]>
Commit | Line | Data |
---|---|---|
f1739bac JM |
1 | /* |
2 | * PKCS #5 (Password-based Encryption) | |
5ce2941b | 3 | * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi> |
f1739bac | 4 | * |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
f1739bac JM |
7 | */ |
8 | ||
9 | #include "includes.h" | |
10 | ||
11 | #include "common.h" | |
03da66bd JM |
12 | #include "crypto/crypto.h" |
13 | #include "crypto/md5.h" | |
4db29e6a | 14 | #include "crypto/sha1.h" |
f1739bac JM |
15 | #include "asn1.h" |
16 | #include "pkcs5.h" | |
17 | ||
18 | ||
19 | struct pkcs5_params { | |
20 | enum pkcs5_alg { | |
21 | PKCS5_ALG_UNKNOWN, | |
4db29e6a JM |
22 | PKCS5_ALG_MD5_DES_CBC, |
23 | PKCS5_ALG_PBES2, | |
5ce2941b | 24 | PKCS5_ALG_SHA1_3DES_CBC, |
f1739bac | 25 | } alg; |
5ce2941b | 26 | u8 salt[64]; |
f1739bac JM |
27 | size_t salt_len; |
28 | unsigned int iter_count; | |
4db29e6a JM |
29 | enum pbes2_enc_alg { |
30 | PBES2_ENC_ALG_UNKNOWN, | |
31 | PBES2_ENC_ALG_DES_EDE3_CBC, | |
32 | } enc_alg; | |
33 | u8 iv[8]; | |
34 | size_t iv_len; | |
f1739bac JM |
35 | }; |
36 | ||
37 | ||
4db29e6a JM |
38 | static int oid_is_rsadsi(struct asn1_oid *oid) |
39 | { | |
40 | return oid->len >= 4 && | |
41 | oid->oid[0] == 1 /* iso */ && | |
42 | oid->oid[1] == 2 /* member-body */ && | |
43 | oid->oid[2] == 840 /* us */ && | |
44 | oid->oid[3] == 113549 /* rsadsi */; | |
45 | } | |
46 | ||
47 | ||
48 | static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg) | |
49 | { | |
50 | return oid->len == 7 && | |
51 | oid_is_rsadsi(oid) && | |
52 | oid->oid[4] == 1 /* pkcs */ && | |
53 | oid->oid[5] == 5 /* pkcs-5 */ && | |
54 | oid->oid[6] == alg; | |
55 | } | |
56 | ||
57 | ||
58 | static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg) | |
59 | { | |
60 | return oid->len == 6 && | |
61 | oid_is_rsadsi(oid) && | |
62 | oid->oid[4] == 3 /* encryptionAlgorithm */ && | |
63 | oid->oid[5] == alg; | |
64 | } | |
65 | ||
66 | ||
5ce2941b JM |
67 | static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg) |
68 | { | |
69 | return oid->len == 8 && | |
70 | oid_is_rsadsi(oid) && | |
71 | oid->oid[4] == 1 /* pkcs */ && | |
72 | oid->oid[5] == 12 /* pkcs-12 */ && | |
73 | oid->oid[6] == 1 /* pkcs-12PbeIds */ && | |
74 | oid->oid[7] == alg; | |
75 | } | |
76 | ||
77 | ||
19df9b07 | 78 | static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid) |
f1739bac | 79 | { |
4db29e6a | 80 | if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */ |
f1739bac | 81 | return PKCS5_ALG_MD5_DES_CBC; |
5ce2941b JM |
82 | if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */ |
83 | return PKCS5_ALG_SHA1_3DES_CBC; | |
4db29e6a JM |
84 | if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */ |
85 | return PKCS5_ALG_PBES2; | |
f1739bac JM |
86 | return PKCS5_ALG_UNKNOWN; |
87 | } | |
88 | ||
89 | ||
4db29e6a JM |
90 | static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos, |
91 | const u8 *enc_alg_end) | |
92 | { | |
93 | struct asn1_hdr hdr; | |
94 | const u8 *end, *kdf_end; | |
95 | struct asn1_oid oid; | |
96 | char obuf[80]; | |
97 | ||
98 | /* | |
99 | * RFC 2898, Ch. A.4 | |
100 | * | |
101 | * PBES2-params ::= SEQUENCE { | |
102 | * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, | |
103 | * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} } | |
104 | * | |
105 | * PBES2-KDFs ALGORITHM-IDENTIFIER ::= | |
106 | * { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... } | |
107 | */ | |
108 | ||
109 | if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || | |
110 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
111 | hdr.tag != ASN1_TAG_SEQUENCE) { | |
112 | wpa_printf(MSG_DEBUG, | |
