xref: /freebsd/contrib/wpa/src/tls/pkcs5.c (revision 13ea0450a9c8742119d36f3bf8f47accdce46e54)
1 /*
2  * PKCS #5 (Password-based Encryption)
3  * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "crypto/sha1.h"
15 #include "asn1.h"
16 #include "pkcs5.h"
17 
18 
19 struct pkcs5_params {
20 	enum pkcs5_alg {
21 		PKCS5_ALG_UNKNOWN,
22 		PKCS5_ALG_MD5_DES_CBC,
23 		PKCS5_ALG_PBES2,
24 		PKCS5_ALG_SHA1_3DES_CBC,
25 	} alg;
26 	u8 salt[64];
27 	size_t salt_len;
28 	unsigned int iter_count;
29 	enum pbes2_enc_alg {
30 		PBES2_ENC_ALG_UNKNOWN,
31 		PBES2_ENC_ALG_DES_EDE3_CBC,
32 	} enc_alg;
33 	u8 iv[8];
34 	size_t iv_len;
35 };
36 
37 
38 static int oid_is_rsadsi(struct asn1_oid *oid)
39 {
40 	return oid->len >= 4 &&
41 		oid->oid[0] == 1 /* iso */ &&
42 		oid->oid[1] == 2 /* member-body */ &&
43 		oid->oid[2] == 840 /* us */ &&
44 		oid->oid[3] == 113549 /* rsadsi */;
45 }
46 
47 
48 static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg)
49 {
50 	return oid->len == 7 &&
51 		oid_is_rsadsi(oid) &&
52 		oid->oid[4] == 1 /* pkcs */ &&
53 		oid->oid[5] == 5 /* pkcs-5 */ &&
54 		oid->oid[6] == alg;
55 }
56 
57 
58 static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg)
59 {
60 	return oid->len == 6 &&
61 		oid_is_rsadsi(oid) &&
62 		oid->oid[4] == 3 /* encryptionAlgorithm */ &&
63 		oid->oid[5] == alg;
64 }
65 
66 
67 static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg)
68 {
69 	return oid->len == 8 &&
70 		oid_is_rsadsi(oid) &&
71 		oid->oid[4] == 1 /* pkcs */ &&
72 		oid->oid[5] == 12 /* pkcs-12 */ &&
73 		oid->oid[6] == 1 /* pkcs-12PbeIds */ &&
74 		oid->oid[7] == alg;
75 }
76 
77 
78 static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
79 {
80 	if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */
81 		return PKCS5_ALG_MD5_DES_CBC;
82 	if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */
83 		return PKCS5_ALG_SHA1_3DES_CBC;
84 	if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */
85 		return PKCS5_ALG_PBES2;
86 	return PKCS5_ALG_UNKNOWN;
87 }
88 
89 
90 static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
91 				  const u8 *enc_alg_end)
92 {
93 	struct asn1_hdr hdr;
94 	const u8 *end, *kdf_end;
95 	struct asn1_oid oid;
96 	char obuf[80];
97 
98 	/*
99 	 * RFC 2898, Ch. A.4
100 	 *
101 	 * PBES2-params ::= SEQUENCE {
102 	 *     keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
103 	 *     encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
104 	 *
105 	 * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
106 	 *     { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
107 	 */
108 
109 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
110 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
111 	    hdr.tag != ASN1_TAG_SEQUENCE) {
112 		wpa_printf(MSG_DEBUG,
113 			   "PKCS #5: Expected SEQUENCE (PBES2-params) - found class %d tag 0x%x",
114 			   hdr.class, hdr.tag);
115 		return -1;
116 	}
117 	pos = hdr.payload;
118 	end = hdr.payload + hdr.length;
119 
120 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
121 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
122 	    hdr.tag != ASN1_TAG_SEQUENCE) {
123 		wpa_printf(MSG_DEBUG,
124 			   "PKCS #5: Expected SEQUENCE (keyDerivationFunc) - found class %d tag 0x%x",
125 			   hdr.class, hdr.tag);
126 		return -1;
127 	}
128 
129 	pos = hdr.payload;
130 	kdf_end = end = hdr.payload + hdr.length;
131 
132 	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
133 		wpa_printf(MSG_DEBUG,
134 			   "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)");
135 		return -1;
136 	}
137 
138 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
139 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s",
140 		   obuf);
141 	if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ {
142 		wpa_printf(MSG_DEBUG,
143 			   "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s",
144 			   obuf);
145 		return -1;
146 	}
147 
148 	/*
149 	 * RFC 2898, C.
