[thirdparty/hostap.git] / src / tls / pkcs5.c

/*
 * PKCS #5 (Password-based Encryption)
 * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "crypto/crypto.h"
#include "crypto/md5.h"
#include "crypto/sha1.h"
#include "asn1.h"
#include "pkcs5.h"


struct pkcs5_params {
	enum pkcs5_alg {
		PKCS5_ALG_UNKNOWN,
		PKCS5_ALG_MD5_DES_CBC,
		PKCS5_ALG_PBES2,
		PKCS5_ALG_SHA1_3DES_CBC,
	} alg;
	u8 salt[64];
	size_t salt_len;
	unsigned int iter_count;
	enum pbes2_enc_alg {
		PBES2_ENC_ALG_UNKNOWN,
		PBES2_ENC_ALG_DES_EDE3_CBC,
	} enc_alg;
	u8 iv[8];
	size_t iv_len;
};


static int oid_is_rsadsi(struct asn1_oid *oid)
{
	return oid->len >= 4 &&
		oid->oid[0] == 1 /* iso */ &&
		oid->oid[1] == 2 /* member-body */ &&
		oid->oid[2] == 840 /* us */ &&
		oid->oid[3] == 113549 /* rsadsi */;
}


static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg)
{
	return oid->len == 7 &&
		oid_is_rsadsi(oid) &&
		oid->oid[4] == 1 /* pkcs */ &&
		oid->oid[5] == 5 /* pkcs-5 */ &&
		oid->oid[6] == alg;
}


static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg)
{
	return oid->len == 6 &&
		oid_is_rsadsi(oid) &&
		oid->oid[4] == 3 /* encryptionAlgorithm */ &&
		oid->oid[5] == alg;
}


static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg)
{
	return oid->len == 8 &&
		oid_is_rsadsi(oid) &&
		oid->oid[4] == 1 /* pkcs */ &&
		oid->oid[5] == 12 /* pkcs-12 */ &&
		oid->oid[6] == 1 /* pkcs-12PbeIds */ &&
		oid->oid[7] == alg;
}


static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
{
	if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */
		return PKCS5_ALG_MD5_DES_CBC;
	if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */
		return PKCS5_ALG_SHA1_3DES_CBC;
	if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */
		return PKCS5_ALG_PBES2;
	return PKCS5_ALG_UNKNOWN;
}


static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
				  const u8 *enc_alg_end)
{
	struct asn1_hdr hdr;
	const u8 *end, *kdf_end;
	struct asn1_oid oid;
	char obuf[80];

	/*
	 * RFC 2898, Ch. A.4
	 *
	 * PBES2-params ::= SEQUENCE {
	 *     keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
	 *     encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
	 *
	 * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
	 *     { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
	 */

	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Expected SEQUENCE (PBES2-params) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	pos = hdr.payload;
	end = hdr.payload + hdr.length;

	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Expected SEQUENCE (keyDerivationFunc) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}

	pos = hdr.payload;
	kdf_end = end = hdr.payload + hdr.length;

	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)");
		return -1;
	}

	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s",
		   obuf);
	if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s",
			   obuf);
		return -1;
	}

	/*
	 * RFC 2898, C.
	 *
	 * PBKDF2-params ::= SEQUENCE {
	 *     salt CHOICE {
	 *       specified OCTET STRING,
	 *       otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
	 *     },
	 *     iterationCount INTEGER (1..MAX),
	 *     keyLength INTEGER (1..MAX) OPTIONAL,
	 *     prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
	 *     algid-hmacWithSHA1
	 * }
	 */

	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Expected SEQUENCE (PBKDF2-params) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}

	pos = hdr.payload;
	end = hdr.payload + hdr.length;

	/* For now, only support the salt CHOICE specified (OCTET STRING) */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_OCTETSTRING ||
	    hdr.length > sizeof(params->salt)) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Expected OCTET STRING (salt.specified) - found class %d tag 0x%x size %d",
			   hdr.class, hdr.tag, hdr.length);
		return -1;
	}
	pos = hdr.payload + hdr.length;
	os_memcpy(params->salt, hdr.payload, hdr.length);
	params->salt_len = hdr.length;
	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len);

	/* iterationCount INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Expected INTEGER - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	if (hdr.length == 1) {
		params->iter_count = *hdr.payload;
	} else if (hdr.length == 2) {
		params->iter_count = WPA_GET_BE16(hdr.payload);
	} else if (hdr.length == 4) {
		params->iter_count = WPA_GET_BE32(hdr.payload);
	} else {
		wpa_hexdump(MSG_DEBUG,
			    "PKCS #5: Unsupported INTEGER value (iterationCount)",
			    hdr.payload, hdr.length);
		return -1;
	}
	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
		   params->iter_count);
	if (params->iter_count == 0 || params->iter_count > 0xffff) {
		wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x",
			   params->iter_count);
		return -1;
	}

