xref: /freebsd/contrib/wpa/src/tls/pkcs5.c (revision c1d255d3ffdbe447de3ab875bf4e7d7accc5bfc5) 
1e28a4053SRui Paulo /*
2e28a4053SRui Paulo  * PKCS #5 (Password-based Encryption)
3780fb4a2SCy Schubert  * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi>
4e28a4053SRui Paulo  *
5f05cddf9SRui Paulo  * This software may be distributed under the terms of the BSD license.
6f05cddf9SRui Paulo  * See README for more details.
7e28a4053SRui Paulo  */
8e28a4053SRui Paulo 
9e28a4053SRui Paulo #include "includes.h"
10e28a4053SRui Paulo 
11e28a4053SRui Paulo #include "common.h"
12e28a4053SRui Paulo #include "crypto/crypto.h"
13e28a4053SRui Paulo #include "crypto/md5.h"
14780fb4a2SCy Schubert #include "crypto/sha1.h"
15e28a4053SRui Paulo #include "asn1.h"
16e28a4053SRui Paulo #include "pkcs5.h"
17e28a4053SRui Paulo 
18e28a4053SRui Paulo 
19e28a4053SRui Paulo struct pkcs5_params {
20e28a4053SRui Paulo 	enum pkcs5_alg {
21e28a4053SRui Paulo 		PKCS5_ALG_UNKNOWN,
22780fb4a2SCy Schubert 		PKCS5_ALG_MD5_DES_CBC,
23780fb4a2SCy Schubert 		PKCS5_ALG_PBES2,
24780fb4a2SCy Schubert 		PKCS5_ALG_SHA1_3DES_CBC,
25e28a4053SRui Paulo 	} alg;
26780fb4a2SCy Schubert 	u8 salt[64];
27e28a4053SRui Paulo 	size_t salt_len;
28e28a4053SRui Paulo 	unsigned int iter_count;
29780fb4a2SCy Schubert 	enum pbes2_enc_alg {
30780fb4a2SCy Schubert 		PBES2_ENC_ALG_UNKNOWN,
31780fb4a2SCy Schubert 		PBES2_ENC_ALG_DES_EDE3_CBC,
32780fb4a2SCy Schubert 	} enc_alg;
33780fb4a2SCy Schubert 	u8 iv[8];
34780fb4a2SCy Schubert 	size_t iv_len;
35e28a4053SRui Paulo };
36e28a4053SRui Paulo 
37e28a4053SRui Paulo 
oid_is_rsadsi(struct asn1_oid * oid)38780fb4a2SCy Schubert static int oid_is_rsadsi(struct asn1_oid *oid)
39780fb4a2SCy Schubert {
40780fb4a2SCy Schubert 	return oid->len >= 4 &&
41780fb4a2SCy Schubert 		oid->oid[0] == 1 /* iso */ &&
42780fb4a2SCy Schubert 		oid->oid[1] == 2 /* member-body */ &&
43780fb4a2SCy Schubert 		oid->oid[2] == 840 /* us */ &&
44780fb4a2SCy Schubert 		oid->oid[3] == 113549 /* rsadsi */;
45780fb4a2SCy Schubert }
46780fb4a2SCy Schubert 
47780fb4a2SCy Schubert 
pkcs5_is_oid(struct asn1_oid * oid,unsigned long alg)48780fb4a2SCy Schubert static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg)
49780fb4a2SCy Schubert {
50780fb4a2SCy Schubert 	return oid->len == 7 &&
51780fb4a2SCy Schubert 		oid_is_rsadsi(oid) &&
52780fb4a2SCy Schubert 		oid->oid[4] == 1 /* pkcs */ &&
53780fb4a2SCy Schubert 		oid->oid[5] == 5 /* pkcs-5 */ &&
54780fb4a2SCy Schubert 		oid->oid[6] == alg;
55780fb4a2SCy Schubert }
56780fb4a2SCy Schubert 
57780fb4a2SCy Schubert 
enc_alg_is_oid(struct asn1_oid * oid,unsigned long alg)58780fb4a2SCy Schubert static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg)
59780fb4a2SCy Schubert {
60780fb4a2SCy Schubert 	return oid->len == 6 &&
61780fb4a2SCy Schubert 		oid_is_rsadsi(oid) &&
62780fb4a2SCy Schubert 		oid->oid[4] == 3 /* encryptionAlgorithm */ &&
63780fb4a2SCy Schubert 		oid->oid[5] == alg;
64780fb4a2SCy Schubert }
65780fb4a2SCy Schubert 
66780fb4a2SCy Schubert 
pkcs12_is_pbe_oid(struct asn1_oid * oid,unsigned long alg)67780fb4a2SCy Schubert static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg)
68780fb4a2SCy Schubert {
69780fb4a2SCy Schubert 	return oid->len == 8 &&
70780fb4a2SCy Schubert 		oid_is_rsadsi(oid) &&
71780fb4a2SCy Schubert 		oid->oid[4] == 1 /* pkcs */ &&
72780fb4a2SCy Schubert 		oid->oid[5] == 12 /* pkcs-12 */ &&
73780fb4a2SCy Schubert 		oid->oid[6] == 1 /* pkcs-12PbeIds */ &&
74780fb4a2SCy Schubert 		oid->oid[7] == alg;
75780fb4a2SCy Schubert }
76780fb4a2SCy Schubert 
77780fb4a2SCy Schubert 
