1 /**
2 * \file pkcs5.c
3 *
4 * \brief PKCS#5 functions
5 *
6 * \author Mathias Olsson <mathias@kompetensum.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 */
11 /*
12 * PKCS#5 includes PBKDF2 and more
13 *
14 * http://tools.ietf.org/html/rfc2898 (Specification)
15 * http://tools.ietf.org/html/rfc6070 (Test vectors)
16 */
17
18 #include "common.h"
19
20 #if defined(MBEDTLS_PKCS5_C)
21
22 #include "mbedtls/pkcs5.h"
23 #include "mbedtls/error.h"
24
25 #if defined(MBEDTLS_ASN1_PARSE_C)
26 #include "mbedtls/asn1.h"
27 #include "mbedtls/cipher.h"
28 #include "mbedtls/oid.h"
29 #endif /* MBEDTLS_ASN1_PARSE_C */
30
31 #include <string.h>
32
33 #include "mbedtls/platform.h"
34
35 #include "psa_util_internal.h"
36
37 #if defined(MBEDTLS_ASN1_PARSE_C)
pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf * params,mbedtls_asn1_buf * salt,int * iterations,int * keylen,mbedtls_md_type_t * md_type)38 static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
39 mbedtls_asn1_buf *salt, int *iterations,
40 int *keylen, mbedtls_md_type_t *md_type)
41 {
42 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
43 mbedtls_asn1_buf prf_alg_oid;
44 unsigned char *p = params->p;
45 const unsigned char *end = params->p + params->len;
46
47 if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
48 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
49 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
50 }
51 /*
52 * PBKDF2-params ::= SEQUENCE {
53 * salt OCTET STRING,
54 * iterationCount INTEGER,
55 * keyLength INTEGER OPTIONAL
56 * prf AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
57 * }
58 *
59 */
60 if ((ret = mbedtls_asn1_get_tag(&p, end, &salt->len,
61 MBEDTLS_ASN1_OCTET_STRING)) != 0) {
62 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
63 }
64
65 salt->p = p;
66 p += salt->len;
67
68 if ((ret = mbedtls_asn1_get_int(&p, end, iterations)) != 0) {
69 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
70 }
71
72 if (p == end) {
73 return 0;
74 }
75
76 if ((ret = mbedtls_asn1_get_int(&p, end, keylen)) != 0) {
77 if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
78 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
79 }
80 }
81
82 if (p == end) {
83 return 0;
84 }
85
86 if ((ret = mbedtls_asn1_get_alg_null(&p, end, &prf_alg_oid)) != 0) {
87 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
88 }
89
90 if (mbedtls_oid_get_md_hmac(&prf_alg_oid, md_type) != 0) {
91 return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
92 }
93
94 if (p != end) {
95 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
96 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
97 }
98
99 return 0;
100 }
101
102 #if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
103 int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
104 const unsigned char *pwd, size_t pwdlen,
105 const unsigned char *data, size_t datalen,
106 unsigned char *output, size_t output_size,
107 size_t *output_len);
108 #endif
109
110 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf * pbe_params,int mode,const unsigned char * pwd,size_t pwdlen,const unsigned char * data,size_t datalen,unsigned char * output)111 int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
112 const unsigned char *pwd, size_t pwdlen,
113 const unsigned char *data, size_t datalen,
114 unsigned char *output)
115 {
116 size_t output_len = 0;
117
118 /* We assume caller of the function is providing a big enough output buffer
119 * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
120 * for the output size actually being correct.
