1 files changed, 386 insertions, 7 deletions
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 7f7784847b..dd06a768b3 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pbe.c,v 1.38 2024/01/27 16:26:25 tb Exp $ */
+/* $OpenBSD: evp_pbe.c,v 1.39 2024/01/27 17:14:33 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -59,14 +59,16 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/opensslconf.h>
+#include <openssl/asn1.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/objects.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
 #include "evp_local.h"
+#include "hmac_local.h"
 /* Password based encryption (PBE) functions */
@@ -96,14 +98,12 @@ static const struct pbe_config pbe_outer[] = {
                .md_nid = NID_sha1,
                .keygen = PKCS5_PBE_keyivgen,
        },
-#ifndef OPENSSL_NO_HMAC
        {
                .pbe_nid = NID_id_pbkdf2,
                .cipher_nid = -1,
                .md_nid = -1,
                .keygen = PKCS5_v2_PBKDF2_keyivgen,
        },
-#endif
        {
                .pbe_nid = NID_pbe_WithSHA1And128BitRC4,
                .cipher_nid = NID_rc4,
@@ -140,14 +140,12 @@ static const struct pbe_config pbe_outer[] = {
                .md_nid = NID_sha1,
                .keygen = PKCS12_PBE_keyivgen,
        },
-#ifndef OPENSSL_NO_HMAC
        {
                .pbe_nid = NID_pbes2,
                .cipher_nid = -1,
                .md_nid = -1,
                .keygen = PKCS5_v2_PBE_keyivgen,
        },
-#endif
        {
                .pbe_nid = NID_pbeWithMD2AndRC2_CBC,
                .cipher_nid = NID_rc2_64_cbc,
@@ -341,6 +339,387 @@ EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
        return 1;
 }
+int
+PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
+    ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
+{
+        EVP_MD_CTX ctx;
+        unsigned char md_tmp[EVP_MAX_MD_SIZE];
+        unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+        int i;
+        PBEPARAM *pbe;
+        int saltlen, iter;
+        unsigned char *salt;
+        const unsigned char *pbuf;
+        int mdsize;
+        int rv = 0;
+        /* Extract useful info from parameter */
+        if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+            param->value.sequence == NULL) {
+                EVPerror(EVP_R_DECODE_ERROR);
+                return 0;
+        }
+        mdsize = EVP_MD_size(md);
+        if (mdsize < 0)
+                return 0;
+        pbuf = param->value.sequence->data;
+        if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
+                EVPerror(EVP_R_DECODE_ERROR);
+                return 0;
+        }
+        if (!pbe->iter)
+                iter = 1;
+        else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
+                EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
+                PBEPARAM_free(pbe);
+                return 0;
+        }
+        salt = pbe->salt->data;
+        saltlen = pbe->salt->length;
+        if (!pass)
+                passlen = 0;
+        else if (passlen == -1)
+                passlen = strlen(pass);
+        EVP_MD_CTX_init(&ctx);
+        if (!EVP_DigestInit_ex(&ctx, md, NULL))
+                goto err;
+        if (!EVP_DigestUpdate(&ctx, pass, passlen))
+                goto err;
+        if (!EVP_DigestUpdate(&ctx, salt, saltlen))
+                goto err;
+        if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
+                goto err;
+        for (i = 1; i < iter; i++) {
+                if (!EVP_DigestInit_ex(&ctx, md, NULL))
+                        goto err;
+                if (!EVP_DigestUpdate(&ctx, md_tmp, mdsize))
+                        goto err;
+                if (!EVP_DigestFinal_ex (&ctx, md_tmp, NULL))
+                        goto err;
+        }
+        if ((size_t)EVP_CIPHER_key_length(cipher) > sizeof(md_tmp)) {
+                EVPerror(EVP_R_BAD_KEY_LENGTH);
+                goto err;
+        }
+        memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
+        if ((size_t)EVP_CIPHER_iv_length(cipher) > 16) {
+                EVPerror(EVP_R_IV_TOO_LARGE);
+                goto err;
+        }
+        memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
+            EVP_CIPHER_iv_length(cipher));
+        if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
+                goto err;
+        explicit_bzero(md_tmp, EVP_MAX_MD_SIZE);
+        explicit_bzero(key, EVP_MAX_KEY_LENGTH);
+        explicit_bzero(iv, EVP_MAX_IV_LENGTH);
+        rv = 1;
+ err:
+        EVP_MD_CTX_cleanup(&ctx);
+        PBEPARAM_free(pbe);
+        return rv;
+}
+/*
+ * PKCS#5 v2.0 password based encryption key derivation function PBKDF2.