pkcs5_get_alg(struct asn1_oid * oid)78f05cddf9SRui Paulo static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
79e28a4053SRui Paulo {
80780fb4a2SCy Schubert 	if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */
81e28a4053SRui Paulo 		return PKCS5_ALG_MD5_DES_CBC;
82780fb4a2SCy Schubert 	if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */
83780fb4a2SCy Schubert 		return PKCS5_ALG_SHA1_3DES_CBC;
84780fb4a2SCy Schubert 	if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */
85780fb4a2SCy Schubert 		return PKCS5_ALG_PBES2;
86e28a4053SRui Paulo 	return PKCS5_ALG_UNKNOWN;
87e28a4053SRui Paulo }
88e28a4053SRui Paulo 
89e28a4053SRui Paulo 
pkcs5_get_params_pbes2(struct pkcs5_params * params,const u8 * pos,const u8 * enc_alg_end)90780fb4a2SCy Schubert static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
91780fb4a2SCy Schubert 				  const u8 *enc_alg_end)
92780fb4a2SCy Schubert {
93780fb4a2SCy Schubert 	struct asn1_hdr hdr;
94780fb4a2SCy Schubert 	const u8 *end, *kdf_end;
95780fb4a2SCy Schubert 	struct asn1_oid oid;
96780fb4a2SCy Schubert 	char obuf[80];
97780fb4a2SCy Schubert 
98780fb4a2SCy Schubert 	/*
99780fb4a2SCy Schubert 	 * RFC 2898, Ch. A.4
100780fb4a2SCy Schubert 	 *
101780fb4a2SCy Schubert 	 * PBES2-params ::= SEQUENCE {
102780fb4a2SCy Schubert 	 *     keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
103780fb4a2SCy Schubert 	 *     encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
104780fb4a2SCy Schubert 	 *
105780fb4a2SCy Schubert 	 * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
106780fb4a2SCy Schubert 	 *     { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
107780fb4a2SCy Schubert 	 */
108780fb4a2SCy Schubert 
109780fb4a2SCy Schubert 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
110*c1d255d3SCy Schubert 	    !asn1_is_sequence(&hdr)) {
111*c1d255d3SCy Schubert 		asn1_unexpected(&hdr,
112*c1d255d3SCy Schubert 				"PKCS #5: Expected SEQUENCE (PBES2-params)");
113780fb4a2SCy Schubert 		return -1;
114780fb4a2SCy Schubert 	}
115780fb4a2SCy Schubert 	pos = hdr.payload;
116780fb4a2SCy Schubert 	end = hdr.payload + hdr.length;
117780fb4a2SCy Schubert 
118780fb4a2SCy Schubert 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
119*c1d255d3SCy Schubert 	    !asn1_is_sequence(&hdr)) {
120*c1d255d3SCy Schubert 		asn1_unexpected(&hdr,
121*c1d255d3SCy Schubert 				"PKCS #5: Expected SEQUENCE (keyDerivationFunc)");
122780fb4a2SCy Schubert 		return -1;
123780fb4a2SCy Schubert 	}
124780fb4a2SCy Schubert 
125780fb4a2SCy Schubert 	pos = hdr.payload;
126780fb4a2SCy Schubert 	kdf_end = end = hdr.payload + hdr.length;
127780fb4a2SCy Schubert 
128780fb4a2SCy Schubert 	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
129780fb4a2SCy Schubert 		wpa_printf(MSG_DEBUG,
130780fb4a2SCy Schubert 			   "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)");
131780fb4a2SCy Schubert 		return -1;
132780fb4a2SCy Schubert 	}
133780fb4a2SCy Schubert 
134780fb4a2SCy Schubert 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
135780fb4a2SCy Schubert 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s",
136780fb4a2SCy Schubert 		   obuf);
137780fb4a2SCy Schubert 	if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ {
138780fb4a2SCy Schubert 		wpa_printf(MSG_DEBUG,
139780fb4a2SCy Schubert 			   "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s",
140780fb4a2SCy Schubert 			   obuf);
141780fb4a2SCy Schubert 		return -1;
142780fb4a2SCy Schubert 	}
143780fb4a2SCy Schubert 
144780fb4a2SCy Schubert 	/*
145780fb4a2SCy Schubert 	 * RFC 2898, C.
