Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / b33296565cabfbf7edc0c6fe724fd2bd40a06256 / . / src / tls / pkcs5.c
blob: a2ad83b8a898d1dd2b4750c3c8a843e3f372a299 [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1/*
2 * PKCS #5 (Password-based Encryption)
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]3 * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi>
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]4 *
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800[diff] [blame]5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/crypto.h"
13#include "crypto/md5.h"
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]14#include "crypto/sha1.h"
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]15#include "asn1.h"
16#include "pkcs5.h"
17
18
19struct pkcs5_params {
20 enum pkcs5_alg {
21 PKCS5_ALG_UNKNOWN,
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]22 PKCS5_ALG_MD5_DES_CBC,
23 PKCS5_ALG_PBES2,
24 PKCS5_ALG_SHA1_3DES_CBC,
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]25 } alg;
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]26 u8 salt[64];
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]27 size_t salt_len;
28 unsigned int iter_count;
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]29 enum pbes2_enc_alg {
30 PBES2_ENC_ALG_UNKNOWN,
31 PBES2_ENC_ALG_DES_EDE3_CBC,
32 } enc_alg;
33 u8 iv[8];
34 size_t iv_len;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]35};
36
37
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]38static int oid_is_rsadsi(struct asn1_oid *oid)
39{
40 return oid->len >= 4 &&
41 oid->oid[0] == 1 /* iso */ &&
42 oid->oid[1] == 2 /* member-body */ &&
43 oid->oid[2] == 840 /* us */ &&
44 oid->oid[3] == 113549 /* rsadsi */;
45}
46
47
48static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg)
49{
50 return oid->len == 7 &&
51 oid_is_rsadsi(oid) &&
52 oid->oid[4] == 1 /* pkcs */ &&
53 oid->oid[5] == 5 /* pkcs-5 */ &&
54 oid->oid[6] == alg;
55}
56
57
58static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg)
59{
60 return oid->len == 6 &&
61 oid_is_rsadsi(oid) &&
62 oid->oid[4] == 3 /* encryptionAlgorithm */ &&
63 oid->oid[5] == alg;
64}
65
66
67static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg)
68{
69 return oid->len == 8 &&
70 oid_is_rsadsi(oid) &&
71 oid->oid[4] == 1 /* pkcs */ &&
72 oid->oid[5] == 12 /* pkcs-12 */ &&
73 oid->oid[6] == 1 /* pkcs-12PbeIds */ &&
74 oid->oid[7] == alg;
75}
76
77
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]78static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]79{
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]80 if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]81 return PKCS5_ALG_MD5_DES_CBC;
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]82 if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */
83 return PKCS5_ALG_SHA1_3DES_CBC;
84 if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */
85 return PKCS5_ALG_PBES2;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]86 return PKCS5_ALG_UNKNOWN;
87}
88
89
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]90static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
91 const u8 *enc_alg_end)
92{
93 struct asn1_hdr hdr;
94 const u8 *end, *kdf_end;
95 struct asn1_oid oid;
96 char obuf[80];
97
98 /*
99 * RFC 2898, Ch. A.4
100 *
101 * PBES2-params ::= SEQUENCE {
102 * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
103 * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
104 *
105 * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
106 * { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
107 */
108
109 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
110 hdr.class != ASN1_CLASS_UNIVERSAL ||
111 hdr.tag != ASN1_TAG_SEQUENCE) {
112 wpa_printf(MSG_DEBUG,
113 "PKCS #5: Expected SEQUENCE (PBES2-params) - found class %d tag 0x%x",
114 hdr.class, hdr.tag);
115 return -1;
116 }
117 pos = hdr.payload;
118 end = hdr.payload + hdr.length;
119
120 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
121 hdr.class != ASN1_CLASS_UNIVERSAL ||
122 hdr.tag != ASN1_TAG_SEQUENCE) {
123 wpa_printf(MSG_DEBUG,
124 "PKCS #5: Expected SEQUENCE (keyDerivationFunc) - found class %d tag 0x%x",
125 hdr.class, hdr.tag);
126 return -1;
127 }
128
129 pos = hdr.payload;
130 kdf_end = end = hdr.payload + hdr.length;
131
132 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
133 wpa_printf(MSG_DEBUG,
134 "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)");
135 return -1;
136 }
137
138 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
139 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s",
140 obuf);
141 if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ {
142 wpa_printf(MSG_DEBUG,
143 "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s",
144 obuf);
145 return -1;
146 }
147
148 /*
149 * RFC 2898, C.
