pkcs5.c revision 1f69aa52ea2e0a73ac502565df8c666ee49cab6a
1/*
2 * PKCS #5 (Password-based Encryption)
3 * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "includes.h"
16
17#include "common.h"
18#include "crypto/crypto.h"
19#include "crypto/md5.h"
20#include "asn1.h"
21#include "pkcs5.h"
22
23
24struct pkcs5_params {
25	enum pkcs5_alg {
26		PKCS5_ALG_UNKNOWN,
27		PKCS5_ALG_MD5_DES_CBC
28	} alg;
29	u8 salt[8];
30	size_t salt_len;
31	unsigned int iter_count;
32};
33
34
35static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
36{
37	if (oid->len == 7 &&
38	    oid->oid[0] == 1 /* iso */ &&
39	    oid->oid[1] == 2 /* member-body */ &&
40	    oid->oid[2] == 840 /* us */ &&
41	    oid->oid[3] == 113549 /* rsadsi */ &&
42	    oid->oid[4] == 1 /* pkcs */ &&
43	    oid->oid[5] == 5 /* pkcs-5 */ &&
44	    oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */)
45		return PKCS5_ALG_MD5_DES_CBC;
46
47	return PKCS5_ALG_UNKNOWN;
48}
49
50
51static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
52			    struct pkcs5_params *params)
53{
54	struct asn1_hdr hdr;
55	const u8 *enc_alg_end, *pos, *end;
56	struct asn1_oid oid;
57	char obuf[80];
58
59	/* AlgorithmIdentifier */
60
61	enc_alg_end = enc_alg + enc_alg_len;
62
63	os_memset(params, 0, sizeof(*params));
64
65	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
66		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
67			   "(algorithm)");
68		return -1;
69	}
70
71	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
72	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
73	params->alg = pkcs5_get_alg(&oid);
74	if (params->alg == PKCS5_ALG_UNKNOWN) {
75		wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
76			   "algorithm %s", obuf);
77		return -1;
78	}
79
80	/*
81	 * PKCS#5, Section 8
82	 * PBEParameter ::= SEQUENCE {
83	 *   salt OCTET STRING SIZE(8),
84	 *   iterationCount INTEGER }
85	 */
86
87	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
88	    hdr.class != ASN1_CLASS_UNIVERSAL ||
89	    hdr.tag != ASN1_TAG_SEQUENCE) {
90		wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
91			   "(PBEParameter) - found class %d tag 0x%x",
92			   hdr.class, hdr.tag);
93		return -1;
94	}
95	pos = hdr.payload;
96	end = hdr.payload + hdr.length;
97
98	/* salt OCTET STRING SIZE(8) */
99	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
100	    hdr.class != ASN1_CLASS_UNIVERSAL ||
101	    hdr.tag != ASN1_TAG_OCTETSTRING ||
102	    hdr.length != 8) {
103		wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
104			   "(salt) - found class %d tag 0x%x size %d",
105			   hdr.class, hdr.tag, hdr.length);
106		return -1;
107	}
108	pos = hdr.payload + hdr.length;
109	os_memcpy(params->salt, hdr.payload, hdr.length);
110	params->salt_len = hdr.length;
111	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
112		    params->salt, params->salt_len);
113
114	/* iterationCount INTEGER */
115	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
116	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
117		wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
118			   "class %d tag 0x%x", hdr.class, hdr.tag);
119		return -1;
120	}
121	if (hdr.length == 1)
122		params->iter_count = *hdr.payload;
123	else if (hdr.length == 2)
124		params->iter_count = WPA_GET_BE16(hdr.payload);
125	else if (hdr.length == 4)
126		params->iter_count = WPA_GET_BE32(hdr.payload);
127	else {
128		wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
129			    " (iterationCount)",
130			    hdr.payload, hdr.length);
131		return -1;
132	}
133	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
134		   params->iter_count);
135	if (params->iter_count == 0 || params->iter_count > 0xffff) {
136		wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
137			   "iterationCount=0x%x", params->iter_count);
138		return -1;
139	}
140
141	return 0;
142}
143
144
145static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
146						const char *passwd)
147{
148	unsigned int i;
149	u8 hash[MD5_MAC_LEN];
150	const u8 *addr[2];
151	size_t len[2];
152
153	if (params->alg != PKCS5_ALG_MD5_DES_CBC)
154		return NULL;
155
156	addr[0] = (const u8 *) passwd;
157	len[0] = os_strlen(passwd);
158	addr[1] = params->salt;
159	len[1] = params->salt_len;
160	if (md5_vector(2, addr, len, hash) < 0)
161		return NULL;
162	addr[0] = hash;
163	len[0] = MD5_MAC_LEN;
164	for (i = 1; i < params->iter_count; i++) {
165		if (md5_vector(1, addr, len, hash) < 0)
166			return NULL;
167	}
168	/* TODO: DES key parity bits(?) */
169	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
170	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
171
172	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
173}
174
175
176u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
177		   const u8 *enc_data, size_t enc_data_len,
178		   const char *passwd, size_t *data_len)
179{
180	struct crypto_cipher *ctx;
181	u8 *eb, pad;
182	struct pkcs5_params params;
183	unsigned int i;
184
185	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
186		wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
187		return NULL;
188	}
189
190	ctx = pkcs5_crypto_init(&params, passwd);
191	if (ctx == NULL) {
192		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
193		return NULL;
194	}
195
196	/* PKCS #5, Section 7 - Decryption process */
197	if (enc_data_len < 16 || enc_data_len % 8) {
198		wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
199			   "%d", (int) enc_data_len);
200		crypto_cipher_deinit(ctx);
201		return NULL;
202	}
203
204	eb = os_malloc(enc_data_len);
205	if (eb == NULL) {
206		crypto_cipher_deinit(ctx);
207		return NULL;
208	}
209
210	if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
211		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
212		crypto_cipher_deinit(ctx);
213		os_free(eb);
214		return NULL;
215	}
216	crypto_cipher_deinit(ctx);
217
218	pad = eb[enc_data_len - 1];
219	if (pad > 8) {
220		wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
221		os_free(eb);
222		return NULL;
223	}
224	for (i = enc_data_len - pad; i < enc_data_len; i++) {
225		if (eb[i] != pad) {
226			wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
227				    eb + enc_data_len - pad, pad);
228			os_free(eb);
229			return NULL;
230		}
231	}
232
233	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
234			eb, enc_data_len - pad);
235
236	*data_len = enc_data_len - pad;
237	return eb;
238}
239