146780fb4a2SCy Schubert 	 *
147780fb4a2SCy Schubert 	 * PBKDF2-params ::= SEQUENCE {
148780fb4a2SCy Schubert 	 *     salt CHOICE {
149780fb4a2SCy Schubert 	 *       specified OCTET STRING,
150780fb4a2SCy Schubert 	 *       otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
151780fb4a2SCy Schubert 	 *     },
152780fb4a2SCy Schubert 	 *     iterationCount INTEGER (1..MAX),
153780fb4a2SCy Schubert 	 *     keyLength INTEGER (1..MAX) OPTIONAL,
154780fb4a2SCy Schubert 	 *     prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
155780fb4a2SCy Schubert 	 *     algid-hmacWithSHA1
156780fb4a2SCy Schubert 	 * }
157780fb4a2SCy Schubert 	 */
158780fb4a2SCy Schubert 
159780fb4a2SCy Schubert 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
160*c1d255d3SCy Schubert 	    !asn1_is_sequence(&hdr)) {
161*c1d255d3SCy Schubert 		asn1_unexpected(&hdr,
162*c1d255d3SCy Schubert 				"PKCS #5: Expected SEQUENCE (PBKDF2-params)");
163780fb4a2SCy Schubert 		return -1;
164780fb4a2SCy Schubert 	}
165780fb4a2SCy Schubert 
166780fb4a2SCy Schubert 	pos = hdr.payload;
167780fb4a2SCy Schubert 	end = hdr.payload + hdr.length;
168780fb4a2SCy Schubert 
169780fb4a2SCy Schubert 	/* For now, only support the salt CHOICE specified (OCTET STRING) */
170780fb4a2SCy Schubert 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
171*c1d255d3SCy Schubert 	    !asn1_is_octetstring(&hdr) ||
172780fb4a2SCy Schubert 	    hdr.length > sizeof(params->salt)) {
173*c1d255d3SCy Schubert 		asn1_unexpected(&hdr,
174*c1d255d3SCy Schubert 				"PKCS #5: Expected OCTET STRING (salt.specified)");
175780fb4a2SCy Schubert 		return -1;
176780fb4a2SCy Schubert 	}
177780fb4a2SCy Schubert 	pos = hdr.payload + hdr.length;
178780fb4a2SCy Schubert 	os_memcpy(params->salt, hdr.payload, hdr.length);
179780fb4a2SCy Schubert 	params->salt_len = hdr.length;
180780fb4a2SCy Schubert 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len);
181780fb4a2SCy Schubert 
182780fb4a2SCy Schubert 	/* iterationCount INTEGER */
183*c1d255d3SCy Schubert 	if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
184*c1d255d3SCy Schubert 		asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
185780fb4a2SCy Schubert 		return -1;
186780fb4a2SCy Schubert 	}
187780fb4a2SCy Schubert 	if (hdr.length == 1) {
188780fb4a2SCy Schubert 		params->iter_count = *hdr.payload;
189780fb4a2SCy Schubert 	} else if (hdr.length == 2) {
190780fb4a2SCy Schubert 		params->iter_count = WPA_GET_BE16(hdr.payload);
191780fb4a2SCy Schubert 	} else if (hdr.length == 4) {
192780fb4a2SCy Schubert 		params->iter_count = WPA_GET_BE32(hdr.payload);
193780fb4a2SCy Schubert 	} else {
194780fb4a2SCy Schubert 		wpa_hexdump(MSG_DEBUG,
195780fb4a2SCy Schubert 			    "PKCS #5: Unsupported INTEGER value (iterationCount)",
196780fb4a2SCy Schubert 			    hdr.payload, hdr.length);
197780fb4a2SCy Schubert 		return -1;
198780fb4a2SCy Schubert 	}
199780fb4a2SCy Schubert 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
200780fb4a2SCy Schubert 		   params->iter_count);
201780fb4a2SCy Schubert 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
202780fb4a2SCy Schubert 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x",
203780fb4a2SCy Schubert 			   params->iter_count);
204780fb4a2SCy Schubert 		return -1;
205780fb4a2SCy Schubert 	}
206780fb4a2SCy Schubert 
207780fb4a2SCy Schubert 	/* For now, ignore optional keyLength and prf */
208780fb4a2SCy Schubert 
209780fb4a2SCy Schubert 	pos = kdf_end;
210780fb4a2SCy Schubert 
211780fb4a2SCy Schubert 	/* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */
212780fb4a2SCy Schubert 
213780fb4a2SCy Schubert 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
214*c1d255d3SCy Schubert 	    !asn1_is_sequence(&hdr)) {
215*c1d255d3SCy Schubert 		asn1_unexpected(&hdr,
216*c1d255d3SCy Schubert 				"PKCS #5: Expected SEQUENCE (encryptionScheme)");
217780fb4a2SCy Schubert 		return -1;
218780fb4a2SCy Schubert 	}
219780fb4a2SCy Schubert 
220780fb4a2SCy Schubert 	pos = hdr.payload;
221780fb4a2SCy Schubert 	end = hdr.payload + hdr.length;
222780fb4a2SCy Schubert 
223780fb4a2SCy Schubert 	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
224780fb4a2SCy Schubert 		wpa_printf(MSG_DEBUG,
225780fb4a2SCy Schubert 			   "PKCS #5: Failed to parse OID (encryptionScheme algorithm)");
226780fb4a2SCy Schubert 		return -1;
227780fb4a2SCy Schubert 	}
228780fb4a2SCy Schubert 
229780fb4a2SCy Schubert 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
230780fb4a2SCy Schubert 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s",
231780fb4a2SCy Schubert 		   obuf);
232780fb4a2SCy Schubert 	if (enc_alg_is_oid(&oid, 7)) {
233780fb4a2SCy Schubert 		params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC;
234780fb4a2SCy Schubert 	} else {
235780fb4a2SCy Schubert 		wpa_printf(MSG_DEBUG,
236780fb4a2SCy Schubert 			   "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s",
237780fb4a2SCy Schubert 			   obuf);
238780fb4a2SCy Schubert 		return -1;
239780fb4a2SCy Schubert 	}
240780fb4a2SCy Schubert 
241780fb4a2SCy Schubert 	/*
242780fb4a2SCy Schubert 	 * RFC 2898, B.2.2:
243780fb4a2SCy Schubert 	 * The parameters field associated with this OID in an
244780fb4a2SCy Schubert 	 * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
245780fb4a2SCy Schubert 	 * specifying the initialization vector for CBC mode.