	/* For now, ignore optional keyLength and prf */

	pos = kdf_end;

	/* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */

	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Expected SEQUENCE (encryptionScheme) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}

	pos = hdr.payload;
	end = hdr.payload + hdr.length;

	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Failed to parse OID (encryptionScheme algorithm)");
		return -1;
	}

	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s",
		   obuf);
	if (enc_alg_is_oid(&oid, 7)) {
		params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC;
	} else {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s",
			   obuf);
		return -1;
	}

	/*
	 * RFC 2898, B.2.2:
	 * The parameters field associated with this OID in an
	 * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
	 * specifying the initialization vector for CBC mode.
	 */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_OCTETSTRING ||
	    hdr.length != 8) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV) - found class %d tag 0x%x size %d",
			   hdr.class, hdr.tag, hdr.length);
		return -1;
	}
	os_memcpy(params->iv, hdr.payload, hdr.length);
	params->iv_len = hdr.length;
	wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len);

	return 0;
}


static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
			    struct pkcs5_params *params)
{
	struct asn1_hdr hdr;
	const u8 *enc_alg_end, *pos, *end;
	struct asn1_oid oid;
	char obuf[80];

	/* AlgorithmIdentifier */

	enc_alg_end = enc_alg + enc_alg_len;

	os_memset(params, 0, sizeof(*params));

	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
			   "(algorithm)");
		return -1;
	}

	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
	params->alg = pkcs5_get_alg(&oid);
	if (params->alg == PKCS5_ALG_UNKNOWN) {
		wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
			   "algorithm %s", obuf);
		return -1;
	}

	if (params->alg == PKCS5_ALG_PBES2)
		return pkcs5_get_params_pbes2(params, pos, enc_alg_end);

	/* PBES1 */

	/*
	 * PKCS#5, Section 8
	 * PBEParameter ::= SEQUENCE {
	 *   salt OCTET STRING SIZE(8),
	 *   iterationCount INTEGER }
	 *
	 * Note: The same implementation can be used to parse the PKCS #12
	 * version described in RFC 7292, C:
	 * pkcs-12PbeParams ::= SEQUENCE {
	 *     salt        OCTET STRING,
	 *     iterations  INTEGER
	 * }
	 */

	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
			   "(PBEParameter) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	pos = hdr.payload;
	end = hdr.payload + hdr.length;

	/* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_OCTETSTRING ||
	    hdr.length > sizeof(params->salt)) {
		wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
			   "(salt) - found class %d tag 0x%x size %d",
			   hdr.class, hdr.tag, hdr.length);
		return -1;
	}
	pos = hdr.payload + hdr.length;
	os_memcpy(params->salt, hdr.payload, hdr.length);
	params->salt_len = hdr.length;
	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
		    params->salt, params->salt_len);

	/* iterationCount INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
		wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
			   "class %d tag 0x%x", hdr.class, hdr.tag);
		return -1;
	}
	if (hdr.length == 1)
		params->iter_count = *hdr.payload;
	else if (hdr.length == 2)
		params->iter_count = WPA_GET_BE16(hdr.payload);
	else if (hdr.length == 4)
		params->iter_count = WPA_GET_BE32(hdr.payload);
	else {
		wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
			    " (iterationCount)",
			    hdr.payload, hdr.length);
		return -1;
	}
	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
		   params->iter_count);
	if (params->iter_count == 0 || params->iter_count > 0xffff) {
		wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
			   "iterationCount=0x%x", params->iter_count);
		return -1;
	}

	return 0;
}


static struct crypto_cipher *
pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd)
{
	u8 key[24];

	if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC ||
	    params->iv_len != 8)
		return NULL;

	wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2",
			      passwd, os_strlen(passwd));
	wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2",
		    params->salt, params->salt_len);
	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u",
		   params->iter_count);
	if (pbkdf2_sha1(passwd, params->salt, params->salt_len,
			params->iter_count, key, sizeof(key)) < 0)
		return NULL;
	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key));
	wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len);

	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv,
				  key, sizeof(key));
}


static void add_byte_array_mod(u8 *a, const u8 *b, size_t len)
{
	size_t i;
	unsigned int carry = 0;

	for (i = len - 1; i < len; i--) {
		carry = carry + a[i] + b[i];
		a[i] = carry & 0xff;
		carry >>= 8;
	}
}


static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt,
			  size_t salt_len, u8 id, unsigned int iter,
			  size_t out_len, u8 *out)
{
	unsigned int u, v, S_len, P_len, i;
	u8 *D = NULL, *I = NULL, *B = NULL, *pos;
	int res = -1;