150 *
151 * PBKDF2-params ::= SEQUENCE {
152 * salt CHOICE {
153 * specified OCTET STRING,
154 * otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
155 * },
156 * iterationCount INTEGER (1..MAX),
157 * keyLength INTEGER (1..MAX) OPTIONAL,
158 * prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
159 * algid-hmacWithSHA1
160 * }
161 */
162
163 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
164 hdr.class != ASN1_CLASS_UNIVERSAL ||
165 hdr.tag != ASN1_TAG_SEQUENCE) {
166 wpa_printf(MSG_DEBUG,
167 "PKCS #5: Expected SEQUENCE (PBKDF2-params) - found class %d tag 0x%x",
168 hdr.class, hdr.tag);
169 return -1;
170 }
171
172 pos = hdr.payload;
173 end = hdr.payload + hdr.length;
174
175 /* For now, only support the salt CHOICE specified (OCTET STRING) */
176 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
177 hdr.class != ASN1_CLASS_UNIVERSAL ||
178 hdr.tag != ASN1_TAG_OCTETSTRING ||
179 hdr.length > sizeof(params->salt)) {
180 wpa_printf(MSG_DEBUG,
181 "PKCS #5: Expected OCTET STRING (salt.specified) - found class %d tag 0x%x size %d",
182 hdr.class, hdr.tag, hdr.length);
183 return -1;
184 }
185 pos = hdr.payload + hdr.length;
186 os_memcpy(params->salt, hdr.payload, hdr.length);
187 params->salt_len = hdr.length;
188 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len);
189
190 /* iterationCount INTEGER */
191 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
192 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
193 wpa_printf(MSG_DEBUG,
194 "PKCS #5: Expected INTEGER - found class %d tag 0x%x",
195 hdr.class, hdr.tag);
196 return -1;
197 }
198 if (hdr.length == 1) {
199 params->iter_count = *hdr.payload;
200 } else if (hdr.length == 2) {
201 params->iter_count = WPA_GET_BE16(hdr.payload);
202 } else if (hdr.length == 4) {
203 params->iter_count = WPA_GET_BE32(hdr.payload);
204 } else {
205 wpa_hexdump(MSG_DEBUG,
206 "PKCS #5: Unsupported INTEGER value (iterationCount)",
207 hdr.payload, hdr.length);
208 return -1;
209 }
210 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
211 params->iter_count);
212 if (params->iter_count == 0 || params->iter_count > 0xffff) {
213 wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x",
214 params->iter_count);
215 return -1;
216 }
217
218 /* For now, ignore optional keyLength and prf */
219
220 pos = kdf_end;
221
222 /* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */
223
224 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
225 hdr.class != ASN1_CLASS_UNIVERSAL ||
226 hdr.tag != ASN1_TAG_SEQUENCE) {
227 wpa_printf(MSG_DEBUG,
228 "PKCS #5: Expected SEQUENCE (encryptionScheme) - found class %d tag 0x%x",
229 hdr.class, hdr.tag);
230 return -1;
231 }
232
233 pos = hdr.payload;
234 end = hdr.payload + hdr.length;
235
236 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
237 wpa_printf(MSG_DEBUG,
238 "PKCS #5: Failed to parse OID (encryptionScheme algorithm)");
239 return -1;
240 }
241
242 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
243 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s",
244 obuf);
245 if (enc_alg_is_oid(&oid, 7)) {
246 params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC;
247 } else {
248 wpa_printf(MSG_DEBUG,
249 "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s",
250 obuf);
251 return -1;
252 }
253
254 /*
255 * RFC 2898, B.2.2:
256 * The parameters field associated with this OID in an
257 * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
258 * specifying the initialization vector for CBC mode.