121 */
122 return mbedtls_pkcs5_pbes2_ext(pbe_params, mode, pwd, pwdlen, data,
123 datalen, output, SIZE_MAX, &output_len);
124 }
125 #endif
126
mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf * pbe_params,int mode,const unsigned char * pwd,size_t pwdlen,const unsigned char * data,size_t datalen,unsigned char * output,size_t output_size,size_t * output_len)127 int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
128 const unsigned char *pwd, size_t pwdlen,
129 const unsigned char *data, size_t datalen,
130 unsigned char *output, size_t output_size,
131 size_t *output_len)
132 {
133 int ret, iterations = 0, keylen = 0;
134 unsigned char *p, *end;
135 mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
136 mbedtls_asn1_buf salt;
137 mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
138 unsigned char key[32], iv[32];
139 const mbedtls_cipher_info_t *cipher_info;
140 mbedtls_cipher_type_t cipher_alg;
141 mbedtls_cipher_context_t cipher_ctx;
142 unsigned int padlen = 0;
143
144 p = pbe_params->p;
145 end = p + pbe_params->len;
146
147 /*
148 * PBES2-params ::= SEQUENCE {
149 * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
150 * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
151 * }
152 */
153 if (pbe_params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
154 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
155 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
156 }
157
158 if ((ret = mbedtls_asn1_get_alg(&p, end, &kdf_alg_oid,
159 &kdf_alg_params)) != 0) {
160 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
161 }
162
163 // Only PBKDF2 supported at the moment
164 //
165 if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid) != 0) {
166 return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
167 }
168
169 if ((ret = pkcs5_parse_pbkdf2_params(&kdf_alg_params,
170 &salt, &iterations, &keylen,
171 &md_type)) != 0) {
172 return ret;
173 }
174
175 if ((ret = mbedtls_asn1_get_alg(&p, end, &enc_scheme_oid,
176 &enc_scheme_params)) != 0) {
177 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
178 }
179
180 if (mbedtls_oid_get_cipher_alg(&enc_scheme_oid, &cipher_alg) != 0) {
181 return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
182 }
183
184 cipher_info = mbedtls_cipher_info_from_type(cipher_alg);
185 if (cipher_info == NULL) {
186 return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
187 }
188
189 /*
190 * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
191 * since it is optional and we don't know if it was set or not
192 */
193 keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
194
195 if (enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
196 enc_scheme_params.len != mbedtls_cipher_info_get_iv_size(cipher_info)) {
197 return MBEDTLS_ERR_PKCS5_INVALID_FORMAT;
198 }
199
200 if (mode == MBEDTLS_PKCS5_DECRYPT) {
201 if (output_size < datalen) {
202 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
203 }
204 }
205
206 if (mode == MBEDTLS_PKCS5_ENCRYPT) {
207 padlen = cipher_info->block_size - (datalen % cipher_info->block_size);
208 if (output_size < (datalen + padlen)) {
209 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
210 }
211 }
212
213 mbedtls_cipher_init(&cipher_ctx);
214
215 memcpy(iv, enc_scheme_params.p, enc_scheme_params.len);
216
217 if ((ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, pwd, pwdlen, salt.p,
218 salt.len, iterations, keylen,
219 key)) != 0) {
220 goto exit;
221 }
222
223 if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
224 goto exit;
225 }
226
227 if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
228 (mbedtls_operation_t) mode)) != 0) {
229 goto exit;
230 }
231
232 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
233 /* PKCS5 uses CBC with PKCS7 padding (which is the same as
234 * "PKCS5 padding" except that it's typically only called PKCS5
235 * with 64-bit-block ciphers).
236 */
237 mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
238 #if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
239 /* For historical reasons, when decrypting, this function works when
240 * decrypting even when support for PKCS7 padding is disabled. In this
241 * case, it ignores the padding, and so will never report a
242 * password mismatch.