	/* RFC 7292, B.2 */
	u = SHA1_MAC_LEN;
	v = 64;

	/* D = copies of ID */
	D = os_malloc(v);
	if (!D)
		goto done;
	os_memset(D, id, v);

	/* S = copies of salt; P = copies of password, I = S || P */
	S_len = v * ((salt_len + v - 1) / v);
	P_len = v * ((pw_len + v - 1) / v);
	I = os_malloc(S_len + P_len);
	if (!I)
		goto done;
	pos = I;
	if (salt_len) {
		for (i = 0; i < S_len; i++)
			*pos++ = salt[i % salt_len];
	}
	if (pw_len) {
		for (i = 0; i < P_len; i++)
			*pos++ = pw[i % pw_len];
	}

	B = os_malloc(v);
	if (!B)
		goto done;

	for (;;) {
		u8 hash[SHA1_MAC_LEN];
		const u8 *addr[2];
		size_t len[2];

		addr[0] = D;
		len[0] = v;
		addr[1] = I;
		len[1] = S_len + P_len;
		if (sha1_vector(2, addr, len, hash) < 0)
			goto done;

		addr[0] = hash;
		len[0] = SHA1_MAC_LEN;
		for (i = 1; i < iter; i++) {
			if (sha1_vector(1, addr, len, hash) < 0)
				goto done;
		}

		if (out_len <= u) {
			os_memcpy(out, hash, out_len);
			res = 0;
			goto done;
		}

		os_memcpy(out, hash, u);
		out += u;
		out_len -= u;

		/* I_j = (I_j + B + 1) mod 2^(v*8) */
		/* B = copies of Ai (final hash value) */
		for (i = 0; i < v; i++)
			B[i] = hash[i % u];
		inc_byte_array(B, v);
		for (i = 0; i < S_len + P_len; i += v)
			add_byte_array_mod(&I[i], B, v);
	}

done:
	os_free(B);
	os_free(I);
	os_free(D);
	return res;
}


#define PKCS12_ID_ENC 1
#define PKCS12_ID_IV 2
#define PKCS12_ID_MAC 3

static struct crypto_cipher *
pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd)
{
	unsigned int i;
	u8 *pw;
	size_t pw_len;
	u8 key[24];
	u8 iv[8];

	if (params->alg != PKCS5_ALG_SHA1_3DES_CBC)
		return NULL;

	pw_len = passwd ? os_strlen(passwd) : 0;
	pw = os_malloc(2 * (pw_len + 1));
	if (!pw)
		return NULL;
	if (pw_len) {
		for (i = 0; i <= pw_len; i++)
			WPA_PUT_BE16(&pw[2 * i], passwd[i]);
		pw_len = 2 * (pw_len + 1);
	}

	if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
			   PKCS12_ID_ENC, params->iter_count,
			   sizeof(key), key) < 0 ||
	    pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
			   PKCS12_ID_IV, params->iter_count,
			   sizeof(iv), iv) < 0) {
		os_free(pw);
		return NULL;
	}

	os_free(pw);

	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key));
	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv));

	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key));
}


static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
						const char *passwd)
{
	unsigned int i;
	u8 hash[MD5_MAC_LEN];
	const u8 *addr[2];
	size_t len[2];

	if (params->alg == PKCS5_ALG_PBES2)
		return pkcs5_crypto_init_pbes2(params, passwd);

	if (params->alg == PKCS5_ALG_SHA1_3DES_CBC)
		return pkcs12_crypto_init_sha1(params, passwd);

	if (params->alg != PKCS5_ALG_MD5_DES_CBC)
		return NULL;

	addr[0] = (const u8 *) passwd;
	len[0] = os_strlen(passwd);
	addr[1] = params->salt;
	len[1] = params->salt_len;
	if (md5_vector(2, addr, len, hash) < 0)
		return NULL;
	addr[0] = hash;
	len[0] = MD5_MAC_LEN;
	for (i = 1; i < params->iter_count; i++) {
		if (md5_vector(1, addr, len, hash) < 0)
			return NULL;
	}
	/* TODO: DES key parity bits(?) */
	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);

	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
}


u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
		   const u8 *enc_data, size_t enc_data_len,
		   const char *passwd, size_t *data_len)
{
	struct crypto_cipher *ctx;
	u8 *eb, pad;
	struct pkcs5_params params;
	unsigned int i;

