Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / cda1202e0e8f4423b2310d94e5ca698ba878dba4 / . / src / tls / pkcs5.c
blob: 7bef89b4fdf5b4c82a22e39fa8fac4d254c5d106 [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1/*
2 * PKCS #5 (Password-based Encryption)
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]3 * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi>
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]4 *
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800[diff] [blame]5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/crypto.h"
13#include "crypto/md5.h"
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]14#include "crypto/sha1.h"
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]15#include "asn1.h"
16#include "pkcs5.h"
17
18
19struct pkcs5_params {
20 enum pkcs5_alg {
21 PKCS5_ALG_UNKNOWN,
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]22 PKCS5_ALG_MD5_DES_CBC,
23 PKCS5_ALG_PBES2,
24 PKCS5_ALG_SHA1_3DES_CBC,
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]25 } alg;
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]26 u8 salt[64];
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]27 size_t salt_len;
28 unsigned int iter_count;
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]29 enum pbes2_enc_alg {
30 PBES2_ENC_ALG_UNKNOWN,
31 PBES2_ENC_ALG_DES_EDE3_CBC,
32 } enc_alg;
33 u8 iv[8];
34 size_t iv_len;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]35};
36
37
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]38static int oid_is_rsadsi(struct asn1_oid *oid)
39{
40 return oid->len >= 4 &&
41 oid->oid[0] == 1 /* iso */ &&
42 oid->oid[1] == 2 /* member-body */ &&
43 oid->oid[2] == 840 /* us */ &&
44 oid->oid[3] == 113549 /* rsadsi */;
45}
46
47
48static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg)
49{
50 return oid->len == 7 &&
51 oid_is_rsadsi(oid) &&
52 oid->oid[4] == 1 /* pkcs */ &&
53 oid->oid[5] == 5 /* pkcs-5 */ &&
54 oid->oid[6] == alg;
55}
56
57
58static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg)
59{
60 return oid->len == 6 &&
61 oid_is_rsadsi(oid) &&
62 oid->oid[4] == 3 /* encryptionAlgorithm */ &&
63 oid->oid[5] == alg;
64}
65
66
67static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg)
68{
69 return oid->len == 8 &&
70 oid_is_rsadsi(oid) &&
71 oid->oid[4] == 1 /* pkcs */ &&
72 oid->oid[5] == 12 /* pkcs-12 */ &&
73 oid->oid[6] == 1 /* pkcs-12PbeIds */ &&
74 oid->oid[7] == alg;
75}
76
77
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]78static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]79{
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]80 if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]81 return PKCS5_ALG_MD5_DES_CBC;
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]82 if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */
83 return PKCS5_ALG_SHA1_3DES_CBC;
84 if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */
85 return PKCS5_ALG_PBES2;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]86 return PKCS5_ALG_UNKNOWN;
87}
88
89
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]90static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
91 const u8 *enc_alg_end)
92{
93 struct asn1_hdr hdr;
94 const u8 *end, *kdf_end;
95 struct asn1_oid oid;
96 char obuf[80];
97
98 /*
99 * RFC 2898, Ch. A.4
100 *
101 * PBES2-params ::= SEQUENCE {
102 * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
103 * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
104 *
105 * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
106 * { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
107 */
108
109 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]110 !asn1_is_sequence(&hdr)) {
111 asn1_unexpected(&hdr,
112 "PKCS #5: Expected SEQUENCE (PBES2-params)");
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]113 return -1;
114 }
115 pos = hdr.payload;
116 end = hdr.payload + hdr.length;
117
118 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]119 !asn1_is_sequence(&hdr)) {
120 asn1_unexpected(&hdr,
121 "PKCS #5: Expected SEQUENCE (keyDerivationFunc)");
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]122 return -1;
123 }
124
125 pos = hdr.payload;
126 kdf_end = end = hdr.payload + hdr.length;
127
128 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
129 wpa_printf(MSG_DEBUG,
130 "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)");
131 return -1;
132 }
133
134 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
135 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s",
136 obuf);
137 if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ {
138 wpa_printf(MSG_DEBUG,
139 "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s",
140 obuf);
141 return -1;
142 }
143
144 /*
145 * RFC 2898, C.