246780fb4a2SCy Schubert 	 */
247780fb4a2SCy Schubert 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
248*c1d255d3SCy Schubert 	    !asn1_is_octetstring(&hdr) || hdr.length != 8) {
249*c1d255d3SCy Schubert 		asn1_unexpected(&hdr,
250*c1d255d3SCy Schubert 				"PKCS #5: Expected OCTET STRING (SIZE(8)) (IV)");
251780fb4a2SCy Schubert 		return -1;
252780fb4a2SCy Schubert 	}
253780fb4a2SCy Schubert 	os_memcpy(params->iv, hdr.payload, hdr.length);
254780fb4a2SCy Schubert 	params->iv_len = hdr.length;
255780fb4a2SCy Schubert 	wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len);
256780fb4a2SCy Schubert 
257780fb4a2SCy Schubert 	return 0;
258780fb4a2SCy Schubert }
259780fb4a2SCy Schubert 
260780fb4a2SCy Schubert 
pkcs5_get_params(const u8 * enc_alg,size_t enc_alg_len,struct pkcs5_params * params)261e28a4053SRui Paulo static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
262e28a4053SRui Paulo 			    struct pkcs5_params *params)
263e28a4053SRui Paulo {
264e28a4053SRui Paulo 	struct asn1_hdr hdr;
265e28a4053SRui Paulo 	const u8 *enc_alg_end, *pos, *end;
266e28a4053SRui Paulo 	struct asn1_oid oid;
267e28a4053SRui Paulo 	char obuf[80];
268e28a4053SRui Paulo 
269e28a4053SRui Paulo 	/* AlgorithmIdentifier */
270e28a4053SRui Paulo 
271e28a4053SRui Paulo 	enc_alg_end = enc_alg + enc_alg_len;
272e28a4053SRui Paulo 
273e28a4053SRui Paulo 	os_memset(params, 0, sizeof(*params));
274e28a4053SRui Paulo 
275e28a4053SRui Paulo 	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
276e28a4053SRui Paulo 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
277e28a4053SRui Paulo 			   "(algorithm)");
278e28a4053SRui Paulo 		return -1;
279e28a4053SRui Paulo 	}
280e28a4053SRui Paulo 
281e28a4053SRui Paulo 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
282e28a4053SRui Paulo 	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
283e28a4053SRui Paulo 	params->alg = pkcs5_get_alg(&oid);
284e28a4053SRui Paulo 	if (params->alg == PKCS5_ALG_UNKNOWN) {
285e28a4053SRui Paulo 		wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
286e28a4053SRui Paulo 			   "algorithm %s", obuf);
287e28a4053SRui Paulo 		return -1;
288e28a4053SRui Paulo 	}
289e28a4053SRui Paulo 
290780fb4a2SCy Schubert 	if (params->alg == PKCS5_ALG_PBES2)
291780fb4a2SCy Schubert 		return pkcs5_get_params_pbes2(params, pos, enc_alg_end);
292780fb4a2SCy Schubert 
293780fb4a2SCy Schubert 	/* PBES1 */
294780fb4a2SCy Schubert 
295e28a4053SRui Paulo 	/*
296e28a4053SRui Paulo 	 * PKCS#5, Section 8
297e28a4053SRui Paulo 	 * PBEParameter ::= SEQUENCE {
298e28a4053SRui Paulo 	 *   salt OCTET STRING SIZE(8),
299e28a4053SRui Paulo 	 *   iterationCount INTEGER }
300780fb4a2SCy Schubert 	 *
301780fb4a2SCy Schubert 	 * Note: The same implementation can be used to parse the PKCS #12
302780fb4a2SCy Schubert 	 * version described in RFC 7292, C:
303780fb4a2SCy Schubert 	 * pkcs-12PbeParams ::= SEQUENCE {
304780fb4a2SCy Schubert 	 *     salt        OCTET STRING,
305780fb4a2SCy Schubert 	 *     iterations  INTEGER
306780fb4a2SCy Schubert 	 * }
307e28a4053SRui Paulo 	 */
308e28a4053SRui Paulo 
309e28a4053SRui Paulo 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
310*c1d255d3SCy Schubert 	    !asn1_is_sequence(&hdr)) {
311*c1d255d3SCy Schubert 		asn1_unexpected(&hdr,
312*c1d255d3SCy Schubert 				"PKCS #5: Expected SEQUENCE (PBEParameter)");
313e28a4053SRui Paulo 		return -1;
314e28a4053SRui Paulo 	}
315e28a4053SRui Paulo 	pos = hdr.payload;
316e28a4053SRui Paulo 	end = hdr.payload + hdr.length;
317e28a4053SRui Paulo 
318780fb4a2SCy Schubert 	/* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
319e28a4053SRui Paulo 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