243 */
244 if (mode == MBEDTLS_DECRYPT) {
245 padding = MBEDTLS_PADDING_NONE;
246 }
247 #endif
248 if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
249 goto exit;
250 }
251 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
252 if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
253 data, datalen, output, output_len)) != 0) {
254 ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
255 }
256
257 exit:
258 mbedtls_cipher_free(&cipher_ctx);
259
260 return ret;
261 }
262 #endif /* MBEDTLS_ASN1_PARSE_C */
263
pkcs5_pbkdf2_hmac(mbedtls_md_context_t * ctx,const unsigned char * password,size_t plen,const unsigned char * salt,size_t slen,unsigned int iteration_count,uint32_t key_length,unsigned char * output)264 static int pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
265 const unsigned char *password,
266 size_t plen, const unsigned char *salt, size_t slen,
267 unsigned int iteration_count,
268 uint32_t key_length, unsigned char *output)
269 {
270 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
271 unsigned int i;
272 unsigned char md1[MBEDTLS_MD_MAX_SIZE];
273 unsigned char work[MBEDTLS_MD_MAX_SIZE];
274 unsigned char md_size = mbedtls_md_get_size(ctx->md_info);
275 size_t use_len;
276 unsigned char *out_p = output;
277 unsigned char counter[4];
278
279 memset(counter, 0, 4);
280 counter[3] = 1;
281
282 #if UINT_MAX > 0xFFFFFFFF
283 if (iteration_count > 0xFFFFFFFF) {
284 return MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA;
285 }
286 #endif
287
288 if ((ret = mbedtls_md_hmac_starts(ctx, password, plen)) != 0) {
289 return ret;
290 }
291 while (key_length) {
292 // U1 ends up in work
293 //
294 if ((ret = mbedtls_md_hmac_update(ctx, salt, slen)) != 0) {
295 goto cleanup;
296 }
297
298 if ((ret = mbedtls_md_hmac_update(ctx, counter, 4)) != 0) {
299 goto cleanup;
300 }
301
302 if ((ret = mbedtls_md_hmac_finish(ctx, work)) != 0) {
303 goto cleanup;
304 }
305
306 if ((ret = mbedtls_md_hmac_reset(ctx)) != 0) {
307 goto cleanup;
308 }
309
310 memcpy(md1, work, md_size);
311
312 for (i = 1; i < iteration_count; i++) {
313 // U2 ends up in md1
314 //
315 if ((ret = mbedtls_md_hmac_update(ctx, md1, md_size)) != 0) {
316 goto cleanup;
317 }
318
319 if ((ret = mbedtls_md_hmac_finish(ctx, md1)) != 0) {
320 goto cleanup;
321 }
322
323 if ((ret = mbedtls_md_hmac_reset(ctx)) != 0) {
324 goto cleanup;
325 }
326
327 // U1 xor U2
328 //
329 mbedtls_xor(work, work, md1, md_size);
330 }
331
332 use_len = (key_length < md_size) ? key_length : md_size;
333 memcpy(out_p, work, use_len);
334
335 key_length -= (uint32_t) use_len;
336 out_p += use_len;
337
338 for (i = 4; i > 0; i--) {
339 if (++counter[i - 1] != 0) {
340 break;
341 }
342 }
343 }
344
345 cleanup:
346 /* Zeroise buffers to clear sensitive data from memory. */
347 mbedtls_platform_zeroize(work, MBEDTLS_MD_MAX_SIZE);
348 mbedtls_platform_zeroize(md1, MBEDTLS_MD_MAX_SIZE);
349
350 return ret;
351 }
352
353 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t * ctx,const unsigned char * password,size_t plen,const unsigned char * salt,size_t slen,unsigned int iteration_count,uint32_t key_length,unsigned char * output)354 int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
355 const unsigned char *password,
356 size_t plen, const unsigned char *salt, size_t slen,
357 unsigned int iteration_count,
358 uint32_t key_length, unsigned char *output)
359 {
360 return pkcs5_pbkdf2_hmac(ctx, password, plen, salt, slen, iteration_count,
361 key_length, output);
362 }
363 #endif
364
mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_type_t md_alg,const unsigned char * password,size_t plen,const unsigned char * salt,size_t slen,unsigned int iteration_count,uint32_t key_length,unsigned char * output)365 int mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_type_t md_alg,
