1 /* 2 * PKCS #5 (Password-based Encryption) 3 * Copyright (c) 2009, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/crypto.h" 19 #include "crypto/md5.h" 20 #include "asn1.h" 21 #include "pkcs5.h" 22 23 24 struct pkcs5_params { 25 enum pkcs5_alg { 26 PKCS5_ALG_UNKNOWN, 27 PKCS5_ALG_MD5_DES_CBC 28 } alg; 29 u8 salt[8]; 30 size_t salt_len; 31 unsigned int iter_count; 32 }; 33 34 35 enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid) 36 { 37 if (oid->len == 7 && 38 oid->oid[0] == 1 /* iso */ && 39 oid->oid[1] == 2 /* member-body */ && 40 oid->oid[2] == 840 /* us */ && 41 oid->oid[3] == 113549 /* rsadsi */ && 42 oid->oid[4] == 1 /* pkcs */ && 43 oid->oid[5] == 5 /* pkcs-5 */ && 44 oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */) 45 return PKCS5_ALG_MD5_DES_CBC; 46 47 return PKCS5_ALG_UNKNOWN; 48 } 49 50 51 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len, 52 struct pkcs5_params *params) 53 { 54 struct asn1_hdr hdr; 55 const u8 *enc_alg_end, *pos, *end; 56 struct asn1_oid oid; 57 char obuf[80]; 58 59 /* AlgorithmIdentifier */ 60 61 enc_alg_end = enc_alg + enc_alg_len; 62 63 os_memset(params, 0, sizeof(*params)); 64 65 if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) { 66 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID " 67 "(algorithm)"); 68 return -1; 69 } 70 71 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 72 wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf); 73 params->alg = pkcs5_get_alg(&oid); 74 if (params->alg == PKCS5_ALG_UNKNOWN) { 75 wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption " 76 "algorithm %s", obuf); 77 return -1; 78 } 79 80 /* 81 * PKCS#5, Section 8 82 * PBEParameter ::= SEQUENCE { 83 * salt OCTET STRING SIZE(8), 84 * iterationCount INTEGER } 85 */ 86 87 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || 88 hdr.class != ASN1_CLASS_UNIVERSAL || 89 hdr.tag != ASN1_TAG_SEQUENCE) { 90 wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE " 91 "(PBEParameter) - found class %d tag 0x%x", 92 hdr.class, hdr.tag); 93 return -1; 94 } 95 pos = hdr.payload; 96 end = hdr.payload + hdr.length; 97 98 /* salt OCTET STRING SIZE(8) */ 99 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 100 hdr.class != ASN1_CLASS_UNIVERSAL || 101 hdr.tag != ASN1_TAG_OCTETSTRING || 102 hdr.length != 8) { 103 wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) " 104 "(salt) - found class %d tag 0x%x size %d", 105 hdr.class, hdr.tag, hdr.length); 106 return -1; 107 } 108 pos = hdr.payload + hdr.length; 109 os_memcpy(params->salt, hdr.payload, hdr.length); 110 params->salt_len = hdr.length; 111 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", 112 params->salt, params->salt_len); 113 114 /* iterationCount INTEGER */ 115 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 116 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) { 117 wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found " 118 "class %d tag 0x%x", hdr.class, hdr.tag); 119 return -1; 120 } 121 if (hdr.length == 1) 122 params->iter_count = *hdr.payload; 123 else if (hdr.length == 2) 124 params->iter_count = WPA_GET_BE16(hdr.payload); 125 else if (hdr.length == 4) 126 params->iter_count = WPA_GET_BE32(hdr.payload); 127 else { 128 wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value " 129 " (iterationCount)", 130 hdr.payload, hdr.length); 131 return -1; 132 } 133 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x", 134 params->iter_count); 135 if (params->iter_count == 0 || params->iter_count > 0xffff) { 136 wpa_printf(MSG_INFO, "PKCS #5: Unsupported " 137 "iterationCount=0x%x", params->iter_count); 138 return -1; 139 } 140 141 return 0; 142 } 143 144 145 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params, 146 const char *passwd) 147 { 148 unsigned int i; 149 u8 hash[MD5_MAC_LEN]; 150 const u8 *addr[2]; 151 size_t len[2]; 152 153 if (params->alg != PKCS5_ALG_MD5_DES_CBC) 154 return NULL; 155 156 addr[0] = (const u8 *) passwd; 157 len[0] = os_strlen(passwd); 158 addr[1] = params->salt; 159 len[1] = params->salt_len; 160 if (md5_vector(2, addr, len, hash) < 0) 161 return NULL; 162 addr[0] = hash; 163 len[0] = MD5_MAC_LEN; 164 for (i = 1; i < params->iter_count; i++) { 165 if (md5_vector(1, addr, len, hash) < 0) 166 return NULL; 167 } 168 /* TODO: DES key parity bits(?) */ 169 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8); 170 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8); 171 172 return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8); 173 } 174 175 176 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len, 177 const u8 *enc_data, size_t enc_data_len, 178 const char *passwd, size_t *data_len) 179 { 180 struct crypto_cipher *ctx; 181 u8 *eb, pad; 182 struct pkcs5_params params; 183 unsigned int i; 184 185 if (pkcs5_get_params(enc_alg, enc_alg_len, ¶ms) < 0) { 186 wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters"); 187 return NULL; 188 } 189 190 ctx = pkcs5_crypto_init(¶ms, passwd); 191 if (ctx == NULL) { 192 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto"); 193 return NULL; 194 } 195 196 /* PKCS #5, Section 7 - Decryption process */ 197 if (enc_data_len < 16 || enc_data_len % 8) { 198 wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext " 199 "%d", (int) enc_data_len); 200 crypto_cipher_deinit(ctx); 201 return NULL; 202 } 203 204 eb = os_malloc(enc_data_len); 205 if (eb == NULL) { 206 crypto_cipher_deinit(ctx); 207 return NULL; 208 } 209 210 if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) { 211 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB"); 212 crypto_cipher_deinit(ctx); 213 os_free(eb); 214 return NULL; 215 } 216 crypto_cipher_deinit(ctx); 217 218 pad = eb[enc_data_len - 1]; 219 if (pad > 8) { 220 wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad); 221 os_free(eb); 222 return NULL; 223 } 224 for (i = enc_data_len - pad; i < enc_data_len; i++) { 225 if (eb[i] != pad) { 226 wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS", 227 eb + enc_data_len - pad, pad); 228 os_free(eb); 229 return NULL; 230 } 231 } 232 233 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)", 234 eb, enc_data_len - pad); 235 236 *data_len = enc_data_len - pad; 237 return eb; 238 } 239