deriveKey.cpp   [plain text]

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


/*
 	File:		deriveKey.cpp
	
 	Contains:	CSSM_DeriveKey functions

 	Copyright:	(C) 2000 by Apple Computer, Inc., all rights reserved

 	Written by:	Doug Mitchell <dmitch@apple.com>	
*/

#include <HMACSHA1.h>
#include <pbkdf2.h>
#include <pbkdDigest.h>
#include <pkcs12Derive.h>
#include "AppleCSPSession.h"
#include "AppleCSPUtils.h"
#include "AppleCSPContext.h"
#include "cspdebugging.h"
#include <security_cdsa_utilities/context.h>
#include <DH_exchange.h>
#include "FEEAsymmetricContext.h"

/* minimum legal values */
#define PBKDF2_MIN_SALT			8		/* bytes */
#define PBKDF2_MIN_ITER_CNT		1000	/* iteration count */

#define ALLOW_ZERO_PASSWORD		1 

void AppleCSPSession::DeriveKey_PBKDF2(
	const Context &context,
	const CssmData &Param,
	CSSM_DATA *keyData)
{
	/* validate algorithm-specific arguments */

	/* Param must point to a CSSM_PKCS5_PBKDF2_PARAMS */
	if(Param.Length != sizeof(CSSM_PKCS5_PBKDF2_PARAMS)) {
		errorLog0("DeriveKey_PBKDF2: Param wrong size\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_INPUT_POINTER);
	}
	const CSSM_PKCS5_PBKDF2_PARAMS *pbkdf2Params = 
		reinterpret_cast<const CSSM_PKCS5_PBKDF2_PARAMS *>(Param.Data);
	if(pbkdf2Params == NULL) {
		errorLog0("DeriveKey_PBKDF2: null Param.Data\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_DATA);
	}
	
	/* Get passphrase from either baseKey or from CSSM_PKCS5_PBKDF2_PARAMS */
	CssmKey *passKey = context.get<CssmKey>(CSSM_ATTRIBUTE_KEY);
	CSSM_SIZE	passphraseLen = 0;
	uint8 	*passphrase = NULL;
	if(passKey != NULL) {
		AppleCSPContext::symmetricKeyBits(context, *this,
			CSSM_ALGID_SECURE_PASSPHRASE, CSSM_KEYUSE_DERIVE, 
			passphrase, passphraseLen);
	}
	else {
		passphraseLen = pbkdf2Params->Passphrase.Length;
		passphrase = pbkdf2Params->Passphrase.Data;
	}
	
	#if 	!ALLOW_ZERO_PASSWORD
	/* passphrase required */
	if(passphrase == NULL) {
		errorLog0("DeriveKey_PBKDF2: null Passphrase\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_DATA);
	}
	if(passphraseLen == 0) {		
		/* FIXME - enforce minimum length? */
		errorLog0("DeriveKey_PBKDF2: zero length passphrase\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_INPUT_POINTER);
	}
	#endif	/* ALLOW_ZERO_PASSWORD */
	
	if(pbkdf2Params->PseudoRandomFunction != 
			CSSM_PKCS5_PBKDF2_PRF_HMAC_SHA1) {
		errorLog0("DeriveKey_PBKDF2: invalid PRF\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
	}
	
	/* salt, from context, required */
	CssmData salt = context.get<CssmData>(CSSM_ATTRIBUTE_SALT,
		CSSMERR_CSP_MISSING_ATTR_SALT);
	if((salt.Data == NULL) || (salt.Length < PBKDF2_MIN_SALT)){
		CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_SALT);
	}
	
	/* iteration count, from context, required */
	uint32 iterCount = context.getInt(CSSM_ATTRIBUTE_ITERATION_COUNT,
		CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT);
	if(iterCount < PBKDF2_MIN_ITER_CNT) {
		CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_ITERATION_COUNT);
	}
	
