/src/botan/src/lib/pubkey/pbes2/pbes2.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * PKCS #5 PBES2 |
3 | | * (C) 1999-2008,2014,2021 Jack Lloyd |
4 | | * (C) 2018 Ribose Inc |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/internal/pbes2.h> |
10 | | #include <botan/cipher_mode.h> |
11 | | #include <botan/pwdhash.h> |
12 | | #include <botan/der_enc.h> |
13 | | #include <botan/ber_dec.h> |
14 | | #include <botan/internal/parsing.h> |
15 | | #include <botan/asn1_obj.h> |
16 | | #include <botan/oids.h> |
17 | | #include <botan/rng.h> |
18 | | |
19 | | namespace Botan { |
20 | | |
21 | | namespace { |
22 | | |
23 | | bool known_pbes_cipher_mode(const std::string& mode) |
24 | 0 | { |
25 | 0 | return (mode == "CBC" || mode == "GCM" || mode == "SIV"); |
26 | 0 | } |
27 | | |
28 | | secure_vector<uint8_t> derive_key(const std::string& passphrase, |
29 | | const AlgorithmIdentifier& kdf_algo, |
30 | | size_t default_key_size) |
31 | 0 | { |
32 | 0 | if(kdf_algo.get_oid() == OID::from_string("PKCS5.PBKDF2")) |
33 | 0 | { |
34 | 0 | secure_vector<uint8_t> salt; |
35 | 0 | size_t iterations = 0, key_length = 0; |
36 | |
|
37 | 0 | AlgorithmIdentifier prf_algo; |
38 | 0 | BER_Decoder(kdf_algo.get_parameters()) |
39 | 0 | .start_sequence() |
40 | 0 | .decode(salt, ASN1_Type::OctetString) |
41 | 0 | .decode(iterations) |
42 | 0 | .decode_optional(key_length, ASN1_Type::Integer, ASN1_Class::Universal) |
43 | 0 | .decode_optional(prf_algo, ASN1_Type::Sequence, ASN1_Class::Constructed, |
44 | 0 | AlgorithmIdentifier("HMAC(SHA-160)", |
45 | 0 | AlgorithmIdentifier::USE_NULL_PARAM)) |
46 | 0 | .end_cons(); |
47 | |
|
48 | 0 | if(salt.size() < 8) |
49 | 0 | throw Decoding_Error("PBE-PKCS5 v2.0: Encoded salt is too small"); |
50 | | |
51 | 0 | if(key_length == 0) |
52 | 0 | key_length = default_key_size; |
53 | |
|
54 | 0 | const std::string prf = OIDS::oid2str_or_throw(prf_algo.get_oid()); |
55 | 0 | auto pbkdf_fam = PasswordHashFamily::create_or_throw("PBKDF2(" + prf + ")"); |
56 | 0 | auto pbkdf = pbkdf_fam->from_params(iterations); |
57 | |
|
58 | 0 | secure_vector<uint8_t> derived_key(key_length); |
59 | 0 | pbkdf->derive_key(derived_key.data(), derived_key.size(), |
60 | 0 | passphrase.data(), passphrase.size(), |
61 | 0 | salt.data(), salt.size()); |
62 | 0 | return derived_key; |
63 | 0 | } |
64 | 0 | else if(kdf_algo.get_oid() == OID::from_string("Scrypt")) |
65 | 0 | { |
66 | 0 | secure_vector<uint8_t> salt; |
67 | 0 | size_t N = 0, r = 0, p = 0; |
68 | 0 | size_t key_length = 0; |
69 | |
|
70 | 0 | AlgorithmIdentifier prf_algo; |
71 | 0 | BER_Decoder(kdf_algo.get_parameters()) |
72 | 0 | .start_sequence() |
73 | 0 | .decode(salt, ASN1_Type::OctetString) |
74 | 0 | .decode(N) |
75 | 0 | .decode(r) |
76 | 0 | .decode(p) |
77 | 0 | .decode_optional(key_length, ASN1_Type::Integer, ASN1_Class::Universal) |
78 | 0 | .end_cons(); |
79 | |
|
80 | 0 | if(key_length == 0) |
81 | 0 | key_length = default_key_size; |
82 | |
|
83 | 0 | secure_vector<uint8_t> derived_key(key_length); |
84 | |
|
85 | 0 | auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt"); |
86 | 0 | auto pwdhash = pwdhash_fam->from_params(N, r, p); |