320*c1d255d3SCy Schubert 	    !asn1_is_octetstring(&hdr) || hdr.length > sizeof(params->salt)) {
321*c1d255d3SCy Schubert 		asn1_unexpected(&hdr,
322*c1d255d3SCy Schubert 				"PKCS #5: Expected OCTETSTRING SIZE(8) (salt)");
323e28a4053SRui Paulo 		return -1;
324e28a4053SRui Paulo 	}
325e28a4053SRui Paulo 	pos = hdr.payload + hdr.length;
326e28a4053SRui Paulo 	os_memcpy(params->salt, hdr.payload, hdr.length);
327e28a4053SRui Paulo 	params->salt_len = hdr.length;
328e28a4053SRui Paulo 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
329e28a4053SRui Paulo 		    params->salt, params->salt_len);
330e28a4053SRui Paulo 
331e28a4053SRui Paulo 	/* iterationCount INTEGER */
332e28a4053SRui Paulo 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
333*c1d255d3SCy Schubert 	    !asn1_is_integer(&hdr)) {
334*c1d255d3SCy Schubert 		asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
335e28a4053SRui Paulo 		return -1;
336e28a4053SRui Paulo 	}
337e28a4053SRui Paulo 	if (hdr.length == 1)
338e28a4053SRui Paulo 		params->iter_count = *hdr.payload;
339e28a4053SRui Paulo 	else if (hdr.length == 2)
340e28a4053SRui Paulo 		params->iter_count = WPA_GET_BE16(hdr.payload);
341e28a4053SRui Paulo 	else if (hdr.length == 4)
342e28a4053SRui Paulo 		params->iter_count = WPA_GET_BE32(hdr.payload);
343e28a4053SRui Paulo 	else {
344e28a4053SRui Paulo 		wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
345e28a4053SRui Paulo 			    " (iterationCount)",
346e28a4053SRui Paulo 			    hdr.payload, hdr.length);
347e28a4053SRui Paulo 		return -1;
348e28a4053SRui Paulo 	}
349e28a4053SRui Paulo 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
350e28a4053SRui Paulo 		   params->iter_count);
351e28a4053SRui Paulo 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
352e28a4053SRui Paulo 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
353e28a4053SRui Paulo 			   "iterationCount=0x%x", params->iter_count);
354e28a4053SRui Paulo 		return -1;
355e28a4053SRui Paulo 	}
356e28a4053SRui Paulo 
357e28a4053SRui Paulo 	return 0;
358e28a4053SRui Paulo }
359e28a4053SRui Paulo 
360e28a4053SRui Paulo 
361780fb4a2SCy Schubert static struct crypto_cipher *
pkcs5_crypto_init_pbes2(struct pkcs5_params * params,const char * passwd)362780fb4a2SCy Schubert pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd)
363780fb4a2SCy Schubert {
364780fb4a2SCy Schubert 	u8 key[24];
365780fb4a2SCy Schubert 
366780fb4a2SCy Schubert 	if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC ||
367780fb4a2SCy Schubert 	    params->iv_len != 8)
368780fb4a2SCy Schubert 		return NULL;
369780fb4a2SCy Schubert 
370780fb4a2SCy Schubert 	wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2",
371780fb4a2SCy Schubert 			      passwd, os_strlen(passwd));
372780fb4a2SCy Schubert 	wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2",
373780fb4a2SCy Schubert 		    params->salt, params->salt_len);
374780fb4a2SCy Schubert 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u",
375780fb4a2SCy Schubert 		   params->iter_count);
376780fb4a2SCy Schubert 	if (pbkdf2_sha1(passwd, params->salt, params->salt_len,
377780fb4a2SCy Schubert 			params->iter_count, key, sizeof(key)) < 0)
378780fb4a2SCy Schubert 		return NULL;
379780fb4a2SCy Schubert 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key));
380780fb4a2SCy Schubert 	wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len);
381780fb4a2SCy Schubert 
382780fb4a2SCy Schubert 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv,
383780fb4a2SCy Schubert 				  key, sizeof(key));
384780fb4a2SCy Schubert }
385780fb4a2SCy Schubert 
386780fb4a2SCy Schubert 
add_byte_array_mod(u8 * a,const u8 * b,size_t len)387780fb4a2SCy Schubert static void add_byte_array_mod(u8 *a, const u8 *b, size_t len)