113 | "PKCS #5: Expected SEQUENCE (PBES2-params) - found class %d tag 0x%x", | |
114 | hdr.class, hdr.tag); | |
115 | return -1; | |
116 | } | |
117 | pos = hdr.payload; | |
118 | end = hdr.payload + hdr.length; | |
119 | ||
120 | if (asn1_get_next(pos, end - pos, &hdr) < 0 || | |
121 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
122 | hdr.tag != ASN1_TAG_SEQUENCE) { | |
123 | wpa_printf(MSG_DEBUG, | |
124 | "PKCS #5: Expected SEQUENCE (keyDerivationFunc) - found class %d tag 0x%x", | |
125 | hdr.class, hdr.tag); | |
126 | return -1; | |
127 | } | |
128 | ||
129 | pos = hdr.payload; | |
130 | kdf_end = end = hdr.payload + hdr.length; | |
131 | ||
132 | if (asn1_get_oid(pos, end - pos, &oid, &pos)) { | |
133 | wpa_printf(MSG_DEBUG, | |
134 | "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)"); | |
135 | return -1; | |
136 | } | |
137 | ||
138 | asn1_oid_to_str(&oid, obuf, sizeof(obuf)); | |
139 | wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s", | |
140 | obuf); | |
141 | if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ { | |
142 | wpa_printf(MSG_DEBUG, | |
143 | "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s", | |
144 | obuf); | |
145 | return -1; | |
146 | } | |
147 | ||
148 | /* | |
149 | * RFC 2898, C. | |
150 | * | |
151 | * PBKDF2-params ::= SEQUENCE { | |
152 | * salt CHOICE { | |
153 | * specified OCTET STRING, | |
154 | * otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} | |
155 | * }, | |
156 | * iterationCount INTEGER (1..MAX), | |
157 | * keyLength INTEGER (1..MAX) OPTIONAL, | |
158 | * prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT | |
159 | * algid-hmacWithSHA1 | |
160 | * } | |
161 | */ | |
162 | ||
163 | if (asn1_get_next(pos, end - pos, &hdr) < 0 || | |
164 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
165 | hdr.tag != ASN1_TAG_SEQUENCE) { | |
166 | wpa_printf(MSG_DEBUG, | |
167 | "PKCS #5: Expected SEQUENCE (PBKDF2-params) - found class %d tag 0x%x", | |
168 | hdr.class, hdr.tag); | |
169 | return -1; | |
170 | } | |
171 | ||
172 | pos = hdr.payload; | |
173 | end = hdr.payload + hdr.length; | |
174 | ||
175 | /* For now, only support the salt CHOICE specified (OCTET STRING) */ | |
176 | if (asn1_get_next(pos, end - pos, &hdr) < 0 || | |
177 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
178 | hdr.tag != ASN1_TAG_OCTETSTRING || | |
179 | hdr.length > sizeof(params->salt)) { | |
180 | wpa_printf(MSG_DEBUG, | |
181 | "PKCS #5: Expected OCTET STRING (salt.specified) - found class %d tag 0x%x size %d", | |
182 | hdr.class, hdr.tag, hdr.length); | |
183 | return -1; | |
184 | } | |
185 | pos = hdr.payload + hdr.length; | |
186 | os_memcpy(params->salt, hdr.payload, hdr.length); | |
187 | params->salt_len = hdr.length; | |
188 | wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len); | |
189 | ||
190 | /* iterationCount INTEGER */ | |
191 | if (asn1_get_next(pos, end - pos, &hdr) < 0 || | |
192 | hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) { | |
193 | wpa_printf(MSG_DEBUG, | |
194 | "PKCS #5: Expected INTEGER - found class %d tag 0x%x", | |
195 | hdr.class, hdr.tag); | |
196 | return -1; | |
197 | } | |
198 | if (hdr.length == 1) { | |
199 | params->iter_count = *hdr.payload; | |
200 | } else if (hdr.length == 2) { | |
201 | params->iter_count = WPA_GET_BE16(hdr.payload); | |
202 | } else if (hdr.length == 4) { | |
203 | params->iter_count = WPA_GET_BE32(hdr.payload); | |
204 | } else { | |
205 | wpa_hexdump(MSG_DEBUG, | |
206 | "PKCS #5: Unsupported INTEGER value (iterationCount)", | |
207 | hdr.payload, hdr.length); | |
208 | return -1; | |
209 | } | |
210 | wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x", | |
211 | params->iter_count); | |
