blob: ca740460b6643ec74c0d4df964e3f571898c20b4 [file] [log] [blame]
Paul Bakkerb0c19a42013-06-24 19:26:38 +02001/**
2 * \file pkcs5.c
3 *
4 * \brief PKCS#5 functions
5 *
6 * \author Mathias Olsson <mathias@kompetensum.com>
7 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +00008 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakkerb0c19a42013-06-24 19:26:38 +02009 *
Manuel Pégourié-Gonnard860b5162015-01-28 17:12:07 +000010 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakkerb0c19a42013-06-24 19:26:38 +020011 *
Paul Bakkerb0c19a42013-06-24 19:26:38 +020012 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License along
23 * with this program; if not, write to the Free Software Foundation, Inc.,
24 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 */
26/*
27 * PKCS#5 includes PBKDF2 and more
28 *
29 * http://tools.ietf.org/html/rfc2898 (Specification)
30 * http://tools.ietf.org/html/rfc6070 (Test vectors)
31 */
32
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020033#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakkerb0c19a42013-06-24 19:26:38 +020034#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020035#else
36#include POLARSSL_CONFIG_FILE
37#endif
Paul Bakkerb0c19a42013-06-24 19:26:38 +020038
39#if defined(POLARSSL_PKCS5_C)
40
41#include "polarssl/pkcs5.h"
Paul Bakker28144de2013-06-24 19:28:55 +020042#include "polarssl/asn1.h"
43#include "polarssl/cipher.h"
Paul Bakker9b5e8852013-06-28 16:12:50 +020044#include "polarssl/oid.h"
Paul Bakker28144de2013-06-24 19:28:55 +020045
Paul Bakker7dc4c442014-02-01 22:50:26 +010046#if defined(POLARSSL_PLATFORM_C)
47#include "polarssl/platform.h"
48#else
49#define polarssl_printf printf
50#endif
51
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020052static int pkcs5_parse_pbkdf2_params( const asn1_buf *params,
Paul Bakker28144de2013-06-24 19:28:55 +020053 asn1_buf *salt, int *iterations,
54 int *keylen, md_type_t *md_type )
55{
56 int ret;
Paul Bakker28144de2013-06-24 19:28:55 +020057 asn1_buf prf_alg_oid;
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020058 unsigned char *p = params->p;
Paul Bakkerf8d018a2013-06-29 12:16:17 +020059 const unsigned char *end = params->p + params->len;
Paul Bakker28144de2013-06-24 19:28:55 +020060
Paul Bakkerf8d018a2013-06-29 12:16:17 +020061 if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
62 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT +
63 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker28144de2013-06-24 19:28:55 +020064 /*
65 * PBKDF2-params ::= SEQUENCE {
66 * salt OCTET STRING,
67 * iterationCount INTEGER,
68 * keyLength INTEGER OPTIONAL
69 * prf AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
70 * }
71 *
72 */
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020073 if( ( ret = asn1_get_tag( &p, end, &salt->len, ASN1_OCTET_STRING ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +020074 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
75
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020076 salt->p = p;
77 p += salt->len;
Paul Bakker28144de2013-06-24 19:28:55 +020078
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020079 if( ( ret = asn1_get_int( &p, end, iterations ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +020080 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
81
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020082 if( p == end )
Paul Bakker28144de2013-06-24 19:28:55 +020083 return( 0 );
84
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020085 if( ( ret = asn1_get_int( &p, end, keylen ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +020086 {
87 if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
88 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
89 }
90
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020091 if( p == end )
Paul Bakker28144de2013-06-24 19:28:55 +020092 return( 0 );
93
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +020094 if( ( ret = asn1_get_alg_null( &p, end, &prf_alg_oid ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +020095 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