	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
		wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
		return NULL;
	}

	ctx = pkcs5_crypto_init(&params, passwd);
	if (ctx == NULL) {
		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
		return NULL;
	}

	/* PKCS #5, Section 7 - Decryption process */
	if (enc_data_len < 16 || enc_data_len % 8) {
		wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
			   "%d", (int) enc_data_len);
		crypto_cipher_deinit(ctx);
		return NULL;
	}

	eb = os_malloc(enc_data_len);
	if (eb == NULL) {
		crypto_cipher_deinit(ctx);
		return NULL;
	}

	if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
		crypto_cipher_deinit(ctx);
		os_free(eb);
		return NULL;
	}
	crypto_cipher_deinit(ctx);

	pad = eb[enc_data_len - 1];
	if (pad > 8) {
		wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
		os_free(eb);
		return NULL;
	}
	for (i = enc_data_len - pad; i < enc_data_len; i++) {
		if (eb[i] != pad) {
			wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
				    eb + enc_data_len - pad, pad);
			os_free(eb);
			return NULL;
		}
	}

	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
			eb, enc_data_len - pad);

	*data_len = enc_data_len - pad;
	return eb;
}
Commit	Line	Data
f1739bac JM	1	/*
f1739bac JM	2	* PKCS #5 (Password-based Encryption)
5ce2941b	3	* Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi>
f1739bac	4	*
0f3d578e JM	5	* This software may be distributed under the terms of the BSD license.
0f3d578e JM	6	* See README for more details.
f1739bac JM	7	*/
	8
	9	#include "includes.h"
	10
	11	#include "common.h"
03da66bd JM	12	#include "crypto/crypto.h"
03da66bd JM	13	#include "crypto/md5.h"
4db29e6a	14	#include "crypto/sha1.h"
f1739bac JM	15	#include "asn1.h"
	16	#include "pkcs5.h"
	17
	18
	19	struct pkcs5_params {
	20	enum pkcs5_alg {
	21	PKCS5_ALG_UNKNOWN,
4db29e6a JM	22	PKCS5_ALG_MD5_DES_CBC,
4db29e6a JM	23	PKCS5_ALG_PBES2,
5ce2941b	24	PKCS5_ALG_SHA1_3DES_CBC,
f1739bac	25	} alg;
5ce2941b	26	u8 salt[64];
f1739bac JM	27	size_t salt_len;
f1739bac JM	28	unsigned int iter_count;
4db29e6a JM	29	enum pbes2_enc_alg {
	30	PBES2_ENC_ALG_UNKNOWN,
	31	PBES2_ENC_ALG_DES_EDE3_CBC,
	32	} enc_alg;
	33	u8 iv[8];
	34	size_t iv_len;
f1739bac JM	35	};
	36
	37
4db29e6a JM	38	static int oid_is_rsadsi(struct asn1_oid *oid)
	39	{
	40	return oid->len >= 4 &&
	41	oid->oid[0] == 1 /* iso */ &&
	42	oid->oid[1] == 2 /* member-body */ &&
	43	oid->oid[2] == 840 /* us */ &&
	44	oid->oid[3] == 113549 /* rsadsi */;
	45	}
	46
	47
	48	static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg)
	49	{
	50	return oid->len == 7 &&
	51	oid_is_rsadsi(oid) &&
	52	oid->oid[4] == 1 /* pkcs */ &&
	53	oid->oid[5] == 5 /* pkcs-5 */ &&
	54	oid->oid[6] == alg;
	55	}
	56
	57
	58	static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg)
	59	{
	60	return oid->len == 6 &&
	61	oid_is_rsadsi(oid) &&
	62	oid->oid[4] == 3 /* encryptionAlgorithm */ &&
	63	oid->oid[5] == alg;
	64	}
	65
	66
5ce2941b JM	67	static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg)
	68	{
	69	return oid->len == 8 &&
	70	oid_is_rsadsi(oid) &&
	71	oid->oid[4] == 1 /* pkcs */ &&
	72	oid->oid[5] == 12 /* pkcs-12 */ &&
	73	oid->oid[6] == 1 /* pkcs-12PbeIds */ &&
	74	oid->oid[7] == alg;
	75	}
	76
	77
19df9b07	78	static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
f1739bac	79	{
4db29e6a	80	if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */
f1739bac	81	return PKCS5_ALG_MD5_DES_CBC;
5ce2941b JM	82	if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */
5ce2941b JM	83	return PKCS5_ALG_SHA1_3DES_CBC;
4db29e6a JM	84	if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */
4db29e6a JM	85	return PKCS5_ALG_PBES2;
f1739bac JM	86	return PKCS5_ALG_UNKNOWN;
	87	}
	88
	89
4db29e6a JM	90	static int pkcs5_get_params_pbes2(struct pkcs5_params params, const u8 pos,
	91	const u8 *enc_alg_end)
	92	{
	93	struct asn1_hdr hdr;
	94	const u8 end, kdf_end;
	95	struct asn1_oid oid;
	96	char obuf[80];
	97
	98	/*
	99	* RFC 2898, Ch. A.4
	100	*
	101	* PBES2-params ::= SEQUENCE {