87 | 0 | pwdhash->derive_key(derived_key.data(), derived_key.size(), |
88 | 0 | passphrase.data(), passphrase.size(), |
89 | 0 | salt.data(), salt.size()); |
90 | |
|
91 | 0 | return derived_key; |
92 | 0 | } |
93 | 0 | else |
94 | 0 | throw Decoding_Error("PBE-PKCS5 v2.0: Unknown KDF algorithm " + |
95 | 0 | kdf_algo.get_oid().to_string()); |
96 | 0 | } |
97 | | |
98 | | secure_vector<uint8_t> derive_key(const std::string& passphrase, |
99 | | const std::string& digest, |
100 | | RandomNumberGenerator& rng, |
101 | | size_t* msec_in_iterations_out, |
102 | | size_t iterations_if_msec_null, |
103 | | size_t key_length, |
104 | | AlgorithmIdentifier& kdf_algo) |
105 | 0 | { |
106 | 0 | const secure_vector<uint8_t> salt = rng.random_vec(12); |
107 | |
|
108 | 0 | if(digest == "Scrypt") |
109 | 0 | { |
110 | 0 | auto pwhash_fam = PasswordHashFamily::create_or_throw("Scrypt"); |
111 | |
|
112 | 0 | std::unique_ptr<PasswordHash> pwhash; |
113 | |
|
114 | 0 | if(msec_in_iterations_out) |
115 | 0 | { |
116 | 0 | const std::chrono::milliseconds msec(*msec_in_iterations_out); |
117 | 0 | pwhash = pwhash_fam->tune(key_length, msec); |
118 | 0 | } |
119 | 0 | else |
120 | 0 | { |
121 | 0 | pwhash = pwhash_fam->from_iterations(iterations_if_msec_null); |
122 | 0 | } |
123 | |
|
124 | 0 | secure_vector<uint8_t> key(key_length); |
125 | 0 | pwhash->derive_key(key.data(), key.size(), |
126 | 0 | passphrase.c_str(), passphrase.size(), |
127 | 0 | salt.data(), salt.size()); |
128 | |
|
129 | 0 | const size_t N = pwhash->memory_param(); |
130 | 0 | const size_t r = pwhash->iterations(); |
131 | 0 | const size_t p = pwhash->parallelism(); |
132 | |
|
133 | 0 | if(msec_in_iterations_out) |
134 | 0 | *msec_in_iterations_out = 0; |
135 | |
|
136 | 0 | std::vector<uint8_t> scrypt_params; |
137 | 0 | DER_Encoder(scrypt_params) |
138 | 0 | .start_sequence() |
139 | 0 | .encode(salt, ASN1_Type::OctetString) |
140 | 0 | .encode(N) |
141 | 0 | .encode(r) |
142 | 0 | .encode(p) |
143 | 0 | .encode(key_length) |
144 | 0 | .end_cons(); |
145 | |
|
146 | 0 | kdf_algo = AlgorithmIdentifier(OID::from_string("Scrypt"), scrypt_params); |
147 | 0 | return key; |
148 | 0 | } |
149 | 0 | else |
150 | 0 | { |
151 | 0 | const std::string prf = "HMAC(" + digest + ")"; |
152 | 0 | const std::string pbkdf_name = "PBKDF2(" + prf + ")"; |
153 | |
|
154 | 0 | std::unique_ptr<PasswordHashFamily> pwhash_fam = PasswordHashFamily::create(pbkdf_name); |
155 | 0 | if(!pwhash_fam) |
156 | 0 | throw Invalid_Argument("Unknown password hash digest " + digest); |
157 | | |
158 | 0 | std::unique_ptr<PasswordHash> pwhash; |
159 | |
|
160 | 0 | if(msec_in_iterations_out) |
161 | 0 | { |
162 | 0 | const std::chrono::milliseconds msec(*msec_in_iterations_out); |
163 | 0 | pwhash = pwhash_fam->tune(key_length, msec); |
164 | 0 | } |
165 | 0 | else |
166 | 0 | { |
167 | 0 | pwhash = pwhash_fam->from_iterations(iterations_if_msec_null); |
168 | 0 | } |
169 | |
|
170 | 0 | secure_vector<uint8_t> key(key_length); |
171 | 0 | pwhash->derive_key(key.data(), key.size(), |
172 | 0 | passphrase.c_str(), passphrase.size(), |
173 | 0 | salt.data(), salt.size()); |
174 | |
|