259 */
260 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
261 hdr.class != ASN1_CLASS_UNIVERSAL ||
262 hdr.tag != ASN1_TAG_OCTETSTRING ||
263 hdr.length != 8) {
264 wpa_printf(MSG_DEBUG,
265 "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV) - found class %d tag 0x%x size %d",
266 hdr.class, hdr.tag, hdr.length);
267 return -1;
268 }
269 os_memcpy(params->iv, hdr.payload, hdr.length);
270 params->iv_len = hdr.length;
271 wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len);
272
273 return 0;
274}
275
276
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]277static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
278 struct pkcs5_params *params)
279{
280 struct asn1_hdr hdr;
281 const u8 *enc_alg_end, *pos, *end;
282 struct asn1_oid oid;
283 char obuf[80];
284
285 /* AlgorithmIdentifier */
286
287 enc_alg_end = enc_alg + enc_alg_len;
288
289 os_memset(params, 0, sizeof(*params));
290
291 if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
292 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
293 "(algorithm)");
294 return -1;
295 }
296
297 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
298 wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
299 params->alg = pkcs5_get_alg(&oid);
300 if (params->alg == PKCS5_ALG_UNKNOWN) {
301 wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
302 "algorithm %s", obuf);
303 return -1;
304 }
305
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]306 if (params->alg == PKCS5_ALG_PBES2)
307 return pkcs5_get_params_pbes2(params, pos, enc_alg_end);
308
309 /* PBES1 */
310
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]311 /*
312 * PKCS#5, Section 8
313 * PBEParameter ::= SEQUENCE {
314 * salt OCTET STRING SIZE(8),
315 * iterationCount INTEGER }
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]316 *
317 * Note: The same implementation can be used to parse the PKCS #12
318 * version described in RFC 7292, C:
319 * pkcs-12PbeParams ::= SEQUENCE {
320 * salt OCTET STRING,
321 * iterations INTEGER
322 * }
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]323 */
324
325 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
326 hdr.class != ASN1_CLASS_UNIVERSAL ||
327 hdr.tag != ASN1_TAG_SEQUENCE) {
328 wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
329 "(PBEParameter) - found class %d tag 0x%x",
330 hdr.class, hdr.tag);
331 return -1;
332 }
333 pos = hdr.payload;
334 end = hdr.payload + hdr.length;
335
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]336 /* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]337 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
338 hdr.class != ASN1_CLASS_UNIVERSAL ||
339 hdr.tag != ASN1_TAG_OCTETSTRING ||
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]340 hdr.length > sizeof(params->salt)) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]341 wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
342 "(salt) - found class %d tag 0x%x size %d",
343 hdr.class, hdr.tag, hdr.length);
344 return -1;
345 }
346 pos = hdr.payload + hdr.length;
347 os_memcpy(params->salt, hdr.payload, hdr.length);
348 params->salt_len = hdr.length;
349 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
350 params->salt, params->salt_len);
351
352 /* iterationCount INTEGER */
353 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
354 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
355 wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
356 "class %d tag 0x%x", hdr.class, hdr.tag);
357 return -1;
358 }
359 if (hdr.length == 1)
360 params->iter_count = *hdr.payload;
361 else if (hdr.length == 2)
362 params->iter_count = WPA_GET_BE16(hdr.payload);
363 else if (hdr.length == 4)