150 	 *
151 	 * PBKDF2-params ::= SEQUENCE {
152 	 *     salt CHOICE {
153 	 *       specified OCTET STRING,
154 	 *       otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
155 	 *     },
156 	 *     iterationCount INTEGER (1..MAX),
157 	 *     keyLength INTEGER (1..MAX) OPTIONAL,
158 	 *     prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
159 	 *     algid-hmacWithSHA1
160 	 * }
161 	 */
162 
163 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
164 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
165 	    hdr.tag != ASN1_TAG_SEQUENCE) {
166 		wpa_printf(MSG_DEBUG,
167 			   "PKCS #5: Expected SEQUENCE (PBKDF2-params) - found class %d tag 0x%x",
168 			   hdr.class, hdr.tag);
169 		return -1;
170 	}
171 
172 	pos = hdr.payload;
173 	end = hdr.payload + hdr.length;
174 
175 	/* For now, only support the salt CHOICE specified (OCTET STRING) */
176 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
177 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
178 	    hdr.tag != ASN1_TAG_OCTETSTRING ||
179 	    hdr.length > sizeof(params->salt)) {
180 		wpa_printf(MSG_DEBUG,
181 			   "PKCS #5: Expected OCTET STRING (salt.specified) - found class %d tag 0x%x size %d",
182 			   hdr.class, hdr.tag, hdr.length);
183 		return -1;
184 	}
185 	pos = hdr.payload + hdr.length;
186 	os_memcpy(params->salt, hdr.payload, hdr.length);
187 	params->salt_len = hdr.length;
188 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len);
189 
190 	/* iterationCount INTEGER */
191 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
192 	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
193 		wpa_printf(MSG_DEBUG,
194 			   "PKCS #5: Expected INTEGER - found class %d tag 0x%x",
195 			   hdr.class, hdr.tag);
196 		return -1;
197 	}
198 	if (hdr.length == 1) {
199 		params->iter_count = *hdr.payload;
200 	} else if (hdr.length == 2) {
201 		params->iter_count = WPA_GET_BE16(hdr.payload);
202 	} else if (hdr.length == 4) {
203 		params->iter_count = WPA_GET_BE32(hdr.payload);
204 	} else {
205 		wpa_hexdump(MSG_DEBUG,
206 			    "PKCS #5: Unsupported INTEGER value (iterationCount)",
207 			    hdr.payload, hdr.length);
208 		return -1;
209 	}
210 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
211 		   params->iter_count);
212 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
213 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x",
214 			   params->iter_count);
215 		return -1;
216 	}
217 
218 	/* For now, ignore optional keyLength and prf */
219 
220 	pos = kdf_end;
221 
222 	/* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */
223 
224 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
225 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
226 	    hdr.tag != ASN1_TAG_SEQUENCE) {
227 		wpa_printf(MSG_DEBUG,
228 			   "PKCS #5: Expected SEQUENCE (encryptionScheme) - found class %d tag 0x%x",
229 			   hdr.class, hdr.tag);
230 		return -1;
231 	}
232 
233 	pos = hdr.payload;
234 	end = hdr.payload + hdr.length;
235 
236 	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
237 		wpa_printf(MSG_DEBUG,
238 			   "PKCS #5: Failed to parse OID (encryptionScheme algorithm)");
239 		return -1;
240 	}
241 
242 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
243 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s",
244 		   obuf);
245 	if (enc_alg_is_oid(&oid, 7)) {
246 		params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC;
247 	} else {
248 		wpa_printf(MSG_DEBUG,
249 			   "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s",
250 			   obuf);
251 		return -1;
252 	}
253 
254 	/*
255 	 * RFC 2898, B.2.2:
256 	 * The parameters field associated with this OID in an
257 	 * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
258 	 * specifying the initialization vector for CBC mode.