212 | if (params->iter_count == 0 || params->iter_count > 0xffff) { | |
213 | wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x", | |
214 | params->iter_count); | |
215 | return -1; | |
216 | } | |
217 | ||
218 | /* For now, ignore optional keyLength and prf */ | |
219 | ||
220 | pos = kdf_end; | |
221 | ||
222 | /* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */ | |
223 | ||
224 | if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || | |
225 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
226 | hdr.tag != ASN1_TAG_SEQUENCE) { | |
227 | wpa_printf(MSG_DEBUG, | |
228 | "PKCS #5: Expected SEQUENCE (encryptionScheme) - found class %d tag 0x%x", | |
229 | hdr.class, hdr.tag); | |
230 | return -1; | |
231 | } | |
232 | ||
233 | pos = hdr.payload; | |
234 | end = hdr.payload + hdr.length; | |
235 | ||
236 | if (asn1_get_oid(pos, end - pos, &oid, &pos)) { | |
237 | wpa_printf(MSG_DEBUG, | |
238 | "PKCS #5: Failed to parse OID (encryptionScheme algorithm)"); | |
239 | return -1; | |
240 | } | |
241 | ||
242 | asn1_oid_to_str(&oid, obuf, sizeof(obuf)); | |
243 | wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s", | |
244 | obuf); | |
245 | if (enc_alg_is_oid(&oid, 7)) { | |
246 | params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC; | |
247 | } else { | |
248 | wpa_printf(MSG_DEBUG, | |
249 | "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s", | |
250 | obuf); | |
251 | return -1; | |
252 | } | |
253 | ||
254 | /* | |
255 | * RFC 2898, B.2.2: | |
256 | * The parameters field associated with this OID in an | |
257 | * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)), | |
258 | * specifying the initialization vector for CBC mode. | |
259 | */ | |
260 | if (asn1_get_next(pos, end - pos, &hdr) < 0 || | |
261 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
262 | hdr.tag != ASN1_TAG_OCTETSTRING || | |
263 | hdr.length != 8) { | |
264 | wpa_printf(MSG_DEBUG, | |
265 | "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV) - found class %d tag 0x%x size %d", | |
266 | hdr.class, hdr.tag, hdr.length); | |
267 | return -1; | |
268 | } | |
269 | os_memcpy(params->iv, hdr.payload, hdr.length); | |
270 | params->iv_len = hdr.length; | |
271 | wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len); | |
272 | ||
273 | return 0; | |
274 | } | |
275 | ||
276 | ||
f1739bac JM |
277 | static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len, |
278 | struct pkcs5_params *params) | |
279 | { | |
280 | struct asn1_hdr hdr; | |
281 | const u8 *enc_alg_end, *pos, *end; | |
282 | struct asn1_oid oid; | |
283 | char obuf[80]; | |
284 | ||
285 | /* AlgorithmIdentifier */ | |
286 | ||
287 | enc_alg_end = enc_alg + enc_alg_len; | |
288 | ||
289 | os_memset(params, 0, sizeof(*params)); | |
290 | ||
291 | if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) { | |
292 | wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID " | |
293 | "(algorithm)"); | |
294 | return -1; | |
295 | } | |
296 | ||
297 | asn1_oid_to_str(&oid, obuf, sizeof(obuf)); | |
298 | wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf); | |
299 | params->alg = pkcs5_get_alg(&oid); | |
300 | if (params->alg == PKCS5_ALG_UNKNOWN) { | |
301 | wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption " | |
302 | "algorithm %s", obuf); | |
303 | return -1; | |
304 | } | |
305 | ||
4db29e6a JM |
306 | if (params->alg == PKCS5_ALG_PBES2) |
307 | return pkcs5_get_params_pbes2(params, pos, enc_alg_end); | |
308 | ||
309 | /* PBES1 */ | |
310 | ||
f1739bac JM |
311 | /* |
312 | * PKCS#5, Section 8 | |
313 | * PBEParameter ::= SEQUENCE { | |
314 | * salt OCTET STRING SIZE(8), | |
315 | * iterationCount INTEGER } | |