+ */
+int
+PKCS5_PBKDF2_HMAC(const char *pass, int passlen, const unsigned char *salt,
+    int saltlen, int iter, const EVP_MD *digest, int keylen, unsigned char *out)
+{
+        unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
+        int cplen, j, k, tkeylen, mdlen;
+        unsigned long i = 1;
+        HMAC_CTX hctx_tpl, hctx;
+        mdlen = EVP_MD_size(digest);
+        if (mdlen < 0)
+                return 0;
+        HMAC_CTX_init(&hctx_tpl);
+        p = out;
+        tkeylen = keylen;
+        if (!pass)
+                passlen = 0;
+        else if (passlen == -1)
+                passlen = strlen(pass);
+        if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL)) {
+                HMAC_CTX_cleanup(&hctx_tpl);
+                return 0;
+        }
+        while (tkeylen) {
+                if (tkeylen > mdlen)
+                        cplen = mdlen;
+                else
+                        cplen = tkeylen;
+                /*
+                 * We are unlikely to ever use more than 256 blocks (5120 bits!)
+                 * but just in case...
+                 */
+                itmp[0] = (unsigned char)((i >> 24) & 0xff);
+                itmp[1] = (unsigned char)((i >> 16) & 0xff);
+                itmp[2] = (unsigned char)((i >> 8) & 0xff);
+                itmp[3] = (unsigned char)(i & 0xff);
+                if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
+                        HMAC_CTX_cleanup(&hctx_tpl);
+                        return 0;
+                }
+                if (!HMAC_Update(&hctx, salt, saltlen) ||
+                    !HMAC_Update(&hctx, itmp, 4) ||
+                    !HMAC_Final(&hctx, digtmp, NULL)) {
+                        HMAC_CTX_cleanup(&hctx_tpl);
+                        HMAC_CTX_cleanup(&hctx);
+                        return 0;
+                }
+                HMAC_CTX_cleanup(&hctx);
+                memcpy(p, digtmp, cplen);
+                for (j = 1; j < iter; j++) {
+                        if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
+                                HMAC_CTX_cleanup(&hctx_tpl);
+                                return 0;
+                        }
+                        if (!HMAC_Update(&hctx, digtmp, mdlen) ||
+                            !HMAC_Final(&hctx, digtmp, NULL)) {
+                                HMAC_CTX_cleanup(&hctx_tpl);
+                                HMAC_CTX_cleanup(&hctx);
+                                return 0;
+                        }
+                        HMAC_CTX_cleanup(&hctx);
+                        for (k = 0; k < cplen; k++)
+                                p[k] ^= digtmp[k];
+                }
+                tkeylen -= cplen;
+                i++;
+                p += cplen;
+        }
+        HMAC_CTX_cleanup(&hctx_tpl);
+        return 1;
+}
+int
+PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, const unsigned char *salt,
+    int saltlen, int iter, int keylen, unsigned char *out)
+{
+        return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
+            EVP_sha1(), keylen, out);
+}
+/*
+ * Now the key derivation function itself. This is a bit evil because
+ * it has to check the ASN1 parameters are valid: and there are quite a
+ * few of them...