259 	 */
260 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
261 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
262 	    hdr.tag != ASN1_TAG_OCTETSTRING ||
263 	    hdr.length != 8) {
264 		wpa_printf(MSG_DEBUG,
265 			   "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV) - found class %d tag 0x%x size %d",
266 			   hdr.class, hdr.tag, hdr.length);
267 		return -1;
268 	}
269 	os_memcpy(params->iv, hdr.payload, hdr.length);
270 	params->iv_len = hdr.length;
271 	wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len);
272 
273 	return 0;
274 }
275 
276 
277 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
278 			    struct pkcs5_params *params)
279 {
280 	struct asn1_hdr hdr;
281 	const u8 *enc_alg_end, *pos, *end;
282 	struct asn1_oid oid;
283 	char obuf[80];
284 
285 	/* AlgorithmIdentifier */
286 
287 	enc_alg_end = enc_alg + enc_alg_len;
288 
289 	os_memset(params, 0, sizeof(*params));
290 
291 	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
292 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
293 			   "(algorithm)");
294 		return -1;
295 	}
296 
297 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
298 	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
299 	params->alg = pkcs5_get_alg(&oid);
300 	if (params->alg == PKCS5_ALG_UNKNOWN) {
301 		wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
302 			   "algorithm %s", obuf);
303 		return -1;
304 	}
305 
306 	if (params->alg == PKCS5_ALG_PBES2)
307 		return pkcs5_get_params_pbes2(params, pos, enc_alg_end);
308 
309 	/* PBES1 */
310 
311 	/*
312 	 * PKCS#5, Section 8
313 	 * PBEParameter ::= SEQUENCE {
314 	 *   salt OCTET STRING SIZE(8),
315 	 *   iterationCount INTEGER }
316 	 *
317 	 * Note: The same implementation can be used to parse the PKCS #12
318 	 * version described in RFC 7292, C:
319 	 * pkcs-12PbeParams ::= SEQUENCE {
320 	 *     salt        OCTET STRING,
321 	 *     iterations  INTEGER
322 	 * }
323 	 */
324 
325 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
326 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
327 	    hdr.tag != ASN1_TAG_SEQUENCE) {
328 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
329 			   "(PBEParameter) - found class %d tag 0x%x",
330 			   hdr.class, hdr.tag);
331 		return -1;
332 	}
333 	pos = hdr.payload;
334 	end = hdr.payload + hdr.length;
335 
336 	/* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
337 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
338 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
339 	    hdr.tag != ASN1_TAG_OCTETSTRING ||
340 	    hdr.length > sizeof(params->salt)) {
341 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
342 			   "(salt) - found class %d tag 0x%x size %d",
343 			   hdr.class, hdr.tag, hdr.length);
344 		return -1;
345 	}
346 	pos = hdr.payload + hdr.length;
347 	os_memcpy(params->salt, hdr.payload, hdr.length);
348 	params->salt_len = hdr.length;
349 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
350 		    params->salt, params->salt_len);
351 
352 	/* iterationCount INTEGER */
353 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
354 	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
355 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
356 			   "class %d tag 0x%x", hdr.class, hdr.tag);
357 		return -1;
358 	}
359 	if (hdr.length == 1)
360 		params->iter_count = *hdr.payload;
361 	else if (hdr.length == 2)
362 		params->iter_count = WPA_GET_BE16(hdr.payload);
363 	else if (hdr.length == 4)
364 		params->iter_count = WPA_GET_BE32(hdr.payload);
365 	else {
366 		wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
367 			    " (iterationCount)",
368 			    hdr.payload, hdr.length);
369 		return -1;