175 | 0 | std::vector<uint8_t> pbkdf2_params; |
176 | |
|
177 | 0 | const size_t iterations = pwhash->iterations(); |
178 | |
|
179 | 0 | if(msec_in_iterations_out) |
180 | 0 | *msec_in_iterations_out = iterations; |
181 | |
|
182 | 0 | DER_Encoder(pbkdf2_params) |
183 | 0 | .start_sequence() |
184 | 0 | .encode(salt, ASN1_Type::OctetString) |
185 | 0 | .encode(iterations) |
186 | 0 | .encode(key_length) |
187 | 0 | .encode_if(prf != "HMAC(SHA-160)", |
188 | 0 | AlgorithmIdentifier(prf, AlgorithmIdentifier::USE_NULL_PARAM)) |
189 | 0 | .end_cons(); |
190 | |
|
191 | 0 | kdf_algo = AlgorithmIdentifier("PKCS5.PBKDF2", pbkdf2_params); |
192 | 0 | return key; |
193 | 0 | } |
194 | 0 | } |
195 | | |
196 | | /* |
197 | | * PKCS#5 v2.0 PBE Encryption |
198 | | */ |
199 | | std::pair<AlgorithmIdentifier, std::vector<uint8_t>> |
200 | | pbes2_encrypt_shared(const secure_vector<uint8_t>& key_bits, |
201 | | const std::string& passphrase, |
202 | | size_t* msec_in_iterations_out, |
203 | | size_t iterations_if_msec_null, |
204 | | const std::string& cipher, |
205 | | const std::string& prf, |
206 | | RandomNumberGenerator& rng) |
207 | 0 | { |
208 | 0 | const std::vector<std::string> cipher_spec = split_on(cipher, '/'); |
209 | 0 | if(cipher_spec.size() != 2) |
210 | 0 | throw Encoding_Error("PBE-PKCS5 v2.0: Invalid cipher spec " + cipher); |
211 | | |
212 | 0 | if(!known_pbes_cipher_mode(cipher_spec[1])) |
213 | 0 | throw Encoding_Error("PBE-PKCS5 v2.0: Don't know param format for " + cipher); |
214 | | |
215 | 0 | const OID cipher_oid = OIDS::str2oid_or_empty(cipher); |
216 | 0 | if(cipher_oid.empty()) |
217 | 0 | throw Encoding_Error("PBE-PKCS5 v2.0: No OID assigned for " + cipher); |
218 | | |
219 | 0 | std::unique_ptr<Cipher_Mode> enc = Cipher_Mode::create(cipher, ENCRYPTION); |
220 | |
|
221 | 0 | if(!enc) |
222 | 0 | throw Decoding_Error("PBE-PKCS5 cannot encrypt no cipher " + cipher); |
223 | | |
224 | 0 | const size_t key_length = enc->key_spec().maximum_keylength(); |
225 | |
|
226 | 0 | const secure_vector<uint8_t> iv = rng.random_vec(enc->default_nonce_length()); |
227 | |
|
228 | 0 | AlgorithmIdentifier kdf_algo; |
229 | |
|
230 | 0 | const secure_vector<uint8_t> derived_key = |
231 | 0 | derive_key(passphrase, prf, rng, |
232 | 0 | msec_in_iterations_out, iterations_if_msec_null, |
233 | 0 | key_length, kdf_algo); |
234 | |
|
235 | 0 | enc->set_key(derived_key); |
236 | 0 | enc->start(iv); |
237 | 0 | secure_vector<uint8_t> ctext = key_bits; |
238 | 0 | enc->finish(ctext); |
239 | |
|
240 | 0 | std::vector<uint8_t> encoded_iv; |
241 | 0 | DER_Encoder(encoded_iv).encode(iv, ASN1_Type::OctetString); |
242 | |
|
243 | 0 | std::vector<uint8_t> pbes2_params; |
244 | 0 | DER_Encoder(pbes2_params) |
245 | 0 | .start_sequence() |
246 | 0 | .encode(kdf_algo) |
247 | 0 | .encode(AlgorithmIdentifier(cipher, encoded_iv)) |
248 | 0 | .end_cons(); |
249 | |
|
250 | 0 | AlgorithmIdentifier id(OID::from_string("PBE-PKCS5v20"), pbes2_params); |
251 | |
|
252 | 0 | return std::make_pair(id, unlock(ctext)); |
253 | 0 | } |
254 | | |
255 | | } |
256 | | |
257 | | std::pair<AlgorithmIdentifier, std::vector<uint8_t>> |
258 | | pbes2_encrypt(const secure_vector<uint8_t>& key_bits, |