96
97 if( !OID_CMP( OID_HMAC_SHA1, &prf_alg_oid ) )
98 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
99
100 *md_type = POLARSSL_MD_SHA1;
101
Manuel Pégourié-Gonnardedc3ab22014-06-12 17:08:27 +0200102 if( p != end )
Paul Bakker28144de2013-06-24 19:28:55 +0200103 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT +
104 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
105
106 return( 0 );
107}
108
109int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
110 const unsigned char *pwd, size_t pwdlen,
111 const unsigned char *data, size_t datalen,
112 unsigned char *output )
113{
114 int ret, iterations = 0, keylen = 0;
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200115 unsigned char *p, *end;
116 asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
117 asn1_buf salt;
Paul Bakker28144de2013-06-24 19:28:55 +0200118 md_type_t md_type = POLARSSL_MD_SHA1;
119 unsigned char key[32], iv[32];
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200120 size_t olen = 0;
Paul Bakker28144de2013-06-24 19:28:55 +0200121 const md_info_t *md_info;
122 const cipher_info_t *cipher_info;
123 md_context_t md_ctx;
Paul Bakker9b5e8852013-06-28 16:12:50 +0200124 cipher_type_t cipher_alg;
Paul Bakker28144de2013-06-24 19:28:55 +0200125 cipher_context_t cipher_ctx;
126
127 p = pbe_params->p;
128 end = p + pbe_params->len;
129
130 /*
131 * PBES2-params ::= SEQUENCE {
132 * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
133 * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
134 * }
135 */
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200136 if( pbe_params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
137 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT +
138 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
139
140 if( ( ret = asn1_get_alg( &p, end, &kdf_alg_oid, &kdf_alg_params ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +0200141 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
Paul Bakker28144de2013-06-24 19:28:55 +0200142
143 // Only PBKDF2 supported at the moment
144 //
145 if( !OID_CMP( OID_PKCS5_PBKDF2, &kdf_alg_oid ) )
146 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
147
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200148 if( ( ret = pkcs5_parse_pbkdf2_params( &kdf_alg_params,
Paul Bakker28144de2013-06-24 19:28:55 +0200149 &salt, &iterations, &keylen,
150 &md_type ) ) != 0 )
151 {
152 return( ret );
153 }
154
155 md_info = md_info_from_type( md_type );
156 if( md_info == NULL )
157 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
158
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200159 if( ( ret = asn1_get_alg( &p, end, &enc_scheme_oid,
160 &enc_scheme_params ) ) != 0 )
161 {
Paul Bakker28144de2013-06-24 19:28:55 +0200162 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200163 }
Paul Bakker28144de2013-06-24 19:28:55 +0200164
Paul Bakker66d5d072014-06-17 16:39:18 +0200165 if( oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +0200166 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
167
Paul Bakker9b5e8852013-06-28 16:12:50 +0200168 cipher_info = cipher_info_from_type( cipher_alg );
Paul Bakker28144de2013-06-24 19:28:55 +0200169 if( cipher_info == NULL )
170 return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
171
Manuel Pégourié-Gonnard66aca932014-06-12 13:14:55 +0200172 /*
173 * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
174 * since it is optional and we don't know if it was set or not
175 */
Paul Bakker28144de2013-06-24 19:28:55 +0200176 keylen = cipher_info->key_length / 8;
177
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200178 if( enc_scheme_params.tag != ASN1_OCTET_STRING ||
179 enc_scheme_params.len != cipher_info->iv_size )
180 {
Paul Bakker28144de2013-06-24 19:28:55 +0200181 return( POLARSSL_ERR_PKCS5_INVALID_FORMAT );
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200182 }
Paul Bakker28144de2013-06-24 19:28:55 +0200183
Paul Bakker84bbeb52014-07-01 14:53:22 +0200184 md_init( &md_ctx );
185 cipher_init( &cipher_ctx );
186