+ */
+int
+PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+    ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
+{
+        const unsigned char *pbuf;
+        int plen;
+        PBE2PARAM *pbe2 = NULL;
+        const EVP_CIPHER *cipher;
+        int rv = 0;
+        if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+            param->value.sequence == NULL) {
+                EVPerror(EVP_R_DECODE_ERROR);
+                goto err;
+        }
+        pbuf = param->value.sequence->data;
+        plen = param->value.sequence->length;
+        if (!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
+                EVPerror(EVP_R_DECODE_ERROR);
+                goto err;
+        }
+        /* See if we recognise the key derivation function */
+        if (OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
+                EVPerror(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
+                goto err;
+        }
+        /* Let's see if we recognise the encryption algorithm.  */
+        cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm);
+        if (!cipher) {
+                EVPerror(EVP_R_UNSUPPORTED_CIPHER);
+                goto err;
+        }
+        /* Fixup cipher based on AlgorithmIdentifier */
+        if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
+                goto err;
+        if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
+                EVPerror(EVP_R_CIPHER_PARAMETER_ERROR);
+                goto err;
+        }
+        rv = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
+            pbe2->keyfunc->parameter, c, md, en_de);
+ err:
+        PBE2PARAM_free(pbe2);
+        return rv;
+}
+int
+PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+    ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
+{
+        unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
+        const unsigned char *pbuf;
+        int saltlen, iter, plen;
+        int rv = 0;
+        unsigned int keylen = 0;
+        int prf_nid, hmac_md_nid;
+        PBKDF2PARAM *kdf = NULL;
+        const EVP_MD *prfmd;
+        if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
+                EVPerror(EVP_R_NO_CIPHER_SET);
+                return 0;
+        }
+        keylen = EVP_CIPHER_CTX_key_length(ctx);
+        if (keylen > sizeof key) {
+                EVPerror(EVP_R_BAD_KEY_LENGTH);
+                return 0;
+        }
+        /* Decode parameter */
+        if (!param || (param->type != V_ASN1_SEQUENCE)) {
+                EVPerror(EVP_R_DECODE_ERROR);
+                return 0;
+        }
+        pbuf = param->value.sequence->data;
+        plen = param->value.sequence->length;
+        if (!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
+                EVPerror(EVP_R_DECODE_ERROR);
+                return 0;
+        }
+        /* Now check the parameters of the kdf */
+        if (kdf->keylength &&
+            (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
+                EVPerror(EVP_R_UNSUPPORTED_KEYLENGTH);
+                goto err;
+        }
+        if (kdf->prf)
+                prf_nid = OBJ_obj2nid(kdf->prf->algorithm);
+        else
+                prf_nid = NID_hmacWithSHA1;
+        if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {
+                EVPerror(EVP_R_UNSUPPORTED_PRF);
+                goto err;
+        }
+        prfmd = EVP_get_digestbynid(hmac_md_nid);
+        if (prfmd == NULL) {
+                EVPerror(EVP_R_UNSUPPORTED_PRF);
+                goto err;
+        }
+        if (kdf->salt->type != V_ASN1_OCTET_STRING) {
+                EVPerror(EVP_R_UNSUPPORTED_SALT_TYPE);
+                goto err;
+        }
+        /* it seems that its all OK */
+        salt = kdf->salt->value.octet_string->data;
+        saltlen = kdf->salt->value.octet_string->length;
+        if ((iter = ASN1_INTEGER_get(kdf->iter)) <= 0) {
+                EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
+                goto err;
+        }
+        if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd,
+            keylen, key))