	/* 
	 * allocate a temp buffer, length 
	 *    = MAX (hLen, saltLen + 4) + 2 * hLen
	 *    = MAX (kSHA1DigestSize, saltLen + 4) + 2 * kSHA1DigestSize
	 */
	uint32 tempLen = salt.Length + 4;
	if(tempLen < kSHA1DigestSize) {
		tempLen = kSHA1DigestSize;
	}
	tempLen += (2 * kSHA1DigestSize);
	CSSM_DATA tempData = {0, NULL};
	setUpData(tempData, tempLen, privAllocator);
	
	/* go */
	pbkdf2 (hmacsha1, 
		kSHA1DigestSize,
		passphrase, passphraseLen,
		salt.Data, salt.Length,
		iterCount,
		keyData->Data, keyData->Length,
		tempData.Data);
	freeData(&tempData, privAllocator, false);
}

/*
 * PKCS5 v1.5 key derivation. Also used for traditional openssl key 
 * derivation, which is mighty similar to PKCS5 v1.5, with the addition
 * of the ability to generate more than (keysize + ivsize) bytes. 
 */
void AppleCSPSession::DeriveKey_PKCS5_V1_5(
	const Context &context,
	CSSM_ALGORITHMS algId,
	const CssmData &Param,			// IV optional, mallocd by app to indicate
									//   size 
	CSSM_DATA *keyData)				// mallocd by caller to indicate size
{
	CSSM_DATA pwd = {0, NULL};
	
	/* password from either Seed.Param or from base key */
	CssmCryptoData *cryptData = 
		context.get<CssmCryptoData>(CSSM_ATTRIBUTE_SEED);
	if((cryptData != NULL) && (cryptData->Param.Length != 0)) {
		pwd = cryptData->Param;
	}
	else {
		/* Get secure passphrase from base key */
		CssmKey *passKey = context.get<CssmKey>(CSSM_ATTRIBUTE_KEY);
		if (passKey != NULL) {
			AppleCSPContext::symmetricKeyBits(context, *this,
				CSSM_ALGID_SECURE_PASSPHRASE, CSSM_KEYUSE_DERIVE, 
				pwd.Data, pwd.Length);
		}
	}

	if(pwd.Data == NULL) {
		errorLog0("DeriveKey_PKCS5_V1_5: null Passphrase\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_DATA);
	}
	if(pwd.Length == 0) {		
		errorLog0("DeriveKey_PKCS5_V1_5: zero length passphrase\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_INPUT_POINTER);
	}

	CSSM_ALGORITHMS hashAlg;
	unsigned digestLen;
	bool opensslAlg = false;
	switch(algId) {
		case CSSM_ALGID_PKCS5_PBKDF1_MD5:
			hashAlg = CSSM_ALGID_MD5;
			digestLen = kMD5DigestSize;
			break;
		case CSSM_ALGID_PKCS5_PBKDF1_MD2:
			hashAlg = CSSM_ALGID_MD2;
			digestLen = kMD2DigestSize;
			break;
		case CSSM_ALGID_PKCS5_PBKDF1_SHA1:
			hashAlg = CSSM_ALGID_SHA1;
			digestLen = kSHA1DigestSize;
			break;
		case CSSM_ALGID_PBE_OPENSSL_MD5:
			hashAlg = CSSM_ALGID_MD5;
			digestLen = kMD5DigestSize;
			opensslAlg = true;
			break;			
		default:
			/* should not have been called */
			assert(0);
			CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
	}

	/* IV optional */
	CSSM_DATA iv = Param;
	
	/* total requested length can't exceed digest size for struct PKCS5 v1.5*/
	if(!opensslAlg && ((keyData->Length + iv.Length) > digestLen)) {
		errorLog0("DeriveKey_PKCS5_V1_5: requested length larger than digest\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_KEY_LENGTH);
	}
	
	/* salt, from context, required */
	CssmData salt = context.get<CssmData>(CSSM_ATTRIBUTE_SALT,
		CSSMERR_CSP_MISSING_ATTR_SALT);
	if(salt.Data == NULL) {
		CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_SALT);
	}
	
	/* iteration count, from context, required */
	uint32 iterCount = context.getInt(CSSM_ATTRIBUTE_ITERATION_COUNT,
		CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT);
		
