1 /* 2 * PKCS #5 (Password-based Encryption) 3 * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/crypto.h" 13 #include "crypto/md5.h" 14 #include "crypto/sha1.h" 15 #include "asn1.h" 16 #include "pkcs5.h" 17 18 19 struct pkcs5_params { 20 enum pkcs5_alg { 21 PKCS5_ALG_UNKNOWN, 22 PKCS5_ALG_MD5_DES_CBC, 23 PKCS5_ALG_PBES2, 24 PKCS5_ALG_SHA1_3DES_CBC, 25 } alg; 26 u8 salt[64]; 27 size_t salt_len; 28 unsigned int iter_count; 29 enum pbes2_enc_alg { 30 PBES2_ENC_ALG_UNKNOWN, 31 PBES2_ENC_ALG_DES_EDE3_CBC, 32 } enc_alg; 33 u8 iv[8]; 34 size_t iv_len; 35 }; 36 37 38 static int oid_is_rsadsi(struct asn1_oid *oid) 39 { 40 return oid->len >= 4 && 41 oid->oid[0] == 1 /* iso */ && 42 oid->oid[1] == 2 /* member-body */ && 43 oid->oid[2] == 840 /* us */ && 44 oid->oid[3] == 113549 /* rsadsi */; 45 } 46 47 48 static int pkcs5_is_oid(struct asn1_oid *oid, unsigned long alg) 49 { 50 return oid->len == 7 && 51 oid_is_rsadsi(oid) && 52 oid->oid[4] == 1 /* pkcs */ && 53 oid->oid[5] == 5 /* pkcs-5 */ && 54 oid->oid[6] == alg; 55 } 56 57 58 static int enc_alg_is_oid(struct asn1_oid *oid, unsigned long alg) 59 { 60 return oid->len == 6 && 61 oid_is_rsadsi(oid) && 62 oid->oid[4] == 3 /* encryptionAlgorithm */ && 63 oid->oid[5] == alg; 64 } 65 66 67 static int pkcs12_is_pbe_oid(struct asn1_oid *oid, unsigned long alg) 68 { 69 return oid->len == 8 && 70 oid_is_rsadsi(oid) && 71 oid->oid[4] == 1 /* pkcs */ && 72 oid->oid[5] == 12 /* pkcs-12 */ && 73 oid->oid[6] == 1 /* pkcs-12PbeIds */ && 74 oid->oid[7] == alg; 75 } 76 77 78 static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid) 79 { 80 if (pkcs5_is_oid(oid, 3)) /* pbeWithMD5AndDES-CBC (PBES1) */ 81 return PKCS5_ALG_MD5_DES_CBC; 82 if (pkcs12_is_pbe_oid(oid, 3)) /* pbeWithSHAAnd3-KeyTripleDES-CBC */ 83 return PKCS5_ALG_SHA1_3DES_CBC; 84 if (pkcs5_is_oid(oid, 13)) /* id-PBES2 (PBES2) */ 85 return PKCS5_ALG_PBES2; 86 return PKCS5_ALG_UNKNOWN; 87 } 88 89 90 static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos, 91 const u8 *enc_alg_end) 92 { 93 struct asn1_hdr hdr; 94 const u8 *end, *kdf_end; 95 struct asn1_oid oid; 96 char obuf[80]; 97 98 /* 99 * RFC 2898, Ch. A.4 100 * 101 * PBES2-params ::= SEQUENCE { 102 * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, 103 * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} } 104 * 105 * PBES2-KDFs ALGORITHM-IDENTIFIER ::= 106 * { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... } 107 */ 108 109 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || 110 !asn1_is_sequence(&hdr)) { 111 asn1_unexpected(&hdr, 112 "PKCS #5: Expected SEQUENCE (PBES2-params)"); 113 return -1; 114 } 115 pos = hdr.payload; 116 end = hdr.payload + hdr.length; 117 118 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 119 !asn1_is_sequence(&hdr)) { 120 asn1_unexpected(&hdr, 121 "PKCS #5: Expected SEQUENCE (keyDerivationFunc)"); 122 return -1; 123 } 124 125 pos = hdr.payload; 126 kdf_end = end = hdr.payload + hdr.length; 127 128 if (asn1_get_oid(pos, end - pos, &oid, &pos)) { 129 wpa_printf(MSG_DEBUG, 130 "PKCS #5: Failed to parse OID (keyDerivationFunc algorithm)"); 131 return -1; 132 } 133 134 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 135 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 keyDerivationFunc algorithm %s", 136 obuf); 137 if (!pkcs5_is_oid(&oid, 12)) /* id-PBKDF2 */ { 138 wpa_printf(MSG_DEBUG, 139 "PKCS #5: Unsupported