+                goto err;
+        rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
+ err:
+        explicit_bzero(key, keylen);
+        PBKDF2PARAM_free(kdf);
+        return rv;
+}
+void
+PKCS12_PBE_add(void)
+{
+}
+LCRYPTO_ALIAS(PKCS12_PBE_add);
+int
+PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+    ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
+{
+        PBEPARAM *pbe;
+        int saltlen, iter, ret;
+        unsigned char *salt;
+        const unsigned char *pbuf;
+        unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+        /* Extract useful info from parameter */
+        if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+            param->value.sequence == NULL) {
+                PKCS12error(PKCS12_R_DECODE_ERROR);
+                return 0;
+        }
+        pbuf = param->value.sequence->data;
+        if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
+                PKCS12error(PKCS12_R_DECODE_ERROR);
+                return 0;
+        }
+        if (!pbe->iter)
+                iter = 1;
+        else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
+                PKCS12error(PKCS12_R_DECODE_ERROR);
+                PBEPARAM_free(pbe);
+                return 0;
+        }
+        salt = pbe->salt->data;
+        saltlen = pbe->salt->length;
+        if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
+            iter, EVP_CIPHER_key_length(cipher), key, md)) {
+                PKCS12error(PKCS12_R_KEY_GEN_ERROR);
+                PBEPARAM_free(pbe);
+                return 0;
+        }
+        if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
+            iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
+                PKCS12error(PKCS12_R_IV_GEN_ERROR);
+                PBEPARAM_free(pbe);
+                return 0;
+        }
+        PBEPARAM_free(pbe);
+        ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
+        explicit_bzero(key, EVP_MAX_KEY_LENGTH);
+        explicit_bzero(iv, EVP_MAX_IV_LENGTH);
+        return ret;
+}
+LCRYPTO_ALIAS(PKCS12_PBE_keyivgen);
 /*
 * XXX - remove the functions below in the next major bump
 */

diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c index 7f7784847b..dd06a768b3 100644 --- a/src/lib/libcrypto/evp/evp_pbe.c +++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp_pbe.c,v 1.38 2024/01/27 16:26:25 tb Exp $ */	1	/* $OpenBSD: evp_pbe.c,v 1.39 2024/01/27 17:14:33 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -59,14 +59,16 @@
59	#include <stdio.h>	59	#include <stdio.h>
60	#include <string.h>	60	#include <string.h>
61		61
62	#include <openssl/opensslconf.h>	62	#include <openssl/asn1.h>
63
64	#include <openssl/err.h>	63	#include <openssl/err.h>
65	#include <openssl/evp.h>	64	#include <openssl/evp.h>
		65	#include <openssl/hmac.h>
		66	#include <openssl/objects.h>
66	#include <openssl/pkcs12.h>	67	#include <openssl/pkcs12.h>
67	#include <openssl/x509.h>	68	#include <openssl/x509.h>
68		69
69	#include "evp_local.h"	70	#include "evp_local.h"
		71	#include "hmac_local.h"
70		72
71	/* Password based encryption (PBE) functions */	73	/* Password based encryption (PBE) functions */
72		74
@@ -96,14 +98,12 @@ static const struct pbe_config pbe_outer[] = {
96	.md_nid = NID_sha1,	98	.md_nid = NID_sha1,
97	.keygen = PKCS5_PBE_keyivgen,	99	.keygen = PKCS5_PBE_keyivgen,
98	},	100	},
99	#ifndef OPENSSL_NO_HMAC
100	{	101	{
101	.pbe_nid = NID_id_pbkdf2,	102	.pbe_nid = NID_id_pbkdf2,
102	.cipher_nid = -1,	103	.cipher_nid = -1,
103	.md_nid = -1,	104	.md_nid = -1,
104	.keygen = PKCS5_v2_PBKDF2_keyivgen,	105	.keygen = PKCS5_v2_PBKDF2_keyivgen,
105	},	106	},
106	#endif
107	{	107	{
108	.pbe_nid = NID_pbe_WithSHA1And128BitRC4,	108	.pbe_nid = NID_pbe_WithSHA1And128BitRC4,
109	.cipher_nid = NID_rc4,	109	.cipher_nid = NID_rc4,
@@ -140,14 +140,12 @@ static const struct pbe_config pbe_outer[] = {
140	.md_nid = NID_sha1,	140	.md_nid = NID_sha1,
141	.keygen = PKCS12_PBE_keyivgen,	141	.keygen = PKCS12_PBE_keyivgen,
142	},	142	},
143	#ifndef OPENSSL_NO_HMAC
144	{	143	{
145	.pbe_nid = NID_pbes2,	144	.pbe_nid = NID_pbes2,
