blob: a36352916c25fb04216e7c9beac0f6b913aef066 [file] [log] [blame]
Paul Bakkerb0c19a42013-06-24 19:26:38 +02001/**
2 * \file pkcs5.c
3 *
4 * \brief PKCS#5 functions
5 *
6 * \author Mathias Olsson <mathias@kompetensum.com>
7 *
8 * Copyright (C) 2006-2013, Brainspark B.V.
9 *
10 * This file is part of PolarSSL (http://www.polarssl.org)
11 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
12 *
13 * All rights reserved.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License along
26 * with this program; if not, write to the Free Software Foundation, Inc.,
27 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 */
29/*
30 * PKCS#5 includes PBKDF2 and more
31 *
32 * http://tools.ietf.org/html/rfc2898 (Specification)
33 * http://tools.ietf.org/html/rfc6070 (Test vectors)
34 */
35
36#include "polarssl/config.h"
37
38#if defined(POLARSSL_PKCS5_C)
39
40#include "polarssl/pkcs5.h"
Paul Bakker28144de2013-06-24 19:28:55 +020041#include "polarssl/asn1.h"
42#include "polarssl/cipher.h"
Paul Bakker9b5e8852013-06-28 16:12:50 +020043#include "polarssl/oid.h"
Paul Bakker28144de2013-06-24 19:28:55 +020044
Paul Bakkerf8d018a2013-06-29 12:16:17 +020045static int pkcs5_parse_pbkdf2_params( asn1_buf *params,
Paul Bakker28144de2013-06-24 19:28:55 +020046 asn1_buf *salt, int *iterations,
47 int *keylen, md_type_t *md_type )
48{
49 int ret;
Paul Bakker28144de2013-06-24 19:28:55 +020050 asn1_buf prf_alg_oid;
Paul Bakkerf8d018a2013-06-29 12:16:17 +020051 unsigned char **p = &params->p;
52 const unsigned char *end = params->p + params->len;
Paul Bakker28144de2013-06-24 19:28:55 +020053
Paul Bakkerf8d018a2013-06-29 12:16:17 +020054 if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
55 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT +
56 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker28144de2013-06-24 19:28:55 +020057 /*
58 * PBKDF2-params ::= SEQUENCE {
59 * salt OCTET STRING,
60 * iterationCount INTEGER,
61 * keyLength INTEGER OPTIONAL
62 * prf AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
63 * }
64 *
65 */
Paul Bakker28144de2013-06-24 19:28:55 +020066 if( ( ret = asn1_get_tag( p, end, &salt->len, ASN1_OCTET_STRING ) ) != 0 )
67 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
68
69 salt->p = *p;
70 *p += salt->len;
71
72 if( ( ret = asn1_get_int( p, end, iterations ) ) != 0 )
73 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
74
75 if( *p == end )
76 return( 0 );
77
78 if( ( ret = asn1_get_int( p, end, keylen ) ) != 0 )
79 {
80 if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
81 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
82 }
83
84 if( *p == end )
85 return( 0 );
86
Paul Bakkerf8d018a2013-06-29 12:16:17 +020087 if( ( ret = asn1_get_alg_null( p, end, &prf_alg_oid ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +020088 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
89
90 if( !OID_CMP( OID_HMAC_SHA1, &prf_alg_oid ) )
91 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
92
93 *md_type = POLARSSL_MD_SHA1;
94
95 if( *p != end )
96 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT +
97 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
98
99 return( 0 );
100}
101
102int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
103 const unsigned char *pwd, size_t pwdlen,
104 const unsigned char *data, size_t datalen,
105 unsigned char *output )
106{
107 int ret, iterations = 0, keylen = 0;
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200108 unsigned char *p, *end;
109 asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
110 asn1_buf salt;
Paul Bakker28144de2013-06-24 19:28:55 +0200111 md_type_t md_type = POLARSSL_MD_SHA1;
112 unsigned char key[32], iv[32];
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200113 size_t olen = 0;
Paul Bakker28144de2013-06-24 19:28:55 +0200114 const md_info_t *md_info;
115 const cipher_info_t *cipher_info;
116 md_context_t md_ctx;