PBES2 keyDerivationFunc algorithm %s", 140 obuf); 141 return -1; 142 } 143 144 /* 145 * RFC 2898, C. 146 * 147 * PBKDF2-params ::= SEQUENCE { 148 * salt CHOICE { 149 * specified OCTET STRING, 150 * otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} 151 * }, 152 * iterationCount INTEGER (1..MAX), 153 * keyLength INTEGER (1..MAX) OPTIONAL, 154 * prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT 155 * algid-hmacWithSHA1 156 * } 157 */ 158 159 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 160 !asn1_is_sequence(&hdr)) { 161 asn1_unexpected(&hdr, 162 "PKCS #5: Expected SEQUENCE (PBKDF2-params)"); 163 return -1; 164 } 165 166 pos = hdr.payload; 167 end = hdr.payload + hdr.length; 168 169 /* For now, only support the salt CHOICE specified (OCTET STRING) */ 170 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 171 !asn1_is_octetstring(&hdr) || 172 hdr.length > sizeof(params->salt)) { 173 asn1_unexpected(&hdr, 174 "PKCS #5: Expected OCTET STRING (salt.specified)"); 175 return -1; 176 } 177 pos = hdr.payload + hdr.length; 178 os_memcpy(params->salt, hdr.payload, hdr.length); 179 params->salt_len = hdr.length; 180 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len); 181 182 /* iterationCount INTEGER */ 183 if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) { 184 asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER"); 185 return -1; 186 } 187 if (hdr.length == 1) { 188 params->iter_count = *hdr.payload; 189 } else if (hdr.length == 2) { 190 params->iter_count = WPA_GET_BE16(hdr.payload); 191 } else if (hdr.length == 4) { 192 params->iter_count = WPA_GET_BE32(hdr.payload); 193 } else { 194 wpa_hexdump(MSG_DEBUG, 195 "PKCS #5: Unsupported INTEGER value (iterationCount)", 196 hdr.payload, hdr.length); 197 return -1; 198 } 199 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x", 200 params->iter_count); 201 if (params->iter_count == 0 || params->iter_count > 0xffff) { 202 wpa_printf(MSG_INFO, "PKCS #5: Unsupported iterationCount=0x%x", 203 params->iter_count); 204 return -1; 205 } 206 207 /* For now, ignore optional keyLength and prf */ 208 209 pos = kdf_end; 210 211 /* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */ 212 213 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || 214 !asn1_is_sequence(&hdr)) { 215 asn1_unexpected(&hdr, 216 "PKCS #5: Expected SEQUENCE (encryptionScheme)"); 217 return -1; 218 } 219 220 pos = hdr.payload; 221 end = hdr.payload + hdr.length; 222 223 if (asn1_get_oid(pos, end - pos, &oid, &pos)) { 224 wpa_printf(MSG_DEBUG, 225 "PKCS #5: Failed to parse OID (encryptionScheme algorithm)"); 226 return -1; 227 } 228 229 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 230 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 encryptionScheme algorithm %s", 231 obuf); 232 if (enc_alg_is_oid(&oid, 7)) { 233 params->enc_alg = PBES2_ENC_ALG_DES_EDE3_CBC; 234 } else { 235 wpa_printf(MSG_DEBUG, 236 "PKCS #5: Unsupported PBES2 encryptionScheme algorithm %s", 237 obuf); 238 return -1; 239 } 240 241 /* 242 * RFC 2898, B.2.2: 243 * The parameters field associated with this OID in an 244 * AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)), 245 * specifying the initialization vector for CBC mode. 246 */ 247 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 248 !asn1_is_octetstring(&hdr) || hdr.length != 8) { 249 asn1_unexpected(&hdr, 250 "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV)"); 251 return -1; 252 } 253 os_memcpy(params->iv, hdr.payload, hdr.length); 254 params->iv_len = hdr.length; 255 wpa_hexdump(MSG_DEBUG, "PKCS #5: IV", params->iv, params->iv_len); 256 257 return 0; 258 } 259 260 261 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len, 262 struct pkcs5_params *params) 263 { 264 struct asn1_hdr hdr; 265 const u8 *enc_alg_end, *pos, *end; 266 struct asn1_oid oid; 267 char obuf[80]; 268 269 /* AlgorithmIdentifier */ 270 271 enc_alg_end = enc_alg + enc_alg_len; 272 273 os_memset(params, 0, sizeof(*params)); 274 275 if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) { 276 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID " 277 "(algorithm)"); 278 return -1; 279 } 280 281 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 282 wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf); 283 params->alg = pkcs5_get_alg(&oid); 284 if (params->alg == PKCS5_ALG_UNKNOWN) { 285 wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption " 286 "algorithm %s", obuf); 287 return -1; 288 } 289 290 if (params->alg == PKCS5_ALG_PBES2) 291 return pkcs5_get_params_pbes2(params, pos, enc_alg_end); 292 293 /* PBES1 */ 294 295 /* 296 * PKCS#5, Section 8 297 * PBEParameter ::= SEQUENCE { 298 * salt OCTET STRING SIZE(8), 299 * iterationCount INTEGER } 300 * 301 * Note: The same implementation can be used to parse the PKCS #12 302 * version described in RFC 7292, C: 303 * pkcs-12PbeParams ::= SEQUENCE { 304 * salt OCTET STRING, 305 * iterations INTEGER 306 * } 307 */ 308 309 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || 310 !asn1_is_sequence(&hdr)) { 311 asn1_unexpected(&hdr, 312 "PKCS #5: Expected SEQUENCE (PBEParameter)"); 313 return -1; 314 } 315 pos = hdr.payload; 316 end = hdr.payload + hdr.length; 317 318 /* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */ 319 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 320 !asn1_is_octetstring(&hdr) || hdr.length > sizeof(params->salt)) { 321 asn1_unexpected(&hdr, 322 "PKCS #5: Expected OCTETSTRING SIZE(8) (salt)"); 323 return -1; 324 } 325 pos = hdr.payload + hdr.length; 326 os_memcpy(params->salt, hdr.payload, hdr.length); 327 params->salt_len = hdr.length; 328 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", 329 params->salt, params->salt_len); 330 331 /* iterationCount INTEGER */ 332 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 333 !asn1_is_integer(&hdr)) { 334 asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER"); 335 return -1; 336 } 337 if (hdr.length == 1) 338 params->iter_count = *hdr.payload; 339 else if (hdr.length == 2) 340 params->iter_count = WPA_GET_BE16(hdr.payload); 341 else if (hdr.length == 4) 342 params->iter_count = WPA_GET_BE32(hdr.payload); 343 else { 344 wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value " 345 " (iterationCount)", 346 hdr.payload, hdr.length); 347 return -1; 348 } 349 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x", 350 params->iter_count); 351 if (params->iter_count == 0 || params->iter_count > 0xffff) { 352 wpa_printf(MSG_INFO, "PKCS #5: Unsupported " 353 "iterationCount=0x%x", params->iter_count); 354 return -1; 355 } 356 357 return 0; 358 } 359 360 361 static struct crypto_cipher * 362 pkcs5_crypto_init_pbes2(struct pkcs5_params *params, const char *passwd) 363 { 364 u8 key[24]; 365 366 if (params->enc_alg != PBES2_ENC_ALG_DES_EDE3_CBC || 367 params->iv_len != 8) 368 return NULL; 369 370 wpa_hexdump_ascii_key(MSG_DEBUG, "PKCS #5: PBES2 password for PBKDF2", 371 passwd, os_strlen(passwd)); 372 wpa_hexdump(MSG_DEBUG, "PKCS #5: PBES2 salt for PBKDF2", 373 params->salt, params->salt_len); 374 wpa_printf(MSG_DEBUG, "PKCS #5: PBES2 PBKDF2 iterations: %u", 375 params->iter_count); 376 if (pbkdf2_sha1(passwd, params->salt, params->salt_len, 377 params->iter_count, key, sizeof(key)) < 0) 378 return NULL; 379 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES EDE3 key", key, sizeof(key)); 380 wpa_hexdump(MSG_DEBUG, "PKCS #5: DES IV", params->iv, params->iv_len); 381 382 return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, params->iv, 383 key, sizeof(key)); 384 } 385 386 387 static void add_byte_array_mod(u8 *a, const u8 *b, size_t len) 388 { 389 size_t i; 390 unsigned int carry = 0; 391 392 for (i = len - 1; i < len; i--) { 393 carry = carry + a[i] + b[i]; 394 a[i] = carry & 0xff; 395 carry >>= 8; 396 } 397 } 398 399 400 static int pkcs12_key_gen(const u8 *pw, size_t pw_len, const u8 *salt, 401 size_t salt_len, u8 id, unsigned int iter, 402 size_t out_len, u8 *out) 403 { 404 unsigned int u, v, S_len, P_len, i; 405 u8 *D = NULL, *I = NULL, *B = NULL, *pos; 406 int res = -1; 407 408 /* RFC 7292, B.2 */ 409 u = SHA1_MAC_LEN; 410 v = 64; 411 412 /* D = copies of ID */ 413 D = os_malloc(v); 414 if (!D) 415 goto done; 416 os_memset(D, id, v); 417 418 /* S = copies of salt; P = copies of password, I = S || P */ 419 S_len = v * ((salt_len + v - 1) / v); 420 P_len = v * ((pw_len + v - 1) / v); 421 I = os_malloc(S_len + P_len); 422 if (!I) 423 goto done; 424 pos = I; 425 if (salt_len) { 426 for (i = 0; i < S_len; i++) 427 *pos++ = salt[i % salt_len]; 428 } 429 if (pw_len) { 430 for (i = 0; i < P_len; i++) 431 *pos++ = pw[i % pw_len]; 432 } 433 434 B = os_malloc(v); 435 if (!B) 436 goto done; 437 438 for (;;) { 439 u8 hash[SHA1_MAC_LEN]; 440 const u8 *addr[2]; 441 size_t len[2]; 442 443 addr[0] = D; 444 len[0] = v; 445 addr[1] = I; 446 len[1] = S_len + P_len; 447 if (sha1_vector(2, addr, len, hash) < 0) 448 goto done; 449 450 addr[0] = hash; 451 len[0] = SHA1_MAC_LEN; 452 for (i = 1; i < iter; i++) { 453 if (sha1_vector(1, addr, len, hash) < 0) 454 goto done; 455 } 456 457 if (out_len <= u) { 458 os_memcpy(out, hash, out_len); 459 res = 0; 460 goto done; 461 } 462 463 os_memcpy(out, hash, u); 464 out += u; 465 out_len -= u; 466 467 /* I_j = (I_j + B + 1) mod 2^(v*8) */ 468 /* B = copies of Ai (final hash value) */ 469 for (i = 0; i < v; i++) 470 B[i] = hash[i % u]; 471 inc_byte_array(B, v); 472 for (i = 0; i < S_len + P_len; i += v) 473 add_byte_array_mod(&I[i], B, v); 474 } 475 476 done: 477 os_free(B); 478 os_free(I); 479 os_free(D); 480 return res; 481 } 482 483 484 #define PKCS12_ID_ENC 1 485 #define PKCS12_ID_IV 2 486 #define PKCS12_ID_MAC 3 487 488 static struct crypto_cipher * 489 pkcs12_crypto_init_sha1(struct pkcs5_params *params, const char *passwd) 490 { 491 unsigned int i; 492 u8 *pw; 493 size_t pw_len; 494 u8 key[24]; 495 u8 iv[8]; 496 497 if (params->alg != PKCS5_ALG_SHA1_3DES_CBC) 498 return NULL; 499 500 pw_len = passwd ? os_strlen(passwd) : 0; 501 pw = os_malloc(2 * (pw_len + 1)); 502 if (!pw) 503 return NULL; 504 if (pw_len) { 505 for (i = 0; i <= pw_len; i++) 506 WPA_PUT_BE16(&pw[2 * i], passwd[i]); 507 