	/* 
	 * Apply the underlying hash function Hash for c iterations to
	 *  the concatenation of the password P and the salt S, then 
	 * extract the first dkLen octets to produce a derived key DK:
	 *
	 *		T1 = Hash (P || S) ,
	 *		T2 = Hash (T1) ,
	 *		...
	 *		Tc = Hash (Tc-1) ,
	 *		DK = Tc<0..dkLen-1> .
	 */
	DigestCtx ctx;
	uint8 *keyDataP		= keyData->Data;
	uint32 keyBytesToGo = keyData->Length;
	uint8 *ivDataP		= iv.Data;
	uint32 ivBytesToGo  = iv.Length;
	bool looping		= false;		// true for additional bytes for openssl
	unsigned char digestOut[kMaxDigestSize];
	
	for(;;) {
		/* this loop guaranteed to only run once if !opensslAlg */
		DigestCtxInit(&ctx, hashAlg);
		
		if(looping) {
			/* openssl addition: re-digest the digest here */
			DigestCtxUpdate(&ctx, digestOut, digestLen);
		}
		
		/* digest password then salt */
		DigestCtxUpdate(&ctx, pwd.Data, pwd.Length);
		DigestCtxUpdate(&ctx, salt.Data, salt.Length);

		DigestCtxFinal(&ctx, digestOut);
		
		/* now iterCount-1 more iterations */
		for(unsigned dex=1; dex<iterCount; dex++) {
			DigestCtxInit(&ctx, hashAlg);
			DigestCtxUpdate(&ctx, digestOut, digestLen);
			DigestCtxFinal(&ctx, digestOut);
		}
		
		/* first n bytes to the key */
		uint32 bytesAvail = digestLen;
		uint32 toMove = (keyBytesToGo > bytesAvail) ? bytesAvail : keyBytesToGo;
		memmove(keyDataP, digestOut, toMove);
		uint8 *remainder = digestOut + toMove;
		bytesAvail   -= toMove;
		keyDataP     += toMove;
		keyBytesToGo -= toMove;
		
		/* then optionally some to IV */
		if(ivBytesToGo && bytesAvail) {
			toMove = (ivBytesToGo > bytesAvail) ? bytesAvail : ivBytesToGo;
			memmove(ivDataP, remainder, toMove);
			ivDataP     += toMove;
			ivBytesToGo -= toMove;
		}
		if((keyBytesToGo == 0) && (ivBytesToGo == 0)) {
			/* guaranteed true for PKCS5 v1.5 */
			break;
		}
		
		assert(opensslAlg == true);
		looping = true;
	}
	DigestCtxFree(&ctx);
}

/*
 * Member function initially declared for CSPAbstractPluginSession;
 * we're overriding the null version in CSPFullPluginSession.
 *
 * We'll generate any type of key (for now). 
 */
void AppleCSPSession::DeriveKey(
	CSSM_CC_HANDLE CCHandle,
	const Context &context,
	CssmData &Param,
	uint32 KeyUsage,
	uint32 KeyAttr,
	const CssmData *KeyLabel,
	const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry,
	CssmKey &DerivedKey)
{
	/* validate input args, common to all algorithms */
	switch(context.algorithm()) {
		case CSSM_ALGID_PKCS5_PBKDF2:
		case CSSM_ALGID_DH:
		case CSSM_ALGID_PKCS12_PBE_ENCR:
		case CSSM_ALGID_PKCS12_PBE_MAC:
		case CSSM_ALGID_PKCS5_PBKDF1_MD5:
		case CSSM_ALGID_PKCS5_PBKDF1_MD2:
		case CSSM_ALGID_PKCS5_PBKDF1_SHA1:
		case CSSM_ALGID_PBE_OPENSSL_MD5:
		case CSSM_ALGID_OPENSSH1:
		#if CRYPTKIT_CSP_ENABLE
		case CSSM_ALGID_ECDH:
		case CSSM_ALGID_ECDH_X963_KDF:
		#endif
			break;
		/* maybe more here, later */
		default:
			CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
	}
	DerivedKey.KeyData.Data = NULL;
	DerivedKey.KeyData.Length = 0;
	cspKeyStorage keyStorage = cspParseKeyAttr(CKT_Session, KeyAttr);
	cspValidateKeyUsageBits(CKT_Session, KeyUsage);
	
