/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "plarena.h" #include "seccomon.h" #include "secitem.h" #include "secport.h" #include "hasht.h" #include "pkcs11t.h" #include "blapi.h" #include "hasht.h" #include "secasn1.h" #include "secder.h" #include "lowpbe.h" #include "secoid.h" #include "alghmac.h" #include "softoken.h" #include "secerr.h" #include "pkcs11i.h" SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) /* how much a crypto encrypt/decryption may expand a buffer */ #define MAX_CRYPTO_EXPANSION 64 /* template for PKCS 5 PBE Parameter. This template has been expanded * based upon the additions in PKCS 12. This should eventually be moved * if RSA updates PKCS 5. */ static const SEC_ASN1Template NSSPKCS5PBEParameterTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) }, { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) }, { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) }, { 0 } }; static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) }, { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) }, { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) }, { 0 } }; /* PKCS5 v2 */ struct nsspkcs5V2PBEParameterStr { SECAlgorithmID keyParams; /* parameters of the key generation */ SECAlgorithmID algParams; /* parameters for the encryption or mac op */ }; typedef struct nsspkcs5V2PBEParameterStr nsspkcs5V2PBEParameter; static const SEC_ASN1Template NSSPKCS5V2PBES2ParameterTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(nsspkcs5V2PBEParameter) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(nsspkcs5V2PBEParameter, keyParams), SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(nsspkcs5V2PBEParameter, algParams), SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { 0 } }; static const SEC_ASN1Template NSSPKCS5V2PBEParameterTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) }, /* this is really a choice, but since we don't understand any other * choice, just inline it. */ { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) }, { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) }, { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, keyLength) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(NSSPKCS5PBEParameter, prfAlg), SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { 0 } }; SECStatus nsspkcs5_HashBuf(const SECHashObject *hashObj, unsigned char *dest, unsigned char *src, int len) { void *ctx; unsigned int retLen; ctx = hashObj->create(); if (ctx == NULL) { return SECFailure; } hashObj->begin(ctx); hashObj->update(ctx, src, len); hashObj->end(ctx, dest, &retLen, hashObj->length); hashObj->destroy(ctx, PR_TRUE); return SECSuccess; } /* generate bits using any hash */ static SECItem * nsspkcs5_PBKDF1(const SECHashObject *hashObj, SECItem *salt, SECItem *pwd, int iter, PRBool faulty3DES) { SECItem *hash = NULL, *pre_hash = NULL; SECStatus rv = SECFailure; if ((salt == NULL) || (pwd == NULL) || (iter < 0)) { return NULL; } hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); if ((hash != NULL) && (pre_hash != NULL)) { int i, ph_len; ph_len = hashObj->length; if ((salt->len + pwd->len) > hashObj->length) { ph_len = salt->len + pwd->len; } rv = SECFailure; /* allocate buffers */ hash->len = hashObj->length; hash->data = (unsigned char *)PORT_ZAlloc(hash->len); pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len); /* in pbeSHA1TripleDESCBC there was an allocation error that made * it into the caller. We do not want to propagate those errors * further, so we are doing it correctly, but reading the old method. */ if (faulty3DES) { pre_hash->len = ph_len; } else { pre_hash->len = salt->len + pwd->len; } /* preform hash */ if ((hash->data != NULL) && (pre_hash->data != NULL)) { rv = SECSuccess; /* check for 0 length password */ if (pwd->len > 0) { PORT_Memcpy(pre_hash->data, pwd->data, pwd->len); } if (salt->len > 0) { PORT_Memcpy((pre_hash->data + pwd->len), salt->data, salt->len); } for (i = 0; ((i < iter) && (rv == SECSuccess)); i++) { rv = nsspkcs5_HashBuf(hashObj, hash->data, pre_hash->data, pre_hash->len); if (rv != SECFailure) { pre_hash->len = hashObj->length; PORT_Memcpy(pre_hash->data, hash->data, hashObj->length); } } } } if (pre_hash != NULL) { SECITEM_ZfreeItem(pre_hash, PR_TRUE); } if ((rv != SECSuccess) && (hash != NULL)) { SECITEM_ZfreeItem(hash, PR_TRUE); hash = NULL; } return hash; } /* this bit generation routine is described in PKCS 12 and the proposed * extensions to PKCS 5. an initial hash is generated following the * instructions laid out in PKCS 5. If the number of bits generated is * insufficient, then the method discussed in the proposed extensions to * PKCS 5 in PKCS 12 are used. This extension makes use of the HMAC * function. And the P_Hash function from the TLS standard. */ static SECItem * nsspkcs5_PFXPBE(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param, SECItem *init_hash, unsigned int bytes_needed) { SECItem *ret_bits = NULL; int hash_size = 0; unsigned int i; unsigned int hash_iter; unsigned int dig_len; SECStatus rv = SECFailure; unsigned char *state = NULL; unsigned int state_len; HMACContext *cx = NULL; hash_size = hashObj->length; hash_iter = (bytes_needed + (unsigned int)hash_size - 1) / hash_size; /* allocate return buffer */ ret_bits = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); if (ret_bits == NULL) return NULL; ret_bits->data = (unsigned char *)PORT_ZAlloc((hash_iter * hash_size) + 1); ret_bits->len = (hash_iter * hash_size); if (ret_bits->data == NULL) { PORT_Free(ret_bits); return NULL; } /* allocate intermediate hash buffer. 