1 /* 2 * PKCS#12 Personal Information Exchange Syntax 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 * 46 * This file is part of mbed TLS (https://tls.mbed.org) 47 */ 48 /* 49 * The PKCS #12 Personal Information Exchange Syntax Standard v1.1 50 * 51 * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf 52 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn 53 */ 54 55 #if !defined(MBEDTLS_CONFIG_FILE) 56 #include "mbedtls/config.h" 57 #else 58 #include MBEDTLS_CONFIG_FILE 59 #endif 60 61 #if defined(MBEDTLS_PKCS12_C) 62 63 #include "mbedtls/pkcs12.h" 64 #include "mbedtls/asn1.h" 65 #include "mbedtls/cipher.h" 66 67 #include <string.h> 68 69 #if defined(MBEDTLS_ARC4_C) 70 #include "mbedtls/arc4.h" 71 #endif 72 73 #if defined(MBEDTLS_DES_C) 74 #include "mbedtls/des.h" 75 #endif 76 77 /* Implementation that should never be optimized out by the compiler */ 78 static void mbedtls_zeroize( void *v, size_t n ) { 79 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 80 } 81 82 #if defined(MBEDTLS_ASN1_PARSE_C) 83 84 static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params, 85 mbedtls_asn1_buf *salt, int *iterations ) 86 { 87 int ret; 88 unsigned char **p = ¶ms->p; 89 const unsigned char *end = params->p + params->len; 90 91 /* 92 * pkcs-12PbeParams ::= SEQUENCE { 93 * salt OCTET STRING, 94 * iterations INTEGER 95 * } 96 * 97 */ 98 if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 99 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + 100 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 101 102 if( ( ret = mbedtls_asn1_get_tag( p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 103 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret ); 104 105 salt->p = *p; 106 *p += salt->len; 107 108 if( ( ret = mbedtls_asn1_get_int( p, end, iterations ) ) != 0 ) 109 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret ); 110 111 if( *p != end ) 112 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + 113 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 114 115 return( 0 ); 116 } 117 118 #define PKCS12_MAX_PWDLEN 128 119 120 static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type, 121 const unsigned char *pwd, size_t pwdlen, 122 unsigned char *key, size_t keylen, 123 unsigned char *iv, size_t ivlen ) 124 { 125 int ret, iterations = 0; 126 mbedtls_asn1_buf salt; 127 size_t i; 128 unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2]; 129 130 if( pwdlen > PKCS12_MAX_PWDLEN ) 131 return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); 132 133 memset( &salt, 0, sizeof(mbedtls_asn1_buf) ); 134 memset( &unipwd, 0, sizeof(unipwd) ); 135 136 if( ( ret = pkcs12_parse_pbe_params( pbe_params, &salt, 137 &iterations ) ) != 0 ) 138 return( ret ); 139 140 for( i = 0; i < pwdlen; i++ ) 141 unipwd[i * 2 + 1] = pwd[i]; 142 143 if( ( ret = mbedtls_pkcs12_derivation( key, keylen, unipwd, pwdlen * 2 + 2, 144 salt.p, salt.len, md_type, 145 MBEDTLS_PKCS12_DERIVE_KEY, iterations ) ) != 0 ) 146 { 147 return( ret ); 148 } 149 150 if( iv == NULL || ivlen == 0 ) 151 return( 0 ); 152 153 if( ( ret = mbedtls_pkcs12_derivation( iv, ivlen, unipwd, pwdlen * 2 + 2, 154 salt.p, salt.len, md_type, 155 MBEDTLS_PKCS12_DERIVE_IV, iterations ) ) != 0 ) 156 { 157 return( ret ); 158 } 159 return( 0 ); 160 } 161 162 #undef PKCS12_MAX_PWDLEN 163 164 int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode, 165 const unsigned char *pwd, size_t pwdlen, 166 const unsigned char *data, size_t len, 167 unsigned char *output ) 168 { 169 #if !defined(MBEDTLS_ARC4_C) 170 ((void) pbe_params); 171 ((void) mode); 172 ((void) pwd); 173 ((void) pwdlen); 174 ((void) data); 175 ((void) len); 176 ((void) output); 177 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 178 #else 179 int ret; 180 unsigned char key[16]; 181 mbedtls_arc4_context ctx; 182 ((void) mode); 183 184 mbedtls_arc4_init( &ctx ); 185 186 if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, MBEDTLS_MD_SHA1, 187 pwd, pwdlen, 188 key, 16, NULL, 0 ) ) != 0 ) 189 { 190 return( ret ); 191 } 192 193 mbedtls_arc4_setup( &ctx, key, 16 ); 194 if( ( ret = mbedtls_arc4_crypt( &ctx, len, data, output ) ) != 0 ) 195 goto exit; 196 197 exit: 198 mbedtls_zeroize( key, sizeof( key ) ); 199 mbedtls_arc4_free( &ctx ); 200 201 return( ret ); 202 #endif /* MBEDTLS_ARC4_C */ 203 } 204 205 int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode, 206 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, 207 const unsigned char *pwd, size_t pwdlen, 208 const unsigned char *data, size_t len, 209 unsigned char *output ) 210 { 211 int ret, keylen = 0; 212 unsigned char key[32]; 213 unsigned char iv[16]; 214 const mbedtls_cipher_info_t *cipher_info; 215 mbedtls_cipher_context_t cipher_ctx; 216 size_t olen = 0; 217 218 