1 /* 2 * PKCS#12 Personal Information Exchange Syntax 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: GPL-2.0 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License along 18 * with this program; if not, write to the Free Software Foundation, Inc., 19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 /* 24 * The PKCS #12 Personal Information Exchange Syntax Standard v1.1 25 * 26 * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf 27 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn 28 */ 29 30 #if !defined(MBEDTLS_CONFIG_FILE) 31 #include "mbedtls/config.h" 32 #else 33 #include MBEDTLS_CONFIG_FILE 34 #endif 35 36 #if defined(MBEDTLS_PKCS12_C) 37 38 #include "mbedtls/pkcs12.h" 39 #include "mbedtls/asn1.h" 40 #include "mbedtls/cipher.h" 41 42 #include <string.h> 43 44 #if defined(MBEDTLS_ARC4_C) 45 #include "mbedtls/arc4.h" 46 #endif 47 48 #if defined(MBEDTLS_DES_C) 49 #include "mbedtls/des.h" 50 #endif 51 52 /* Implementation that should never be optimized out by the compiler */ 53 static void mbedtls_zeroize( void *v, size_t n ) { 54 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 55 } 56 57 #if defined(MBEDTLS_ASN1_PARSE_C) 58 59 static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params, 60 mbedtls_asn1_buf *salt, int *iterations ) 61 { 62 int ret; 63 unsigned char **p = ¶ms->p; 64 const unsigned char *end = params->p + params->len; 65 66 /* 67 * pkcs-12PbeParams ::= SEQUENCE { 68 * salt OCTET STRING, 69 * iterations INTEGER 70 * } 71 * 72 */ 73 if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 74 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + 75 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 76 77 if( ( ret = mbedtls_asn1_get_tag( p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 78 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret ); 79 80 salt->p = *p; 81 *p += salt->len; 82 83 if( ( ret = mbedtls_asn1_get_int( p, end, iterations ) ) != 0 ) 84 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret ); 85 86 if( *p != end ) 87 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + 88 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 89 90 return( 0 ); 91 } 92 93 #define PKCS12_MAX_PWDLEN 128 94 95 static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type, 96 const unsigned char *pwd, size_t pwdlen, 97 unsigned char *key, size_t keylen, 98 unsigned char *iv, size_t ivlen ) 99 { 100 int ret, iterations = 0; 101 mbedtls_asn1_buf salt; 102 size_t i; 103 unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2]; 104 105 if( pwdlen > PKCS12_MAX_PWDLEN ) 106 return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); 107 108 memset( &salt, 0, sizeof(mbedtls_asn1_buf) ); 109 memset( &unipwd, 0, sizeof(unipwd) ); 110 111 if( ( ret = pkcs12_parse_pbe_params( pbe_params, &salt, 112 &iterations ) ) != 0 ) 113 return( ret ); 114 115 for( i = 0; i < pwdlen; i++ ) 116 unipwd[i * 2 + 1] = pwd[i]; 117 118 if( ( ret = mbedtls_pkcs12_derivation( key, keylen, unipwd, pwdlen * 2 + 2, 119 salt.p, salt.len, md_type, 120 MBEDTLS_PKCS12_DERIVE_KEY, iterations ) ) != 0 ) 121 { 122 return( ret ); 123 } 124 125 if( iv == NULL || ivlen == 0 ) 126 return( 0 ); 127 128 if( ( ret = mbedtls_pkcs12_derivation( iv, ivlen, unipwd, pwdlen * 2 + 2, 129 salt.p, salt.len, md_type, 130 MBEDTLS_PKCS12_DERIVE_IV, iterations ) ) != 0 ) 131 { 132 return( ret ); 133 } 134 return( 0 ); 135 } 136 137 #undef PKCS12_MAX_PWDLEN 138 139 int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode, 140 const unsigned char *pwd, size_t pwdlen, 141 const unsigned char *data, size_t len, 142 unsigned char *output ) 143 { 144 #if !defined(MBEDTLS_ARC4_C) 145 ((void) pbe_params); 146 ((void) mode); 147 ((void) pwd); 148 ((void) pwdlen); 149 ((void) data); 150 ((void) len); 151 ((void) output); 152 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 153 #else 154 int ret; 155 unsigned char key[16]; 156 mbedtls_arc4_context ctx; 157 ((void) mode); 158 159 mbedtls_arc4_init( &ctx ); 160 161 if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, MBEDTLS_MD_SHA1, 162 pwd, pwdlen, 163 key, 16, NULL, 0 ) ) != 0 ) 164 { 165 return( ret ); 166 } 167 168 mbedtls_arc4_setup( &ctx, key, 16 ); 169 if( ( ret = mbedtls_arc4_crypt( &ctx, len, data, output ) ) != 0 ) 170 goto exit; 171 172 exit: 173 mbedtls_zeroize( key, sizeof( key ) ); 174 mbedtls_arc4_free( &ctx ); 175 176 return( ret ); 177 #endif /* MBEDTLS_ARC4_C */ 178 } 179 180 int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode, 181 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, 182 const unsigned char *pwd, size_t pwdlen, 183 const unsigned char *data, size_t len, 184 unsigned char *output ) 185 { 186 int ret, keylen = 0; 187 unsigned char key[32]; 188 unsigned char iv[16]; 189 const mbedtls_cipher_info_t *cipher_info; 190 mbedtls_cipher_context_t