8 is for the 8 bytes of * data which are added based on iteration number */ if ((unsigned int)hash_size > pbe_param->salt.len) { state_len = hash_size; } else { state_len = pbe_param->salt.len; } state = (unsigned char *)PORT_ZAlloc(state_len); if (state == NULL) { rv = SECFailure; goto loser; } if (pbe_param->salt.len > 0) { PORT_Memcpy(state, pbe_param->salt.data, pbe_param->salt.len); } cx = HMAC_Create(hashObj, init_hash->data, init_hash->len, PR_TRUE); if (cx == NULL) { rv = SECFailure; goto loser; } for (i = 0; i < hash_iter; i++) { /* generate output bits */ HMAC_Begin(cx); HMAC_Update(cx, state, state_len); HMAC_Update(cx, pbe_param->salt.data, pbe_param->salt.len); rv = HMAC_Finish(cx, ret_bits->data + (i * hash_size), &dig_len, hash_size); if (rv != SECSuccess) goto loser; PORT_Assert((unsigned int)hash_size == dig_len); /* generate new state */ HMAC_Begin(cx); HMAC_Update(cx, state, state_len); rv = HMAC_Finish(cx, state, &state_len, state_len); if (rv != SECSuccess) goto loser; PORT_Assert(state_len == dig_len); } loser: if (state != NULL) PORT_ZFree(state, state_len); HMAC_Destroy(cx, PR_TRUE); if (rv != SECSuccess) { SECITEM_ZfreeItem(ret_bits, PR_TRUE); ret_bits = NULL; } return ret_bits; } /* generate bits for the key and iv determination. if enough bits * are not generated using PKCS 5, then we need to generate more bits * based on the extension proposed in PKCS 12 */ static SECItem * nsspkcs5_PBKDF1Extended(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, PRBool faulty3DES) { SECItem *hash = NULL; SECItem *newHash = NULL; int bytes_needed; int bytes_available; bytes_needed = pbe_param->ivLen + pbe_param->keyLen; bytes_available = hashObj->length; hash = nsspkcs5_PBKDF1(hashObj, &pbe_param->salt, pwitem, pbe_param->iter, faulty3DES); if (hash == NULL) { return NULL; } if (bytes_needed <= bytes_available) { return hash; } newHash = nsspkcs5_PFXPBE(hashObj, pbe_param, hash, bytes_needed); if (hash != newHash) SECITEM_ZfreeItem(hash, PR_TRUE); return newHash; } /* * PBDKDF2 is PKCS #5 v2.0 it's currently not used by NSS */ static void do_xor(unsigned char *dest, unsigned char *src, int len) { /* use byt xor, not all platforms are happy about inaligned * integer fetches */ while (len--) { *dest = *dest ^ *src; dest++; src++; } } static SECStatus nsspkcs5_PBKDF2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt, int iterations, unsigned int i, unsigned char *T) { int j; HMACContext *cx = NULL; unsigned int hLen = hashobj->length; SECStatus rv = SECFailure; unsigned char *last = NULL; unsigned int lastLength = salt->len + 4; unsigned int lastBufLength; cx = HMAC_Create(hashobj, pwitem->data, pwitem->len, PR_FALSE); if (cx == NULL) { goto loser; } PORT_Memset(T, 0, hLen); lastBufLength = PR_MAX(lastLength, hLen); last = PORT_Alloc(lastBufLength); if (last == NULL) { goto loser; } PORT_Memcpy(last, salt->data, salt->len); last[salt->len] = (i >> 24) & 0xff; last[salt->len + 1] = (i >> 16) & 0xff; last[salt->len + 2] = (i >> 8) & 0xff; last[salt->len + 3] = i & 0xff; /* NOTE: we need at least one iteration to return success! */ for (j = 0; j < iterations; j++) { HMAC_Begin(cx); HMAC_Update(cx, last, lastLength); rv = HMAC_Finish(cx, last, &lastLength, hLen); if (rv != SECSuccess) { break; } do_xor(T, last, hLen); } loser: if (cx) { HMAC_Destroy(cx, PR_TRUE); } if (last) { PORT_ZFree(last, lastBufLength); } return rv; } static SECItem * nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem) { int iterations = pbe_param->iter; int bytesNeeded = pbe_param->keyLen; unsigned int dkLen = bytesNeeded; unsigned int hLen = hashobj->length; unsigned int nblocks = (dkLen + hLen - 1) / hLen; unsigned int i; unsigned char *rp; unsigned char *T = NULL; SECItem *result = NULL; SECItem *salt = &pbe_param->salt; SECStatus rv = SECFailure; result = SECITEM_AllocItem(NULL, NULL, nblocks * hLen); if (result == NULL) { return NULL; } T = PORT_Alloc(hLen); if (T == NULL) { goto loser; } for (i = 1, rp = result->data; i <= nblocks; i++, rp += hLen) { rv = nsspkcs5_PBKDF2_F(hashobj, pwitem, salt, iterations, i, T); if (rv != SECSuccess) { break; } PORT_Memcpy(rp, T, hLen); } loser: if (T) { PORT_ZFree(T, hLen); } if (rv != SECSuccess) { SECITEM_ZfreeItem(result, PR_TRUE); result = NULL; } else { result->len = dkLen; } return result; } #define NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y)) #define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y)) /* * This is the extended PBE function defined by the final PKCS #12 spec. */ static SECItem * nsspkcs5_PKCS12PBE(const SECHashObject *hashObject, NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, PBEBitGenID bitGenPurpose, unsigned int bytesNeeded) { PLArenaPool *arena = NULL; unsigned int SLen, PLen; unsigned int hashLength = hashObject->length; unsigned char *S, *P; SECItem *A = NULL, B, D, I; SECItem *salt = &pbe_param->salt; unsigned int c, i = 0; unsigned int hashLen; int iter; unsigned char *iterBuf; void *hash = NULL; unsigned int bufferLength; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { return NULL; } /* how many hash object lengths are needed */ c = (bytesNeeded + (hashLength - 1)) / hashLength; /* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */ bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64); /* initialize our buffers */ D.len = bufferLength; /* B and D are the same length, use one alloc go get both */ D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2); B.len = D.len; B.data = D.data + D.len; /* if all goes well, A will be returned, so don't use our temp arena */ A = SECITEM_AllocItem(NULL, NULL, c * hashLength); if (A == NULL) { goto loser; } SLen = NSSPBE_ROUNDUP(salt->len, bufferLength); PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength); I.len = SLen + PLen; I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len); if (I.data == NULL) { goto loser; } /* S & P are only used to initialize I */ S = I.data; P = S + SLen; PORT_Memset(D.data, (char)bitGenPurpose, D.len); if (SLen) { for (i = 0; i < SLen; i += salt->len) { PORT_Memcpy(S + i, salt->data, NSSPBE_MIN(SLen - i, salt->len)); } } if (PLen) { for (i = 0; i < PLen; i += pwitem->len) { PORT_Memcpy(P + i, pwitem->data, NSSPBE_MIN(PLen - i, pwitem->len)); } } iterBuf = (unsigned char *)PORT_ArenaZAlloc(arena, hashLength); if (iterBuf == NULL) { goto loser; } hash = hashObject->create(); if (!hash) { goto loser; } /* calculate the PBE now */ for (i = 0; i < c; i++) { int Bidx; /* must be signed or the for loop won't terminate */ unsigned int k, j; unsigned char *Ai = A->data + i * hashLength; for (iter = 0; iter < pbe_param->iter; iter++) { hashObject->begin(hash); if (iter) { hashObject->update(hash, iterBuf, hashLen); } else { hashObject->update(hash, D.data, D.len); hashObject->update(hash, I.data, I.len); } hashObject->end(hash, iterBuf, &hashLen, hashObject->length); if (hashLen != hashObject->length) { break; } } PORT_Memcpy(Ai, iterBuf, hashLength); for (Bidx = 0; Bidx < (int)B.len; Bidx += hashLength) { PORT_Memcpy(B.data + Bidx, iterBuf, NSSPBE_MIN(B.len - Bidx, hashLength)); } k = I.len / B.len; for (j = 0; j < k; j++) { unsigned int q, carryBit; unsigned char *Ij = I.data + j * B.len; /* (Ij = Ij+B+1) */ for (Bidx = (B.len - 1), q = 1, carryBit = 0; Bidx >= 0; Bidx--, q = 0) { q += (unsigned int)Ij[Bidx]; q += (unsigned int)B.data[Bidx]; q += carryBit; carryBit = (q > 0xff); Ij[Bidx] = (unsigned char)(q & 0xff); } } } loser: if (hash) { hashObject->destroy(hash, PR_TRUE); } if (arena) { PORT_FreeArena(arena, PR_TRUE); } if (A) { /* if i != c, then we didn't complete the loop above and must of failed * somwhere along the way */ if (i != c) { SECITEM_ZfreeItem(A, PR_TRUE); A = NULL; } else { A->len = bytesNeeded; } } return A; } struct KDFCacheItemStr { SECItem *hash; SECItem *salt; SECItem *pwItem; HASH_HashType hashType; int iterations; int keyLen; }; typedef struct KDFCacheItemStr KDFCacheItem; /* Bug 1606992 - Cache the hash result for the common case that we're * asked to repeatedly compute the key for the same password item, * hash, iterations and salt. */ #define KDF2_CACHE_COUNT 150 static struct { PZLock *lock; struct { KDFCacheItem common; int ivLen; PRBool faulty3DES; } cacheKDF1; struct { KDFCacheItem common[KDF2_CACHE_COUNT]; int next; } cacheKDF2; } PBECache; void sftk_PBELockInit(void) { if (!PBECache.lock) { PBECache.lock = PZ_NewLock(nssIPBECacheLock); } } static void sftk_clearPBECommonCacheItemsLocked(KDFCacheItem *item) { if (item->hash) { SECITEM_ZfreeItem(item->hash, PR_TRUE); item->hash = NULL; } if (item->salt) { SECITEM_ZfreeItem(item->salt, PR_TRUE); item->salt = NULL; } if (item->pwItem) { SECITEM_ZfreeItem(item->pwItem, PR_TRUE); item->pwItem = NULL; } } static void sftk_setPBECommonCacheItemsKDFLocked(KDFCacheItem *cacheItem, const SECItem *hash, const NSSPKCS5PBEParameter *pbe_param, const SECItem *pwItem) { cacheItem->hash = SECITEM_DupItem(hash); cacheItem->hashType = pbe_param->hashType; cacheItem->iterations = pbe_param->iter; cacheItem->keyLen = pbe_param->keyLen; cacheItem->salt = SECITEM_DupItem(&pbe_param->salt); cacheItem->pwItem = SECITEM_DupItem(pwItem); } static void sftk_setPBECacheKDF2(const SECItem *hash, const NSSPKCS5PBEParameter *pbe_param, const SECItem *pwItem) { PZ_Lock(PBECache.lock); KDFCacheItem *next = &PBECache.cacheKDF2.common[PBECache.cacheKDF2.next]; sftk_clearPBECommonCacheItemsLocked(next); sftk_setPBECommonCacheItemsKDFLocked(next, hash, pbe_param, pwItem); PBECache.cacheKDF2.next++; if (PBECache.cacheKDF2.next >= KDF2_CACHE_COUNT) { PBECache.cacheKDF2.next = 0; } PZ_Unlock(PBECache.lock); } static void sftk_setPBECacheKDF1(const SECItem *hash, const NSSPKCS5PBEParameter *pbe_param, const SECItem *pwItem, PRBool faulty3DES) { PZ_Lock(PBECache.lock); sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF1.common); sftk_setPBECommonCacheItemsKDFLocked(&PBECache.cacheKDF1.common, hash, pbe_param, pwItem); PBECache.cacheKDF1.faulty3DES = faulty3DES; PBECache.cacheKDF1.ivLen = pbe_param->ivLen; PZ_Unlock(PBECache.lock); } static PRBool sftk_comparePBECommonCacheItemLocked(const KDFCacheItem *cacheItem, const NSSPKCS5PBEParameter *pbe_param, const SECItem *pwItem) { return (cacheItem->hash && cacheItem->salt && cacheItem->pwItem && pbe_param->hashType == cacheItem->hashType && pbe_param->iter == cacheItem->iterations && pbe_param->keyLen == cacheItem->keyLen && SECITEM_ItemsAreEqual(&pbe_param->salt, cacheItem->salt) && SECITEM_ItemsAreEqual(pwItem, cacheItem->pwItem)); } static SECItem * sftk_getPBECacheKDF2(const NSSPKCS5PBEParameter *pbe_param, const SECItem *pwItem) { SECItem *result = NULL; int