5ce2941b JM |
316 | * |
317 | * Note: The same implementation can be used to parse the PKCS #12 | |
318 | * version described in RFC 7292, C: | |
319 | * pkcs-12PbeParams ::= SEQUENCE { | |
320 | * salt OCTET STRING, | |
321 | * iterations INTEGER | |
322 | * } | |
f1739bac JM |
323 | */ |
324 | ||
325 | if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || | |
326 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
327 | hdr.tag != ASN1_TAG_SEQUENCE) { | |
328 | wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE " | |
329 | "(PBEParameter) - found class %d tag 0x%x", | |
330 | hdr.class, hdr.tag); | |
331 | return -1; | |
332 | } | |
333 | pos = hdr.payload; | |
334 | end = hdr.payload + hdr.length; | |
335 | ||
5ce2941b | 336 | /* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */ |
f1739bac JM |
337 | if (asn1_get_next(pos, end - pos, &hdr) < 0 || |
338 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
339 | hdr.tag != ASN1_TAG_OCTETSTRING || | |
5ce2941b | 340 | hdr.length > sizeof(params->salt)) { |
f1739bac JM |
341 | wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) " |
342 | "(salt) - found class %d tag 0x%x size %d", | |
343 | hdr.class, hdr.tag, hdr.length); | |
344 | return -1; | |
345 | } | |
346 | pos = hdr.payload + hdr.length; | |
347 | os_memcpy(params->salt, hdr.payload, hdr.length); | |
348 | params->salt_len = hdr.length; | |
349 | wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", | |
350 | params->salt, params->salt_len); | |
351 | ||
352 | /* iterationCount INTEGER */ | |
353 | if (asn1_get_next(pos, end - pos, &hdr) < 0 || | |
354 | hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) { | |
355 | wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found " | |
356 | "class %d tag 0x%x", hdr.class, hdr.tag); | |
357 | return -1; | |
358 | } | |
359 | if (hdr.length == 1) | |
360 | params->iter_count = *hdr.payload; | |
361 | else if (hdr.length == 2) | |
362 | params->iter_count = WPA_GET_BE16(hdr.payload); | |
363 | else if (hdr.length == 4) | |
364 | params->iter_count = WPA_GET_BE32(hdr.payload); | |
365 | else { | |
366 | wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value " | |
367 | " (iterationCount)", | |
368 | hdr.payload, hdr.length); | |
369 | return -1; | |
370 | } | |
371 | wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x", | |
372 | params->iter_count); | |
373 | if (params->iter_count == 0 || params->iter_count > 0xffff) { | |
374 | wpa_printf(MSG_INFO, "PKCS #5: Unsupported " | |
375 | "iterationCount=0x%x", params->iter_count); | |
376 | return -1; | |
377 | } | |
378 | ||
379 | return 0; | |
380 | } | |
381 | ||
382 | ||
4db29e6a JM |
383 | static struct crypto_cipher * |
384 | pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd) | |
385 | { | |
386 | u8 key[24]; | |
387 | ||
388 | if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC || | |
389 | params->iv_len != 8) | |
390 | return NULL; | |
391 | ||
392 | wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2", | |
393 | passwd, os_strlen(passwd)); | |
394 | wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2", | |
395 | params->salt, params->salt_len); | |
396 | wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u", | |
397 | params->iter_count); | |
398 | if (pbkdf2_sha1(passwd, params->salt, params->salt_len, | |
399 | params->iter_count, key, sizeof(key)) < 0) | |
400 | return NULL; | |
401 | wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key)); | |
402 | wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len); | |
403 | ||
404 | return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv, | |
405 | key, sizeof(key)); | |
406 | } | |
407 | ||
408 | ||