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200187 memcpy( iv, enc_scheme_params.p, enc_scheme_params.len );
Paul Bakker28144de2013-06-24 19:28:55 +0200188
189 if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
Paul Bakker46320832013-07-03 14:01:52 +0200190 goto exit;
Paul Bakker28144de2013-06-24 19:28:55 +0200191
Paul Bakker66d5d072014-06-17 16:39:18 +0200192 if( ( ret = pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
193 iterations, keylen, key ) ) != 0 )
Paul Bakker28144de2013-06-24 19:28:55 +0200194 {
Paul Bakker46320832013-07-03 14:01:52 +0200195 goto exit;
Paul Bakker28144de2013-06-24 19:28:55 +0200196 }
197
Paul Bakker46320832013-07-03 14:01:52 +0200198 if( ( ret = cipher_init_ctx( &cipher_ctx, cipher_info ) ) != 0 )
199 goto exit;
200
Manuel Pégourié-Gonnarddd0f57f2013-09-16 11:47:43 +0200201 if( ( ret = cipher_setkey( &cipher_ctx, key, 8 * keylen, mode ) ) != 0 )
Paul Bakker46320832013-07-03 14:01:52 +0200202 goto exit;
Paul Bakker28144de2013-06-24 19:28:55 +0200203
Manuel Pégourié-Gonnard90dac902014-06-12 17:04:24 +0200204 if( ( ret = cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len,
205 data, datalen, output, &olen ) ) != 0 )
Paul Bakker46320832013-07-03 14:01:52 +0200206 ret = POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH;
Paul Bakker28144de2013-06-24 19:28:55 +0200207
Paul Bakker46320832013-07-03 14:01:52 +0200208exit:
Paul Bakker84bbeb52014-07-01 14:53:22 +0200209 md_free( &md_ctx );
210 cipher_free( &cipher_ctx );
Paul Bakker46320832013-07-03 14:01:52 +0200211
212 return( ret );
Paul Bakker28144de2013-06-24 19:28:55 +0200213}
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200214
215int pkcs5_pbkdf2_hmac( md_context_t *ctx, const unsigned char *password,
216 size_t plen, const unsigned char *salt, size_t slen,
217 unsigned int iteration_count,
218 uint32_t key_length, unsigned char *output )
219{
220 int ret, j;
221 unsigned int i;
222 unsigned char md1[POLARSSL_MD_MAX_SIZE];
223 unsigned char work[POLARSSL_MD_MAX_SIZE];
224 unsigned char md_size = md_get_size( ctx->md_info );
225 size_t use_len;
226 unsigned char *out_p = output;
227 unsigned char counter[4];
228
229 memset( counter, 0, 4 );
230 counter[3] = 1;
231
232 if( iteration_count > 0xFFFFFFFF )
233 return( POLARSSL_ERR_PKCS5_BAD_INPUT_DATA );
234
235 while( key_length )
236 {
237 // U1 ends up in work
238 //
239 if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 )
240 return( ret );
241
242 if( ( ret = md_hmac_update( ctx, salt, slen ) ) != 0 )
243 return( ret );
244
245 if( ( ret = md_hmac_update( ctx, counter, 4 ) ) != 0 )
246 return( ret );
247
248 if( ( ret = md_hmac_finish( ctx, work ) ) != 0 )
249 return( ret );
250
251 memcpy( md1, work, md_size );
252
Paul Bakker66d5d072014-06-17 16:39:18 +0200253 for( i = 1; i < iteration_count; i++ )
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200254 {
255 // U2 ends up in md1
256 //
257 if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 )
258 return( ret );
259
260 if( ( ret = md_hmac_update( ctx, md1, md_size ) ) != 0 )
261 return( ret );
262
263 if( ( ret = md_hmac_finish( ctx, md1 ) ) != 0 )
264 return( ret );
265
266 // U1 xor U2
267 //
268 for( j = 0; j < md_size; j++ )
269 work[j] ^= md1[j];
270 }
271
272 use_len = ( key_length < md_size ) ? key_length : md_size;
273 memcpy( out_p, work, use_len );
274
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200275 key_length -= (uint32_t) use_len;
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200276 out_p += use_len;
277
278 for( i = 4; i > 0; i-- )
279 if( ++counter[i - 1] != 0 )
280 break;
281 }
282
283 return( 0 );
284}
285
286#if defined(POLARSSL_SELF_TEST)
287
Manuel Pégourié-Gonnard2a8afa92014-06-12 12:00:44 +0200288#if !defined(POLARSSL_SHA1_C)
289int pkcs5_self_test( int verbose )
290{
291 if( verbose != 0 )
292 polarssl_printf( " PBKDF2 (SHA1): skipped\n\n" );
293
294 return( 0 );
295}
296#else
297
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200298#include <stdio.h>
299
300#define MAX_TESTS 6
301
302size_t plen[MAX_TESTS] =
303 { 8, 8, 8, 8, 24, 9 };
304