	102	* keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
	103	* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
	104	*
	105	* PBES2-KDFs ALGORITHM-IDENTIFIER ::=
	106	* { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
	107	*/
	108
	109	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 \|\|
	110	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	111	hdr.tag != ASN1_TAG_SEQUENCE) {
	112	wpa_printf(MSG_DEBUG,
	113	"PKCS #5: Expected SEQUENCE (PBES2-params) - found class %d tag 0x%x",
	114	hdr.class, hdr.tag);
	115	return -1;
	116	}
	117	pos = hdr.payload;
	118	end = hdr.payload + hdr.length;
	119
	120	if (asn1_get_next(pos, end - pos, &hdr) < 0 \|\|
	121	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	122	hdr.tag != ASN1_TAG_SEQUENCE) {
	123	wpa_printf(MSG_DEBUG,
	124	"PKCS #5: Expected SEQUENCE (keyDerivationFunc) - found class %d tag 0x%x",
	125	hdr.class, hdr.tag);
	126	return -1;
	127	}
	128
	129	pos = hdr.payload;
	130	kdf_end = end = hdr.payload + hdr.length;
	131
	132	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
	133	wpa_printf(MSG_DEBUG,
	134	"PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)");
	135	return -1;
	136	}
	137
	138	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
	139	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s",
	140	obuf);
	141	if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ {
	142	wpa_printf(MSG_DEBUG,
	143	"PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s",
	144	obuf);
	145	return -1;
	146	}
	147
	148	/*
	149	* RFC 2898, C.
	150	*
	151	* PBKDF2-params ::= SEQUENCE {
	152	* salt CHOICE {
	153	* specified OCTET STRING,
154	* otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
155	* },
156	* iterationCount INTEGER (1..MAX),
157	* keyLength INTEGER (1..MAX) OPTIONAL,
158	* prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
159	* algid-hmacWithSHA1
160	* }
161	*/
162
163	if (asn1_get_next(pos, end - pos, &hdr) < 0 \|\|
164	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
165	hdr.tag != ASN1_TAG_SEQUENCE) {
166	wpa_printf(MSG_DEBUG,
167	"PKCS #5: Expected SEQUENCE (PBKDF2-params) - found class %d tag 0x%x",
168	hdr.class, hdr.tag);
169	return -1;
170	}
171
172	pos = hdr.payload;
173	end = hdr.payload + hdr.length;
174
175	/* For now, only support the salt CHOICE specified (OCTET STRING) */
176	if (asn1_get_next(pos, end - pos, &hdr) < 0 \|\|
177	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
178	hdr.tag != ASN1_TAG_OCTETSTRING \|\|
179	hdr.length > sizeof(params->salt)) {
180	wpa_printf(MSG_DEBUG,
181	"PKCS #5: Expected OCTET STRING (salt.specified) - found class %d tag 0x%x size %d",
182	hdr.class, hdr.tag, hdr.length);
183	return -1;
184	}
185	pos = hdr.payload + hdr.length;
186	os_memcpy(params->salt, hdr.payload, hdr.length);
187	params->salt_len = hdr.length;
188	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len);
189
190	/* iterationCount INTEGER */
191	if (asn1_get_next(pos, end - pos, &hdr) < 0 \|\|
192	hdr.class != ASN1_CLASS_UNIVERSAL \|\| hdr.tag != ASN1_TAG_INTEGER) {
193	wpa_printf(MSG_DEBUG,
194	"PKCS #5: Expected INTEGER - found class %d tag 0x%x",
195	hdr.class, hdr.tag);
196	return -1;
197	}
198	if (hdr.length == 1) {
199	params->iter_count = *hdr.payload;
200	} else if (hdr.length == 2) {
201	params->iter_count = WPA_GET_BE16(hdr.payload);
202	} else if (hdr.length == 4) {
203	params->iter_count = WPA_GET_BE32(hdr.payload);
204	} else {
205	wpa_hexdump(MSG_DEBUG,
206	"PKCS #5: Unsupported INTEGER value (iterationCount)",
207	hdr.payload, hdr.length);
208	return -1;
209	}
210	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
211	params->iter_count);
212	if (params->iter_count == 0 \|\| params->iter_count > 0xffff) {
213	wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x",
214	params->iter_count);
215	return -1;
216	}
217
218	/* For now, ignore optional keyLength and prf */
219
220	pos = kdf_end;
221
222	/* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */
223