146 *
147 * PBKDF2-params ::= SEQUENCE {
148 * salt CHOICE {
149 * specified OCTET STRING,
150 * otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
151 * },
152 * iterationCount INTEGER (1..MAX),
153 * keyLength INTEGER (1..MAX) OPTIONAL,
154 * prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
155 * algid-hmacWithSHA1
156 * }
157 */
158
159 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]160 !asn1_is_sequence(&hdr)) {
161 asn1_unexpected(&hdr,
162 "PKCS #5: Expected SEQUENCE (PBKDF2-params)");
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]163 return -1;
164 }
165
166 pos = hdr.payload;
167 end = hdr.payload + hdr.length;
168
169 /* For now, only support the salt CHOICE specified (OCTET STRING) */
170 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]171 !asn1_is_octetstring(&hdr) ||
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]172 hdr.length > sizeof(params->salt)) {
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]173 asn1_unexpected(&hdr,
174 "PKCS #5: Expected OCTET STRING (salt.specified)");
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]175 return -1;
176 }
177 pos = hdr.payload + hdr.length;
178 os_memcpy(params->salt, hdr.payload, hdr.length);
179 params->salt_len = hdr.length;
180 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len);
181
182 /* iterationCount INTEGER */
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]183 if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
184 asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]185 return -1;
186 }
187 if (hdr.length == 1) {
188 params->iter_count = *hdr.payload;
189 } else if (hdr.length == 2) {
190 params->iter_count = WPA_GET_BE16(hdr.payload);
191 } else if (hdr.length == 4) {
192 params->iter_count = WPA_GET_BE32(hdr.payload);
193 } else {
194 wpa_hexdump(MSG_DEBUG,
195 "PKCS #5: Unsupported INTEGER value (iterationCount)",
196 hdr.payload, hdr.length);
197 return -1;
198 }
199 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
200 params->iter_count);
201 if (params->iter_count == 0 || params->iter_count > 0xffff) {
202 wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x",
203 params->iter_count);
204 return -1;
205 }
206
207 /* For now, ignore optional keyLength and prf */
208
209 pos = kdf_end;
210
211 /* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */
212
213 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]214 !asn1_is_sequence(&hdr)) {
215 asn1_unexpected(&hdr,
216 "PKCS #5: Expected SEQUENCE (encryptionScheme)");
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]217 return -1;
218 }
219
220 pos = hdr.payload;
221 end = hdr.payload + hdr.length;
222
223 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
224 wpa_printf(MSG_DEBUG,
225 "PKCS #5: Failed to parse OID (encryptionScheme algorithm)");
226 return -1;
227 }
228
229 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
230 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s",
231 obuf);
232 if (enc_alg_is_oid(&oid, 7)) {
233 params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC;
234 } else {
235 wpa_printf(MSG_DEBUG,
236 "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s",
237 obuf);
238 return -1;
239 }
240
241 /*
242 * RFC 2898, B.2.2:
243 * The parameters field associated with this OID in an
244 * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
245 * specifying the initialization vector for CBC mode.
246 */
247 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]248 !asn1_is_octetstring(&hdr) || hdr.length != 8) {
249 asn1_unexpected(&hdr,
250 "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV)");
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]251 return -1;
252 }
253 os_memcpy(params->iv, hdr.payload, hdr.length);
254 params->iv_len = hdr.length;
255 wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len);
256
257 return 0;
258}
259
260
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]261static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
262 struct pkcs5_params *params)
263{
264 struct asn1_hdr hdr;
265 const u8 *enc_alg_end, *pos, *end;
266 struct asn1_oid oid;
267 char obuf[80];
268
269 /* AlgorithmIdentifier */
270
271 enc_alg_end = enc_alg + enc_alg_len;
272
273 os_memset(params, 0, sizeof(*params));
274
275 if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
276 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
277 "(algorithm)");
278 return -1;
279 }
280
281 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
282 wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
283 params->alg = pkcs5_get_alg(&oid);
284 if (params->alg == PKCS5_ALG_UNKNOWN) {
285 wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
286 "algorithm %s", obuf);
