1/* 2 * PKCS #5 (Password-based Encryption) 3 * Copyright (c) 2009, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/crypto.h" 13#include "crypto/md5.h" 14#include "asn1.h" 15#include "pkcs5.h" 16 17 18struct pkcs5_params { 19 enum pkcs5_alg { 20 PKCS5_ALG_UNKNOWN, 21 PKCS5_ALG_MD5_DES_CBC 22 } alg; 23 u8 salt[8]; 24 size_t salt_len; 25 unsigned int iter_count; 26}; 27 28 29static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid) 30{ 31 if (oid->len == 7 && 32 oid->oid[0] == 1 /* iso */ && 33 oid->oid[1] == 2 /* member-body */ && 34 oid->oid[2] == 840 /* us */ && 35 oid->oid[3] == 113549 /* rsadsi */ && 36 oid->oid[4] == 1 /* pkcs */ && 37 oid->oid[5] == 5 /* pkcs-5 */ && 38 oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */) 39 return PKCS5_ALG_MD5_DES_CBC; 40 41 return PKCS5_ALG_UNKNOWN; 42} 43 44 45static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len, 46 struct pkcs5_params *params) 47{ 48 struct asn1_hdr hdr; 49 const u8 *enc_alg_end, *pos, *end; 50 struct asn1_oid oid; 51 char obuf[80]; 52 53 /* AlgorithmIdentifier */ 54 55 enc_alg_end = enc_alg + enc_alg_len; 56 57 os_memset(params, 0, sizeof(*params)); 58 59 if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) { 60 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID " 61 "(algorithm)"); 62 return -1; 63 } 64 65 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 66 wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf); 67 params->alg = pkcs5_get_alg(&oid); 68 if (params->alg == PKCS5_ALG_UNKNOWN) { 69 wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption " 70 "algorithm %s", obuf); 71 return -1; 72 } 73 74 /* 75 * PKCS#5, Section 8 76 * PBEParameter ::= SEQUENCE { 77 * salt OCTET STRING SIZE(8), 78 * iterationCount INTEGER } 79 */ 80 81 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 || 82 hdr.class != ASN1_CLASS_UNIVERSAL || 83 hdr.tag != ASN1_TAG_SEQUENCE) { 84 wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE " 85 "(PBEParameter) - found class %d tag 0x%x", 86 hdr.class, hdr.tag); 87 return -1; 88 } 89 pos = hdr.payload; 90 end = hdr.payload + hdr.length; 91 92 /* salt OCTET STRING SIZE(8) */ 93 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 94 hdr.class != ASN1_CLASS_UNIVERSAL || 95 hdr.tag != ASN1_TAG_OCTETSTRING || 96 hdr.length != 8) { 97 wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) " 98 "(salt) - found class %d tag 0x%x size %d", 99 hdr.class, hdr.tag, hdr.length); 100 return -1; 101 } 102 pos = hdr.payload + hdr.length; 103 os_memcpy(params->salt, hdr.payload, hdr.length); 104 params->salt_len = hdr.length; 105 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", 106 params->salt, params->salt_len); 107 108 /* iterationCount INTEGER */ 109 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 110 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) { 111 wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found " 112 "class %d tag 0x%x", hdr.class, hdr.tag); 113 return -1; 114 } 115 if (hdr.length == 1) 116 params->iter_count = *hdr.payload; 117 else if (hdr.length == 2) 118 params->iter_count = WPA_GET_BE16(hdr.payload); 119 else if (hdr.length == 4) 120 params->iter_count = WPA_GET_BE32(hdr.payload); 121 else { 122 wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value " 123 " (iterationCount)", 124 hdr.payload, hdr.length); 125 return -1; 126 } 127 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x", 128 params->iter_count); 129 if (params->iter_count == 0 || params->iter_count > 0xffff) { 130 wpa_printf(MSG_INFO, "PKCS #5: Unsupported " 131 "iterationCount=0x%x", params->iter_count); 132 return -1; 133 } 134 135 return 0; 136} 137 138 139static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params, 140 const char *passwd) 141{ 142 unsigned int i; 143 u8 hash[MD5_MAC_LEN]; 144 const u8 *addr[2]; 145 size_t len[2]; 146 147 if (params->alg != PKCS5_ALG_MD5_DES_CBC) 148 return NULL; 149 150 addr[0] = (const u8 *) passwd; 151 len[0] = os_strlen(passwd); 152 addr[1] = params->salt; 153 len[1] = params->salt_len; 154 if (md5_vector(2, addr, len, hash) < 0) 155 return NULL; 156 addr[0] = hash; 157 len[0] = MD5_MAC_LEN; 158 for (i = 1; i < params->iter_count; i++) { 159 if (md5_vector(1, addr, len, hash) < 0) 160 return NULL; 161 } 162 /* TODO: DES key parity bits(?) */ 163 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8); 164 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8); 165 166 return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8); 167} 168 169 170u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len, 171 const u8 *enc_data, size_t enc_data_len, 172 const char *passwd, size_t *data_len) 173{ 174 struct crypto_cipher *ctx; 175 u8 *eb, pad; 176 struct pkcs5_params params; 177 unsigned int i; 178 179 if (pkcs5_get_params(enc_alg, enc_alg_len, ¶ms) < 0) { 180 wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters"); 181 return NULL; 182 } 183 184 ctx = pkcs5_crypto_init(¶ms, passwd); 185 if (ctx == NULL) { 186 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto"); 187 return NULL; 188 } 189 190 /* PKCS #5, Section 7 - Decryption process */ 191 if (enc_data_len < 16 || enc_data_len % 8) { 192 wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext " 193 "%d", (int) enc_data_len); 194 crypto_cipher_deinit(ctx); 195 return NULL; 196 } 197 198 eb = os_malloc(enc_data_len); 199 if (eb == NULL) { 200 crypto_cipher_deinit(ctx); 201 return NULL; 202 } 203 204 if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) { 205 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB"); 206 crypto_cipher_deinit(ctx); 207 os_free(eb); 208 return NULL; 209 } 210 crypto_cipher_deinit(ctx); 211 212 pad = eb[enc_data_len - 1]; 213 if (pad > 8) { 214 wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad); 215 os_free(eb); 216 return NULL; 217 } 218 for (i = enc_data_len - pad; i < enc_data_len; i++) { 219 if (eb[i] != pad) { 220 wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS", 221 eb + enc_data_len - pad, pad); 222 os_free(eb); 223 return NULL; 224 } 225 } 226 227 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)", 228 eb, enc_data_len - pad); 229 230 *data_len = enc_data_len - pad; 231 return eb; 232} 233