364 params->iter_count = WPA_GET_BE32(hdr.payload);
365 else {
366 wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
367 " (iterationCount)",
368 hdr.payload, hdr.length);
369 return -1;
370 }
371 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
372 params->iter_count);
373 if (params->iter_count == 0 || params->iter_count > 0xffff) {
374 wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
375 "iterationCount=0x%x", params->iter_count);
376 return -1;
377 }
378
379 return 0;
380}
381
382
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]383static struct crypto_cipher *
384pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd)
385{
386 u8 key[24];
387
388 if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC ||
389 params->iv_len != 8)
390 return NULL;
391
392 wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2",
393 passwd, os_strlen(passwd));
394 wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2",
395 params->salt, params->salt_len);
396 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u",
397 params->iter_count);
398 if (pbkdf2_sha1(passwd, params->salt, params->salt_len,
399 params->iter_count, key, sizeof(key)) < 0)
400 return NULL;
401 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key));
402 wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len);
403
404 return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv,
405 key, sizeof(key));
406}
407
408
409static void add_byte_array_mod(u8 *a, const u8 *b, size_t len)
410{
411 size_t i;
412 unsigned int carry = 0;
413
414 for (i = len - 1; i < len; i--) {
415 carry = carry + a[i] + b[i];
416 a[i] = carry & 0xff;
417 carry >>= 8;
418 }
419}
420
421
422static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt,
423 size_t salt_len, u8 id, unsigned int iter,
424 size_t out_len, u8 *out)
425{
426 unsigned int u, v, S_len, P_len, i;
427 u8 *D = NULL, *I = NULL, *B = NULL, *pos;
428 int res = -1;
429
430 /* RFC 7292, B.2 */
431 u = SHA1_MAC_LEN;
432 v = 64;
433
434 /* D = copies of ID */
435 D = os_malloc(v);
436 if (!D)
437 goto done;
438 os_memset(D, id, v);
439
440 /* S = copies of salt; P = copies of password, I = S || P */
441 S_len = v * ((salt_len + v - 1) / v);
442 P_len = v * ((pw_len + v - 1) / v);
443 I = os_malloc(S_len + P_len);
444 if (!I)
445 goto done;
446 pos = I;
447 if (salt_len) {
448 for (i = 0; i < S_len; i++)
449 *pos++ = salt[i % salt_len];
450 }
451 if (pw_len) {
452 for (i = 0; i < P_len; i++)
453 *pos++ = pw[i % pw_len];
454 }
455
456 B = os_malloc(v);
457 if (!B)
458 goto done;
459
460 for (;;) {
461 u8 hash[SHA1_MAC_LEN];
462 const u8 *addr[2];
463 size_t len[2];
464
465 addr[0] = D;
466 len[0] = v;
467 addr[1] = I;
468 len[1] = S_len + P_len;
469 if (sha1_vector(2, addr, len, hash) < 0)
470 goto done;
471
472 addr[0] = hash;
473 len[0] = SHA1_MAC_LEN;
474 for (i = 1; i < iter; i++) {
475 if (sha1_vector(1, addr, len, hash) < 0)
476 goto done;
477 }
478
479 if (out_len <= u) {
480 os_memcpy(out, hash, out_len);
481 res = 0;
482 goto done;
483 }
484
485 os_memcpy(out, hash, u);
486 out += u;
487 out_len -= u;
488
489 /* I_j = (I_j + B + 1) mod 2^(v*8) */
490 /* B = copies of Ai (final hash value) */
491 for (i = 0; i < v; i++)
492 B[i] = hash[i % u];
493 inc_byte_array(B, v);
494 for (i = 0; i < S_len + P_len; i += v)
495 add_byte_array_mod(&I[i], B, v);
496 }
497
498done:
499 os_free(B);
500 os_free(I);
501 os_free(D);
502 return res;
503}
504
505
506#define PKCS12_ID_ENC 1
507#define PKCS12_ID_IV 2
508#define PKCS12_ID_MAC 3
509
510static struct crypto_cipher *
511pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd)
512{
513 unsigned int i;
514 u8 *pw;
515 size_t pw_len;
516 u8 key[24];
517 u8 iv[8];
518