287 return -1;
288 }
289
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]290 if (params->alg == PKCS5_ALG_PBES2)
291 return pkcs5_get_params_pbes2(params, pos, enc_alg_end);
292
293 /* PBES1 */
294
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]295 /*
296 * PKCS#5, Section 8
297 * PBEParameter ::= SEQUENCE {
298 * salt OCTET STRING SIZE(8),
299 * iterationCount INTEGER }
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]300 *
301 * Note: The same implementation can be used to parse the PKCS #12
302 * version described in RFC 7292, C:
303 * pkcs-12PbeParams ::= SEQUENCE {
304 * salt OCTET STRING,
305 * iterations INTEGER
306 * }
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]307 */
308
309 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]310 !asn1_is_sequence(&hdr)) {
311 asn1_unexpected(&hdr,
312 "PKCS #5: Expected SEQUENCE (PBEParameter)");
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]313 return -1;
314 }
315 pos = hdr.payload;
316 end = hdr.payload + hdr.length;
317
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]318 /* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]319 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]320 !asn1_is_octetstring(&hdr) || hdr.length > sizeof(params->salt)) {
321 asn1_unexpected(&hdr,
322 "PKCS #5: Expected OCTETSTRING SIZE(8) (salt)");
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]323 return -1;
324 }
325 pos = hdr.payload + hdr.length;
326 os_memcpy(params->salt, hdr.payload, hdr.length);
327 params->salt_len = hdr.length;
328 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
329 params->salt, params->salt_len);
330
331 /* iterationCount INTEGER */
332 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]333 !asn1_is_integer(&hdr)) {
334 asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]335 return -1;
336 }
337 if (hdr.length == 1)
338 params->iter_count = *hdr.payload;
339 else if (hdr.length == 2)
340 params->iter_count = WPA_GET_BE16(hdr.payload);
341 else if (hdr.length == 4)
342 params->iter_count = WPA_GET_BE32(hdr.payload);
343 else {
344 wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
345 " (iterationCount)",
346 hdr.payload, hdr.length);
347 return -1;
348 }
349 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
350 params->iter_count);
351 if (params->iter_count == 0 || params->iter_count > 0xffff) {
352 wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
353 "iterationCount=0x%x", params->iter_count);
354 return -1;
355 }
356
357 return 0;
358}
359
360
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]361static struct crypto_cipher *
362pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd)
363{
364 u8 key[24];
365
366 if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC ||
367 params->iv_len != 8)
368 return NULL;
369
370 wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2",
371 passwd, os_strlen(passwd));
372 wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2",
373 params->salt, params->salt_len);
374 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u",
375 params->iter_count);
376 if (pbkdf2_sha1(passwd, params->salt, params->salt_len,
377 params->iter_count, key, sizeof(key)) < 0)
378 return NULL;
379 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key));
380 wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len);
381
382 return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv,
383 key, sizeof(key));
384}
385
386
387static void add_byte_array_mod(u8 *a, const u8 *b, size_t len)
388{
389 size_t i;
390 unsigned int carry = 0;
391
392 for (i = len - 1; i < len; i--) {
393 carry = carry + a[i] + b[i];
394 a[i] = carry & 0xff;
395 carry >>= 8;
396 }
397}
398
399
400static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt,
401 size_t salt_len, u8 id, unsigned int iter,
402 size_t out_len, u8 *out)
403{
404 unsigned int u, v, S_len, P_len, i;
405 u8 *D = NULL, *I = NULL, *B = NULL, *pos;
406 int res = -1;
407
408 /* RFC 7292, B.2 */
409 u = SHA1_MAC_LEN;
410 v = 64;
411
412 /* D = copies of ID */
413 D = os_malloc(v);
414 if (!D)
415 goto done;
416 os_memset(D, id, v);
417
418 /* S = copies of salt; P = copies of password, I = S || P */
419 S_len = v * ((salt_len + v - 1) / v);
420 P_len = v * ((pw_len + v - 1) / v);
421 I = os_malloc(S_len + P_len);
422 if (!I)
423 goto done;
424 pos = I;
425 if (salt_len) {
426 for (i = 0; i < S_len; i++)
427 *pos++ = salt[i % salt_len];
428 }
429 if (pw_len) {
430 for (i = 0; i < P_len; i++)
431 *pos++ = pw[i % pw_len];
432 }
433
434 B = os_malloc(v);
435 if (!B)
436 goto done;
437
438 for (;;) {
439 u8 hash[SHA1_MAC_LEN];
440 const u8 *addr[2];
441 size_t len[2];
442
443 addr[0] = D;
444 len[0] = v;
445 addr[1] = I;
