xref: /freebsd/contrib/wpa/src/tls/pkcs5.c (revision 10ff414c14eef433d8157f0c17904d740693933b)
1 /*
2  * PKCS #5 (Password-based Encryption)
3  * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "crypto/sha1.h"
15 #include "asn1.h"
16 #include "pkcs5.h"
17 
18 
19 struct pkcs5_params {
20 	enum pkcs5_alg {
21 		PKCS5_ALG_UNKNOWN,
22 		PKCS5_ALG_MD5_DES_CBC,
23 		PKCS5_ALG_PBES2,
24 		PKCS5_ALG_SHA1_3DES_CBC,
25 	} alg;
26 	u8 salt[64];
27 	size_t salt_len;
28 	unsigned int iter_count;
29 	enum pbes2_enc_alg {
30 		PBES2_ENC_ALG_UNKNOWN,
31 		PBES2_ENC_ALG_DES_EDE3_CBC,
32 	} enc_alg;
33 	u8 iv[8];
34 	size_t iv_len;
35 };
36 
37 
38 static int oid_is_rsadsi(struct asn1_oid *oid)
39 {
40 	return oid->len >= 4 &&
41 		oid->oid[0] == 1 /* iso */ &&
42 		oid->oid[1] == 2 /* member-body */ &&
43 		oid->oid[2] == 840 /* us */ &&
44 		oid->oid[3] == 113549 /* rsadsi */;
45 }
46 
47 
48 static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg)
49 {
50 	return oid->len == 7 &&
51 		oid_is_rsadsi(oid) &&
52 		oid->oid[4] == 1 /* pkcs */ &&
53 		oid->oid[5] == 5 /* pkcs-5 */ &&
54 		oid->oid[6] == alg;
55 }
56 
57 
58 static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg)
59 {
60 	return oid->len == 6 &&
61 		oid_is_rsadsi(oid) &&
62 		oid->oid[4] == 3 /* encryptionAlgorithm */ &&
63 		oid->oid[5] == alg;
64 }
65 
66 
67 static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg)
68 {
69 	return oid->len == 8 &&
70 		oid_is_rsadsi(oid) &&
71 		oid->oid[4] == 1 /* pkcs */ &&
72 		oid->oid[5] == 12 /* pkcs-12 */ &&
73 		oid->oid[6] == 1 /* pkcs-12PbeIds */ &&
74 		oid->oid[7] == alg;
75 }
76 
77 
78 static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
79 {
80 	if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */
81 		return PKCS5_ALG_MD5_DES_CBC;
82 	if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */
83 		return PKCS5_ALG_SHA1_3DES_CBC;
84 	if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */
85 		return PKCS5_ALG_PBES2;
86 	return PKCS5_ALG_UNKNOWN;
87 }
88 
89 
90 static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
91 				  const u8 *enc_alg_end)
92 {
93 	struct asn1_hdr hdr;
94 	const u8 *end, *kdf_end;
95 	struct asn1_oid oid;
96 	char obuf[80];
97 
98 	/*
99 	 * RFC 2898, Ch. A.4
100 	 *
101 	 * PBES2-params ::= SEQUENCE {
102 	 *     keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
103 	 *     encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
104 	 *
105 	 * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
106 	 *     { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
107 	 */
108 
109 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
110 	    !asn1_is_sequence(&hdr)) {
111 		asn1_unexpected(&hdr,
112 				"PKCS #5: Expected SEQUENCE (PBES2-params)");
113 		return -1;
114 	}
115 	pos = hdr.payload;
116 	end = hdr.payload + hdr.length;
117 
118 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
119 	    !asn1_is_sequence(&hdr)) {
120 		asn1_unexpected(&hdr,
121 				"PKCS #5: Expected SEQUENCE (keyDerivationFunc)");
122 		return -1;
123 	}
124 
125 	pos = hdr.payload;
126 	kdf_end = end = hdr.payload + hdr.length;
127 
128 	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
129 		wpa_printf(MSG_DEBUG,
130 			   "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)");
131 		return -1;
132 	}
133 
134 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
135 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s",
136 		   obuf);
137 	if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ {
138 		wpa_printf(MSG_DEBUG,
139 			   "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s",
140 			   obuf);
141 		return -1;
142 	}
143 
144 	/*
145 	 * RFC 2898, C.