	/* outgoing key type, required (though any algorithm is OK) */
	uint32 keyType = context.getInt(CSSM_ATTRIBUTE_KEY_TYPE,
		CSSMERR_CSP_MISSING_ATTR_KEY_TYPE);

	/* outgoing key size, required - any nonzero value is OK */
	uint32 reqKeySize = context.getInt(
		CSSM_ATTRIBUTE_KEY_LENGTH, 
		CSSMERR_CSP_MISSING_ATTR_KEY_LENGTH);

	/* cook up a place to put the key data */
	uint32 keySizeInBytes = (reqKeySize + 7) / 8;
	SymmetricBinaryKey *binKey = NULL;
	CSSM_DATA_PTR keyData = NULL;
	
	switch(keyStorage) {
		case CKS_None:
			/* no way */
			CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
		case CKS_Ref:
			/* cook up a symmetric binary key */
			binKey = new SymmetricBinaryKey(reqKeySize);
			keyData = &binKey->mKeyData;
			break;
		case CKS_Data:
			/* key bytes --> caller's cssmKey */
			keyData = &DerivedKey.KeyData;
			setUpData(*keyData, keySizeInBytes, 
				normAllocator);
			break;
	}

	/* break off to algorithm-specific code, whose job it is
	 * to fill in keyData->Data with keyData->Length bytes */
	switch(context.algorithm()) {
		case CSSM_ALGID_PKCS5_PBKDF2:
			DeriveKey_PBKDF2(context,
				Param,
				keyData);
			break;
		case CSSM_ALGID_DH:
			DeriveKey_DH(context,
				Param,
				keyData,
				*this);
			break;
		case CSSM_ALGID_PKCS12_PBE_ENCR:
		case CSSM_ALGID_PKCS12_PBE_MAC:
			DeriveKey_PKCS12(context,
				*this,
				Param,
				keyData);
			break;
		case CSSM_ALGID_PKCS5_PBKDF1_MD5:
		case CSSM_ALGID_PKCS5_PBKDF1_MD2:
		case CSSM_ALGID_PKCS5_PBKDF1_SHA1:
		case CSSM_ALGID_PBE_OPENSSL_MD5:
			DeriveKey_PKCS5_V1_5(context,
				context.algorithm(),
				Param,
				keyData);
			break;
		case CSSM_ALGID_OPENSSH1:
			DeriveKey_OpenSSH1(context,
				context.algorithm(),
				Param,
				keyData);
			break;
		#if CRYPTKIT_CSP_ENABLE
		case CSSM_ALGID_ECDH:
		case CSSM_ALGID_ECDH_X963_KDF:
			CryptKit::DeriveKey_ECDH(context,
				context.algorithm(),
				Param,
				keyData,
				*this);
			break;
		#endif
		/* maybe more here, later */
		default:
			assert(0);
	}
	
	/* set up outgoing header */
	KeyAttr &= ~KEY_ATTR_RETURN_MASK;
	CSSM_KEYHEADER &hdr = DerivedKey.KeyHeader;
	setKeyHeader(hdr,
		plugin.myGuid(),
		keyType,
		CSSM_KEYCLASS_SESSION_KEY, 
		KeyAttr, 
		KeyUsage);
	/* handle derived size < requested size, legal for Diffie-Hellman */
	hdr.LogicalKeySizeInBits = keyData->Length * 8;
	
	if(keyStorage == CKS_Ref) {
		/* store and convert to ref key */
		addRefKey(*binKey, DerivedKey);
	}
	else {
		/* Raw data */
		hdr.BlobType = CSSM_KEYBLOB_RAW;
		hdr.Format = CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING; 
	}
}