i; PZ_Lock(PBECache.lock); for (i = 0; i < KDF2_CACHE_COUNT; i++) { const KDFCacheItem *cacheItem = &PBECache.cacheKDF2.common[i]; if (sftk_comparePBECommonCacheItemLocked(cacheItem, pbe_param, pwItem)) { result = SECITEM_DupItem(cacheItem->hash); break; } } PZ_Unlock(PBECache.lock); return result; } static SECItem * sftk_getPBECacheKDF1(const NSSPKCS5PBEParameter *pbe_param, const SECItem *pwItem, PRBool faulty3DES) { SECItem *result = NULL; const KDFCacheItem *cacheItem = &PBECache.cacheKDF1.common; PZ_Lock(PBECache.lock); if (sftk_comparePBECommonCacheItemLocked(cacheItem, pbe_param, pwItem) && PBECache.cacheKDF1.faulty3DES == faulty3DES && PBECache.cacheKDF1.ivLen == pbe_param->ivLen) { result = SECITEM_DupItem(cacheItem->hash); } PZ_Unlock(PBECache.lock); return result; } void sftk_PBELockShutdown(void) { int i; if (PBECache.lock) { PZ_DestroyLock(PBECache.lock); PBECache.lock = 0; } sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF1.common); for (i = 0; i < KDF2_CACHE_COUNT; i++) { sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF2.common[i]); } PBECache.cacheKDF2.next = 0; } /* * generate key as per PKCS 5 */ SECItem * nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, SECItem *iv, PRBool faulty3DES) { SECItem *hash = NULL, *key = NULL; const SECHashObject *hashObj; PRBool getIV = PR_FALSE; if ((pbe_param == NULL) || (pwitem == NULL)) { return NULL; } key = SECITEM_AllocItem(NULL, NULL, pbe_param->keyLen); if (key == NULL) { return NULL; } if (iv && (pbe_param->ivLen) && (iv->data == NULL)) { getIV = PR_TRUE; iv->data = (unsigned char *)PORT_Alloc(pbe_param->ivLen); if (iv->data == NULL) { goto loser; } iv->len = pbe_param->ivLen; } hashObj = HASH_GetRawHashObject(pbe_param->hashType); switch (pbe_param->pbeType) { case NSSPKCS5_PBKDF1: hash = sftk_getPBECacheKDF1(pbe_param, pwitem, faulty3DES); if (!hash) { hash = nsspkcs5_PBKDF1Extended(hashObj, pbe_param, pwitem, faulty3DES); sftk_setPBECacheKDF1(hash, pbe_param, pwitem, faulty3DES); } if (hash == NULL) { goto loser; } PORT_Assert(hash->len >= key->len + (getIV ? iv->len : 0)); if (getIV) { PORT_Memcpy(iv->data, hash->data + (hash->len - iv->len), iv->len); } break; case NSSPKCS5_PBKDF2: hash = sftk_getPBECacheKDF2(pbe_param, pwitem); if (!hash) { hash = nsspkcs5_PBKDF2(hashObj, pbe_param, pwitem); sftk_setPBECacheKDF2(hash, pbe_param, pwitem); } if (getIV) { PORT_Memcpy(iv->data, pbe_param->ivData, iv->len); } break; case NSSPKCS5_PKCS12_V2: if (getIV) { hash = nsspkcs5_PKCS12PBE(hashObj, pbe_param, pwitem, pbeBitGenCipherIV, iv->len); if (hash == NULL) { goto loser; } PORT_Memcpy(iv->data, hash->data, iv->len); SECITEM_ZfreeItem(hash, PR_TRUE); hash = NULL; } hash = nsspkcs5_PKCS12PBE(hashObj, pbe_param, pwitem, pbe_param->keyID, key->len); default: break; } if (hash == NULL) { goto loser; } PORT_Memcpy(key->data, hash->data, key->len); SECITEM_ZfreeItem(hash, PR_TRUE); return key; loser: if (getIV && iv->data) { PORT_ZFree(iv->data, iv->len); iv->data = NULL; } SECITEM_ZfreeItem(key, PR_TRUE); return NULL; } #define MAX_IV_LENGTH 64 /* get a random IV into the parameters */ static SECStatus nsspkcs5_SetIVParam(NSSPKCS5PBEParameter *pbe_param, int ivLen) { SECStatus rv; SECItem derIV; SECItem iv; SECItem *dummy = NULL; unsigned char ivData[MAX_IV_LENGTH]; PORT_Assert(ivLen <= MAX_IV_LENGTH); /* Because of a bug in the decode section, the IV's not are expected * to be der encoded, but still need to parse as if they were der data. * because we want to be compatible with existing versions of nss that * have that bug, create an IV that looks like der data. That still * leaves 14 bytes of entropy in the IV */ rv = RNG_GenerateGlobalRandomBytes(ivData, ivLen - 2); if (rv != SECSuccess) { return SECFailure; } derIV.data = NULL; derIV.len = 0; iv.data = ivData; iv.len = ivLen - 2; dummy = SEC_ASN1EncodeItem(pbe_param->poolp, &derIV, &iv, SEC_ASN1_GET(SEC_OctetStringTemplate)); if (dummy == NULL) { return SECFailure; } pbe_param->ivData = derIV.data; pbe_param->ivLen = derIV.len; PORT_Assert(pbe_param->ivLen == ivLen); return SECSuccess; } static SECStatus nsspkcs5_FillInParam(SECOidTag algorithm, HASH_HashType hashType, NSSPKCS5PBEParameter *pbe_param) { PRBool skipType = PR_FALSE; SECStatus rv; pbe_param->keyLen = 5; pbe_param->ivLen = 8; pbe_param->hashType = hashType; pbe_param->pbeType = NSSPKCS5_PBKDF1; pbe_param->encAlg = SEC_OID_RC2_CBC; pbe_param->is2KeyDES = PR_FALSE; switch (algorithm) { /* DES3 Algorithms */ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: pbe_param->is2KeyDES = PR_TRUE; pbe_param->pbeType = NSSPKCS5_PKCS12_V2; pbe_param->keyLen = 16; pbe_param->encAlg = SEC_OID_DES_EDE3_CBC; break; case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: pbe_param->pbeType = NSSPKCS5_PKCS12_V2; pbe_param->keyLen = 24; pbe_param->encAlg = SEC_OID_DES_EDE3_CBC; break; case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: pbe_param->keyLen = 24; pbe_param->encAlg = SEC_OID_DES_EDE3_CBC; break; /* DES Algorithms */ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: pbe_param->hashType = HASH_AlgMD2; goto finish_des; case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: pbe_param->hashType = HASH_AlgMD5; /* fall through */ case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: finish_des: pbe_param->keyLen = 8; pbe_param->encAlg = SEC_OID_DES_CBC; break; #ifndef NSS_DISABLE_DEPRECATED_RC2 /* RC2 Algorithms */ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: pbe_param->keyLen = 16; /* fall through */ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: pbe_param->pbeType = NSSPKCS5_PKCS12_V2; break; case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: pbe_param->keyLen = 16; /* fall through */ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: break; #endif /* RC4 algorithms */ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: skipType = PR_TRUE; /* fall through */ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: pbe_param->keyLen = 16; /* fall through */ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: if (!skipType) { pbe_param->pbeType = NSSPKCS5_PKCS12_V2; } /* fall through */ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: pbe_param->ivLen = 0; pbe_param->encAlg = SEC_OID_RC4; break; case SEC_OID_PKCS5_PBKDF2: case SEC_OID_PKCS5_PBES2: case SEC_OID_PKCS5_PBMAC1: /* everything else will be filled in by the template */ pbe_param->ivLen = 0; pbe_param->pbeType = NSSPKCS5_PBKDF2; pbe_param->encAlg = SEC_OID_PKCS5_PBKDF2; pbe_param->keyLen = 0; /* needs to be set by caller after return */ break; /* AES uses PBKDF2 */ case SEC_OID_AES_128_CBC: rv = nsspkcs5_SetIVParam(pbe_param, 16); if (rv != SECSuccess) { return rv; } pbe_param->ivLen = 16; pbe_param->pbeType = NSSPKCS5_PBKDF2; pbe_param->encAlg = algorithm; pbe_param->keyLen = 128 / 8; break; case SEC_OID_AES_192_CBC: rv = nsspkcs5_SetIVParam(pbe_param, 16); if (rv != SECSuccess) { return rv; } pbe_param->pbeType = NSSPKCS5_PBKDF2; pbe_param->encAlg = algorithm; pbe_param->keyLen = 192 / 8; break; case SEC_OID_AES_256_CBC: rv = nsspkcs5_SetIVParam(pbe_param, 16); if (rv != SECSuccess) { return rv; } pbe_param->pbeType = NSSPKCS5_PBKDF2; pbe_param->encAlg = algorithm; pbe_param->keyLen = 256 / 8; break; case SEC_OID_AES_128_KEY_WRAP: pbe_param->ivLen = 0; pbe_param->pbeType = NSSPKCS5_PBKDF2; pbe_param->encAlg = algorithm; pbe_param->keyLen = 128 / 8; break; case SEC_OID_AES_192_KEY_WRAP: pbe_param->ivLen = 0; pbe_param->pbeType = NSSPKCS5_PBKDF2; pbe_param->encAlg = algorithm; pbe_param->keyLen = 192 / 8; break; case SEC_OID_AES_256_KEY_WRAP: pbe_param->ivLen = 0; pbe_param->pbeType = NSSPKCS5_PBKDF2; pbe_param->encAlg = algorithm; pbe_param->keyLen = 256 / 8; break; default: return SECFailure; } if (pbe_param->pbeType == NSSPKCS5_PBKDF2) { SECOidTag prfAlg = HASH_HMACOidFromHash(pbe_param->hashType); if (prfAlg == SEC_OID_UNKNOWN) { return SECFailure; } rv = SECOID_SetAlgorithmID(pbe_param->poolp, &pbe_param->prfAlg, prfAlg, NULL); if (rv != SECSuccess) { return rv; } } return SECSuccess; } /* decode the algid and generate a PKCS 5 parameter from it */ NSSPKCS5PBEParameter * nsspkcs5_NewParam(SECOidTag alg, HASH_HashType hashType, SECItem *salt, int iterationCount) { PLArenaPool *arena = NULL; NSSPKCS5PBEParameter *pbe_param = NULL; SECStatus rv = SECFailure; arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); if (arena == NULL) return NULL; /* allocate memory for the parameter */ pbe_param = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena, sizeof(NSSPKCS5PBEParameter)); if (pbe_param == NULL) { goto loser; } pbe_param->poolp = arena; rv = nsspkcs5_FillInParam(alg, hashType, pbe_param); if (rv != SECSuccess) { goto loser; } pbe_param->iter = iterationCount; if (salt) { rv = SECITEM_CopyItem(arena, &pbe_param->salt, salt); } /* default key gen */ pbe_param->keyID = pbeBitGenCipherKey; loser: if (rv != SECSuccess) { PORT_FreeArena(arena, PR_TRUE); pbe_param = NULL; } return pbe_param; } /* * find the hash type needed to implement a specific HMAC. * OID definitions are from pkcs 5 v2.0 and 2.1 */ HASH_HashType HASH_FromHMACOid(SECOidTag hmac) { switch (hmac) { case SEC_OID_HMAC_SHA1: return HASH_AlgSHA1; case SEC_OID_HMAC_SHA256: return HASH_AlgSHA256; case SEC_OID_HMAC_SHA384: return HASH_AlgSHA384; case SEC_OID_HMAC_SHA512: return HASH_AlgSHA512; case SEC_OID_HMAC_SHA224: default: break; } return HASH_AlgNULL; } SECOidTag HASH_HMACOidFromHash(HASH_HashType hashType) { switch (hashType) { case HASH_AlgSHA1: return SEC_OID_HMAC_SHA1; case HASH_AlgSHA256: return SEC_OID_HMAC_SHA256; case HASH_AlgSHA384: return SEC_OID_HMAC_SHA384; case HASH_AlgSHA512: return SEC_OID_HMAC_SHA512; case HASH_AlgSHA224: return SEC_OID_HMAC_SHA224; case HASH_AlgMD2: case HASH_AlgMD5: case HASH_AlgTOTAL: default: break; } return SEC_OID_UNKNOWN; } /* decode the algid and generate a PKCS 5 parameter from it */ NSSPKCS5PBEParameter * nsspkcs5_AlgidToParam(SECAlgorithmID *algid) { NSSPKCS5PBEParameter *pbe_param = NULL; nsspkcs5V2PBEParameter pbev2_param; SECOidTag algorithm; SECStatus rv = SECFailure; if (algid == NULL) { return NULL; } algorithm = SECOID_GetAlgorithmTag(algid); if (algorithm == SEC_OID_UNKNOWN) { goto loser; } pbe_param = nsspkcs5_NewParam(algorithm, HASH_AlgSHA1, NULL, 1); if (pbe_param == NULL) { goto loser; } /* decode parameter */ rv = SECFailure; switch (pbe_param->pbeType) { case NSSPKCS5_PBKDF1: rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, NSSPKCS5PBEParameterTemplate, &algid->parameters); break; case NSSPKCS5_PKCS12_V2: rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, NSSPKCS5PKCS12V2PBEParameterTemplate, &algid->parameters); break; case NSSPKCS5_PBKDF2: PORT_Memset(&pbev2_param, 0, sizeof(pbev2_param)); /* just the PBE */ if (algorithm == SEC_OID_PKCS5_PBKDF2) { rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, NSSPKCS5V2PBEParameterTemplate, &algid->parameters); } else { /* PBE data an others */ rv = SEC_ASN1DecodeItem(pbe_param->poolp, &pbev2_param, NSSPKCS5V2PBES2ParameterTemplate, &algid->parameters); if (rv != SECSuccess) { break; } pbe_param->encAlg = SECOID_GetAlgorithmTag(&pbev2_param.algParams); rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, NSSPKCS5V2PBEParameterTemplate, &pbev2_param.keyParams.parameters); if (rv != SECSuccess) { break; } pbe_param->keyLen = DER_GetInteger(&pbe_param->keyLength); } /* we we are encrypting, save any iv's */ if (algorithm == SEC_OID_PKCS5_PBES2) { pbe_param->ivLen = pbev2_param.algParams.parameters.len; pbe_param->ivData = pbev2_param.algParams.parameters.data; } pbe_param->hashType = HASH_FromHMACOid(SECOID_GetAlgorithmTag(&pbe_param->prfAlg)); if (pbe_param->hashType == HASH_AlgNULL) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); rv = SECFailure; } break; } loser: PORT_Memset(&pbev2_param, 0, sizeof(pbev2_param)); if (rv == SECSuccess) { pbe_param->iter = DER_GetInteger(&pbe_param->iteration); } else { nsspkcs5_DestroyPBEParameter(pbe_param); pbe_param = NULL; } return pbe_param; } /* destroy a pbe parameter. it assumes that the parameter was * generated using the appropriate create function and therefor * contains an arena pool. */ void nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *pbe_param) { if (pbe_param != NULL) { PORT_FreeArena(pbe_param->poolp, PR_TRUE); } } /* crypto routines */ /* perform DES encryption and decryption. these routines are called * by nsspkcs5_CipherData. In the case of an error, NULL is returned. */ static SECItem * sec_pkcs5_des(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, PRBool encrypt) { SECItem *dest; SECItem *dup_src; CK_RV crv = CKR_DEVICE_ERROR; int error; SECStatus rv = SECFailure; DESContext *ctxt; unsigned int pad; if ((src == NULL) || (key == NULL) || (iv == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } dup_src = SECITEM_DupItem(src); if (dup_src == NULL) { return NULL; } if (encrypt != PR_FALSE) { void *dummy; dummy = CBC_PadBuffer(NULL, dup_src->data, dup_src->len, &dup_src->len, DES_BLOCK_SIZE); if (dummy == NULL) { SECITEM_ZfreeItem(dup_src, PR_TRUE); return NULL; } dup_src->data = (unsigned char *)dummy; } dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION); if (dest == NULL) { goto loser; } ctxt = DES_CreateContext(key->data, iv->data, (triple_des ? NSS_DES_EDE3_CBC : NSS_DES_CBC), encrypt); if (ctxt == NULL) { goto loser; } rv = (encrypt ? DES_Encrypt : DES_Decrypt)( ctxt, dest->data, &dest->len, dest->len, dup_src->data, dup_src->len); crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR; error = PORT_GetError(); /* remove padding */ if ((encrypt == PR_FALSE) && (rv == SECSuccess)) { crv = sftk_CheckCBCPadding(dest->data, dest->len, DES_BLOCK_SIZE, &pad); dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len); PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD)); } DES_DestroyContext(ctxt, PR_TRUE); loser: if (crv != CKR_OK) { if (dest != NULL) { SECITEM_ZfreeItem(dest, PR_TRUE); } dest = NULL; } if (dup_src != NULL) { SECITEM_ZfreeItem(dup_src, PR_TRUE); } return dest; } /* perform aes encryption/decryption if an error occurs, NULL is returned */ static SECItem * sec_pkcs5_aes(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, PRBool encrypt) { SECItem *dest; SECItem *dup_src; CK_RV crv = CKR_DEVICE_ERROR; int error; SECStatus rv = SECFailure; AESContext *ctxt; unsigned int pad; if ((src == NULL) || (key == NULL) || (iv == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } dup_src = SECITEM_DupItem(src); if (dup_src == NULL) { return NULL; } if (encrypt != PR_FALSE) { void *dummy; dummy = CBC_PadBuffer(NULL, dup_src->data, dup_src->len, &dup_src->len, AES_BLOCK_SIZE); if (dummy == NULL) { SECITEM_ZfreeItem(dup_src, PR_TRUE); return NULL; } dup_src->data = (unsigned char *)dummy; } dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION); if (dest == NULL) { goto loser; } ctxt = AES_CreateContext(key->data, iv->data, NSS_AES_CBC, encrypt, key->len, AES_BLOCK_SIZE); if (ctxt == NULL) { goto loser; } rv = (encrypt ? AES_Encrypt : AES_Decrypt)( ctxt, dest->data, &dest->len, dest->len, dup_src->data, dup_src->len); crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR; error = PORT_GetError(); /* remove padding */ if ((encrypt == PR_FALSE) && (rv == SECSuccess)) { crv = sftk_CheckCBCPadding(dest->data, dest->len, AES_BLOCK_SIZE, &pad); dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len); PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD)); } AES_DestroyContext(ctxt, PR_TRUE); loser: if (crv != CKR_OK) { if (dest != NULL) { SECITEM_ZfreeItem(dest, PR_TRUE); } dest = NULL; } if (dup_src != NULL) { SECITEM_ZfreeItem(dup_src, PR_TRUE); } return dest; } /* perform aes encryption/decryption if an error occurs, NULL is returned */ static SECItem * sec_pkcs5_aes_key_wrap(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, PRBool encrypt) { SECItem *dest; SECItem *dup_src; CK_RV crv = CKR_DEVICE_ERROR; int error; SECStatus rv = SECFailure; AESKeyWrapContext *ctxt; unsigned int pad; if ((src == NULL) || (key == NULL) || (iv == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } dup_src = SECITEM_DupItem(src); if (dup_src == NULL) { return NULL; } if (encrypt != PR_FALSE) { void *dummy; dummy = CBC_PadBuffer(NULL, dup_src->data, dup_src->len, &dup_src->len, AES_BLOCK_SIZE); if (dummy == NULL) { SECITEM_ZfreeItem(dup_src, PR_TRUE); return NULL; } dup_src->data = (unsigned char *)dummy; } dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION); if (dest == NULL) { goto loser; } ctxt = AESKeyWrap_CreateContext(key->data, iv->data, encrypt, key->len); if (ctxt == NULL) { goto loser; } rv = (encrypt ? AESKeyWrap_Encrypt : AESKeyWrap_Decrypt)( ctxt, dest->data, &dest->len, dest->len, dup_src->data, dup_src->len); crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR; error = PORT_GetError(); /* remove padding */ if ((encrypt == PR_FALSE) && (rv == SECSuccess)) { crv = sftk_CheckCBCPadding(dest->data, dest->len, AES_BLOCK_SIZE, &pad); dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len); PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD)); } AESKeyWrap_DestroyContext(ctxt, PR_TRUE); loser: if (crv != CKR_OK) { if (dest != NULL) { SECITEM_ZfreeItem(dest, PR_TRUE); } dest = NULL; } if (dup_src != NULL) { SECITEM_ZfreeItem(dup_src, PR_TRUE); } return dest; } #ifndef NSS_DISABLE_DEPRECATED_RC2 /* perform rc2 encryption/decryption if an error occurs, NULL is returned */ static SECItem * sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy, PRBool encrypt) { SECItem *dest; SECItem *dup_src; SECStatus rv = SECFailure; int pad; if ((src == NULL) || (key == NULL) || (iv == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } dup_src = SECITEM_DupItem(src); if (dup_src == NULL) { return NULL; } if (encrypt != PR_FALSE) { void *v; v = CBC_PadBuffer(NULL, dup_src->data, dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */); if (v == NULL) { SECITEM_ZfreeItem(dup_src, PR_TRUE); return NULL; } dup_src->data = (unsigned char *)v; } dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); if (dest != NULL) { dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64); if (dest->data != NULL) { RC2Context *ctxt; ctxt = RC2_CreateContext(key->data, key->len, iv->data, NSS_RC2_CBC, key->len); if (ctxt != NULL) { rv = (encrypt ? RC2_Encrypt : RC2_Decrypt)( ctxt, dest->data, &dest->len, dup_src->len + 64, dup_src->data, dup_src->len); /* assumes 8 byte blocks -- remove padding */ if ((rv == SECSuccess) && (encrypt != PR_TRUE)) { pad = dest->data[dest->len - 1]; if ((pad > 0) && (pad <= 8)) { if (dest->data[dest->len - pad] != pad) { PORT_SetError(SEC_ERROR_BAD_PASSWORD); rv = SECFailure; } else { dest->len -= pad; } } else { PORT_SetError(SEC_ERROR_BAD_PASSWORD); rv = SECFailure; } } } } } if ((rv != SECSuccess) && (dest != NULL)) { SECITEM_ZfreeItem(dest, PR_TRUE); dest = NULL; } if (dup_src != NULL) { SECITEM_ZfreeItem(dup_src, PR_TRUE); } return dest; } #endif /* NSS_DISABLE_DEPRECATED_RC2 */ /* perform rc4 encryption and decryption */ static SECItem * sec_pkcs5_rc4(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy_op, PRBool encrypt) { SECItem *dest; SECStatus rv = SECFailure; if ((src == NULL) || (key == NULL) || (iv == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); if (dest != NULL) { dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) * (src->len + 64)); if (dest->data != NULL) { RC4Context *ctxt; ctxt = RC4_CreateContext(key->data, key->len); if (ctxt) { rv = (encrypt ? RC4_Encrypt : RC4_Decrypt)( ctxt, dest->data, &dest->len, src->len + 64, src->data, src->len); RC4_DestroyContext(ctxt, PR_TRUE); } } } if ((rv != SECSuccess) && (dest)) { SECITEM_ZfreeItem(dest, PR_TRUE); dest = NULL; } return dest; } /* function pointer template for crypto functions */ typedef SECItem *(*pkcs5_crypto_func)(SECItem *key, SECItem *iv, SECItem *src, PRBool op1, PRBool op2); /* performs the cipher operation on the src and returns the result. * if an error occurs, NULL is returned. * * a null length password is allowed. this corresponds to encrypting * the data with ust the salt. */ /* change this to use PKCS 11? */ SECItem * nsspkcs5_CipherData(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, SECItem *src, PRBool encrypt, PRBool *update) { SECItem *key = NULL, iv; SECItem *dest = NULL; PRBool tripleDES = PR_TRUE; pkcs5_crypto_func cryptof; iv.data = NULL; if (update) { *update = PR_FALSE; } if ((pwitem == NULL) || (src == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } /* get key, and iv */ key = nsspkcs5_ComputeKeyAndIV(pbe_param, pwitem, &iv, PR_FALSE); if (key == NULL) { return NULL; } switch (pbe_param->encAlg) { /* PKCS 5 v2 only */ case SEC_OID_AES_128_KEY_WRAP: case SEC_OID_AES_192_KEY_WRAP: case SEC_OID_AES_256_KEY_WRAP: cryptof = sec_pkcs5_aes_key_wrap; break; case SEC_OID_AES_128_CBC: case SEC_OID_AES_192_CBC: case SEC_OID_AES_256_CBC: cryptof = sec_pkcs5_aes; break; case SEC_OID_DES_EDE3_CBC: cryptof = sec_pkcs5_des; tripleDES = PR_TRUE; break; case SEC_OID_DES_CBC: cryptof = sec_pkcs5_des; tripleDES = PR_FALSE; break; #ifndef NSS_DISABLE_DEPRECATED_RC2 case SEC_OID_RC2_CBC: cryptof = sec_pkcs5_rc2; break; #endif case SEC_OID_RC4: cryptof = sec_pkcs5_rc4; break; default: cryptof = NULL; break; } if (cryptof == NULL) { goto loser; } dest = (*cryptof)(key, &iv, src, tripleDES, encrypt); /* * it's possible for some keys and keydb's to claim to * be triple des when they're really des. In this case * we simply try des. If des works we set the update flag * so the key db knows it needs to update all it's entries. * The case can only happen on decrypted of a * SEC_OID_DES_EDE3_CBD. */ if ((pbe_param->encAlg == SEC_OID_DES_EDE3_CBC) && (dest == NULL) && (encrypt == PR_FALSE)) { dest = (*cryptof)(key, &iv, src, PR_FALSE, encrypt); if (update && (dest != NULL)) *update = PR_TRUE; } loser: if (key != NULL) { SECITEM_ZfreeItem(key, PR_TRUE); } if (iv.data != NULL) { SECITEM_ZfreeItem(&iv, PR_FALSE); } return dest; } /* creates a algorithm ID containing the PBE algorithm and appropriate * parameters. the required parameter is the algorithm. if salt is * not specified, it is generated randomly. if IV is specified, it overrides * the PKCS 5 generation of the IV. * * the returned SECAlgorithmID should be destroyed using * SECOID_DestroyAlgorithmID */ SECAlgorithmID * nsspkcs5_CreateAlgorithmID(PLArenaPool *arena, SECOidTag algorithm, NSSPKCS5PBEParameter *pbe_param) { SECAlgorithmID *algid, *ret_algid = NULL; SECItem der_param; nsspkcs5V2PBEParameter pkcs5v2_param; SECStatus rv = SECFailure; void *dummy = NULL; if (arena == NULL) { return NULL; } der_param.data = NULL; der_param.len = 0; /* generate the algorithm id */ algid = (SECAlgorithmID *)PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID)); if (algid == NULL) { goto loser; } if (pbe_param->iteration.data == NULL) { dummy = SEC_ASN1EncodeInteger(pbe_param->poolp, &pbe_param->iteration, pbe_param->iter); if (dummy == NULL) { goto loser; } } switch (pbe_param->pbeType) { case NSSPKCS5_PBKDF1: dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param, NSSPKCS5PBEParameterTemplate); break; case NSSPKCS5_PKCS12_V2: dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param, NSSPKCS5PKCS12V2PBEParameterTemplate); break; case NSSPKCS5_PBKDF2: if (pbe_param->keyLength.data == NULL) { dummy = SEC_ASN1EncodeInteger(pbe_param->poolp, &pbe_param->keyLength, pbe_param->keyLen); if (dummy == NULL) { goto loser; } } PORT_Memset(&pkcs5v2_param, 0, sizeof(pkcs5v2_param)); dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param, NSSPKCS5V2PBEParameterTemplate); if (dummy == NULL) { break; } dummy = NULL; rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.keyParams, SEC_OID_PKCS5_PBKDF2, &der_param); if (rv != SECSuccess) { break; } der_param.data = pbe_param->ivData; der_param.len = pbe_param->ivLen; rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.algParams, pbe_param->encAlg, pbe_param->ivLen ? &der_param : NULL); if (rv != SECSuccess) { dummy = NULL; break; } der_param.data = NULL; der_param.len = 0; dummy = SEC_ASN1EncodeItem(arena, &der_param, &pkcs5v2_param, NSSPKCS5V2PBES2ParameterTemplate); /* If the algorithm was set to some encryption oid, set it * to PBES2 */ if ((algorithm != SEC_OID_PKCS5_PBKDF2) && (algorithm != SEC_OID_PKCS5_PBMAC1)) { algorithm = SEC_OID_PKCS5_PBES2; } break; default: break; } if (dummy == NULL) { goto loser; } rv = SECOID_SetAlgorithmID(arena, algid, algorithm, &der_param); if (rv != SECSuccess) { goto loser; } ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID)); if (ret_algid == NULL) { goto loser; } rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid); if (rv != SECSuccess) { SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE); ret_algid = NULL; } loser: return ret_algid; } #define TEST_KEY "pbkdf test key" SECStatus sftk_fips_pbkdf_PowerUpSelfTests(void) { SECItem *result; SECItem inKey; NSSPKCS5PBEParameter pbe_params; unsigned char iteration_count = 5; unsigned char keyLen = 64; char *inKeyData = TEST_KEY; static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; static const unsigned char pbkdf_known_answer[] = { 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29, 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c, 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37, 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90, 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa, 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1, 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66, 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5 }; sftk_PBELockInit(); inKey.data = (unsigned char *)inKeyData; inKey.len = sizeof(TEST_KEY) - 1; pbe_params.salt.data = (unsigned char *)saltData; pbe_params.salt.len = sizeof(saltData); /* the interation and keyLength are used as intermediate * values when decoding the Algorithm ID, set them for completeness, * but they are not used */ pbe_params.iteration.data = &iteration_count; pbe_params.iteration.len = 1; pbe_params.keyLength.data = &keyLen; pbe_params.keyLength.len = 1; /* pkcs5v2 stores the key in the AlgorithmID, so we don't need to * generate it here */ pbe_params.ivLen = 0; pbe_params.ivData = NULL; /* keyID is only used by pkcs12 extensions to pkcs5v1 */ pbe_params.keyID = pbeBitGenCipherKey; /* Algorithm is used by the decryption code after get get our key */ pbe_params.encAlg = SEC_OID_AES_256_CBC; /* these are the fields actually used in nsspkcs5_ComputeKeyAndIV * for NSSPKCS5_PBKDF2 */ pbe_params.iter = iteration_count; pbe_params.keyLen = keyLen; pbe_params.hashType = HASH_AlgSHA256; pbe_params.pbeType = NSSPKCS5_PBKDF2; pbe_params.is2KeyDES = PR_FALSE; result = nsspkcs5_ComputeKeyAndIV(&pbe_params, &inKey, NULL, PR_FALSE); if ((result == NULL) || (result->len != sizeof(pbkdf_known_answer)) || (PORT_Memcmp(result->data, pbkdf_known_answer, sizeof(pbkdf_known_answer)) != 0)) { SECITEM_FreeItem(result, PR_TRUE); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; } SECITEM_FreeItem(result, PR_TRUE); return SECSuccess; }