388780fb4a2SCy Schubert {
389780fb4a2SCy Schubert 	size_t i;
390780fb4a2SCy Schubert 	unsigned int carry = 0;
391780fb4a2SCy Schubert 
392780fb4a2SCy Schubert 	for (i = len - 1; i < len; i--) {
393780fb4a2SCy Schubert 		carry = carry + a[i] + b[i];
394780fb4a2SCy Schubert 		a[i] = carry & 0xff;
395780fb4a2SCy Schubert 		carry >>= 8;
396780fb4a2SCy Schubert 	}
397780fb4a2SCy Schubert }
398780fb4a2SCy Schubert 
399780fb4a2SCy Schubert 
pkcs12_key_gen(const u8 * pw,size_t pw_len,const u8 * salt,size_t salt_len,u8 id,unsigned int iter,size_t out_len,u8 * out)400780fb4a2SCy Schubert static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt,
401780fb4a2SCy Schubert 			  size_t salt_len, u8 id, unsigned int iter,
402780fb4a2SCy Schubert 			  size_t out_len, u8 *out)
403780fb4a2SCy Schubert {
404780fb4a2SCy Schubert 	unsigned int u, v, S_len, P_len, i;
405780fb4a2SCy Schubert 	u8 *D = NULL, *I = NULL, *B = NULL, *pos;
406780fb4a2SCy Schubert 	int res = -1;
407780fb4a2SCy Schubert 
408780fb4a2SCy Schubert 	/* RFC 7292, B.2 */
409780fb4a2SCy Schubert 	u = SHA1_MAC_LEN;
410780fb4a2SCy Schubert 	v = 64;
411780fb4a2SCy Schubert 
412780fb4a2SCy Schubert 	/* D = copies of ID */
413780fb4a2SCy Schubert 	D = os_malloc(v);
414780fb4a2SCy Schubert 	if (!D)
415780fb4a2SCy Schubert 		goto done;
416780fb4a2SCy Schubert 	os_memset(D, id, v);
417780fb4a2SCy Schubert 
418780fb4a2SCy Schubert 	/* S = copies of salt; P = copies of password, I = S || P */
419780fb4a2SCy Schubert 	S_len = v * ((salt_len + v - 1) / v);
420780fb4a2SCy Schubert 	P_len = v * ((pw_len + v - 1) / v);
421780fb4a2SCy Schubert 	I = os_malloc(S_len + P_len);
422780fb4a2SCy Schubert 	if (!I)
423780fb4a2SCy Schubert 		goto done;
424780fb4a2SCy Schubert 	pos = I;
425780fb4a2SCy Schubert 	if (salt_len) {
426780fb4a2SCy Schubert 		for (i = 0; i < S_len; i++)
427780fb4a2SCy Schubert 			*pos++ = salt[i % salt_len];
428780fb4a2SCy Schubert 	}
429780fb4a2SCy Schubert 	if (pw_len) {
430780fb4a2SCy Schubert 		for (i = 0; i < P_len; i++)
431780fb4a2SCy Schubert 			*pos++ = pw[i % pw_len];
432780fb4a2SCy Schubert 	}
433780fb4a2SCy Schubert 
434780fb4a2SCy Schubert 	B = os_malloc(v);
435780fb4a2SCy Schubert 	if (!B)
436780fb4a2SCy Schubert 		goto done;
437780fb4a2SCy Schubert 
438780fb4a2SCy Schubert 	for (;;) {
439780fb4a2SCy Schubert 		u8 hash[SHA1_MAC_LEN];
440780fb4a2SCy Schubert 		const u8 *addr[2];
441780fb4a2SCy Schubert 		size_t len[2];
442780fb4a2SCy Schubert 
443780fb4a2SCy Schubert 		addr[0] = D;
444780fb4a2SCy Schubert 		len[0] = v;
445780fb4a2SCy Schubert 		addr[1] = I;
446780fb4a2SCy Schubert 		len[1] = S_len + P_len;
447780fb4a2SCy Schubert 		if (sha1_vector(2, addr, len, hash) < 0)
448780fb4a2SCy Schubert 			goto done;
449780fb4a2SCy Schubert 
450780fb4a2SCy Schubert 		addr[0] = hash;
451780fb4a2SCy Schubert 		len[0] = SHA1_MAC_LEN;
452780fb4a2SCy Schubert 		for (i = 1; i < iter; i++) {
453780fb4a2SCy Schubert 			if (sha1_vector(1, addr, len, hash) < 0)
454780fb4a2SCy Schubert 				goto done;
455780fb4a2SCy Schubert 		}
456780fb4a2SCy Schubert 
457780fb4a2SCy Schubert 		if (out_len <= u) {
458780fb4a2SCy Schubert 			os_memcpy(out, hash, out_len);
459780fb4a2SCy Schubert 			res = 0;
460780fb4a2SCy Schubert 			goto done;
461780fb4a2SCy Schubert 		}
462780fb4a2SCy Schubert 
463780fb4a2SCy Schubert 		os_memcpy(out, hash, u);
464780fb4a2SCy Schubert 		out += u;
465780fb4a2SCy Schubert 		out_len -= u;
466780fb4a2SCy Schubert 
467780fb4a2SCy Schubert 		/* I_j = (I_j + B + 1) mod 2^(v*8) */
468780fb4a2SCy Schubert 		/* B = copies of Ai (final hash value) */
469780fb4a2SCy Schubert 		for (i = 0; i < v; i++)
470780fb4a2SCy Schubert 			B[i] = hash[i % u];
471780fb4a2SCy Schubert 		inc_byte_array(B, v);