146 	 *
147 	 * PBKDF2-params ::= SEQUENCE {
148 	 *     salt CHOICE {
149 	 *       specified OCTET STRING,
150 	 *       otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
151 	 *     },
152 	 *     iterationCount INTEGER (1..MAX),
153 	 *     keyLength INTEGER (1..MAX) OPTIONAL,
154 	 *     prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
155 	 *     algid-hmacWithSHA1
156 	 * }
157 	 */
158 
159 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
160 	    !asn1_is_sequence(&hdr)) {
161 		asn1_unexpected(&hdr,
162 				"PKCS #5: Expected SEQUENCE (PBKDF2-params)");
163 		return -1;
164 	}
165 
166 	pos = hdr.payload;
167 	end = hdr.payload + hdr.length;
168 
169 	/* For now, only support the salt CHOICE specified (OCTET STRING) */
170 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
171 	    !asn1_is_octetstring(&hdr) ||
172 	    hdr.length > sizeof(params->salt)) {
173 		asn1_unexpected(&hdr,
174 				"PKCS #5: Expected OCTET STRING (salt.specified)");
175 		return -1;
176 	}
177 	pos = hdr.payload + hdr.length;
178 	os_memcpy(params->salt, hdr.payload, hdr.length);
179 	params->salt_len = hdr.length;
180 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len);
181 
182 	/* iterationCount INTEGER */
183 	if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
184 		asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
185 		return -1;
186 	}
187 	if (hdr.length == 1) {
188 		params->iter_count = *hdr.payload;
189 	} else if (hdr.length == 2) {
190 		params->iter_count = WPA_GET_BE16(hdr.payload);
191 	} else if (hdr.length == 4) {
192 		params->iter_count = WPA_GET_BE32(hdr.payload);
193 	} else {
194 		wpa_hexdump(MSG_DEBUG,
195 			    "PKCS #5: Unsupported INTEGER value (iterationCount)",
196 			    hdr.payload, hdr.length);
197 		return -1;
198 	}
199 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
200 		   params->iter_count);
201 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
202 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x",
203 			   params->iter_count);
204 		return -1;
205 	}
206 
207 	/* For now, ignore optional keyLength and prf */
208 
209 	pos = kdf_end;
210 
211 	/* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */
212 
213 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
214 	    !asn1_is_sequence(&hdr)) {
215 		asn1_unexpected(&hdr,
216 				"PKCS #5: Expected SEQUENCE (encryptionScheme)");
217 		return -1;
218 	}
219 
220 	pos = hdr.payload;
221 	end = hdr.payload + hdr.length;
222 
223 	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
224 		wpa_printf(MSG_DEBUG,
225 			   "PKCS #5: Failed to parse OID (encryptionScheme algorithm)");
226 		return -1;
227 	}
228 
229 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
230 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s",
231 		   obuf);
232 	if (enc_alg_is_oid(&oid, 7)) {
233 		params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC;
234 	} else {
235 		wpa_printf(MSG_DEBUG,
236 			   "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s",
237 			   obuf);
238 		return -1;
239 	}
240 
241 	/*
242 	 * RFC 2898, B.2.2:
243 	 * The parameters field associated with this OID in an
244 	 * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
245 	 * specifying the initialization vector for CBC mode.
246 	 */
247 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
248 	    !asn1_is_octetstring(&hdr) || hdr.length != 8) {
249 		asn1_unexpected(&hdr,
250 				"PKCS #5: Expected OCTET STRING (SIZE(8)) (IV)");
251 		return -1;
252 	}
253 	os_memcpy(params->iv, hdr.payload, hdr.length);
254 	params->iv_len = hdr.length;
255 	wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len);
256 
257 	return 0;
258 }
259 
260 
261 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
262 			    struct pkcs5_params *params)
263 {
264 	struct asn1_hdr hdr;
265 	const u8 *enc_alg_end, *pos, *end;
266 	struct asn1_oid oid;
267 	char obuf[80];
268 
269 	/* AlgorithmIdentifier */
270 
271 	enc_alg_end = enc_alg + enc_alg_len;
272 
273 	os_memset(params, 0, sizeof(*params));
274 
275 	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
276 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
277 			   "(algorithm)");
278 		return -1;
279 	}
280 
281 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
282 	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
283 	params->alg = pkcs5_get_alg(&oid);
284 	if (params->alg == PKCS5_ALG_UNKNOWN) {
285 		wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
286 			   "algorithm %s", obuf);
287 		return -1;
288 	}
289 
290 	if (params->alg == PKCS5_ALG_PBES2)
291 		return pkcs5_get_params_pbes2(params, pos, enc_alg_end);