cipher_ctx; 191 size_t olen = 0; 192 193 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 194 if( cipher_info == NULL ) 195 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 196 197 keylen = cipher_info->key_bitlen / 8; 198 199 if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, md_type, pwd, pwdlen, 200 key, keylen, 201 iv, cipher_info->iv_size ) ) != 0 ) 202 { 203 return( ret ); 204 } 205 206 mbedtls_cipher_init( &cipher_ctx ); 207 208 if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 ) 209 goto exit; 210 211 if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 ) 212 goto exit; 213 214 if( ( ret = mbedtls_cipher_set_iv( &cipher_ctx, iv, cipher_info->iv_size ) ) != 0 ) 215 goto exit; 216 217 if( ( ret = mbedtls_cipher_reset( &cipher_ctx ) ) != 0 ) 218 goto exit; 219 220 if( ( ret = mbedtls_cipher_update( &cipher_ctx, data, len, 221 output, &olen ) ) != 0 ) 222 { 223 goto exit; 224 } 225 226 if( ( ret = mbedtls_cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 ) 227 ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH; 228 229 exit: 230 mbedtls_zeroize( key, sizeof( key ) ); 231 mbedtls_zeroize( iv, sizeof( iv ) ); 232 mbedtls_cipher_free( &cipher_ctx ); 233 234 return( ret ); 235 } 236 237 #endif /* MBEDTLS_ASN1_PARSE_C */ 238 239 static void pkcs12_fill_buffer( unsigned char *data, size_t data_len, 240 const unsigned char *filler, size_t fill_len ) 241 { 242 unsigned char *p = data; 243 size_t use_len; 244 245 while( data_len > 0 ) 246 { 247 use_len = ( data_len > fill_len ) ? fill_len : data_len; 248 memcpy( p, filler, use_len ); 249 p += use_len; 250 data_len -= use_len; 251 } 252 } 253 254 int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, 255 const unsigned char *pwd, size_t pwdlen, 256 const unsigned char *salt, size_t saltlen, 257 mbedtls_md_type_t md_type, int id, int iterations ) 258 { 259 int ret; 260 unsigned int j; 261 262 unsigned char diversifier[128]; 263 unsigned char salt_block[128], pwd_block[128], hash_block[128]; 264 unsigned char hash_output[MBEDTLS_MD_MAX_SIZE]; 265 unsigned char *p; 266 unsigned char c; 267 268 size_t hlen, use_len, v, i; 269 270 const mbedtls_md_info_t *md_info; 271 mbedtls_md_context_t md_ctx; 272 273 // This version only allows max of 64 bytes of password or salt 274 if( datalen > 128 || pwdlen > 64 || saltlen > 64 ) 275 return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); 276 277 md_info = mbedtls_md_info_from_type( md_type ); 278 if( md_info == NULL ) 279 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 280 281 mbedtls_md_init( &md_ctx ); 282 283 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 284 return( ret ); 285 hlen = mbedtls_md_get_size( md_info ); 286 287 if( hlen <= 32 ) 288 v = 64; 289 else 290 v = 128; 291 292 memset( diversifier, (unsigned char) id, v ); 293 294 pkcs12_fill_buffer( salt_block, v, salt, saltlen ); 295 pkcs12_fill_buffer( pwd_block, v, pwd, pwdlen ); 296 297 p = data; 298 while( datalen > 0 ) 299 { 300 // Calculate hash( diversifier || salt_block || pwd_block ) 301 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) 302 goto exit; 303 304 if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 ) 305 goto exit; 306 307 if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 ) 308 goto exit; 309 310 if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 ) 311 goto exit; 312 313 if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 ) 314 goto exit; 315 316 // Perform remaining ( iterations - 1 ) recursive hash calculations 317 for( i = 1; i < (size_t) iterations; i++ ) 318 { 319 if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) != 0 ) 320 goto exit; 321 } 322 323 use_len = ( datalen > hlen ) ? hlen : datalen; 324 memcpy( p, hash_output, use_len ); 325 datalen -= use_len; 326 p += use_len; 327 328 if( datalen == 0 ) 329 break; 330 331 // Concatenating copies of hash_output into hash_block (B) 332 pkcs12_fill_buffer( hash_block, v, hash_output, hlen ); 333 334 // B += 1 335 for( i = v; i > 0; i-- ) 336 if( ++hash_block[i - 1] != 0 ) 337 break; 338 339 // salt_block += B 340 c = 0; 341 for( i = v; i > 0; i-- ) 342 { 343 j = salt_block[i - 1] + hash_block[i - 1] + c; 344 c = (unsigned char) (j >> 8); 345 salt_block[i - 1] = j & 0xFF; 346 } 347 348 // pwd_block += B 349 c = 0; 350 for( i = v; i > 0; i-- ) 351 { 352 j = pwd_block[i - 1] + hash_block[i - 1] + c; 353 c = (unsigned char) (j >> 8); 354 pwd_block[i - 1] = j & 0xFF; 355 } 356 } 357 358 ret = 0; 359 360 exit: 361 mbedtls_zeroize( salt_block, sizeof( salt_block ) ); 362 mbedtls_zeroize( pwd_block, sizeof( pwd_block ) ); 363 mbedtls_zeroize( hash_block, sizeof( hash_block ) ); 364 mbedtls_zeroize( hash_output, sizeof( hash_output ) ); 365 366 mbedtls_md_free( &md_ctx ); 367 368 return( ret ); 369 } 370 371 #endif /* MBEDTLS_PKCS12_C */ 372