 0 )
387  return( 1 );
388 
389  for( i = 0; i < MAX_TESTS; i++ )
390  {
391  printf( " PBKDF2 (SHA1) #%d: ", i );
392 
393  ret = pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i],
394  slen[i], it_cnt[i], key_len[i], key );
395  if( ret != 0 ||
396  memcmp( result_key[i], key, key_len[i] ) != 0 )
397  {
398  if( verbose != 0 )
399  printf( "failed\n" );
400 
401  return( 1 );
402  }
403 
404  if( verbose != 0 )
405  printf( "passed\n" );
406  }
407 
408  printf( "\n" );
409 
410  return( 0 );
411 }
412 
413 #endif /* POLARSSL_SELF_TEST */
414 
415 #endif /* POLARSSL_PKCS5_C */