366 const unsigned char *password,
367 size_t plen, const unsigned char *salt, size_t slen,
368 unsigned int iteration_count,
369 uint32_t key_length, unsigned char *output)
370 {
371 mbedtls_md_context_t md_ctx;
372 const mbedtls_md_info_t *md_info = NULL;
373 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
374
375 md_info = mbedtls_md_info_from_type(md_alg);
376 if (md_info == NULL) {
377 return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
378 }
379
380 mbedtls_md_init(&md_ctx);
381
382 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
383 goto exit;
384 }
385 ret = pkcs5_pbkdf2_hmac(&md_ctx, password, plen, salt, slen,
386 iteration_count, key_length, output);
387 exit:
388 mbedtls_md_free(&md_ctx);
389 return ret;
390 }
391
392 #if defined(MBEDTLS_SELF_TEST)
393
394 #if !defined(MBEDTLS_MD_CAN_SHA1)
mbedtls_pkcs5_self_test(int verbose)395 int mbedtls_pkcs5_self_test(int verbose)
396 {
397 if (verbose != 0) {
398 mbedtls_printf(" PBKDF2 (SHA1): skipped\n\n");
399 }
400
401 return 0;
402 }
403 #else
404
405 #define MAX_TESTS 6
406
407 static const size_t plen_test_data[MAX_TESTS] =
408 { 8, 8, 8, 24, 9 };
409
410 static const unsigned char password_test_data[MAX_TESTS][32] =
411 {
412 "password",
413 "password",
414 "password",
415 "passwordPASSWORDpassword",
416 "pass\0word",
417 };
418
419 static const size_t slen_test_data[MAX_TESTS] =
420 { 4, 4, 4, 36, 5 };
421
422 static const unsigned char salt_test_data[MAX_TESTS][40] =
423 {
424 "salt",
425 "salt",
426 "salt",
427 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
428 "sa\0lt",
429 };
430
431 static const uint32_t it_cnt_test_data[MAX_TESTS] =
432 { 1, 2, 4096, 4096, 4096 };
433
434 static const uint32_t key_len_test_data[MAX_TESTS] =
435 { 20, 20, 20, 25, 16 };
436
437 static const unsigned char result_key_test_data[MAX_TESTS][32] =
438 {
439 { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
440 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
441 0x2f, 0xe0, 0x37, 0xa6 },
442 { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
443 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
444 0xd8, 0xde, 0x89, 0x57 },
445 { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
446 0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
447 0x65, 0xa4, 0x29, 0xc1 },
448 { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
449 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
450 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
451 0x38 },
452 { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
453 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
454 };
455
mbedtls_pkcs5_self_test(int verbose)456 int mbedtls_pkcs5_self_test(int verbose)
457 {
458 int ret, i;
459 unsigned char key[64];
460
461 for (i = 0; i < MAX_TESTS; i++) {
462 if (verbose != 0) {
463 mbedtls_printf(" PBKDF2 (SHA1) #%d: ", i);
464 }
465
466 ret = mbedtls_pkcs5_pbkdf2_hmac_ext(MBEDTLS_MD_SHA1, password_test_data[i],
467 plen_test_data[i], salt_test_data[i],
468 slen_test_data[i], it_cnt_test_data[i],
469 key_len_test_data[i], key);
470 if (ret != 0 ||
471 memcmp(result_key_test_data[i], key, key_len_test_data[i]) != 0) {
472 if (verbose != 0) {
473 mbedtls_printf("failed\n");
474 }
475
476 ret = 1;
477 goto exit;
478 }
479
480 if (verbose != 0) {
481 mbedtls_printf("passed\n");
482 }
483 }
484
485 if (verbose != 0) {
486 mbedtls_printf("\n");
487 }
488
489 exit:
490 return ret;
491 }
492 #endif /* MBEDTLS_MD_CAN_SHA1 */
493
494 #endif /* MBEDTLS_SELF_TEST */
495
496 #endif /* MBEDTLS_PKCS5_C */
497