519 if (params->alg != PKCS5_ALG_SHA1_3DES_CBC)
520 return NULL;
521
522 pw_len = passwd ? os_strlen(passwd) : 0;
523 pw = os_malloc(2 * (pw_len + 1));
524 if (!pw)
525 return NULL;
526 if (pw_len) {
527 for (i = 0; i <= pw_len; i++)
528 WPA_PUT_BE16(&pw[2 * i], passwd[i]);
529 pw_len = 2 * (pw_len + 1);
530 }
531
532 if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
533 PKCS12_ID_ENC, params->iter_count,
534 sizeof(key), key) < 0 ||
535 pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
536 PKCS12_ID_IV, params->iter_count,
537 sizeof(iv), iv) < 0) {
538 os_free(pw);
539 return NULL;
540 }
541
542 os_free(pw);
543
544 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key));
545 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv));
546
547 return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key));
548}
549
550
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]551static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
552 const char *passwd)
553{
554 unsigned int i;
555 u8 hash[MD5_MAC_LEN];
556 const u8 *addr[2];
557 size_t len[2];
558
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]559 if (params->alg == PKCS5_ALG_PBES2)
560 return pkcs5_crypto_init_pbes2(params, passwd);
561
562 if (params->alg == PKCS5_ALG_SHA1_3DES_CBC)
563 return pkcs12_crypto_init_sha1(params, passwd);
564
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]565 if (params->alg != PKCS5_ALG_MD5_DES_CBC)
566 return NULL;
567
568 addr[0] = (const u8 *) passwd;
569 len[0] = os_strlen(passwd);
570 addr[1] = params->salt;
571 len[1] = params->salt_len;
572 if (md5_vector(2, addr, len, hash) < 0)
573 return NULL;
574 addr[0] = hash;
575 len[0] = MD5_MAC_LEN;
576 for (i = 1; i < params->iter_count; i++) {
577 if (md5_vector(1, addr, len, hash) < 0)
578 return NULL;
579 }
580 /* TODO: DES key parity bits(?) */
581 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
582 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
583
584 return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
585}
586
587
588u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
589 const u8 *enc_data, size_t enc_data_len,
590 const char *passwd, size_t *data_len)
591{
592 struct crypto_cipher *ctx;
593 u8 *eb, pad;
594 struct pkcs5_params params;
595 unsigned int i;
596
597 if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
598 wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
599 return NULL;
600 }
601
602 ctx = pkcs5_crypto_init(&params, passwd);
603 if (ctx == NULL) {
604 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
605 return NULL;
606 }
607
608 /* PKCS #5, Section 7 - Decryption process */
609 if (enc_data_len < 16 || enc_data_len % 8) {
610 wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
611 "%d", (int) enc_data_len);
612 crypto_cipher_deinit(ctx);
613 return NULL;
614 }
615
616 eb = os_malloc(enc_data_len);
617 if (eb == NULL) {
618 crypto_cipher_deinit(ctx);
619 return NULL;
620 }
621
622 if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
623 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
624 crypto_cipher_deinit(ctx);
625 os_free(eb);
626 return NULL;
627 }
628 crypto_cipher_deinit(ctx);
629
630 pad = eb[enc_data_len - 1];
631 if (pad > 8) {
632 wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
633 os_free(eb);
634 return NULL;
635 }
636 for (i = enc_data_len - pad; i < enc_data_len; i++) {
637 if (eb[i] != pad) {
638 wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
639 eb + enc_data_len - pad, pad);
640 os_free(eb);
641 return NULL;
642 }
643 }
644
645 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
646 eb, enc_data_len - pad);
647
648 *data_len = enc_data_len - pad;
649 return eb;
650}