224	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 \|\|
225	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
226	hdr.tag != ASN1_TAG_SEQUENCE) {
227	wpa_printf(MSG_DEBUG,
228	"PKCS #5: Expected SEQUENCE (encryptionScheme) - found class %d tag 0x%x",
229	hdr.class, hdr.tag);
230	return -1;
231	}
232
233	pos = hdr.payload;
234	end = hdr.payload + hdr.length;
235
236	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
237	wpa_printf(MSG_DEBUG,
238	"PKCS #5: Failed to parse OID (encryptionScheme algorithm)");
239	return -1;
240	}
241
242	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
243	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s",
244	obuf);
245	if (enc_alg_is_oid(&oid, 7)) {
246	params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC;
247	} else {
248	wpa_printf(MSG_DEBUG,
249	"PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s",
250	obuf);
251	return -1;
252	}
253
254	/*
255	* RFC 2898, B.2.2:
256	* The parameters field associated with this OID in an
257	* AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
258	* specifying the initialization vector for CBC mode.
259	*/
260	if (asn1_get_next(pos, end - pos, &hdr) < 0 \|\|
261	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
262	hdr.tag != ASN1_TAG_OCTETSTRING \|\|
263	hdr.length != 8) {
264	wpa_printf(MSG_DEBUG,
265	"PKCS #5: Expected OCTET STRING (SIZE(8)) (IV) - found class %d tag 0x%x size %d",
266	hdr.class, hdr.tag, hdr.length);
267	return -1;
268	}
269	os_memcpy(params->iv, hdr.payload, hdr.length);
270	params->iv_len = hdr.length;
271	wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len);
272
273	return 0;
274	}
275
276
f1739bac JM	277	static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
	278	struct pkcs5_params *params)
	279	{
	280	struct asn1_hdr hdr;
	281	const u8 enc_alg_end, pos, *end;
	282	struct asn1_oid oid;
	283	char obuf[80];
	284
	285	/* AlgorithmIdentifier */
	286
	287	enc_alg_end = enc_alg + enc_alg_len;
	288
	289	os_memset(params, 0, sizeof(*params));
	290
	291	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
	292	wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
	293	"(algorithm)");
	294	return -1;
	295	}
	296
	297	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
	298	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
	299	params->alg = pkcs5_get_alg(&oid);
	300	if (params->alg == PKCS5_ALG_UNKNOWN) {
	301	wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
	302	"algorithm %s", obuf);
	303	return -1;
	304	}
	305
4db29e6a JM	306	if (params->alg == PKCS5_ALG_PBES2)
	307	return pkcs5_get_params_pbes2(params, pos, enc_alg_end);
	308
	309	/* PBES1 */
	310
f1739bac JM	311	/*
	312	* PKCS#5, Section 8
	313	* PBEParameter ::= SEQUENCE {
	314	* salt OCTET STRING SIZE(8),
	315	* iterationCount INTEGER }
5ce2941b JM	316	*
	317	* Note: The same implementation can be used to parse the PKCS #12
	318	* version described in RFC 7292, C:
	319	* pkcs-12PbeParams ::= SEQUENCE {
	320	* salt OCTET STRING,
	321	* iterations INTEGER
	322	* }
f1739bac JM	323	*/
	324
	325	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 \|\|
	326	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	327	hdr.tag != ASN1_TAG_SEQUENCE) {
	328	wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
	329	"(PBEParameter) - found class %d tag 0x%x",
	330	hdr.class, hdr.tag);
	331	return -1;
	332	}
	333	pos = hdr.payload;
	334	end = hdr.payload + hdr.length;
	335
5ce2941b	336	/* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
f1739bac JM	337	if (asn1_get_next(pos, end - pos, &hdr) < 0 \|\|
	338	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	339	hdr.tag != ASN1_TAG_OCTETSTRING \|\|
5ce2941b	340	hdr.length > sizeof(params->salt)) {
f1739bac JM	341	wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
	342	"(salt) - found class %d tag 0x%x size %d",
	343	hdr.class, hdr.tag, hdr.length);
	344	return -1;
	345	}
	346	pos = hdr.payload + hdr.length;
	347	os_memcpy(params->salt, hdr.payload, hdr.length);
	348	params->salt_len = hdr.length;