5ce2941b JM |
409 | static void add_byte_array_mod(u8 *a, const u8 *b, size_t len) |
410 | { | |
411 | size_t i; | |
412 | unsigned int carry = 0; | |
413 | ||
414 | for (i = len - 1; i < len; i--) { | |
415 | carry = carry + a[i] + b[i]; | |
416 | a[i] = carry & 0xff; | |
417 | carry >>= 8; | |
418 | } | |
419 | } | |
420 | ||
421 | ||
422 | static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt, | |
423 | size_t salt_len, u8 id, unsigned int iter, | |
424 | size_t out_len, u8 *out) | |
425 | { | |
426 | unsigned int u, v, S_len, P_len, i; | |
427 | u8 *D = NULL, *I = NULL, *B = NULL, *pos; | |
428 | int res = -1; | |
429 | ||
430 | /* RFC 7292, B.2 */ | |
431 | u = SHA1_MAC_LEN; | |
432 | v = 64; | |
433 | ||
434 | /* D = copies of ID */ | |
435 | D = os_malloc(v); | |
436 | if (!D) | |
437 | goto done; | |
438 | os_memset(D, id, v); | |
439 | ||
440 | /* S = copies of salt; P = copies of password, I = S || P */ | |
441 | S_len = v * ((salt_len + v - 1) / v); | |
442 | P_len = v * ((pw_len + v - 1) / v); | |
443 | I = os_malloc(S_len + P_len); | |
444 | if (!I) | |
445 | goto done; | |
446 | pos = I; | |
447 | if (salt_len) { | |
448 | for (i = 0; i < S_len; i++) | |
449 | *pos++ = salt[i % salt_len]; | |
450 | } | |
451 | if (pw_len) { | |
452 | for (i = 0; i < P_len; i++) | |
453 | *pos++ = pw[i % pw_len]; | |
454 | } | |
455 | ||
456 | B = os_malloc(v); | |
457 | if (!B) | |
458 | goto done; | |
459 | ||
460 | for (;;) { | |
461 | u8 hash[SHA1_MAC_LEN]; | |
462 | const u8 *addr[2]; | |
463 | size_t len[2]; | |
464 | ||
465 | addr[0] = D; | |
466 | len[0] = v; | |
467 | addr[1] = I; | |
468 | len[1] = S_len + P_len; | |
469 | if (sha1_vector(2, addr, len, hash) < 0) | |
470 | goto done; | |
471 | ||
472 | addr[0] = hash; | |
473 | len[0] = SHA1_MAC_LEN; | |
474 | for (i = 1; i < iter; i++) { | |
475 | if (sha1_vector(1, addr, len, hash) < 0) | |
476 | goto done; | |
477 | } | |
478 | ||
479 | if (out_len <= u) { | |
480 | os_memcpy(out, hash, out_len); | |
481 | res = 0; | |
482 | goto done; | |
483 | } | |
484 | ||
485 | os_memcpy(out, hash, u); | |
486 | out += u; | |
487 | out_len -= u; | |
488 | ||
489 | /* I_j = (I_j + B + 1) mod 2^(v*8) */ | |
490 | /* B = copies of Ai (final hash value) */ | |
491 | for (i = 0; i < v; i++) | |
492 | B[i] = hash[i % u]; | |
493 | inc_byte_array(B, v); | |
494 | for (i = 0; i < S_len + P_len; i += v) | |
495 | add_byte_array_mod(&I[i], B, v); | |
496 | } | |
497 | ||
498 | done: | |
499 | os_free(B); | |
500 | os_free(I); | |
501 | os_free(D); | |
502 | return res; | |
503 | } | |
504 | ||
505 | ||
506 | #define PKCS12_ID_ENC 1 | |
507 | #define PKCS12_ID_IV 2 | |
508 | #define PKCS12_ID_MAC 3 | |
509 | ||
510 | static struct crypto_cipher * | |
511 | pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd) | |
512 | { | |
513 | unsigned int i; | |
514 | u8 *pw; | |
515 | size_t pw_len; | |
516 | u8 key[24]; | |
517 | u8 iv[8]; | |
518 | ||
519 | if (params->alg != PKCS5_ALG_SHA1_3DES_CBC) | |
520 | return NULL; | |
521 | ||
522 | pw_len = passwd ? os_strlen(passwd) : 0; | |
523 | pw = os_malloc(2 * (pw_len + 1)); | |
524 | if (!pw) | |
525 | return NULL; | |
526 | if (pw_len) { | |
527 | for (i = 0; i <= pw_len; i++) | |
528 | WPA_PUT_BE16(&pw[2 * i], passwd[i]); | |
529 | pw_len = 2 * (pw_len + 1); | |
530 | } | |
531 | ||
532 | if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len, | |
533 | PKCS12_ID_ENC, params->iter_count, | |
534 | sizeof(key), key) < 0 || | |
535 | pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len, | |
536 | PKCS12_ID_IV, params->iter_count, | |
537 | sizeof(iv), iv) < 0) { | |
538 | os_free(pw); | |
539 | return NULL; | |
540 | } | |
