1 /* 2 * PKCS #5 (Password-based Encryption) 3 * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/crypto.h" 13 #include "crypto/md5.h" 14 #include "crypto/sha1.h" 15 #include "asn1.h" 16 #include "pkcs5.h" 17 18 19 struct pkcs5_params { 20 enum pkcs5_alg { 21 PKCS5_ALG_UNKNOWN, 22 PKCS5_ALG_MD5_DES_CBC, 23 PKCS5_ALG_PBES2, 24 PKCS5_ALG_SHA1_3DES_CBC, 25 } alg; 26 u8 salt[64]; 27 size_t salt_len; 28 unsigned int iter_count; 29 enum pbes2_enc_alg { 30 PBES2_ENC_ALG_UNKNOWN, 31 PBES2_ENC_ALG_DES_EDE3_CBC, 32 } enc_alg; 33 u8 iv[8]; 34 size_t iv_len; 35 }; 36 37 38 static int oid_is_rsadsi(struct asn1_oid *oid) 39 { 40 return oid->len >= 4 && 41 oid->oid[0] == 1 /* iso */ && 42 oid->oid[1] == 2 /* member-body */ && 43 oid->oid[2] == 840 /* us */ && 44 oid->oid[3] == 113549 /* rsadsi */; 45 } 46 47 48 static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg) 49 { 50 return oid->len == 7 && 51 oid_is_rsadsi(oid) && 52 oid->oid[4] == 1 /* pkcs */ && 53 oid->oid[5] == 5 /* pkcs-5 */ && 54 oid->oid[6] == alg; 55 } 56 57 58 static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg) 59 { 60 return oid->len == 6 && 61 oid_is_rsadsi(oid) && 62 oid->oid[4] == 3 /* encryptionAlgorithm */ && 63 oid->oid[5] == alg; 64 } 65 66 67 static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg) 68 { 69 return oid->len == 8 && 70 oid_is_rsadsi(oid) && 71 oid->oid[4] == 1 /* pkcs */ && 72 oid->oid[5] == 12 /* pkcs-12 */ && 73 oid->oid[6] == 1 /* pkcs-12PbeIds */ && 74 oid->oid[7] == alg; 75 } 76 77 78 static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid) 79 { 80 if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */ 81 return PKCS5_ALG_MD5_DES_CBC; 82 if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */ 83 return PKCS5_ALG_SHA1_3DES_CBC; 84 if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */ 85 return PKCS5_ALG_PBES2; 86 return PKCS5_ALG_UNKNOWN; 87 } 88 89 90 static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos, 91 const u8 *enc_alg_end) 92 { 93 struct asn1_hdr hdr; 94 const u8 *end, *kdf_end; 95 struct asn1_oid oid; 96 char obuf[80]; 97 98 /* 99 * RFC 2898, Ch. A.4 100 * 101 * PBES2-params ::= SEQUENCE { 102 * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, 103 * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} } 104 * 105 * PBES2-KDFs ALGORITHM-IDENTIFIER ::= 106 * { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... } 107 */ 108 109 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || 110 hdr.class != ASN1_CLASS_UNIVERSAL || 111 hdr.tag != ASN1_TAG_SEQUENCE) { 112 wpa_printf(MSG_DEBUG, 113 "PKCS #5: Expected SEQUENCE (PBES2-params) - found class %d tag 0x%x", 114 hdr.class, hdr.tag); 115 return -1; 116 } 117 pos = hdr.payload; 118 end = hdr.payload + hdr.length; 119 120 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 121 hdr.class != ASN1_CLASS_UNIVERSAL || 122 hdr.tag != ASN1_TAG_SEQUENCE) { 123 wpa_printf(MSG_DEBUG, 124 "PKCS #5: Expected SEQUENCE (keyDerivationFunc) - found class %d tag 0x%x", 125 hdr.class, hdr.tag); 126 return -1; 127 } 128 129 pos = hdr.payload; 130 kdf_end = end = hdr.payload + hdr.length; 131 132 if (asn1_get_oid(pos, end - pos, &oid, &pos)) { 133 wpa_printf(MSG_DEBUG, 134 "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)"); 135 return -1; 136 } 137 138 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 139 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s", 140 obuf); 141 if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ { 142 wpa_printf(MSG_DEBUG, 143 "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s", 144 obuf); 145 return -1; 146 } 147 148 /* 149 * RFC 2898, C. 150 * 151 * PBKDF2-params ::= SEQUENCE { 152 * salt CHOICE { 153 * specified OCTET STRING, 154 * otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} 155 * }, 156 * iterationCount INTEGER (1..MAX), 157 * keyLength INTEGER (1..MAX) OPTIONAL, 158 * prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT 159 * algid-hmacWithSHA1 160 * } 161 */ 162 163 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 164 hdr.class != ASN1_CLASS_UNIVERSAL || 165 hdr.tag != ASN1_TAG_SEQUENCE) { 166 wpa_printf(MSG_DEBUG, 167 "PKCS #5: Expected SEQUENCE (PBKDF2-params) - found class %d tag 0x%x", 168 hdr.class, hdr.tag); 169 return -1; 170 } 171 172 pos = hdr.payload; 173 end = hdr.payload + hdr.length; 174 175 /* For now, only support the salt CHOICE specified (OCTET STRING) */ 176 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 177 hdr.class != ASN1_CLASS_UNIVERSAL || 178 hdr.tag != ASN1_TAG_OCTETSTRING || 179 hdr.length > sizeof(params->salt)) { 180 wpa_printf(MSG_DEBUG, 181 "PKCS #5: Expected OCTET STRING (salt.specified) - found class %d tag 0x%x size %d", 182 hdr.class, hdr.tag, hdr.length); 183 return -1; 184 } 185 pos = hdr.payload + hdr.length; 186 os_memcpy(params->salt, hdr.payload, hdr.length); 187 params->salt_len = hdr.length; 188 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len); 189 190 /* iterationCount INTEGER */ 191 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 192 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) { 193 wpa_printf(MSG_DEBUG, 194 "PKCS #5: Expected INTEGER - found class %d tag 0x%x", 195 hdr.class, hdr.tag); 196 return -1; 197 } 198 if (hdr.length == 1) { 199 params->iter_count = *hdr.payload; 200 } else if (hdr.length == 2) { 201 params->iter_count = WPA_GET_BE16(hdr.payload); 202 } else if (hdr.length == 4) { 203 params->iter_count = WPA_GET_BE32(hdr.payload); 204 } else { 205 wpa_hexdump(MSG_DEBUG, 206 "PKCS #5: Unsupported INTEGER value (iterationCount)", 207 hdr.payload, hdr.length); 208 return -1; 209 } 210 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x", 211 params->iter_count); 212 if (params->iter_count == 0 || params->iter_count > 0xffff) { 213 wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x", 214 params->iter_count); 215 return -1; 216 } 217 218 /* For now, ignore optional keyLength and prf */ 219 220 pos = kdf_end; 221 222 /* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */ 223 224 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || 225 hdr.class != ASN1_CLASS_UNIVERSAL || 226 hdr.tag != ASN1_TAG_SEQUENCE) { 227 wpa_printf(MSG_DEBUG, 228 "PKCS #5: Expected SEQUENCE (encryptionScheme) - found class %d tag 0x%x", 229 hdr.class, hdr.tag); 230 return -1; 231 } 232 233 pos = hdr.payload; 234 end = hdr.payload + hdr.length; 235 236 if (asn1_get_oid(pos, end - pos, &oid, &pos)) { 237 wpa_printf(MSG_DEBUG, 238 "PKCS #5: Failed to parse OID (encryptionScheme algorithm)"); 239 return -1; 240 } 241 242 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 243 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s", 244 obuf); 245 if (enc_alg_is_oid(&oid, 7)) { 246 params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC; 247 } else { 248 wpa_printf(MSG_DEBUG, 249 "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s", 250 obuf); 251 return -1; 252 } 253 254 /* 255 * RFC 2898, B.2.2: 256 * The parameters field associated with this OID in an 257 * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)), 258 * specifying the initialization vector for CBC mode. 259 */ 260 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 261 hdr.class != ASN1_CLASS_UNIVERSAL || 262 hdr.tag != ASN1_TAG_OCTETSTRING || 263 hdr.length != 8) { 264 wpa_printf(MSG_DEBUG, 265 "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV) - found class %d tag 0x%x size %d", 266 hdr.class, hdr.tag, hdr.length); 267 return -1; 268 } 269 os_memcpy(params->iv, hdr.payload, hdr.length); 270 params->iv_len = hdr.length; 271 wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len); 272 273 return 0; 274 } 275 276 277 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len, 278 struct pkcs5_params *params) 279 { 280 struct asn1_hdr hdr; 281 const u8 *enc_alg_end, *pos, *end; 282 struct asn1_oid oid; 283 char obuf[80]; 284 285 /* AlgorithmIdentifier */ 286 287 enc_alg_end = enc_alg + enc_alg_len; 288 289 os_memset(params, 0, sizeof(*params)); 290 291 if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) { 292 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID " 293 "(algorithm)"); 294 return -1; 295 } 296 297 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 298 wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf); 299 params->alg = pkcs5_get_alg(&oid); 300 if (params->alg == PKCS5_ALG_UNKNOWN) { 301 wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption " 302 "algorithm %s", obuf); 303 return -1; 304 } 305 306 if (params->alg == PKCS5_ALG_PBES2) 307 return pkcs5_get_params_pbes2(params, pos, enc_alg_end); 308 309 /* PBES1 */ 310 311 /* 312 * PKCS#5, Section 8 313 * PBEParameter ::= SEQUENCE { 314 * salt OCTET STRING SIZE(8), 315 * iterationCount INTEGER } 316 * 317 * Note: The same implementation can be used to parse the PKCS #12 318 * version described in RFC 7292, C: 319 * pkcs-12PbeParams ::= SEQUENCE { 320 * salt OCTET STRING, 321 * iterations INTEGER 322 * } 323 */ 324 325 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || 326 hdr.class != ASN1_CLASS_UNIVERSAL || 327 hdr.tag != ASN1_TAG_SEQUENCE) { 328 wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE " 329 "(PBEParameter) - found class %d tag 0x%x", 330 hdr.class, hdr.tag); 331 return -1; 332 } 333 pos = hdr.payload; 334 end = hdr.payload + hdr.length; 335 336 /* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */ 337 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 338 hdr.class != ASN1_CLASS_UNIVERSAL || 339 hdr.tag != ASN1_TAG_OCTETSTRING || 340 hdr.length > sizeof(params->salt)) { 341 wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) " 342 "(salt) - found class %d tag 0x%x size %d", 343 hdr.class, hdr.tag, hdr.length); 344 return -1; 345 } 346 pos = hdr.payload + hdr.length; 347 os_memcpy(params->salt, hdr.payload, hdr.length); 348 params->salt_len = hdr.length; 349 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", 350 params->salt, params->salt_len); 351 352 /* iterationCount INTEGER */ 353 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 354 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) { 355 wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found " 356 "class %d tag 0x%x", hdr.class, hdr.tag); 357 return -1; 358 } 359 if (hdr.length == 1) 360 params->iter_count = *hdr.payload; 361 else if (hdr.length == 2) 362 params->iter_count = WPA_GET_BE16(hdr.payload); 363 else if (hdr.length == 4) 364 params->iter_count = WPA_GET_BE32(hdr.payload); 365 else { 366 wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value " 367 " (iterationCount)", 368 hdr.payload, hdr.length); 369 return -1; 370 } 371 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x", 372 params->iter_count); 373 if (params->iter_count == 0 || params->iter_count > 0xffff) { 374 wpa_printf(MSG_INFO, "PKCS #5: Unsupported " 375 "iterationCount=0x%x", params->iter_count); 376 return -1; 377 } 378 379 return 0; 380 } 381 382 383 static struct crypto_cipher * 384 pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd) 385 { 386 u8 key[24]; 387 388 if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC || 389 params->iv_len != 8) 390 return NULL; 391 392 wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2", 393 passwd, os_strlen(passwd)); 394 wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2", 395 params->salt, params->salt_len); 396 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u", 397 params->iter_count); 398 if (pbkdf2_sha1(passwd, params->salt, params->salt_len, 399 params->iter_count, key, sizeof(key)) < 0) 400 return NULL; 401 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key)); 402 wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len); 403 404 return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv, 405 key, sizeof(key)); 406 } 407 408 409 static void add_byte_array_mod(u8 *a, const u8 *b, size_t len) 410 { 411 size_t i; 412 unsigned int carry = 0; 413 414 for (i = len - 1; i < len; i--) { 415 carry = carry + a[i] + b[i]; 416 a[i] = carry & 0xff; 417 carry >>= 8; 418 } 419 } 420 421 422 static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt, 423 size_t salt_len, u8 id, unsigned int iter, 424 size_t out_len, u8 *out) 425 { 426 unsigned int u, v, S_len, P_len, i; 427 u8 *D = NULL, *I = NULL, *B = NULL, *pos; 428 int res = -1; 429 430 /* RFC 7292, B.2 */ 431 u = SHA1_MAC_LEN; 432 v = 64; 433 434 /* D = copies of ID */ 435 D = os_malloc(v); 436 if (!D) 437 goto done; 438 os_memset(D, id, v); 439 440 /* S = copies of salt; P = copies of password, I = S || P */ 441 S_len = v * ((salt_len + v - 1) / v); 442 P_len = v * ((pw_len + v - 1) / v); 443 I = os_malloc(S_len + P_len); 444 if (!I) 445 goto done; 446 pos = I; 447 if (salt_len) { 448 for (i = 0; i < S_len; i++) 449 *pos++ = salt[i % salt_len]; 450 } 451 if (pw_len) { 452 for (i = 0; i < P_len; i++) 453 *pos++ = pw[i % pw_len]; 454 } 455 456 B = os_malloc(v); 457 if (!B) 458 goto done; 459 460 for (;;) { 461 u8 hash[SHA1_MAC_LEN]; 462 const u8 *addr[2]; 463 size_t len[2]; 464 465 addr[0] = D; 466 len[0] = v; 467 addr[1] = I; 468 len[1] = S_len + P_len; 469 if (sha1_vector(2, addr, len, hash) < 0) 470 goto done; 471 472 addr[0] = hash; 473 len[0] = SHA1_MAC_LEN; 474 for (i = 1; i < iter; i++) { 475 if (sha1_vector(1, addr, len, hash) < 0) 476 goto done; 477 } 478 479 if (out_len <= u) { 480 os_memcpy(out, hash, out_len); 481 res = 0; 482 goto done; 483 } 484 485 os_memcpy(out, hash, u); 486 out += u; 487 out_len -= u; 488 489 /* I_j = (I_j + B + 1) mod 2^(v*8) */ 490 /* B = copies of Ai (final hash value) */ 491 for (i = 0; i < v; i++) 492 B[i] = hash[i % u]; 493 inc_byte_array(B, v); 494 for (i = 0; i < S_len + P_len; i += v) 495 add_byte_array_mod(&I[i], B, v); 496 } 497 498 done: 499 os_free(B); 500 os_free(I); 501 os_free(D); 502 return res; 503 } 504 505 506 #define PKCS12_ID_ENC 1 507 #define PKCS12_ID_IV 2 508 #define PKCS12_ID_MAC 3 509 510 static struct crypto_cipher * 511 pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd) 512 { 513 unsigned int i; 514 u8 *pw; 515 size_t pw_len; 516 u8 key[24]; 517 u8 iv[8]; 518 519 if (params->alg != PKCS5_ALG_SHA1_3DES_CBC) 520 return NULL; 