472780fb4a2SCy Schubert 		for (i = 0; i < S_len + P_len; i += v)
473780fb4a2SCy Schubert 			add_byte_array_mod(&I[i], B, v);
474780fb4a2SCy Schubert 	}
475780fb4a2SCy Schubert 
476780fb4a2SCy Schubert done:
477780fb4a2SCy Schubert 	os_free(B);
478780fb4a2SCy Schubert 	os_free(I);
479780fb4a2SCy Schubert 	os_free(D);
480780fb4a2SCy Schubert 	return res;
481780fb4a2SCy Schubert }
482780fb4a2SCy Schubert 
483780fb4a2SCy Schubert 
484780fb4a2SCy Schubert #define PKCS12_ID_ENC 1
485780fb4a2SCy Schubert #define PKCS12_ID_IV 2
486780fb4a2SCy Schubert #define PKCS12_ID_MAC 3
487780fb4a2SCy Schubert 
488780fb4a2SCy Schubert static struct crypto_cipher *
pkcs12_crypto_init_sha1(struct pkcs5_params * params,const char * passwd)489780fb4a2SCy Schubert pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd)
490780fb4a2SCy Schubert {
491780fb4a2SCy Schubert 	unsigned int i;
492780fb4a2SCy Schubert 	u8 *pw;
493780fb4a2SCy Schubert 	size_t pw_len;
494780fb4a2SCy Schubert 	u8 key[24];
495780fb4a2SCy Schubert 	u8 iv[8];
496780fb4a2SCy Schubert 
497780fb4a2SCy Schubert 	if (params->alg != PKCS5_ALG_SHA1_3DES_CBC)
498780fb4a2SCy Schubert 		return NULL;
499780fb4a2SCy Schubert 
500780fb4a2SCy Schubert 	pw_len = passwd ? os_strlen(passwd) : 0;
501780fb4a2SCy Schubert 	pw = os_malloc(2 * (pw_len + 1));
502780fb4a2SCy Schubert 	if (!pw)
503780fb4a2SCy Schubert 		return NULL;
504780fb4a2SCy Schubert 	if (pw_len) {
505780fb4a2SCy Schubert 		for (i = 0; i <= pw_len; i++)
506780fb4a2SCy Schubert 			WPA_PUT_BE16(&pw[2 * i], passwd[i]);
507780fb4a2SCy Schubert 		pw_len = 2 * (pw_len + 1);
508780fb4a2SCy Schubert 	}
509780fb4a2SCy Schubert 
510780fb4a2SCy Schubert 	if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
511780fb4a2SCy Schubert 			   PKCS12_ID_ENC, params->iter_count,
512780fb4a2SCy Schubert 			   sizeof(key), key) < 0 ||
513780fb4a2SCy Schubert 	    pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
514780fb4a2SCy Schubert 			   PKCS12_ID_IV, params->iter_count,
515780fb4a2SCy Schubert 			   sizeof(iv), iv) < 0) {
516780fb4a2SCy Schubert 		os_free(pw);
517780fb4a2SCy Schubert 		return NULL;
518780fb4a2SCy Schubert 	}
519780fb4a2SCy Schubert 
520780fb4a2SCy Schubert 	os_free(pw);
521780fb4a2SCy Schubert 
522780fb4a2SCy Schubert 	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key));
523780fb4a2SCy Schubert 	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv));
524780fb4a2SCy Schubert 
525780fb4a2SCy Schubert 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key));
526780fb4a2SCy Schubert }
527780fb4a2SCy Schubert 
528780fb4a2SCy Schubert 
pkcs5_crypto_init(struct pkcs5_params * params,const char * passwd)529e28a4053SRui Paulo static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
530e28a4053SRui Paulo 						const char *passwd)
531e28a4053SRui Paulo {
532e28a4053SRui Paulo 	unsigned int i;
533e28a4053SRui Paulo 	u8 hash[MD5_MAC_LEN];
534e28a4053SRui Paulo 	const u8 *addr[2];
535e28a4053SRui Paulo 	size_t len[2];
536e28a4053SRui Paulo 
537780fb4a2SCy Schubert 	if (params->alg == PKCS5_ALG_PBES2)
538780fb4a2SCy Schubert 		return pkcs5_crypto_init_pbes2(params, passwd);
539780fb4a2SCy Schubert 
540780fb4a2SCy Schubert 	if (params->alg == PKCS5_ALG_SHA1_3DES_CBC)
541780fb4a2SCy Schubert 		return pkcs12_crypto_init_sha1(params, passwd);
542780fb4a2SCy Schubert 
543e28a4053SRui Paulo 	if (params->alg != PKCS5_ALG_MD5_DES_CBC)
544e28a4053SRui Paulo 		return NULL;
545e28a4053SRui Paulo 
546e28a4053SRui Paulo 	addr[0] = (const u8 *) passwd;
547e28a4053SRui Paulo 	len[0] = os_strlen(passwd);
548e28a4053SRui Paulo 	addr[1] = params->salt;
549e28a4053SRui Paulo 	len[1] = params->salt_len;
550e28a4053SRui Paulo 	if (md5_vector(2, addr, len, hash) < 0)