pw_len = 2 * (pw_len + 1); 508 } 509 510 if (pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len, 511 PKCS12_ID_ENC, params->iter_count, 512 sizeof(key), key) < 0 || 513 pkcs12_key_gen(pw, pw_len, params->salt, params->salt_len, 514 PKCS12_ID_IV, params->iter_count, 515 sizeof(iv), iv) < 0) { 516 os_free(pw); 517 return NULL; 518 } 519 520 os_free(pw); 521 522 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES key", key, sizeof(key)); 523 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: DES IV", iv, sizeof(iv)); 524 525 return crypto_cipher_init(CRYPTO_CIPHER_ALG_3DES, iv, key, sizeof(key)); 526 } 527 528 529 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params, 530 const char *passwd) 531 { 532 unsigned int i; 533 u8 hash[MD5_MAC_LEN]; 534 const u8 *addr[2]; 535 size_t len[2]; 536 537 if (params->alg == PKCS5_ALG_PBES2) 538 return pkcs5_crypto_init_pbes2(params, passwd); 539 540 if (params->alg == PKCS5_ALG_SHA1_3DES_CBC) 541 return pkcs12_crypto_init_sha1(params, passwd); 542 543 if (params->alg != PKCS5_ALG_MD5_DES_CBC) 544 return NULL; 545 546 addr[0] = (const u8 *) passwd; 547 len[0] = os_strlen(passwd); 548 addr[1] = params->salt; 549 len[1] = params->salt_len; 550 if (md5_vector(2, addr, len, hash) < 0) 551 return NULL; 552 addr[0] = hash; 553 len[0] = MD5_MAC_LEN; 554 for (i = 1; i < params->iter_count; i++) { 555 if (md5_vector(1, addr, len, hash) < 0) 556 return NULL; 557 } 558 /* TODO: DES key parity bits(?) */ 559 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8); 560 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8); 561 562 return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8); 563 } 564 565 566 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len, 567 const u8 *enc_data, size_t enc_data_len, 568 const char *passwd, size_t *data_len) 569 { 570 struct crypto_cipher *ctx; 571 u8 *eb, pad; 572 struct pkcs5_params params; 573 unsigned int i; 574 575 if (pkcs5_get_params(enc_alg, enc_alg_len, ¶ms) < 0) { 576 wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters"); 577 return NULL; 578 } 579 580 ctx = pkcs5_crypto_init(¶ms, passwd); 581 if (ctx == NULL) { 582 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto"); 583 return NULL; 584 } 585 586 /* PKCS #5, Section 7 - Decryption process */ 587 if (enc_data_len < 16 || enc_data_len % 8) { 588 wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext " 589 "%d", (int) enc_data_len); 590 crypto_cipher_deinit(ctx); 591 return NULL; 592 } 593 594 eb = os_malloc(enc_data_len); 595 if (eb == NULL) { 596 crypto_cipher_deinit(ctx); 597 return NULL; 598 } 599 600 if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) { 601 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB"); 602 crypto_cipher_deinit(ctx); 603 os_free(eb); 604 return NULL; 605 } 606 crypto_cipher_deinit(ctx); 607 608 pad = eb[enc_data_len - 1]; 609 if (pad > 8) { 610 wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad); 611 os_free(eb); 612 return NULL; 613 } 614 for (i = enc_data_len - pad; i < enc_data_len; i++) { 615 if (eb[i] != pad) { 616 wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS", 617 eb + enc_data_len - pad, pad); 618 os_free(eb); 619 return NULL; 620 } 621 } 622 623 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)", 624 eb, enc_data_len - pad); 625 626 *data_len = enc_data_len - pad; 627 return eb; 628 } 629