146	.cipher_nid = -1,	145	.cipher_nid = -1,
147	.md_nid = -1,	146	.md_nid = -1,
148	.keygen = PKCS5_v2_PBE_keyivgen,	147	.keygen = PKCS5_v2_PBE_keyivgen,
149	},	148	},
150	#endif
151	{	149	{
152	.pbe_nid = NID_pbeWithMD2AndRC2_CBC,	150	.pbe_nid = NID_pbeWithMD2AndRC2_CBC,
153	.cipher_nid = NID_rc2_64_cbc,	151	.cipher_nid = NID_rc2_64_cbc,
@@ -341,6 +339,387 @@ EVP_PBE_CipherInit(ASN1_OBJECT pbe_obj, const char pass, int passlen,
341	return 1;	339	return 1;
342	}	340	}
343		341
		342	int
		343	PKCS5_PBE_keyivgen(EVP_CIPHER_CTX cctx, const char pass, int passlen,
		344	ASN1_TYPE param, const EVP_CIPHER cipher, const EVP_MD *md, int en_de)
		345	{
		346	EVP_MD_CTX ctx;
		347	unsigned char md_tmp[EVP_MAX_MD_SIZE];
		348	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
		349	int i;
		350	PBEPARAM *pbe;
		351	int saltlen, iter;
		352	unsigned char *salt;
		353	const unsigned char *pbuf;
		354	int mdsize;
		355	int rv = 0;
		356
		357	/* Extract useful info from parameter */
		358	if (param == NULL \|\| param->type != V_ASN1_SEQUENCE \|\|
		359	param->value.sequence == NULL) {
		360	EVPerror(EVP_R_DECODE_ERROR);
		361	return 0;
		362	}
		363
		364	mdsize = EVP_MD_size(md);
		365	if (mdsize < 0)
		366	return 0;
		367
		368	pbuf = param->value.sequence->data;
		369	if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
		370	EVPerror(EVP_R_DECODE_ERROR);
		371	return 0;
		372	}
		373
		374	if (!pbe->iter)
		375	iter = 1;
		376	else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
		377	EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
		378	PBEPARAM_free(pbe);
		379	return 0;
		380	}
		381	salt = pbe->salt->data;
		382	saltlen = pbe->salt->length;
		383
		384	if (!pass)
		385	passlen = 0;
		386	else if (passlen == -1)
		387	passlen = strlen(pass);
		388
		389	EVP_MD_CTX_init(&ctx);
		390
		391	if (!EVP_DigestInit_ex(&ctx, md, NULL))
		392	goto err;
		393	if (!EVP_DigestUpdate(&ctx, pass, passlen))
		394	goto err;
		395	if (!EVP_DigestUpdate(&ctx, salt, saltlen))
		396	goto err;
		397	if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
		398	goto err;
		399	for (i = 1; i < iter; i++) {
		400	if (!EVP_DigestInit_ex(&ctx, md, NULL))
		401	goto err;
		402	if (!EVP_DigestUpdate(&ctx, md_tmp, mdsize))
		403	goto err;
		404	if (!EVP_DigestFinal_ex (&ctx, md_tmp, NULL))
		405	goto err;
		406	}
		407	if ((size_t)EVP_CIPHER_key_length(cipher) > sizeof(md_tmp)) {
		408	EVPerror(EVP_R_BAD_KEY_LENGTH);
		409	goto err;
		410	}
		411	memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
		412	if ((size_t)EVP_CIPHER_iv_length(cipher) > 16) {
		413	EVPerror(EVP_R_IV_TOO_LARGE);
		414	goto err;
		415	}
		416	memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
		417	EVP_CIPHER_iv_length(cipher));
		418	if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
		419	goto err;
		420	explicit_bzero(md_tmp, EVP_MAX_MD_SIZE);
		421	explicit_bzero(key, EVP_MAX_KEY_LENGTH);
		422	explicit_bzero(iv, EVP_MAX_IV_LENGTH);
		423
		424	rv = 1;
		425	err:
		426	EVP_MD_CTX_cleanup(&ctx);
		427	PBEPARAM_free(pbe);
		428
		429	return rv;
		430	}
		431
		432	/*
		433	* PKCS#5 v2.0 password based encryption key derivation function PBKDF2.
		434	*/
		435
		436	int
		437	PKCS5_PBKDF2_HMAC(const char pass, int passlen, const unsigned char salt,
		438	int saltlen, int iter, const EVP_MD digest, int keylen, unsigned char out)
		439	{
		440	unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
		441	int cplen, j, k, tkeylen, mdlen;
		442	unsigned long i = 1;
		443	HMAC_CTX hctx_tpl, hctx;
		444
		445	mdlen = EVP_MD_size(digest);
		446	if (mdlen < 0)
		447	return 0;
		448
		449	HMAC_CTX_init(&hctx_tpl);
		450	p = out;
		451	tkeylen = keylen;
		452	if (!pass)
		453	passlen = 0;
		454	else if (passlen == -1)
		455	passlen = strlen(pass);
		456	if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL)) {
		457	HMAC_CTX_cleanup(&hctx_tpl);
		458	return 0;
		459	}
		460	while (tkeylen) {
		461	if (tkeylen > mdlen)
		462	cplen = mdlen;
		463	else
		464	cplen = tkeylen;
		465	/*
		466	* We are unlikely to ever use more than 256 blocks (5120 bits!)
		467	* but just in case...