370 	}
371 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
372 		   params->iter_count);
373 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
374 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
375 			   "iterationCount=0x%x", params->iter_count);
376 		return -1;
377 	}
378 
379 	return 0;
380 }
381 
382 
383 static struct crypto_cipher *
384 pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd)
385 {
386 	u8 key[24];
387 
388 	if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC ||
389 	    params->iv_len != 8)
390 		return NULL;
391 
392 	wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2",
393 			      passwd, os_strlen(passwd));
394 	wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2",
395 		    params->salt, params->salt_len);
396 	wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u",
397 		   params->iter_count);
398 	if (pbkdf2_sha1(passwd, params->salt, params->salt_len,
399 			params->iter_count, key, sizeof(key)) < 0)
400 		return NULL;
401 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key));
402 	wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len);
403 
404 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv,
405 				  key, sizeof(key));
406 }
407 
408 
409 static void add_byte_array_mod(u8 *a, const u8 *b, size_t len)
410 {
411 	size_t i;
412 	unsigned int carry = 0;
413 
414 	for (i = len - 1; i < len; i--) {
415 		carry = carry + a[i] + b[i];
416 		a[i] = carry & 0xff;
417 		carry >>= 8;
418 	}
419 }
420 
421 
422 static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt,
423 			  size_t salt_len, u8 id, unsigned int iter,
424 			  size_t out_len, u8 *out)
425 {
426 	unsigned int u, v, S_len, P_len, i;
427 	u8 *D = NULL, *I = NULL, *B = NULL, *pos;
428 	int res = -1;
429 
430 	/* RFC 7292, B.2 */
431 	u = SHA1_MAC_LEN;
432 	v = 64;
433 
434 	/* D = copies of ID */
435 	D = os_malloc(v);
436 	if (!D)
437 		goto done;
438 	os_memset(D, id, v);
439 
440 	/* S = copies of salt; P = copies of password, I = S || P */
441 	S_len = v * ((salt_len + v - 1) / v);
442 	P_len = v * ((pw_len + v - 1) / v);
443 	I = os_malloc(S_len + P_len);
444 	if (!I)
445 		goto done;
446 	pos = I;
447 	if (salt_len) {
448 		for (i = 0; i < S_len; i++)
449 			*pos++ = salt[i % salt_len];
450 	}
451 	if (pw_len) {
452 		for (i = 0; i < P_len; i++)
453 			*pos++ = pw[i % pw_len];
454 	}
455 
456 	B = os_malloc(v);
457 	if (!B)
458 		goto done;
459 
460 	for (;;) {
461 		u8 hash[SHA1_MAC_LEN];
462 		const u8 *addr[2];
463 		size_t len[2];
464 
465 		addr[0] = D;
466 		len[0] = v;
467 		addr[1] = I;
468 		len[1] = S_len + P_len;
469 		if (sha1_vector(2, addr, len, hash) < 0)
470 			goto done;
471 
472 		addr[0] = hash;
473 		len[0] = SHA1_MAC_LEN;
474 		for (i = 1; i < iter; i++) {
475 			if (sha1_vector(1, addr, len, hash) < 0)
476 				goto done;
477 		}
478 
479 		if (out_len <= u) {
480 			os_memcpy(out, hash, out_len);
481 			res = 0;
482 			goto done;
483 		}
484 
485 		os_memcpy(out, hash, u);
486 		out += u;
487 		out_len -= u;
488 
489 		/* I_j = (I_j + B + 1) mod 2^(v*8) */
490 		/* B = copies of Ai (final hash value) */
491 		for (i = 0; i < v; i++)
492 			B[i] = hash[i % u];
493 		inc_byte_array(B, v);
494 		for (i = 0; i < S_len + P_len; i += v)
495 			add_byte_array_mod(&I[i], B, v);
496 	}
497 
498 done:
499 	os_free(B);
500 	os_free(I);
501 	os_free(D);
502 	return res;
503 }
504 
505 
506 #define PKCS12_ID_ENC 1
507 #define PKCS12_ID_IV 2
508 #define PKCS12_ID_MAC 3
509 
510 static struct crypto_cipher *
511 pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd)
512 {
513 	unsigned int i;
514 	u8 *pw;
515 	size_t pw_len;
516 	u8 key[24];
517 	u8 iv[8];
518 
519 	if (params->alg != PKCS5_ALG_SHA1_3DES_CBC)
