1 /*
2  * PKCS #5 (Password-based Encryption)
3  * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "asn1.h"
15 #include "pkcs5.h"
16 
17 
18 struct pkcs5_params {
19 	enum pkcs5_alg {
20 		PKCS5_ALG_UNKNOWN,
21 		PKCS5_ALG_MD5_DES_CBC
22 	} alg;
23 	u8 salt[8];
24 	size_t salt_len;
25 	unsigned int iter_count;
26 };
27 
28 
29 static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
30 {
31 	if (oid->len == 7 &&
32 	    oid->oid[0] == 1 /* iso */ &&
33 	    oid->oid[1] == 2 /* member-body */ &&
34 	    oid->oid[2] == 840 /* us */ &&
35 	    oid->oid[3] == 113549 /* rsadsi */ &&
36 	    oid->oid[4] == 1 /* pkcs */ &&
37 	    oid->oid[5] == 5 /* pkcs-5 */ &&
38 	    oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */)
39 		return PKCS5_ALG_MD5_DES_CBC;
40 
41 	return PKCS5_ALG_UNKNOWN;
42 }
43 
44 
45 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
46 			    struct pkcs5_params *params)
47 {
48 	struct asn1_hdr hdr;
49 	const u8 *enc_alg_end, *pos, *end;
50 	struct asn1_oid oid;
51 	char obuf[80];
52 
53 	/* AlgorithmIdentifier */
54 
55 	enc_alg_end = enc_alg + enc_alg_len;
56 
57 	os_memset(params, 0, sizeof(*params));
58 
59 	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
60 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
61 			   "(algorithm)");
62 		return -1;
63 	}
64 
65 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
66 	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
67 	params->alg = pkcs5_get_alg(&oid);
68 	if (params->alg == PKCS5_ALG_UNKNOWN) {
69 		wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
70 			   "algorithm %s", obuf);
71 		return -1;
72 	}
73 
74 	/*
75 	 * PKCS#5, Section 8
76 	 * PBEParameter ::= SEQUENCE {
77 	 *   salt OCTET STRING SIZE(8),
78 	 *   iterationCount INTEGER }
79 	 */
80 
81 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
82 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
83 	    hdr.tag != ASN1_TAG_SEQUENCE) {
84 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
85 			   "(PBEParameter) - found class %d tag 0x%x",
86 			   hdr.class, hdr.tag);
87 		return -1;
88 	}
89 	pos = hdr.payload;
90 	end = hdr.payload + hdr.length;
91 
92 	/* salt OCTET STRING SIZE(8) */
93 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
94 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
95 	    hdr.tag != ASN1_TAG_OCTETSTRING ||
96 	    hdr.length != 8) {
97 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
98 			   "(salt) - found class %d tag 0x%x size %d",
99 			   hdr.class, hdr.tag, hdr.length);
100 		return -1;
101 	}
102 	pos = hdr.payload + hdr.length;
103 	os_memcpy(params->salt, hdr.payload, hdr.length);
104 	params->salt_len = hdr.length;
105 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
106 		    params->salt, params->salt_len);
107 
108 	/* iterationCount INTEGER */
109 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
110 	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
111 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
112 			   "class %d tag 0x%x", hdr.class, hdr.tag);
113 		return -1;
114 	}
115 	if (hdr.length == 1)
116 		params->iter_count = *hdr.payload;
117 	else if (hdr.length == 2)
118 		params->iter_count = WPA_GET_BE16(hdr.payload);
119 	else if (hdr.length == 4)
120 		params->iter_count = WPA_GET_BE32(hdr.payload);
121 	else {
122 		wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
123 			    " (iterationCount)",
124 			    hdr.payload, hdr.length);
125 		return -1;
126 	}
127 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
128 		   params->iter_count);
129 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
130 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
131 			   "iterationCount=0x%x", params->iter_count);
132 		return -1;
133 	}
134 
135 	return 0;
136 }
137 
138 
139 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
140 						const char *passwd)
141 {
142 	unsigned int i;
143 	u8 hash[MD5_MAC_LEN];
144 	const u8 *addr[2];
145 	size_t len[2];
146 
147 	if (params->alg != PKCS5_ALG_MD5_DES_CBC)
148 		return NULL;
149 
150 	addr[0] = (const u8 *) passwd;
151 	len[0] = os_strlen(passwd);
152 	addr[1] = params->salt;
153 	len[1] = params->salt_len;
154 	if (md5_vector(2, addr, len, hash) < 0)
155 		return NULL;
156 	addr[0] = hash;
157 	len[0] = MD5_MAC_LEN;
158 	for (i = 1; i < params->iter_count; i++) {
159 		if (md5_vector(1, addr, len, hash) < 0)
160 			return NULL;
161 	}
162 	/* TODO: DES key parity bits(?) */
163 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
164 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
165 
166 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
167 }
168 
169 
170 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
171 		   const u8 *enc_data, size_t enc_data_len,
172 		   const char *passwd, size_t *data_len)
173 {
174 	struct crypto_cipher *ctx;
175 	u8 *eb, pad;
176 	struct pkcs5_params params;
177 	unsigned int i;
178 
179 	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
180 		wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
181 		return NULL;
182 	}
183 
184 	ctx = pkcs5_crypto_init(&params, passwd);
185 	if (ctx == NULL) {
186 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
187 		return NULL;
188 	}
189 
190 	/* PKCS #5, Section 7 - Decryption process */
191 	if (enc_data_len < 16 || enc_data_len % 8) {
192 		wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
193 			   "%d", (int) enc_data_len);
194 		crypto_cipher_deinit(ctx);
195 		return NULL;
196 	}
197 
198 	eb = os_malloc(enc_data_len);
199 	if (eb == NULL) {
200 		crypto_cipher_deinit(ctx);
201 		return NULL;
202 	}
203 
204 	if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
205 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
206 		crypto_cipher_deinit(ctx);
207 		os_free(eb);
208 		return NULL;
209 	}
210 	crypto_cipher_deinit(ctx);
211 
212 	pad = eb[enc_data_len - 1];
213 	if (pad > 8) {
214 		wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
215 		os_free(eb);
216 		return NULL;
217 	}
218 	for (i = enc_data_len - pad; i < enc_data_len; i++) {
219 		if (eb[i] != pad) {
220 			wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
221 				    eb + enc_data_len - pad, pad);
222 			os_free(eb);
223 			return NULL;
224 		}
225 	}
226 
227 	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
228 			eb, enc_data_len - pad);
229 
230 	*data_len = enc_data_len - pad;
231 	return eb;
232 }
233