		468	*/
		469	itmp[0] = (unsigned char)((i >> 24) & 0xff);
		470	itmp[1] = (unsigned char)((i >> 16) & 0xff);
		471	itmp[2] = (unsigned char)((i >> 8) & 0xff);
		472	itmp[3] = (unsigned char)(i & 0xff);
		473	if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
		474	HMAC_CTX_cleanup(&hctx_tpl);
		475	return 0;
		476	}
		477	if (!HMAC_Update(&hctx, salt, saltlen) \|\|
		478	!HMAC_Update(&hctx, itmp, 4) \|\|
		479	!HMAC_Final(&hctx, digtmp, NULL)) {
		480	HMAC_CTX_cleanup(&hctx_tpl);
		481	HMAC_CTX_cleanup(&hctx);
		482	return 0;
		483	}
		484	HMAC_CTX_cleanup(&hctx);
		485	memcpy(p, digtmp, cplen);
		486	for (j = 1; j < iter; j++) {
		487	if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
		488	HMAC_CTX_cleanup(&hctx_tpl);
		489	return 0;
		490	}
		491	if (!HMAC_Update(&hctx, digtmp, mdlen) \|\|
		492	!HMAC_Final(&hctx, digtmp, NULL)) {
		493	HMAC_CTX_cleanup(&hctx_tpl);
		494	HMAC_CTX_cleanup(&hctx);
		495	return 0;
		496	}
		497	HMAC_CTX_cleanup(&hctx);
		498	for (k = 0; k < cplen; k++)
		499	p[k] ^= digtmp[k];
		500	}
		501	tkeylen -= cplen;
		502	i++;
		503	p += cplen;
		504	}
		505	HMAC_CTX_cleanup(&hctx_tpl);
		506	return 1;
		507	}
		508
		509	int
		510	PKCS5_PBKDF2_HMAC_SHA1(const char pass, int passlen, const unsigned char salt,
		511	int saltlen, int iter, int keylen, unsigned char *out)
		512	{
		513	return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
		514	EVP_sha1(), keylen, out);
		515	}
		516
		517	/*
		518	* Now the key derivation function itself. This is a bit evil because
		519	* it has to check the ASN1 parameters are valid: and there are quite a
		520	* few of them...
		521	*/
		522
		523	int
		524	PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX ctx, const char pass, int passlen,
		525	ASN1_TYPE param, const EVP_CIPHER c, const EVP_MD *md, int en_de)
		526	{
		527	const unsigned char *pbuf;
		528	int plen;
		529	PBE2PARAM *pbe2 = NULL;
		530	const EVP_CIPHER *cipher;
		531
		532	int rv = 0;
		533
		534	if (param == NULL \|\| param->type != V_ASN1_SEQUENCE \|\|
		535	param->value.sequence == NULL) {
		536	EVPerror(EVP_R_DECODE_ERROR);
		537	goto err;
		538	}
		539
		540	pbuf = param->value.sequence->data;
		541	plen = param->value.sequence->length;
		542	if (!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
		543	EVPerror(EVP_R_DECODE_ERROR);
		544	goto err;
		545	}
		546
		547	/* See if we recognise the key derivation function */
		548
		549	if (OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
		550	EVPerror(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
		551	goto err;
		552	}
		553
		554	/* Let's see if we recognise the encryption algorithm. */
		555	cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm);
		556	if (!cipher) {
		557	EVPerror(EVP_R_UNSUPPORTED_CIPHER);
		558	goto err;
		559	}
		560
		561	/* Fixup cipher based on AlgorithmIdentifier */
		562	if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
		563	goto err;
		564	if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
		565	EVPerror(EVP_R_CIPHER_PARAMETER_ERROR);
		566	goto err;
		567	}
		568
		569	rv = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
		570	pbe2->keyfunc->parameter, c, md, en_de);
		571
		572	err:
		573	PBE2PARAM_free(pbe2);
		574
		575	return rv;
		576	}
		577
		578	int
		579	PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX ctx, const char pass, int passlen,
		580	ASN1_TYPE param, const EVP_CIPHER c, const EVP_MD *md, int en_de)
		581	{
		582	unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
		583	const unsigned char *pbuf;
		584	int saltlen, iter, plen;
		585	int rv = 0;
		586	unsigned int keylen = 0;
		587	int prf_nid, hmac_md_nid;
		588	PBKDF2PARAM *kdf = NULL;
		589	const EVP_MD *prfmd;
		590
		591	if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