305unsigned char password[MAX_TESTS][32] =
306{
307 "password",
308 "password",
309 "password",
310 "password",
311 "passwordPASSWORDpassword",
312 "pass\0word",
313};
314
315size_t slen[MAX_TESTS] =
316 { 4, 4, 4, 4, 36, 5 };
317
318unsigned char salt[MAX_TESTS][40] =
319{
320 "salt",
321 "salt",
322 "salt",
323 "salt",
324 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
325 "sa\0lt",
326};
327
328uint32_t it_cnt[MAX_TESTS] =
329 { 1, 2, 4096, 16777216, 4096, 4096 };
330
331uint32_t key_len[MAX_TESTS] =
332 { 20, 20, 20, 20, 25, 16 };
333
334
Paul Bakker9af723c2014-05-01 13:03:14 +0200335unsigned char result_key[MAX_TESTS][32] =
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200336{
337 { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
338 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
339 0x2f, 0xe0, 0x37, 0xa6 },
340 { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
341 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
342 0xd8, 0xde, 0x89, 0x57 },
343 { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
344 0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
345 0x65, 0xa4, 0x29, 0xc1 },
346 { 0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4,
347 0xe9, 0x94, 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c,
348 0x26, 0x34, 0xe9, 0x84 },
349 { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
350 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
351 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
352 0x38 },
353 { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
354 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
355};
356
357int pkcs5_self_test( int verbose )
358{
359 md_context_t sha1_ctx;
360 const md_info_t *info_sha1;
361 int ret, i;
362 unsigned char key[64];
363
Paul Bakker84bbeb52014-07-01 14:53:22 +0200364 md_init( &sha1_ctx );
365
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200366 info_sha1 = md_info_from_type( POLARSSL_MD_SHA1 );
367 if( info_sha1 == NULL )
Paul Bakker84bbeb52014-07-01 14:53:22 +0200368 {
369 ret = 1;
370 goto exit;
371 }
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200372
373 if( ( ret = md_init_ctx( &sha1_ctx, info_sha1 ) ) != 0 )
Paul Bakker84bbeb52014-07-01 14:53:22 +0200374 {
375 ret = 1;
376 goto exit;
377 }
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200378
Manuel Pégourié-Gonnard13a1ef82014-03-27 20:12:44 +0100379 if( verbose != 0 )
Paul Bakkerc3f89aa2014-05-01 10:56:03 +0200380 polarssl_printf( " PBKDF2 note: test #3 may be slow!\n" );
Manuel Pégourié-Gonnard13a1ef82014-03-27 20:12:44 +0100381
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200382 for( i = 0; i < MAX_TESTS; i++ )
383 {
Manuel Pégourié-Gonnard13a1ef82014-03-27 20:12:44 +0100384 if( verbose != 0 )
385 polarssl_printf( " PBKDF2 (SHA1) #%d: ", i );
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200386
387 ret = pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i],
388 slen[i], it_cnt[i], key_len[i], key );
389 if( ret != 0 ||
390 memcmp( result_key[i], key, key_len[i] ) != 0 )
391 {
392 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100393 polarssl_printf( "failed\n" );
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200394
Paul Bakker84bbeb52014-07-01 14:53:22 +0200395 ret = 1;
396 goto exit;
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200397 }
398
399 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100400 polarssl_printf( "passed\n" );
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200401 }
402
Paul Bakker7dc4c442014-02-01 22:50:26 +0100403 polarssl_printf( "\n" );
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200404
Paul Bakker84bbeb52014-07-01 14:53:22 +0200405exit:
406 md_free( &sha1_ctx );
Paul Bakkerf8634852013-07-03 13:31:52 +0200407
Alfred Klomp1b4eda32014-07-14 22:07:34 +0200408 return( ret );
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200409}
Manuel Pégourié-Gonnard2a8afa92014-06-12 12:00:44 +0200410#endif /* POLARSSL_SHA1_C */
Paul Bakkerb0c19a42013-06-24 19:26:38 +0200411
412#endif /* POLARSSL_SELF_TEST */
413
414#endif /* POLARSSL_PKCS5_C */