Paul Bakker9b5e8852013-06-28 16:12:50 +0200117 cipher_type_t cipher_alg;
Paul Bakker28144de2013-06-24 19:28:55 +0200118 cipher_context_t cipher_ctx;
119
120 p = pbe_params->p;
121 end = p + pbe_params->len;
122
123 /*
124 * PBES2-params ::= SEQUENCE {
125 * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
126 * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
127 * }
128 */
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200129 if( pbe_params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
130 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT +
131 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
132
133 if( ( ret = asn1_get_alg( &p, end, &kdf_alg_oid, &kdf_alg_params ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +0200134 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
Paul Bakker28144de2013-06-24 19:28:55 +0200135
136 // Only PBKDF2 supported at the moment
137 //
138 if( !OID_CMP( OID_PKCS5_PBKDF2, &kdf_alg_oid ) )
139 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
140
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200141 if( ( ret = pkcs5_parse_pbkdf2_params( &kdf_alg_params,
Paul Bakker28144de2013-06-24 19:28:55 +0200142 &salt, &iterations, &keylen,
143 &md_type ) ) != 0 )
144 {
145 return( ret );
146 }
147
148 md_info = md_info_from_type( md_type );
149 if( md_info == NULL )
150 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
151
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200152 if( ( ret = asn1_get_alg( &p, end, &enc_scheme_oid, &enc_scheme_params ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +0200153 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
Paul Bakker28144de2013-06-24 19:28:55 +0200154
Paul Bakker9b5e8852013-06-28 16:12:50 +0200155 if ( oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +0200156 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
157
Paul Bakker9b5e8852013-06-28 16:12:50 +0200158 cipher_info = cipher_info_from_type( cipher_alg );
Paul Bakker28144de2013-06-24 19:28:55 +0200159 if( cipher_info == NULL )
160 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
161
162 keylen = cipher_info->key_length / 8;
163
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200164 if( enc_scheme_params.tag != ASN1_OCTET_STRING ||
165 enc_scheme_params.len != cipher_info->iv_size )
166 {
Paul Bakker28144de2013-06-24 19:28:55 +0200167 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT );
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200168 }
Paul Bakker28144de2013-06-24 19:28:55 +0200169
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200170 memcpy( iv, enc_scheme_params.p, enc_scheme_params.len );
Paul Bakker28144de2013-06-24 19:28:55 +0200171
172 if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
173 return( ret );
174
175 if( ( ret = cipher_init_ctx( &cipher_ctx, cipher_info ) ) != 0 )
176 return( ret );
177
178 if ( ( ret = pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
179 iterations, keylen, key ) ) != 0 )
180 {
181 return( ret );
182 }
183
184 if( ( ret = cipher_setkey( &cipher_ctx, key, keylen, mode ) ) != 0 )
185 return( ret );
186
187 if( ( ret = cipher_reset( &cipher_ctx, iv ) ) != 0 )
188 return( ret );
189
190 if( ( ret = cipher_update( &cipher_ctx, data, datalen,
191 output, &olen ) ) != 0 )
192 {
193 return( ret );
194 }
195
196 if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 )
197 return( POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH );
198
199 return( 0 );
200}
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200201
202int pkcs5_pbkdf2_hmac( md_context_t *ctx, const unsigned char *password,
203 size_t plen, const unsigned char *salt, size_t slen,
204 unsigned int iteration_count,
205 uint32_t key_length, unsigned char *output )
206{
207 int ret, j;
208 unsigned int i;
209 unsigned char md1[POLARSSL_MD_MAX_SIZE];
210 unsigned char work[POLARSSL_MD_MAX_SIZE];
211 unsigned char md_size = md_get_size( ctx->md_info );