551e28a4053SRui Paulo 		return NULL;
552e28a4053SRui Paulo 	addr[0] = hash;
553e28a4053SRui Paulo 	len[0] = MD5_MAC_LEN;
554e28a4053SRui Paulo 	for (i = 1; i < params->iter_count; i++) {
555e28a4053SRui Paulo 		if (md5_vector(1, addr, len, hash) < 0)
556e28a4053SRui Paulo 			return NULL;
557e28a4053SRui Paulo 	}
558e28a4053SRui Paulo 	/* TODO: DES key parity bits(?) */
559e28a4053SRui Paulo 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
560e28a4053SRui Paulo 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
561e28a4053SRui Paulo 
562e28a4053SRui Paulo 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
563e28a4053SRui Paulo }
564e28a4053SRui Paulo 
565e28a4053SRui Paulo 
pkcs5_decrypt(const u8 * enc_alg,size_t enc_alg_len,const u8 * enc_data,size_t enc_data_len,const char * passwd,size_t * data_len)566e28a4053SRui Paulo u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
567e28a4053SRui Paulo 		   const u8 *enc_data, size_t enc_data_len,
568e28a4053SRui Paulo 		   const char *passwd, size_t *data_len)
569e28a4053SRui Paulo {
570e28a4053SRui Paulo 	struct crypto_cipher *ctx;
571e28a4053SRui Paulo 	u8 *eb, pad;
572e28a4053SRui Paulo 	struct pkcs5_params params;
573e28a4053SRui Paulo 	unsigned int i;
574e28a4053SRui Paulo 
575e28a4053SRui Paulo 	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
576e28a4053SRui Paulo 		wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
577e28a4053SRui Paulo 		return NULL;
578e28a4053SRui Paulo 	}
579e28a4053SRui Paulo 
580e28a4053SRui Paulo 	ctx = pkcs5_crypto_init(&params, passwd);
581e28a4053SRui Paulo 	if (ctx == NULL) {
582e28a4053SRui Paulo 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
583e28a4053SRui Paulo 		return NULL;
584e28a4053SRui Paulo 	}
585e28a4053SRui Paulo 
586e28a4053SRui Paulo 	/* PKCS #5, Section 7 - Decryption process */
587e28a4053SRui Paulo 	if (enc_data_len < 16 || enc_data_len % 8) {
588e28a4053SRui Paulo 		wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
589e28a4053SRui Paulo 			   "%d", (int) enc_data_len);
590e28a4053SRui Paulo 		crypto_cipher_deinit(ctx);
591e28a4053SRui Paulo 		return NULL;
592e28a4053SRui Paulo 	}
593e28a4053SRui Paulo 
594e28a4053SRui Paulo 	eb = os_malloc(enc_data_len);
595e28a4053SRui Paulo 	if (eb == NULL) {
596e28a4053SRui Paulo 		crypto_cipher_deinit(ctx);
597e28a4053SRui Paulo 		return NULL;
598e28a4053SRui Paulo 	}
599e28a4053SRui Paulo 
600e28a4053SRui Paulo 	if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
601e28a4053SRui Paulo 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
602e28a4053SRui Paulo 		crypto_cipher_deinit(ctx);
603e28a4053SRui Paulo 		os_free(eb);
604e28a4053SRui Paulo 		return NULL;
605e28a4053SRui Paulo 	}
606e28a4053SRui Paulo 	crypto_cipher_deinit(ctx);
607e28a4053SRui Paulo 
608e28a4053SRui Paulo 	pad = eb[enc_data_len - 1];
609e28a4053SRui Paulo 	if (pad > 8) {
610e28a4053SRui Paulo 		wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
611e28a4053SRui Paulo 		os_free(eb);
612e28a4053SRui Paulo 		return NULL;
613e28a4053SRui Paulo 	}
614e28a4053SRui Paulo 	for (i = enc_data_len - pad; i < enc_data_len; i++) {
615e28a4053SRui Paulo 		if (eb[i] != pad) {
616e28a4053SRui Paulo 			wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
617e28a4053SRui Paulo 				    eb + enc_data_len - pad, pad);
618e28a4053SRui Paulo 			os_free(eb);
619e28a4053SRui Paulo 			return NULL;
620e28a4053SRui Paulo 		}
621e28a4053SRui Paulo 	}
622e28a4053SRui Paulo 
623e28a4053SRui Paulo 	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
624e28a4053SRui Paulo 			eb, enc_data_len - pad);
625e28a4053SRui Paulo 
626e28a4053SRui Paulo 	*data_len = enc_data_len - pad;
627e28a4053SRui Paulo 	return eb;
628e28a4053SRui Paulo }
629