446 len[1] = S_len + P_len;
447 if (sha1_vector(2, addr, len, hash) < 0)
448 goto done;
449
450 addr[0] = hash;
451 len[0] = SHA1_MAC_LEN;
452 for (i = 1; i < iter; i++) {
453 if (sha1_vector(1, addr, len, hash) < 0)
454 goto done;
455 }
456
457 if (out_len <= u) {
458 os_memcpy(out, hash, out_len);
459 res = 0;
460 goto done;
461 }
462
463 os_memcpy(out, hash, u);
464 out += u;
465 out_len -= u;
466
467 /* I_j = (I_j + B + 1) mod 2^(v*8) */
468 /* B = copies of Ai (final hash value) */
469 for (i = 0; i < v; i++)
470 B[i] = hash[i % u];
471 inc_byte_array(B, v);
472 for (i = 0; i < S_len + P_len; i += v)
473 add_byte_array_mod(&I[i], B, v);
474 }
475
476done:
477 os_free(B);
478 os_free(I);
479 os_free(D);
480 return res;
481}
482
483
484#define PKCS12_ID_ENC 1
485#define PKCS12_ID_IV 2
486#define PKCS12_ID_MAC 3
487
488static struct crypto_cipher *
489pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd)
490{
491 unsigned int i;
492 u8 *pw;
493 size_t pw_len;
494 u8 key[24];
495 u8 iv[8];
496
497 if (params->alg != PKCS5_ALG_SHA1_3DES_CBC)
498 return NULL;
499
500 pw_len = passwd ? os_strlen(passwd) : 0;
501 pw = os_malloc(2 * (pw_len + 1));
502 if (!pw)
503 return NULL;
504 if (pw_len) {
505 for (i = 0; i <= pw_len; i++)
506 WPA_PUT_BE16(&pw[2 * i], passwd[i]);
507 pw_len = 2 * (pw_len + 1);
508 }
509
510 if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
511 PKCS12_ID_ENC, params->iter_count,
512 sizeof(key), key) < 0 ||
513 pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
514 PKCS12_ID_IV, params->iter_count,
515 sizeof(iv), iv) < 0) {
516 os_free(pw);
517 return NULL;
518 }
519
520 os_free(pw);
521
522 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key));
523 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv));
524
525 return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key));
526}
527
528
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]529static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
530 const char *passwd)
531{
532 unsigned int i;
533 u8 hash[MD5_MAC_LEN];
534 const u8 *addr[2];
535 size_t len[2];
536
Dmitry Shmidt1b467752015-12-14 12:45:46 -0800[diff] [blame]537 if (params->alg == PKCS5_ALG_PBES2)
538 return pkcs5_crypto_init_pbes2(params, passwd);
539
540 if (params->alg == PKCS5_ALG_SHA1_3DES_CBC)
541 return pkcs12_crypto_init_sha1(params, passwd);
542
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]543 if (params->alg != PKCS5_ALG_MD5_DES_CBC)
544 return NULL;
545
546 addr[0] = (const u8 *) passwd;
547 len[0] = os_strlen(passwd);
548 addr[1] = params->salt;
549 len[1] = params->salt_len;
550 if (md5_vector(2, addr, len, hash) < 0)
551 return NULL;
552 addr[0] = hash;
553 len[0] = MD5_MAC_LEN;
554 for (i = 1; i < params->iter_count; i++) {
555 if (md5_vector(1, addr, len, hash) < 0)
556 return NULL;
557 }
558 /* TODO: DES key parity bits(?) */
559 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
560 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
561
562 return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
563}
564
565
566u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
567 const u8 *enc_data, size_t enc_data_len,
568 const char *passwd, size_t *data_len)
569{
570 struct crypto_cipher *ctx;
571 u8 *eb, pad;
572 struct pkcs5_params params;
573 unsigned int i;
574
575 if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
576 wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
577 return NULL;
578 }
579
580 ctx = pkcs5_crypto_init(&params, passwd);
581 if (ctx == NULL) {
582 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
583 return NULL;
584 }
585
586 /* PKCS #5, Section 7 - Decryption process */
587 if (enc_data_len < 16 || enc_data_len % 8) {
588 wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
589 "%d", (int) enc_data_len);
590 crypto_cipher_deinit(ctx);
591 return NULL;
592 }
593
594 eb = os_malloc(enc_data_len);
595 if (eb == NULL) {
596 crypto_cipher_deinit(ctx);
597 return NULL;
598 }
599
600 if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
601 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
602 crypto_cipher_deinit(ctx);
603 os_free(eb);
604 return NULL;
605 }
606 crypto_cipher_deinit(ctx);
607
608 pad = eb[enc_data_len - 1];
609 if (pad > 8) {
610 wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
611 os_free(eb);
612 return NULL;
613 }
614 for (i = enc_data_len - pad; i < enc_data_len; i++) {
615 if (eb[i] != pad) {
616 wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
617 eb + enc_data_len - pad, pad);
618 os_free(eb);
619 return NULL;
620 }
621 }
622
623 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
624 eb, enc_data_len - pad);
625
626 *data_len = enc_data_len - pad;
627 return eb;
628}