520 		return NULL;
521 
522 	pw_len = passwd ? os_strlen(passwd) : 0;
523 	pw = os_malloc(2 * (pw_len + 1));
524 	if (!pw)
525 		return NULL;
526 	if (pw_len) {
527 		for (i = 0; i <= pw_len; i++)
528 			WPA_PUT_BE16(&pw[2 * i], passwd[i]);
529 		pw_len = 2 * (pw_len + 1);
530 	}
531 
532 	if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
533 			   PKCS12_ID_ENC, params->iter_count,
534 			   sizeof(key), key) < 0 ||
535 	    pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len,
536 			   PKCS12_ID_IV, params->iter_count,
537 			   sizeof(iv), iv) < 0) {
538 		os_free(pw);
539 		return NULL;
540 	}
541 
542 	os_free(pw);
543 
544 	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key));
545 	wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv));
546 
547 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key));
548 }
549 
550 
551 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
552 						const char *passwd)
553 {
554 	unsigned int i;
555 	u8 hash[MD5_MAC_LEN];
556 	const u8 *addr[2];
557 	size_t len[2];
558 
559 	if (params->alg == PKCS5_ALG_PBES2)
560 		return pkcs5_crypto_init_pbes2(params, passwd);
561 
562 	if (params->alg == PKCS5_ALG_SHA1_3DES_CBC)
563 		return pkcs12_crypto_init_sha1(params, passwd);
564 
565 	if (params->alg != PKCS5_ALG_MD5_DES_CBC)
566 		return NULL;
567 
568 	addr[0] = (const u8 *) passwd;
569 	len[0] = os_strlen(passwd);
570 	addr[1] = params->salt;
571 	len[1] = params->salt_len;
572 	if (md5_vector(2, addr, len, hash) < 0)
573 		return NULL;
574 	addr[0] = hash;
575 	len[0] = MD5_MAC_LEN;
576 	for (i = 1; i < params->iter_count; i++) {
577 		if (md5_vector(1, addr, len, hash) < 0)
578 			return NULL;
579 	}
580 	/* TODO: DES key parity bits(?) */
581 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
582 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
583 
584 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
585 }
586 
587 
588 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
589 		   const u8 *enc_data, size_t enc_data_len,
590 		   const char *passwd, size_t *data_len)
591 {
592 	struct crypto_cipher *ctx;
593 	u8 *eb, pad;
594 	struct pkcs5_params params;
595 	unsigned int i;
596 
597 	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
598 		wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
599 		return NULL;
600 	}
601 
602 	ctx = pkcs5_crypto_init(&params, passwd);
603 	if (ctx == NULL) {
604 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
605 		return NULL;
606 	}
607 
608 	/* PKCS #5, Section 7 - Decryption process */
609 	if (enc_data_len < 16 || enc_data_len % 8) {
610 		wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
611 			   "%d", (int) enc_data_len);
612 		crypto_cipher_deinit(ctx);
613 		return NULL;
614 	}
615 
616 	eb = os_malloc(enc_data_len);
617 	if (eb == NULL) {
618 		crypto_cipher_deinit(ctx);
619 		return NULL;
620 	}
621 
622 	if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
623 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
624 		crypto_cipher_deinit(ctx);
625 		os_free(eb);
626 		return NULL;
627 	}
628 	crypto_cipher_deinit(ctx);
629 
630 	pad = eb[enc_data_len - 1];
631 	if (pad > 8) {
632 		wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
633 		os_free(eb);
634 		return NULL;
635 	}
636 	for (i = enc_data_len - pad; i < enc_data_len; i++) {
637 		if (eb[i] != pad) {
638 			wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
639 				    eb + enc_data_len - pad, pad);
640 			os_free(eb);
641 			return NULL;
642 		}
643 	}
644 
645 	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
646 			eb, enc_data_len - pad);
647 
648 	*data_len = enc_data_len - pad;
649 	return eb;
650 }
651