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 219 if( cipher_info == NULL ) 220 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 221 222 keylen = cipher_info->key_bitlen / 8; 223 224 if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, md_type, pwd, pwdlen, 225 key, keylen, 226 iv, cipher_info->iv_size ) ) != 0 ) 227 { 228 return( ret ); 229 } 230 231 mbedtls_cipher_init( &cipher_ctx ); 232 233 if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 ) 234 goto exit; 235 236 if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 ) 237 goto exit; 238 239 if( ( ret = mbedtls_cipher_set_iv( &cipher_ctx, iv, cipher_info->iv_size ) ) != 0 ) 240 goto exit; 241 242 if( ( ret = mbedtls_cipher_reset( &cipher_ctx ) ) != 0 ) 243 goto exit; 244 245 if( ( ret = mbedtls_cipher_update( &cipher_ctx, data, len, 246 output, &olen ) ) != 0 ) 247 { 248 goto exit; 249 } 250 251 if( ( ret = mbedtls_cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 ) 252 ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH; 253 254 exit: 255 mbedtls_zeroize( key, sizeof( key ) ); 256 mbedtls_zeroize( iv, sizeof( iv ) ); 257 mbedtls_cipher_free( &cipher_ctx ); 258 259 return( ret ); 260 } 261 262 #endif /* MBEDTLS_ASN1_PARSE_C */ 263 264 static void pkcs12_fill_buffer( unsigned char *data, size_t data_len, 265 const unsigned char *filler, size_t fill_len ) 266 { 267 unsigned char *p = data; 268 size_t use_len; 269 270 while( data_len > 0 ) 271 { 272 use_len = ( data_len > fill_len ) ? fill_len : data_len; 273 memcpy( p, filler, use_len ); 274 p += use_len; 275 data_len -= use_len; 276 } 277 } 278 279 int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, 280 const unsigned char *pwd, size_t pwdlen, 281 const unsigned char *salt, size_t saltlen, 282 mbedtls_md_type_t md_type, int id, int iterations ) 283 { 284 int ret; 285 unsigned int j; 286 287 unsigned char diversifier[128]; 288 unsigned char salt_block[128], pwd_block[128], hash_block[128]; 289 unsigned char hash_output[MBEDTLS_MD_MAX_SIZE]; 290 unsigned char *p; 291 unsigned char c; 292 293 size_t hlen, use_len, v, i; 294 295 const mbedtls_md_info_t *md_info; 296 mbedtls_md_context_t md_ctx; 297 298 // This version only allows max of 64 bytes of password or salt 299 if( datalen > 128 || pwdlen > 64 || saltlen > 64 ) 300 return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); 301 302 md_info = mbedtls_md_info_from_type( md_type ); 303 if( md_info == NULL ) 304 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 305 306 mbedtls_md_init( &md_ctx ); 307 308 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 309 return( ret ); 310 hlen = mbedtls_md_get_size( md_info ); 311 312 if( hlen <= 32 ) 313 v = 64; 314 else 315 v = 128; 316 317 memset( diversifier, (unsigned char) id, v ); 318 319 pkcs12_fill_buffer( salt_block, v, salt, saltlen ); 320 pkcs12_fill_buffer( pwd_block, v, pwd, pwdlen ); 321 322 p = data; 323 while( datalen > 0 ) 324 { 325 // Calculate hash( diversifier || salt_block || pwd_block ) 326 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) 327 goto exit; 328 329 if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 ) 330 goto exit; 331 332 if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 ) 333 goto exit; 334 335 if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 ) 336 goto exit; 337 338 if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 ) 339 goto exit; 340 341 // Perform remaining ( iterations - 1 ) recursive hash calculations 342 for( i = 1; i < (size_t) iterations; i++ ) 343 { 344 if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) != 0 ) 345 goto exit; 346 } 347 348 use_len = ( datalen > hlen ) ? hlen : datalen; 349 memcpy( p, hash_output, use_len ); 350 datalen -= use_len; 351 p += use_len; 352 353 if( datalen == 0 ) 354 break; 355 356 // Concatenating copies of hash_output into hash_block (B) 357 pkcs12_fill_buffer( hash_block, v, hash_output, hlen ); 358 359 // B += 1 360 for( i = v; i > 0; i-- ) 361 if( ++hash_block[i - 1] != 0 ) 362 break; 363 364 // salt_block += B 365 c = 0; 366 for( i = v; i > 0; i-- ) 367 { 368 j = salt_block[i - 1] + hash_block[i - 1] + c; 369 c = (unsigned char) (j >> 8); 370 salt_block[i - 1] = j & 0xFF; 371 } 372 373 // pwd_block += B 374 c = 0; 375 for( i = v; i > 0; i-- ) 376 { 377 j = pwd_block[i - 1] + hash_block[i - 1] + c; 378 c = (unsigned char) (j >> 8); 379 pwd_block[i - 1] = j & 0xFF; 380 } 381 } 382 383 ret = 0; 384 385 exit: 386 mbedtls_zeroize( salt_block, sizeof( salt_block ) ); 387 mbedtls_zeroize( pwd_block, sizeof( pwd_block ) ); 388 mbedtls_zeroize( hash_block, sizeof( hash_block ) ); 389 mbedtls_zeroize( hash_output, sizeof( hash_output ) ); 390 391 mbedtls_md_free( &md_ctx ); 392 393 return( ret ); 394 } 395 396 #endif /* MBEDTLS_PKCS12_C */ 397