	349	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
	350	params->salt, params->salt_len);
	351
	352	/* iterationCount INTEGER */
	353	if (asn1_get_next(pos, end - pos, &hdr) < 0 \|\|
	354	hdr.class != ASN1_CLASS_UNIVERSAL \|\| hdr.tag != ASN1_TAG_INTEGER) {
	355	wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
	356	"class %d tag 0x%x", hdr.class, hdr.tag);
	357	return -1;
	358	}
	359	if (hdr.length == 1)
	360	params->iter_count = *hdr.payload;
	361	else if (hdr.length == 2)
	362	params->iter_count = WPA_GET_BE16(hdr.payload);
	363	else if (hdr.length == 4)
	364	params->iter_count = WPA_GET_BE32(hdr.payload);
	365	else {
	366	wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
	367	" (iterationCount)",
	368	hdr.payload, hdr.length);
	369	return -1;
	370	}
	371	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
	372	params->iter_count);
	373	if (params->iter_count == 0 \|\| params->iter_count > 0xffff) {
	374	wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
	375	"iterationCount=0x%x", params->iter_count);
	376	return -1;
	377	}
	378
	379	return 0;
	380	}
	381
	382
4db29e6a JM	383	static struct crypto_cipher *
	384	pkcs5_crypto_init_pbes2(struct pkcs5_params params, const char passwd)
	385	{
	386	u8 key[24];
	387
	388	if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC \|\|
	389	params->iv_len != 8)
	390	return NULL;
	391
	392	wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2",
	393	passwd, os_strlen(passwd));
	394	wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2",
	395	params->salt, params->salt_len);
	396	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u",
	397	params->iter_count);
	398	if (pbkdf2_sha1(passwd, params->salt, params->salt_len,
	399	params->iter_count, key, sizeof(key)) < 0)
	400	return NULL;
	401	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key));
	402	wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len);
	403
	404	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv,
	405	key, sizeof(key));
	406	}
	407
	408
5ce2941b JM	409	static void add_byte_array_mod(u8 a, const u8 b, size_t len)
	410	{
	411	size_t i;
	412	unsigned int carry = 0;
	413
	414	for (i = len - 1; i < len; i--) {
	415	carry = carry + a[i] + b[i];
	416	a[i] = carry & 0xff;
	417	carry >>= 8;
	418	}
	419	}
	420
	421
	422	static int pkcs12_key_gen(const u8 pw, size_t pw_len, const u8 salt,
	423	size_t salt_len, u8 id, unsigned int iter,
	424	size_t out_len, u8 *out)
	425	{
	426	unsigned int u, v, S_len, P_len, i;
	427	u8 D = NULL, I = NULL, B = NULL, pos;
	428	int res = -1;
	429
	430	/* RFC 7292, B.2 */
	431	u = SHA1_MAC_LEN;
	432	v = 64;
	433
	434	/* D = copies of ID */
	435	D = os_malloc(v);
	436	if (!D)
	437	goto done;
	438	os_memset(D, id, v);
	439
	440	/* S = copies of salt; P = copies of password, I = S \|\| P */
	441	S_len = v * ((salt_len + v - 1) / v);
	442	P_len = v * ((pw_len + v - 1) / v);
	443	I = os_malloc(S_len + P_len);
	444	if (!I)
	445	goto done;
	446	pos = I;
	447	if (salt_len) {
	448	for (i = 0; i < S_len; i++)
	449	*pos++ = salt[i % salt_len];
	450	}
	451	if (pw_len) {
	452	for (i = 0; i < P_len; i++)
	453	*pos++ = pw[i % pw_len];
	454	}
	455
	456	B = os_malloc(v);
	457	if (!B)
	458	goto done;
	459
	460	for (;;) {
	461	u8 hash[SHA1_MAC_LEN];
	462	const u8 *addr[2];
	463	size_t len[2];
	464
	465	addr[0] = D;
	466	len[0] = v;
	467	addr[1] = I;
	468	len[1] = S_len + P_len;
	469	if (sha1_vector(2, addr, len, hash) < 0)
	470	goto done;
	471
	472	addr[0] = hash;
473	len[0] = SHA1_MAC_LEN;
474	for (i = 1; i < iter; i++) {
475	if (sha1_vector(1, addr, len, hash) < 0)
476	goto done;
477	}
478
479	if (out_len <= u) {
480	os_memcpy(out, hash, out_len);
481	res = 0;
482	goto done;
483	}
484
485	os_memcpy(out, hash, u);
486	out += u;
487	out_len -= u;
488
489	/* I_j = (I_j + B + 1) mod 2^(v8) /
490	/* B = copies of Ai (final hash value) */
491	for (i = 0; i < v; i++)
492	B[i] = hash[i % u];
493	inc_byte_array(B, v);
494	for (i = 0; i < S_len + P_len; i += v)
495	add_byte_array_mod(&I[i], B, v);
496	}
497
498	done:
499	os_free(B);
500	os_free(I);
501	os_free(D);
502	return res;
503	}
504
505
506	#define PKCS12_ID_ENC 1
507	#define PKCS12_ID_IV 2
508	#define PKCS12_ID_MAC 3
509
510	static struct crypto_cipher *
511	pkcs12_crypto_init_sha1(struct pkcs5_params params, const char passwd)
512	{
513	unsigned int i;
514	u8 *pw;
515	size_t pw_len;
516	u8 key[24];
517	u8 iv[8];
518
519	if (params->alg != PKCS5_ALG_SHA1_3DES_CBC)
520	return NULL;
521
522	pw_len = passwd ? os_strlen(passwd) : 0;
523	pw = os_malloc(2 * (pw_len + 1));
524	if (!pw)
525	return NULL;
526	if (pw_len) {
527	for (i = 0; i <= pw_len; i++)
528	WPA_PUT_BE16(&pw[2 * i], passwd[i]);
529	pw_len = 2 * (pw_len + 1);
530	}
531
532	if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
533	PKCS12_ID_ENC, params->iter_count,
534	sizeof(key), key) < 0 \|\|
535	pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
536	PKCS12_ID_IV, params->iter_count,
537	sizeof(iv), iv) < 0) {
538	os_free(pw);
539	return NULL;
540	}
541
542	os_free(pw);
543
544	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key));
545	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv));
546
547	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key));
548	}
549
550
f1739bac JM	551	static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
	552	const char *passwd)
	553	{
	554	unsigned int i;
	555	u8 hash[MD5_MAC_LEN];
	556	const u8 *addr[2];
	557	size_t len[2];
	558
4db29e6a JM	559	if (params->alg == PKCS5_ALG_PBES2)
	560	return pkcs5_crypto_init_pbes2(params, passwd);
	561
5ce2941b JM	562	if (params->alg == PKCS5_ALG_SHA1_3DES_CBC)
	563	return pkcs12_crypto_init_sha1(params, passwd);
	564
f1739bac JM	565	if (params->alg != PKCS5_ALG_MD5_DES_CBC)
	566	return NULL;
	567
	568	addr[0] = (const u8 *) passwd;
	569	len[0] = os_strlen(passwd);
	570	addr[1] = params->salt;
	571	len[1] = params->salt_len;
	572	if (md5_vector(2, addr, len, hash) < 0)
	573	return NULL;
	574	addr[0] = hash;
	575	len[0] = MD5_MAC_LEN;
	576	for (i = 1; i < params->iter_count; i++) {
	577	if (md5_vector(1, addr, len, hash) < 0)
	578	return NULL;
	579	}
	580	/* TODO: DES key parity bits(?) */
	581	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
	582	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
	583
	584	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
	585	}
	586
	587
	588	u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
	589	const u8 *enc_data, size_t enc_data_len,
	590	const char passwd, size_t data_len)
	591	{
	592	struct crypto_cipher *ctx;
	593	u8 *eb, pad;
	594	struct pkcs5_params params;
	595	unsigned int i;
	596
	597	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
	598	wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
	599	return NULL;
	600	}
	601
	602	ctx = pkcs5_crypto_init(&params, passwd);
	603	if (ctx == NULL) {
	604	wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
	605	return NULL;
	606	}
	607
	608	/* PKCS #5, Section 7 - Decryption process */
	609	if (enc_data_len < 16 \|\| enc_data_len % 8) {
	610	wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
	611	"%d", (int) enc_data_len);
	612	crypto_cipher_deinit(ctx);
	613	return NULL;
	614	}
	615
	616	eb = os_malloc(enc_data_len);
	617	if (eb == NULL) {
	618	crypto_cipher_deinit(ctx);
	619	return NULL;
	620	}
	621
	622	if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
	623	wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
	624	crypto_cipher_deinit(ctx);
	625	os_free(eb);
	626	return NULL;
	627	}
	628	crypto_cipher_deinit(ctx);
629
630	pad = eb[enc_data_len - 1];
631	if (pad > 8) {
632	wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
633	os_free(eb);
634	return NULL;
635	}
636	for (i = enc_data_len - pad; i < enc_data_len; i++) {
637	if (eb[i] != pad) {
638	wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
639	eb + enc_data_len - pad, pad);
640	os_free(eb);
641	return NULL;
642	}
643	}
644
645	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
646	eb, enc_data_len - pad);
647
648	*data_len = enc_data_len - pad;
649	return eb;
650	}