		592	EVPerror(EVP_R_NO_CIPHER_SET);
		593	return 0;
		594	}
		595	keylen = EVP_CIPHER_CTX_key_length(ctx);
		596	if (keylen > sizeof key) {
		597	EVPerror(EVP_R_BAD_KEY_LENGTH);
		598	return 0;
		599	}
		600
		601	/* Decode parameter */
		602
		603	if (!param \|\| (param->type != V_ASN1_SEQUENCE)) {
		604	EVPerror(EVP_R_DECODE_ERROR);
		605	return 0;
		606	}
		607
		608	pbuf = param->value.sequence->data;
		609	plen = param->value.sequence->length;
		610
		611	if (!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
		612	EVPerror(EVP_R_DECODE_ERROR);
		613	return 0;
		614	}
		615
		616	/* Now check the parameters of the kdf */
		617
		618	if (kdf->keylength &&
		619	(ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
		620	EVPerror(EVP_R_UNSUPPORTED_KEYLENGTH);
		621	goto err;
		622	}
		623
		624	if (kdf->prf)
		625	prf_nid = OBJ_obj2nid(kdf->prf->algorithm);
		626	else
		627	prf_nid = NID_hmacWithSHA1;
		628
		629	if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {
		630	EVPerror(EVP_R_UNSUPPORTED_PRF);
		631	goto err;
		632	}
		633
		634	prfmd = EVP_get_digestbynid(hmac_md_nid);
		635	if (prfmd == NULL) {
		636	EVPerror(EVP_R_UNSUPPORTED_PRF);
		637	goto err;
		638	}
		639
		640	if (kdf->salt->type != V_ASN1_OCTET_STRING) {
		641	EVPerror(EVP_R_UNSUPPORTED_SALT_TYPE);
		642	goto err;
		643	}
		644
		645	/* it seems that its all OK */
		646	salt = kdf->salt->value.octet_string->data;
		647	saltlen = kdf->salt->value.octet_string->length;
		648	if ((iter = ASN1_INTEGER_get(kdf->iter)) <= 0) {
		649	EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
		650	goto err;
		651	}
		652	if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd,
		653	keylen, key))
		654	goto err;
		655
		656	rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
		657
		658	err:
		659	explicit_bzero(key, keylen);
		660	PBKDF2PARAM_free(kdf);
		661
		662	return rv;
		663	}
		664
		665	void
		666	PKCS12_PBE_add(void)
		667	{
		668	}
		669	LCRYPTO_ALIAS(PKCS12_PBE_add);
		670
		671	int
		672	PKCS12_PBE_keyivgen(EVP_CIPHER_CTX ctx, const char pass, int passlen,
		673	ASN1_TYPE param, const EVP_CIPHER cipher, const EVP_MD *md, int en_de)
		674	{
		675	PBEPARAM *pbe;
		676	int saltlen, iter, ret;
		677	unsigned char *salt;
		678	const unsigned char *pbuf;
		679	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
		680
		681	/* Extract useful info from parameter */
		682	if (param == NULL \|\| param->type != V_ASN1_SEQUENCE \|\|
		683	param->value.sequence == NULL) {
		684	PKCS12error(PKCS12_R_DECODE_ERROR);
		685	return 0;
		686	}
		687
		688	pbuf = param->value.sequence->data;
		689	if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
		690	PKCS12error(PKCS12_R_DECODE_ERROR);
		691	return 0;
		692	}
		693
		694	if (!pbe->iter)
		695	iter = 1;
		696	else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
		697	PKCS12error(PKCS12_R_DECODE_ERROR);
		698	PBEPARAM_free(pbe);
		699	return 0;
		700	}
		701	salt = pbe->salt->data;
		702	saltlen = pbe->salt->length;
		703	if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
		704	iter, EVP_CIPHER_key_length(cipher), key, md)) {
		705	PKCS12error(PKCS12_R_KEY_GEN_ERROR);
		706	PBEPARAM_free(pbe);
		707	return 0;
		708	}
		709	if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
		710	iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
		711	PKCS12error(PKCS12_R_IV_GEN_ERROR);
		712	PBEPARAM_free(pbe);
		713	return 0;
		714	}
		715	PBEPARAM_free(pbe);
		716	ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
		717	explicit_bzero(key, EVP_MAX_KEY_LENGTH);
		718	explicit_bzero(iv, EVP_MAX_IV_LENGTH);
		719	return ret;
		720	}
		721	LCRYPTO_ALIAS(PKCS12_PBE_keyivgen);
		722
344	/*	723	/*
345	* XXX - remove the functions below in the next major bump	724	* XXX - remove the functions below in the next major bump
346	*/	725	*/