521 522 pw_len = passwd ? os_strlen(passwd) : 0; 523 pw = os_malloc(2 * (pw_len + 1)); 524 if (!pw) 525 return NULL; 526 if (pw_len) { 527 for (i = 0; i <= pw_len; i++) 528 WPA_PUT_BE16(&pw[2 * i], passwd[i]); 529 pw_len = 2 * (pw_len + 1); 530 } 531 532 if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len, 533 PKCS12_ID_ENC, params->iter_count, 534 sizeof(key), key) < 0 || 535 pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len, 536 PKCS12_ID_IV, params->iter_count, 537 sizeof(iv), iv) < 0) { 538 os_free(pw); 539 return NULL; 540 } 541 542 os_free(pw); 543 544 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key)); 545 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv)); 546 547 return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key)); 548 } 549 550 551 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params, 552 const char *passwd) 553 { 554 unsigned int i; 555 u8 hash[MD5_MAC_LEN]; 556 const u8 *addr[2]; 557 size_t len[2]; 558 559 if (params->alg == PKCS5_ALG_PBES2) 560 return pkcs5_crypto_init_pbes2(params, passwd); 561 562 if (params->alg == PKCS5_ALG_SHA1_3DES_CBC) 563 return pkcs12_crypto_init_sha1(params, passwd); 564 565 if (params->alg != PKCS5_ALG_MD5_DES_CBC) 566 return NULL; 567 568 addr[0] = (const u8 *) passwd; 569 len[0] = os_strlen(passwd); 570 addr[1] = params->salt; 571 len[1] = params->salt_len; 572 if (md5_vector(2, addr, len, hash) < 0) 573 return NULL; 574 addr[0] = hash; 575 len[0] = MD5_MAC_LEN; 576 for (i = 1; i < params->iter_count; i++) { 577 if (md5_vector(1, addr, len, hash) < 0) 578 return NULL; 579 } 580 /* TODO: DES key parity bits(?) */ 581 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8); 582 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8); 583 584 return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8); 585 } 586 587 588 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len, 589 const u8 *enc_data, size_t enc_data_len, 590 const char *passwd, size_t *data_len) 591 { 592 struct crypto_cipher *ctx; 593 u8 *eb, pad; 594 struct pkcs5_params params; 595 unsigned int i; 596 597 if (pkcs5_get_params(enc_alg, enc_alg_len, ¶ms) < 0) { 598 wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters"); 599 return NULL; 600 } 601 602 ctx = pkcs5_crypto_init(¶ms, passwd); 603 if (ctx == NULL) { 604 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto"); 605 return NULL; 606 } 607 608 /* PKCS #5, Section 7 - Decryption process */ 609 if (enc_data_len < 16 || enc_data_len % 8) { 610 wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext " 611 "%d", (int) enc_data_len); 612 crypto_cipher_deinit(ctx); 613 return NULL; 614 } 615 616 eb = os_malloc(enc_data_len); 617 if (eb == NULL) { 618 crypto_cipher_deinit(ctx); 619 return NULL; 620 } 621 622 if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) { 623 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB"); 624 crypto_cipher_deinit(ctx); 625 os_free(eb); 626 return NULL; 627 } 628 crypto_cipher_deinit(ctx); 629 630 pad = eb[enc_data_len - 1]; 631 if (pad > 8) { 632 wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad); 633 os_free(eb); 634 return NULL; 635 } 636 for (i = enc_data_len - pad; i < enc_data_len; i++) { 637 if (eb[i] != pad) { 638 wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS", 639 eb + enc_data_len - pad, pad); 640 os_free(eb); 641 return NULL; 642 } 643 } 644 645 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)", 646 eb, enc_data_len - pad); 647 648 *data_len = enc_data_len - pad; 649 return eb; 650 } 651