292 
293 	/* PBES1 */
294 
295 	/*
296 	 * PKCS#5, Section 8
297 	 * PBEParameter ::= SEQUENCE {
298 	 *   salt OCTET STRING SIZE(8),
299 	 *   iterationCount INTEGER }
300 	 *
301 	 * Note: The same implementation can be used to parse the PKCS #12
302 	 * version described in RFC 7292, C:
303 	 * pkcs-12PbeParams ::= SEQUENCE {
304 	 *     salt        OCTET STRING,
305 	 *     iterations  INTEGER
306 	 * }
307 	 */
308 
309 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
310 	    !asn1_is_sequence(&hdr)) {
311 		asn1_unexpected(&hdr,
312 				"PKCS #5: Expected SEQUENCE (PBEParameter)");
313 		return -1;
314 	}
315 	pos = hdr.payload;
316 	end = hdr.payload + hdr.length;
317 
318 	/* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
319 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
320 	    !asn1_is_octetstring(&hdr) || hdr.length > sizeof(params->salt)) {
321 		asn1_unexpected(&hdr,
322 				"PKCS #5: Expected OCTETSTRING SIZE(8) (salt)");
323 		return -1;
324 	}
325 	pos = hdr.payload + hdr.length;
326 	os_memcpy(params->salt, hdr.payload, hdr.length);
327 	params->salt_len = hdr.length;
328 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
329 		    params->salt, params->salt_len);
330 
331 	/* iterationCount INTEGER */
332 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
333 	    !asn1_is_integer(&hdr)) {
334 		asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
335 		return -1;
336 	}
337 	if (hdr.length == 1)
338 		params->iter_count = *hdr.payload;
339 	else if (hdr.length == 2)
340 		params->iter_count = WPA_GET_BE16(hdr.payload);
341 	else if (hdr.length == 4)
342 		params->iter_count = WPA_GET_BE32(hdr.payload);
343 	else {
344 		wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
345 			    " (iterationCount)",
346 			    hdr.payload, hdr.length);
347 		return -1;
348 	}
349 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
350 		   params->iter_count);
351 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
352 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
353 			   "iterationCount=0x%x", params->iter_count);
354 		return -1;
355 	}
356 
357 	return 0;
358 }
359 
360 
361 static struct crypto_cipher *
362 pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd)
363 {
364 	u8 key[24];
365 
366 	if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC ||
367 	    params->iv_len != 8)
368 		return NULL;
369 
370 	wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2",
371 			      passwd, os_strlen(passwd));
372 	wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2",
373 		    params->salt, params->salt_len);
374 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u",
375 		   params->iter_count);
376 	if (pbkdf2_sha1(passwd, params->salt, params->salt_len,
377 			params->iter_count, key, sizeof(key)) < 0)
378 		return NULL;
379 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key));
380 	wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len);
381 
382 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv,
383 				  key, sizeof(key));
384 }
385 
386 
387 static void add_byte_array_mod(u8 *a, const u8 *b, size_t len)
388 {
389 	size_t i;
390 	unsigned int carry = 0;
391 
392 	for (i = len - 1; i < len; i--) {
393 		carry = carry + a[i] + b[i];
394 		a[i] = carry & 0xff;
395 		carry >>= 8;
396 	}
397 }
398 
399 
400 static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt,
401 			  size_t salt_len, u8 id, unsigned int iter,
402 			  size_t out_len, u8 *out)
403 {
404 	unsigned int u, v, S_len, P_len, i;
405 	u8 *D = NULL, *I = NULL, *B = NULL, *pos;
406 	int res = -1;
407 
408 	/* RFC 7292, B.2 */
409 	u = SHA1_MAC_LEN;
410 	v = 64;
411 
412 	/* D = copies of ID */
413 	D = os_malloc(v);
414 	if (!D)
415 		goto done;
416 	os_memset(D, id, v);
417 
418 	/* S = copies of salt; P = copies of password, I = S || P */
419 	S_len = v * ((salt_len + v - 1) / v);
420 	P_len = v * ((pw_len + v - 1) / v);
421 	I = os_malloc(S_len + P_len);
422 	if (!I)
423 		goto done;
424 	pos = I;
425 	if (salt_len) {
426 		for (i = 0; i < S_len; i++)
427 			*pos++ = salt[i % salt_len];
428 	}
429 	if (pw_len) {
430 		for (i = 0; i < P_len; i++)
431 			*pos++ = pw[i % pw_len];
432 	}
433 
434 	B = os_malloc(v);
435 	if (!B)
436 		goto done;
437 
438 	for (;;) {
439 		u8 hash[SHA1_MAC_LEN];
440 		const u8 *addr[2];
441 		size_t len[2];
442 
443 		addr[0] = D;
444 		len[0] = v;
445 		addr[1] = I;
446 		len[1] = S_len + P_len;
447 		if (sha1_vector(2, addr, len, hash) < 0)
448 			goto done;
449 
450 		addr[0] = hash;
451 		len[0] = SHA1_MAC_LEN;
452 		for (i = 1; i < iter; i++) {
