sync with OpenBSD -current

lib/libcrypto/evp/evp_pbe.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pbe.c,v 1.34 2023/12/18 13:12:43 tb Exp $ */
+/* $OpenBSD: evp_pbe.c,v 1.40 2024/01/27 17:20:20 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -59,14 +59,16 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/opensslconf.h>
-
+#include <openssl/asn1.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/objects.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
 
 #include "evp_local.h"
+#include "hmac_local.h"
 
 /* Password based encryption (PBE) functions */
 
@@ -96,14 +98,12 @@ static const struct pbe_config pbe_outer[] = {
 		.md_nid = NID_sha1,
 		.keygen = PKCS5_PBE_keyivgen,
 	},
-#ifndef OPENSSL_NO_HMAC
 	{
 		.pbe_nid = NID_id_pbkdf2,
 		.cipher_nid = -1,
 		.md_nid = -1,
 		.keygen = PKCS5_v2_PBKDF2_keyivgen,
 	},
-#endif
 	{
 		.pbe_nid = NID_pbe_WithSHA1And128BitRC4,
 		.cipher_nid = NID_rc4,
@@ -140,14 +140,12 @@ static const struct pbe_config pbe_outer[] = {
 		.md_nid = NID_sha1,
 		.keygen = PKCS12_PBE_keyivgen,
 	},
-#ifndef OPENSSL_NO_HMAC
 	{
 		.pbe_nid = NID_pbes2,
 		.cipher_nid = -1,
 		.md_nid = -1,
 		.keygen = PKCS5_v2_PBE_keyivgen,
 	},
-#endif
 	{
 		.pbe_nid = NID_pbeWithMD2AndRC2_CBC,
 		.cipher_nid = NID_rc2_64_cbc,
@@ -216,6 +214,36 @@ static const struct pbe_config pbe_prf[] = {
 		.cipher_nid = -1,
 		.md_nid = NID_id_tc26_gost3411_2012_512,
 	},
+	{
+		.pbe_nid = NID_hmacWithSHA512_224,
+		.cipher_nid = -1,
+		.md_nid = NID_sha512_224,
+	},
+	{
+		.pbe_nid = NID_hmacWithSHA512_256,
+		.cipher_nid = -1,
+		.md_nid = NID_sha512_256,
+	},
+	{
+		.pbe_nid = NID_hmac_sha3_224,
+		.cipher_nid = -1,
+		.md_nid = NID_sha3_224,
+	},
+	{
+		.pbe_nid = NID_hmac_sha3_256,
+		.cipher_nid = -1,
+		.md_nid = NID_sha3_256,
+	},
+	{
+		.pbe_nid = NID_hmac_sha3_384,
+		.cipher_nid = -1,
+		.md_nid = NID_sha3_384,
+	},
+	{
+		.pbe_nid = NID_hmac_sha3_512,
+		.cipher_nid = -1,
+		.md_nid = NID_sha3_512,
+	},
 };
 
 #define N_PBE_PRF (sizeof(pbe_prf) / sizeof(pbe_prf[0]))
@@ -311,6 +339,391 @@ EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
 	return 1;
 }
 
