xref: /freebsd/contrib/wpa/src/tls/pkcs5.c (revision aa0a1e58) 
1 /*
2  * PKCS #5 (Password-based Encryption)
3  * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "crypto/crypto.h"
19 #include "crypto/md5.h"
20 #include "asn1.h"
21 #include "pkcs5.h"
22 
23 
24 struct pkcs5_params {
25 	enum pkcs5_alg {
26 		PKCS5_ALG_UNKNOWN,
27 		PKCS5_ALG_MD5_DES_CBC
28 	} alg;
29 	u8 salt[8];
30 	size_t salt_len;
31 	unsigned int iter_count;
32 };
33 
34 
35 enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
36 {
37 	if (oid->len == 7 &&
38 	    oid->oid[0] == 1 /* iso */ &&
39 	    oid->oid[1] == 2 /* member-body */ &&
40 	    oid->oid[2] == 840 /* us */ &&
41 	    oid->oid[3] == 113549 /* rsadsi */ &&
42 	    oid->oid[4] == 1 /* pkcs */ &&
43 	    oid->oid[5] == 5 /* pkcs-5 */ &&
44 	    oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */)
45 		return PKCS5_ALG_MD5_DES_CBC;
46 
47 	return PKCS5_ALG_UNKNOWN;
48 }
49 
50 
51 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
52 			    struct pkcs5_params *params)
53 {
54 	struct asn1_hdr hdr;
55 	const u8 *enc_alg_end, *pos, *end;
56 	struct asn1_oid oid;
57 	char obuf[80];
58 
59 	/* AlgorithmIdentifier */
60 
61 	enc_alg_end = enc_alg + enc_alg_len;
62 
63 	os_memset(params, 0, sizeof(*params));
64 
65 	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
66 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
67 			   "(algorithm)");
68 		return -1;
69 	}
70 
71 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
72 	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
73 	params->alg = pkcs5_get_alg(&oid);
74 	if (params->alg == PKCS5_ALG_UNKNOWN) {
75 		wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
76 			   "algorithm %s", obuf);
77 		return -1;
78 	}
79 
80 	/*
81 	 * PKCS#5, Section 8
82 	 * PBEParameter ::= SEQUENCE {
83 	 *   salt OCTET STRING SIZE(8),
84 	 *   iterationCount INTEGER }
85 	 */
86 
87 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
88 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
89 	    hdr.tag != ASN1_TAG_SEQUENCE) {
90 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
91 			   "(PBEParameter) - found class %d tag 0x%x",
92 			   hdr.class, hdr.tag);
93 		return -1;
94 	}
95 	pos = hdr.payload;
96 	end = hdr.payload + hdr.length;
97 
98 	/* salt OCTET STRING SIZE(8) */
99 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
100 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
101 	    hdr.tag != ASN1_TAG_OCTETSTRING ||
102 	    hdr.length != 8) {
103 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
104 			   "(salt) - found class %d tag 0x%x size %d",
105 			   hdr.class, hdr.tag, hdr.length);
106 		return -1;
107 	}
108 	pos = hdr.payload + hdr.length;
109 	os_memcpy(params->salt, hdr.payload, hdr.length);
110 	params->salt_len = hdr.length;
111 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
112 		    params->salt, params->salt_len);
113 
114 	/* iterationCount INTEGER */
115 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
116 	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
117 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
118 			   "class %d tag 0x%x", hdr.class, hdr.tag);
119 		return -1;
120 	}
121 	if (hdr.length == 1)
122 		params->iter_count = *hdr.payload;
123 	else if (hdr.length == 2)
124 		params->iter_count = WPA_GET_BE16(hdr.payload);
125 	else if (hdr.length == 4)
126 		params->iter_count = WPA_GET_BE32(hdr.payload);
127 	else {
128 		wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
129 			    " (iterationCount)",
130 			    hdr.payload, hdr.length);
131 		return -1;
132 	}
133 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
134 		   params->iter_count);
135 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
136 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
137 			   "iterationCount=0x%x", params->iter_count);
138 		return -1;
139 	}
140 
141 	return 0;
142 }
143 
144 
145 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
146 						const char *passwd)
147 {
148 	unsigned int i;
149 	u8 hash[MD5_MAC_LEN];
150 	const u8 *addr[2];
151 	size_t len[2];
152 
153 	if (params->alg != PKCS5_ALG_MD5_DES_CBC)
154 		return NULL;
155 
156 	addr[0] = (const u8 *) passwd;
157 	len[0] = os_strlen(passwd);
158 	addr[1] = params->salt;
159 	len[1] = params->salt_len;
160 	if (md5_vector(2, addr, len, hash) < 0)
161 		return NULL;
162 	addr[0] = hash;
163 	len[0] = MD5_MAC_LEN;
164 	for (i = 1; i < params->iter_count; i++) {
165 		if (md5_vector(1, addr, len, hash) < 0)
166 			return NULL;
167 	}
168 	/* TODO: DES key parity bits(?) */
169 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
170 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
171 
172 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
173 }
174 
175 
176 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
177 		   const u8 *enc_data, size_t enc_data_len,
178 		   const char *passwd, size_t *data_len)
179 {
180 	struct crypto_cipher *ctx;
181 	u8 *eb, pad;
182 	struct pkcs5_params params;
183 	unsigned int i;
184 
185 	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
186 		wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
187 		return NULL;
188 	}
189 
190 	ctx = pkcs5_crypto_init(&params, passwd);
191 	if (ctx == NULL) {
192 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
193 		return NULL;
194 	}
195 
196 	/* PKCS #5, Section 7 - Decryption process */
197 	if (enc_data_len < 16 || enc_data_len % 8) {
198 		wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
199 			   "%d", (int) enc_data_len);
200 		crypto_cipher_deinit(ctx);
201 		return NULL;
202 	}
203 
204 	eb = os_malloc(enc_data_len);
205 	if (eb == NULL) {
206 		crypto_cipher_deinit(ctx);
207 		return NULL;
208 	}
209 
210 	if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
211 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
212 		crypto_cipher_deinit(ctx);
213 		os_free(eb);
214 		return NULL;
215 	}
216 	crypto_cipher_deinit(ctx);
217 
218 	pad = eb[enc_data_len - 1];
219 	if (pad > 8) {
220 		wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
221 		os_free(eb);
222 		return NULL;
223 	}
224 	for (i = enc_data_len - pad; i < enc_data_len; i++) {
225 		if (eb[i] != pad) {
226 			wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
227 				    eb + enc_data_len - pad, pad);
228 			os_free(eb);
229 			return NULL;
230 		}
231 	}
232 
233 	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
234 			eb, enc_data_len - pad);
235 
236 	*data_len = enc_data_len - pad;
237 	return eb;
238 }
239