541 | ||
542 | os_free(pw); | |
543 | ||
544 | wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key)); | |
545 | wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv)); | |
546 | ||
547 | return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key)); | |
548 | } | |
549 | ||
550 | ||
f1739bac JM |
551 | static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params, |
552 | const char *passwd) | |
553 | { | |
554 | unsigned int i; | |
555 | u8 hash[MD5_MAC_LEN]; | |
556 | const u8 *addr[2]; | |
557 | size_t len[2]; | |
558 | ||
4db29e6a JM |
559 | if (params->alg == PKCS5_ALG_PBES2) |
560 | return pkcs5_crypto_init_pbes2(params, passwd); | |
561 | ||
5ce2941b JM |
562 | if (params->alg == PKCS5_ALG_SHA1_3DES_CBC) |
563 | return pkcs12_crypto_init_sha1(params, passwd); | |
564 | ||
f1739bac JM |
565 | if (params->alg != PKCS5_ALG_MD5_DES_CBC) |
566 | return NULL; | |
567 | ||
568 | addr[0] = (const u8 *) passwd; | |
569 | len[0] = os_strlen(passwd); | |
570 | addr[1] = params->salt; | |
571 | len[1] = params->salt_len; | |
572 | if (md5_vector(2, addr, len, hash) < 0) | |
573 | return NULL; | |
574 | addr[0] = hash; | |
575 | len[0] = MD5_MAC_LEN; | |
576 | for (i = 1; i < params->iter_count; i++) { | |
577 | if (md5_vector(1, addr, len, hash) < 0) | |
578 | return NULL; | |
579 | } | |
580 | /* TODO: DES key parity bits(?) */ | |
581 | wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8); | |
582 | wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8); | |
583 | ||
584 | return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8); | |
585 | } | |
586 | ||
587 | ||
588 | u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len, | |
589 | const u8 *enc_data, size_t enc_data_len, | |
590 | const char *passwd, size_t *data_len) | |
591 | { | |
592 | struct crypto_cipher *ctx; | |
593 | u8 *eb, pad; | |
594 | struct pkcs5_params params; | |
595 | unsigned int i; | |
596 | ||
597 | if (pkcs5_get_params(enc_alg, enc_alg_len, ¶ms) < 0) { | |
598 | wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters"); | |
599 | return NULL; | |
600 | } | |
601 | ||
602 | ctx = pkcs5_crypto_init(¶ms, passwd); | |
603 | if (ctx == NULL) { | |
604 | wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto"); | |
605 | return NULL; | |
606 | } | |
607 | ||
608 | /* PKCS #5, Section 7 - Decryption process */ | |
609 | if (enc_data_len < 16 || enc_data_len % 8) { | |
610 | wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext " | |
611 | "%d", (int) enc_data_len); | |
612 | crypto_cipher_deinit(ctx); | |
613 | return NULL; | |
614 | } | |
615 | ||
616 | eb = os_malloc(enc_data_len); | |
617 | if (eb == NULL) { | |
618 | crypto_cipher_deinit(ctx); | |
619 | return NULL; | |
620 | } | |
621 | ||
622 | if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) { | |
623 | wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB"); | |
624 | crypto_cipher_deinit(ctx); | |
625 | os_free(eb); | |
626 | return NULL; | |
627 | } | |
628 | crypto_cipher_deinit(ctx); | |
629 | ||
630 | pad = eb[enc_data_len - 1]; | |
631 | if (pad > 8) { | |
632 | wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad); | |
633 | os_free(eb); | |
634 | return NULL; | |
635 | } | |
636 | for (i = enc_data_len - pad; i < enc_data_len; i++) { | |
637 | if (eb[i] != pad) { | |
638 | wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS", | |
639 | eb + enc_data_len - pad, pad); | |
640 | os_free(eb); | |
641 | return NULL; | |
642 | } | |
643 | } | |
644 | ||
645 | wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)", | |
646 | eb, enc_data_len - pad); | |
647 | ||
648 | *data_len = enc_data_len - pad; | |
649 | return eb; | |
650 | } |