+int
+PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
+    ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
+{
+	EVP_MD_CTX ctx;
+	unsigned char md_tmp[EVP_MAX_MD_SIZE];
+	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+	int i;
+	PBEPARAM *pbe;
+	int saltlen, iter;
+	unsigned char *salt;
+	const unsigned char *pbuf;
+	int mdsize;
+	int ret = 0;
+
+	/* Extract useful info from parameter */
+	if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+	    param->value.sequence == NULL) {
+		EVPerror(EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
+	mdsize = EVP_MD_size(md);
+	if (mdsize < 0)
+		return 0;
+
+	pbuf = param->value.sequence->data;
+	if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
+		EVPerror(EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
+	if (!pbe->iter)
+		iter = 1;
+	else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
+		EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
+		PBEPARAM_free(pbe);
+		return 0;
+	}
+	salt = pbe->salt->data;
+	saltlen = pbe->salt->length;
+
+	if (!pass)
+		passlen = 0;
+	else if (passlen == -1)
+		passlen = strlen(pass);
+
+	EVP_MD_CTX_init(&ctx);
+
+	if (!EVP_DigestInit_ex(&ctx, md, NULL))
+		goto err;
+	if (!EVP_DigestUpdate(&ctx, pass, passlen))
+		goto err;
+	if (!EVP_DigestUpdate(&ctx, salt, saltlen))
+		goto err;
+	if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
+		goto err;
+	for (i = 1; i < iter; i++) {
+		if (!EVP_DigestInit_ex(&ctx, md, NULL))
+			goto err;
+		if (!EVP_DigestUpdate(&ctx, md_tmp, mdsize))
+			goto err;
+		if (!EVP_DigestFinal_ex (&ctx, md_tmp, NULL))
+			goto err;
+	}
+	if ((size_t)EVP_CIPHER_key_length(cipher) > sizeof(md_tmp)) {
+		EVPerror(EVP_R_BAD_KEY_LENGTH);
+		goto err;
+	}
+	memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
+	if ((size_t)EVP_CIPHER_iv_length(cipher) > 16) {
+		EVPerror(EVP_R_IV_TOO_LARGE);
+		goto err;
+	}
+	memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
+	    EVP_CIPHER_iv_length(cipher));
+	if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
+		goto err;
+	explicit_bzero(md_tmp, EVP_MAX_MD_SIZE);
+	explicit_bzero(key, EVP_MAX_KEY_LENGTH);
+	explicit_bzero(iv, EVP_MAX_IV_LENGTH);
+
+	ret = 1;
+
+ err:
+	EVP_MD_CTX_cleanup(&ctx);
+	PBEPARAM_free(pbe);
+
+	return ret;
+}
+
+/*
+ * PKCS#5 v2.0 password based encryption key derivation function PBKDF2.
+ */
+
+int
+PKCS5_PBKDF2_HMAC(const char *pass, int passlen, const unsigned char *salt,
+    int saltlen, int iter, const EVP_MD *digest, int keylen, unsigned char *out)
+{
+	unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
+	int cplen, j, k, tkeylen, mdlen;
+	unsigned long i = 1;
+	HMAC_CTX hctx_tpl, hctx;
+
+	mdlen = EVP_MD_size(digest);
+	if (mdlen < 0)
+		return 0;
+
+	HMAC_CTX_init(&hctx_tpl);
+	p = out;
+	tkeylen = keylen;
+	if (!pass)
+		passlen = 0;
+	else if (passlen == -1)
+		passlen = strlen(pass);
+	if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL)) {
+		HMAC_CTX_cleanup(&hctx_tpl);
+		return 0;
+	}
+	while (tkeylen) {
+		if (tkeylen > mdlen)
+			cplen = mdlen;
+		else
+			cplen = tkeylen;
+		/*
+		 * We are unlikely to ever use more than 256 blocks (5120 bits!)
+		 * but just in case...
+		 */
+		itmp[0] = (unsigned char)((i >> 24) & 0xff);
+		itmp[1] = (unsigned char)((i >> 16) & 0xff);
+		itmp[2] = (unsigned char)((i >> 8) & 0xff);
+		itmp[3] = (unsigned char)(i & 0xff);
+		if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
+			HMAC_CTX_cleanup(&hctx_tpl);
+			return 0;
+		}
+		if (!HMAC_Update(&hctx, salt, saltlen) ||
+		    !HMAC_Update(&hctx, itmp, 4) ||
+		    !HMAC_Final(&hctx, digtmp, NULL)) {
+			HMAC_CTX_cleanup(&hctx_tpl);
+			HMAC_CTX_cleanup(&hctx);
+			return 0;
+		}
+		HMAC_CTX_cleanup(&hctx);
+		memcpy(p, digtmp, cplen);
+		for (j = 1; j < iter; j++) {
+			if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
+				HMAC_CTX_cleanup(&hctx_tpl);
+				return 0;
+			}
+			if (!HMAC_Update(&hctx, digtmp, mdlen) ||
+			    !HMAC_Final(&hctx, digtmp, NULL)) {
+				HMAC_CTX_cleanup(&hctx_tpl);
+				HMAC_CTX_cleanup(&hctx);
+				return 0;
+			}
+			HMAC_CTX_cleanup(&hctx);
+			for (k = 0; k < cplen; k++)
+				p[k] ^= digtmp[k];
+		}
+		tkeylen -= cplen;
+		i++;
+		p += cplen;
+	}
+	HMAC_CTX_cleanup(&hctx_tpl);
+	return 1;
+}
+
+int
+PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, const unsigned char *salt,
+    int saltlen, int iter, int keylen, unsigned char *out)
+{
+	return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
+	    EVP_sha1(), keylen, out);
+}
+
+/*
+ * Now the key derivation function itself. This is a bit evil because
+ * it has to check the ASN1 parameters are valid: and there are quite a
+ * few of them...
+ */
+
+int
+PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+    ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
+{
+	const unsigned char *pbuf;
+	int plen;
+	PBE2PARAM *pbe2 = NULL;
+	const EVP_CIPHER *cipher;
+	int ret = 0;
+