259 | | const std::string& passphrase, |
260 | | std::chrono::milliseconds msec, |
261 | | const std::string& cipher, |
262 | | const std::string& digest, |
263 | | RandomNumberGenerator& rng) |
264 | 0 | { |
265 | 0 | size_t msec_in_iterations_out = static_cast<size_t>(msec.count()); |
266 | 0 | return pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng); |
267 | | // return value msec_in_iterations_out discarded |
268 | 0 | } |
269 | | |
270 | | std::pair<AlgorithmIdentifier, std::vector<uint8_t>> |
271 | | pbes2_encrypt_msec(const secure_vector<uint8_t>& key_bits, |
272 | | const std::string& passphrase, |
273 | | std::chrono::milliseconds msec, |
274 | | size_t* out_iterations_if_nonnull, |
275 | | const std::string& cipher, |
276 | | const std::string& digest, |
277 | | RandomNumberGenerator& rng) |
278 | 0 | { |
279 | 0 | size_t msec_in_iterations_out = static_cast<size_t>(msec.count()); |
280 | |
|
281 | 0 | auto ret = pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng); |
282 | |
|
283 | 0 | if(out_iterations_if_nonnull) |
284 | 0 | *out_iterations_if_nonnull = msec_in_iterations_out; |
285 | |
|
286 | 0 | return ret; |
287 | 0 | } |
288 | | |
289 | | std::pair<AlgorithmIdentifier, std::vector<uint8_t>> |
290 | | pbes2_encrypt_iter(const secure_vector<uint8_t>& key_bits, |
291 | | const std::string& passphrase, |
292 | | size_t pbkdf_iter, |
293 | | const std::string& cipher, |
294 | | const std::string& digest, |
295 | | RandomNumberGenerator& rng) |
296 | 0 | { |
297 | 0 | return pbes2_encrypt_shared(key_bits, passphrase, nullptr, pbkdf_iter, cipher, digest, rng); |
298 | 0 | } |
299 | | |
300 | | secure_vector<uint8_t> |
301 | | pbes2_decrypt(const secure_vector<uint8_t>& key_bits, |
302 | | const std::string& passphrase, |
303 | | const std::vector<uint8_t>& params) |
304 | 0 | { |
305 | 0 | AlgorithmIdentifier kdf_algo, enc_algo; |
306 | |
|
307 | 0 | BER_Decoder(params) |
308 | 0 | .start_sequence() |
309 | 0 | .decode(kdf_algo) |
310 | 0 | .decode(enc_algo) |
311 | 0 | .end_cons(); |
312 | |
|
313 | 0 | const std::string cipher = OIDS::oid2str_or_throw(enc_algo.get_oid()); |
314 | 0 | const std::vector<std::string> cipher_spec = split_on(cipher, '/'); |
315 | 0 | if(cipher_spec.size() != 2) |
316 | 0 | throw Decoding_Error("PBE-PKCS5 v2.0: Invalid cipher spec " + cipher); |
317 | 0 | if(!known_pbes_cipher_mode(cipher_spec[1])) |
318 | 0 | throw Decoding_Error("PBE-PKCS5 v2.0: Don't know param format for " + cipher); |
319 | | |
320 | 0 | secure_vector<uint8_t> iv; |
321 | 0 | BER_Decoder(enc_algo.get_parameters()).decode(iv, ASN1_Type::OctetString).verify_end(); |
322 | |
|
323 | 0 | std::unique_ptr<Cipher_Mode> dec = Cipher_Mode::create(cipher, DECRYPTION); |
324 | 0 | if(!dec) |
325 | 0 | throw Decoding_Error("PBE-PKCS5 cannot decrypt no cipher " + cipher); |
326 | | |
327 | 0 | dec->set_key(derive_key(passphrase, kdf_algo, dec->key_spec().maximum_keylength())); |
328 | |
|
329 | 0 | dec->start(iv); |
330 | |
|
331 | 0 | secure_vector<uint8_t> buf = key_bits; |
332 | 0 | dec->finish(buf); |
333 | |
|
334 | 0 | return buf; |
335 | 0 | } |
336 | | |
337 | | } |