453 			if (sha1_vector(1, addr, len, hash) < 0)
454 				goto done;
455 		}
456 
457 		if (out_len <= u) {
458 			os_memcpy(out, hash, out_len);
459 			res = 0;
460 			goto done;
461 		}
462 
463 		os_memcpy(out, hash, u);
464 		out += u;
465 		out_len -= u;
466 
467 		/* I_j = (I_j + B + 1) mod 2^(v*8) */
468 		/* B = copies of Ai (final hash value) */
469 		for (i = 0; i < v; i++)
470 			B[i] = hash[i % u];
471 		inc_byte_array(B, v);
472 		for (i = 0; i < S_len + P_len; i += v)
473 			add_byte_array_mod(&I[i], B, v);
474 	}
475 
476 done:
477 	os_free(B);
478 	os_free(I);
479 	os_free(D);
480 	return res;
481 }
482 
483 
484 #define PKCS12_ID_ENC 1
485 #define PKCS12_ID_IV 2
486 #define PKCS12_ID_MAC 3
487 
488 static struct crypto_cipher *
489 pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd)
490 {
491 	unsigned int i;
492 	u8 *pw;
493 	size_t pw_len;
494 	u8 key[24];
495 	u8 iv[8];
496 
497 	if (params->alg != PKCS5_ALG_SHA1_3DES_CBC)
498 		return NULL;
499 
500 	pw_len = passwd ? os_strlen(passwd) : 0;
501 	pw = os_malloc(2 * (pw_len + 1));
502 	if (!pw)
503 		return NULL;
504 	if (pw_len) {
505 		for (i = 0; i <= pw_len; i++)
506 			WPA_PUT_BE16(&pw[2 * i], passwd[i]);
507 		pw_len = 2 * (pw_len + 1);
508 	}
509 
510 	if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
511 			   PKCS12_ID_ENC, params->iter_count,
512 			   sizeof(key), key) < 0 ||
513 	    pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
514 			   PKCS12_ID_IV, params->iter_count,
515 			   sizeof(iv), iv) < 0) {
516 		os_free(pw);
517 		return NULL;
518 	}
519 
520 	os_free(pw);
521 
522 	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key));
523 	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv));
524 
525 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key));
526 }
527 
528 
529 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
530 						const char *passwd)
531 {
532 	unsigned int i;
533 	u8 hash[MD5_MAC_LEN];
534 	const u8 *addr[2];
535 	size_t len[2];
536 
537 	if (params->alg == PKCS5_ALG_PBES2)
538 		return pkcs5_crypto_init_pbes2(params, passwd);
539 
540 	if (params->alg == PKCS5_ALG_SHA1_3DES_CBC)
541 		return pkcs12_crypto_init_sha1(params, passwd);
542 
543 	if (params->alg != PKCS5_ALG_MD5_DES_CBC)
544 		return NULL;
545 
546 	addr[0] = (const u8 *) passwd;
547 	len[0] = os_strlen(passwd);
548 	addr[1] = params->salt;
549 	len[1] = params->salt_len;
550 	if (md5_vector(2, addr, len, hash) < 0)
551 		return NULL;
552 	addr[0] = hash;
553 	len[0] = MD5_MAC_LEN;
554 	for (i = 1; i < params->iter_count; i++) {
555 		if (md5_vector(1, addr, len, hash) < 0)
556 			return NULL;
557 	}
558 	/* TODO: DES key parity bits(?) */
559 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
560 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
561 
562 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
563 }
564 
565 
566 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
567 		   const u8 *enc_data, size_t enc_data_len,
568 		   const char *passwd, size_t *data_len)
569 {
570 	struct crypto_cipher *ctx;
571 	u8 *eb, pad;
572 	struct pkcs5_params params;
573 	unsigned int i;
574 
575 	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
576 		wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
577 		return NULL;
578 	}
579 
580 	ctx = pkcs5_crypto_init(&params, passwd);
581 	if (ctx == NULL) {
582 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
583 		return NULL;
584 	}
585 
586 	/* PKCS #5, Section 7 - Decryption process */
587 	if (enc_data_len < 16 || enc_data_len % 8) {
588 		wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
589 			   "%d", (int) enc_data_len);
590 		crypto_cipher_deinit(ctx);
591 		return NULL;
592 	}
593 
594 	eb = os_malloc(enc_data_len);
595 	if (eb == NULL) {
596 		crypto_cipher_deinit(ctx);
597 		return NULL;
598 	}
599 
600 	if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
601 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
602 		crypto_cipher_deinit(ctx);
603 		os_free(eb);
604 		return NULL;
605 	}
606 	crypto_cipher_deinit(ctx);
607 
608 	pad = eb[enc_data_len - 1];
609 	if (pad > 8) {
610 		wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
611 		os_free(eb);
612 		return NULL;
613 	}
614 	for (i = enc_data_len - pad; i < enc_data_len; i++) {
615 		if (eb[i] != pad) {
616 			wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
617 				    eb + enc_data_len - pad, pad);
618 			os_free(eb);
619 			return NULL;
620 		}
621 	}
622 
623 	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
624 			eb, enc_data_len - pad);
625 
626 	*data_len = enc_data_len - pad;
627 	return eb;
628 }
629