+	if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+	    param->value.sequence == NULL) {
+		EVPerror(EVP_R_DECODE_ERROR);
+		goto err;
+	}
+
+	pbuf = param->value.sequence->data;
+	plen = param->value.sequence->length;
+	if (!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
+		EVPerror(EVP_R_DECODE_ERROR);
+		goto err;
+	}
+
+	/* See if we recognise the key derivation function */
+
+	if (OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
+		EVPerror(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
+		goto err;
+	}
+
+	/* Let's see if we recognise the encryption algorithm.  */
+	cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm);
+	if (!cipher) {
+		EVPerror(EVP_R_UNSUPPORTED_CIPHER);
+		goto err;
+	}
+
+	/* Fixup cipher based on AlgorithmIdentifier */
+	if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
+		goto err;
+	if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
+		EVPerror(EVP_R_CIPHER_PARAMETER_ERROR);
+		goto err;
+	}
+
+	ret = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
+	    pbe2->keyfunc->parameter, c, md, en_de);
+
+ err:
+	PBE2PARAM_free(pbe2);
+
+	return ret;
+}
+
+int
+PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+    ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
+{
+	unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
+	const unsigned char *pbuf;
+	int saltlen, iter, plen;
+	unsigned int keylen = 0;
+	int prf_nid, hmac_md_nid;
+	PBKDF2PARAM *kdf = NULL;
+	const EVP_MD *prfmd;
+	int ret = 0;
+
+	if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
+		EVPerror(EVP_R_NO_CIPHER_SET);
+		return 0;
+	}
+	keylen = EVP_CIPHER_CTX_key_length(ctx);
+	if (keylen > sizeof key) {
+		EVPerror(EVP_R_BAD_KEY_LENGTH);
+		return 0;
+	}
+
+	/* Decode parameter */
+
+	if (!param || (param->type != V_ASN1_SEQUENCE)) {
+		EVPerror(EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
+	pbuf = param->value.sequence->data;
+	plen = param->value.sequence->length;
+
+	if (!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
+		EVPerror(EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
+	/* Now check the parameters of the kdf */
+
+	if (kdf->keylength &&
+	    (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
+		EVPerror(EVP_R_UNSUPPORTED_KEYLENGTH);
+		goto err;
+	}
+
+	if (kdf->prf)
+		prf_nid = OBJ_obj2nid(kdf->prf->algorithm);
+	else
+		prf_nid = NID_hmacWithSHA1;
+
+	if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {
+		EVPerror(EVP_R_UNSUPPORTED_PRF);
+		goto err;
+	}
+
+	prfmd = EVP_get_digestbynid(hmac_md_nid);
+	if (prfmd == NULL) {
+		EVPerror(EVP_R_UNSUPPORTED_PRF);
+		goto err;
+	}
+
+	if (kdf->salt->type != V_ASN1_OCTET_STRING) {
+		EVPerror(EVP_R_UNSUPPORTED_SALT_TYPE);
+		goto err;
+	}
+
+	/* it seems that its all OK */
+	salt = kdf->salt->value.octet_string->data;
+	saltlen = kdf->salt->value.octet_string->length;
+	if ((iter = ASN1_INTEGER_get(kdf->iter)) <= 0) {
+		EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
+		goto err;
+	}
+	if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd,
+	    keylen, key))
+		goto err;
+
+	ret = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
+
+ err:
+	explicit_bzero(key, keylen);
+	PBKDF2PARAM_free(kdf);
+
+	return ret;
+}
+
+void
+PKCS12_PBE_add(void)
+{
+}
+LCRYPTO_ALIAS(PKCS12_PBE_add);
+
+int
+PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+    ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
+{
+	PBEPARAM *pbe;
+	int saltlen, iter, ret;
+	unsigned char *salt;
+	const unsigned char *pbuf;
+	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+
+	/* Extract useful info from parameter */
+	if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+	    param->value.sequence == NULL) {
+		PKCS12error(PKCS12_R_DECODE_ERROR);
+		return 0;
+	}
+
+	pbuf = param->value.sequence->data;
+	if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
+		PKCS12error(PKCS12_R_DECODE_ERROR);
+		return 0;
+	}
+
+	if (!pbe->iter)
+		iter = 1;
+	else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
+		PKCS12error(PKCS12_R_DECODE_ERROR);
+		PBEPARAM_free(pbe);
+		return 0;
+	}
+	salt = pbe->salt->data;
+	saltlen = pbe->salt->length;
+	if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
+	    iter, EVP_CIPHER_key_length(cipher), key, md)) {
+		PKCS12error(PKCS12_R_KEY_GEN_ERROR);
+		PBEPARAM_free(pbe);
+		return 0;
+	}
+	if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
+	    iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
+		PKCS12error(PKCS12_R_IV_GEN_ERROR);
+		PBEPARAM_free(pbe);
+		return 0;
+	}
+	PBEPARAM_free(pbe);
+	ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
+	explicit_bzero(key, EVP_MAX_KEY_LENGTH);
+	explicit_bzero(iv, EVP_MAX_IV_LENGTH);
+	return ret;
+}
+LCRYPTO_ALIAS(PKCS12_PBE_keyivgen);
+
+/*
+ * XXX - remove the functions below in the next major bump
+ */
+
 int
 EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,
     EVP_PBE_KEYGEN *keygen)
@@ -331,3 +744,8 @@ void
 EVP_PBE_cleanup(void)
 {
 }
+
+void
+PKCS5_PBE_add(void)
+{
+}