src/tls/pkcs5.c

   1 /*
   2  * PKCS #5 (Password-based Encryption)
   3  * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "crypto/crypto.h"
  19 #include "crypto/md5.h"
  20 #include "asn1.h"
  21 #include "pkcs5.h"
  22
  23
  24 struct pkcs5_params {
  25         enum pkcs5_alg {
  26                 PKCS5_ALG_UNKNOWN,
  27                 PKCS5_ALG_MD5_DES_CBC
  28         } alg;
  29         u8 salt[8];
  30         size_t salt_len;
  31         unsigned int iter_count;
  32 };
  33
  34
  35 enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
  36 {
  37         if (oid->len == 7 &&
  38             oid->oid[0] == 1 /* iso */ &&
  39             oid->oid[1] == 2 /* member-body */ &&
  40             oid->oid[2] == 840 /* us */ &&
  41             oid->oid[3] == 113549 /* rsadsi */ &&
  42             oid->oid[4] == 1 /* pkcs */ &&
  43             oid->oid[5] == 5 /* pkcs-5 */ &&
  44             oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */)
  45                 return PKCS5_ALG_MD5_DES_CBC;
  46
  47         return PKCS5_ALG_UNKNOWN;
  48 }
  49
  50
  51 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
  52                             struct pkcs5_params *params)
  53 {
  54         struct asn1_hdr hdr;
  55         const u8 *enc_alg_end, *pos, *end;
  56         struct asn1_oid oid;
  57         char obuf[80];
  58
  59         /* AlgorithmIdentifier */
  60
  61         enc_alg_end = enc_alg + enc_alg_len;
  62
  63         os_memset(params, 0, sizeof(*params));
  64
  65         if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
  66                 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
  67                            "(algorithm)");
  68                 return -1;
  69         }
  70
  71         asn1_oid_to_str(&oid, obuf, sizeof(obuf));
  72         wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
  73         params->alg = pkcs5_get_alg(&oid);
  74         if (params->alg == PKCS5_ALG_UNKNOWN) {
  75                 wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
  76                            "algorithm %s", obuf);
  77                 return -1;
  78         }
  79
  80         /*
  81          * PKCS#5, Section 8
  82          * PBEParameter ::= SEQUENCE {
  83          *   salt OCTET STRING SIZE(8),
  84          *   iterationCount INTEGER }
  85          */
  86
  87         if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
  88             hdr.class != ASN1_CLASS_UNIVERSAL ||
  89             hdr.tag != ASN1_TAG_SEQUENCE) {
  90                 wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
  91                            "(PBEParameter) - found class %d tag 0x%x",
  92                            hdr.class, hdr.tag);
  93                 return -1;
  94         }
  95         pos = hdr.payload;
  96         end = hdr.payload + hdr.length;
  97
  98         /* salt OCTET STRING SIZE(8) */
  99         if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
 100             hdr.class != ASN1_CLASS_UNIVERSAL ||
 101             hdr.tag != ASN1_TAG_OCTETSTRING ||
 102             hdr.length != 8) {
 103                 wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
 104                            "(salt) - found class %d tag 0x%x size %d",
 105                            hdr.class, hdr.tag, hdr.length);
 106                 return -1;
 107         }
 108         pos = hdr.payload + hdr.length;
 109         os_memcpy(params->salt, hdr.payload, hdr.length);
 110         params->salt_len = hdr.length;
 111         wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
 112                     params->salt, params->salt_len);
 113
 114         /* iterationCount INTEGER */
 115         if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
 116             hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
 117                 wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
 118                            "class %d tag 0x%x", hdr.class, hdr.tag);
 119                 return -1;
 120         }
 121         if (hdr.length == 1)
 122                 params->iter_count = *hdr.payload;
 123         else if (hdr.length == 2)
 124                 params->iter_count = WPA_GET_BE16(hdr.payload);
 125         else if (hdr.length == 4)
 126                 params->iter_count = WPA_GET_BE32(hdr.payload);
 127         else {
 128                 wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
 129                             " (iterationCount)",
 130                             hdr.payload, hdr.length);
 131                 return -1;
 132         }
 133         wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
 134                    params->iter_count);
 135         if (params->iter_count == 0 || params->iter_count > 0xffff) {
 136                 wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
 137                            "iterationCount=0x%x", params->iter_count);
 138                 return -1;
 139         }
 140
 141         return 0;
 142 }
 143
 144
 145 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
 146                                                 const char *passwd)
 147 {
 148         unsigned int i;
 149         u8 hash[MD5_MAC_LEN];
 150         const u8 *addr[2];
 151         size_t len[2];
 152
 153         if (params->alg != PKCS5_ALG_MD5_DES_CBC)
 154                 return NULL;
 155
 156         addr[0] = (const u8 *) passwd;
 157         len[0] = os_strlen(passwd);
 158         addr[1] = params->salt;
 159         len[1] = params->salt_len;
 160         if (md5_vector(2, addr, len, hash) < 0)
 161                 return NULL;
 162         addr[0] = hash;
 163         len[0] = MD5_MAC_LEN;
 164         for (i = 1; i < params->iter_count; i++) {
 165                 if (md5_vector(1, addr, len, hash) < 0)
 166                         return NULL;
 167         }
 168         /* TODO: DES key parity bits(?) */
 169         wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
 170         wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
 171
 172         return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
 173 }
 174
 175
 176 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
 177                    const u8 *enc_data, size_t enc_data_len,
 178                    const char *passwd, size_t *data_len)
 179 {
 180         struct crypto_cipher *ctx;
 181         u8 *eb, pad;
 182         struct pkcs5_params params;
 183         unsigned int i;
 184
 185         if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
 186                 wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
 187                 return NULL;
 188         }
 189
 190         ctx = pkcs5_crypto_init(&params, passwd);
 191         if (ctx == NULL) {
 192                 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
 193                 return NULL;
 194         }
 195
 196         /* PKCS #5, Section 7 - Decryption process */
 197         if (enc_data_len < 16 || enc_data_len % 8) {
 198                 wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
 199                            "%d", (int) enc_data_len);
 200                 crypto_cipher_deinit(ctx);
 201                 return NULL;
 202         }
 203
 204         eb = os_malloc(enc_data_len);
 205         if (eb == NULL) {
 206                 crypto_cipher_deinit(ctx);
 207                 return NULL;
 208         }
 209
 210         if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
 211                 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
 212                 crypto_cipher_deinit(ctx);
 213                 os_free(eb);
 214                 return NULL;
 215         }
 216         crypto_cipher_deinit(ctx);
 217
 218         pad = eb[enc_data_len - 1];
 219         if (pad > 8) {
 220                 wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
 221                 os_free(eb);
 222                 return NULL;
 223         }
 224         for (i = enc_data_len - pad; i < enc_data_len; i++) {
 225                 if (eb[i] != pad) {
 226                         wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
 227                                     eb + enc_data_len - pad, pad);
 228                         os_free(eb);
 229                         return NULL;
 230                 }
 231         }
 232
 233         wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
 234                         eb, enc_data_len - pad);
 235
 236         *data_len = enc_data_len - pad;
 237         return eb;
 238 }