212 size_t use_len;
213 unsigned char *out_p = output;
214 unsigned char counter[4];
215
216 memset( counter, 0, 4 );
217 counter[3] = 1;
218
219 if( iteration_count > 0xFFFFFFFF )
220 return( POLARSSL_ERR_PKCS5_BAD_INPUT_DATA );
221
222 while( key_length )
223 {
224 // U1 ends up in work
225 //
226 if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 )
227 return( ret );
228
229 if( ( ret = md_hmac_update( ctx, salt, slen ) ) != 0 )
230 return( ret );
231
232 if( ( ret = md_hmac_update( ctx, counter, 4 ) ) != 0 )
233 return( ret );
234
235 if( ( ret = md_hmac_finish( ctx, work ) ) != 0 )
236 return( ret );
237
238 memcpy( md1, work, md_size );
239
240 for ( i = 1; i < iteration_count; i++ )
241 {
242 // U2 ends up in md1
243 //
244 if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 )
245 return( ret );
246
247 if( ( ret = md_hmac_update( ctx, md1, md_size ) ) != 0 )
248 return( ret );
249
250 if( ( ret = md_hmac_finish( ctx, md1 ) ) != 0 )
251 return( ret );
252
253 // U1 xor U2
254 //
255 for( j = 0; j < md_size; j++ )
256 work[j] ^= md1[j];
257 }
258
259 use_len = ( key_length < md_size ) ? key_length : md_size;
260 memcpy( out_p, work, use_len );
261
262 key_length -= use_len;
263 out_p += use_len;
264
265 for( i = 4; i > 0; i-- )
266 if( ++counter[i - 1] != 0 )
267 break;
268 }
269
270 return( 0 );
271}
272
273#if defined(POLARSSL_SELF_TEST)
274
275#include <stdio.h>
276
277#define MAX_TESTS 6
278
279size_t plen[MAX_TESTS] =
280 { 8, 8, 8, 8, 24, 9 };
281
282unsigned char password[MAX_TESTS][32] =
283{
284 "password",
285 "password",
286 "password",
287 "password",
288 "passwordPASSWORDpassword",
289 "pass\0word",
290};
291
292size_t slen[MAX_TESTS] =
293 { 4, 4, 4, 4, 36, 5 };
294
295unsigned char salt[MAX_TESTS][40] =
296{
297 "salt",
298 "salt",
299 "salt",
300 "salt",
301 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
302 "sa\0lt",
303};
304
305uint32_t it_cnt[MAX_TESTS] =
306 { 1, 2, 4096, 16777216, 4096, 4096 };
307
308uint32_t key_len[MAX_TESTS] =
309 { 20, 20, 20, 20, 25, 16 };
310
311
312unsigned char result_key[MAX_TESTS][32] =
313{
314 { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
315 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
316 0x2f, 0xe0, 0x37, 0xa6 },
317 { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
318 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
319 0xd8, 0xde, 0x89, 0x57 },
320 { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
321 0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
322 0x65, 0xa4, 0x29, 0xc1 },
323 { 0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4,
324 0xe9, 0x94, 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c,
325 0x26, 0x34, 0xe9, 0x84 },
326 { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
327 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
328 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
329 0x38 },
330 { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
331 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
332};
333
334int pkcs5_self_test( int verbose )
335{
336 md_context_t sha1_ctx;
337 const md_info_t *info_sha1;
338 int ret, i;
339 unsigned char key[64];
340
341 info_sha1 = md_info_from_type( POLARSSL_MD_SHA1 );
342 if( info_sha1 == NULL )
343 return( 1 );
344
345 if( ( ret = md_init_ctx( &sha1_ctx, info_sha1 ) ) != 0 )
346 return( 1 );
347
348 for( i = 0; i < MAX_TESTS; i++ )
349 {
350 printf( " PBKDF2 (SHA1) #%d: ", i );
351
352 ret = pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i],
353 slen[i], it_cnt[i], key_len[i], key );
354 if( ret != 0 ||
355 memcmp( result_key[i], key, key_len[i] ) != 0 )
356 {
357 if( verbose != 0 )
358 printf( "failed\n" );
359
360 return( 1 );
361 }
362
363 if( verbose != 0 )
364 printf( "passed\n" );
365 }
366
367 printf( "\n" );
368
369 return( 0 );
370}
371
372#endif /* POLARSSL_SELF_TEST */
373
374#endif /* POLARSSL_PKCS5_C */