/src/mbedtls/library/pkcs12.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * PKCS#12 Personal Information Exchange Syntax |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | /* |
8 | | * The PKCS #12 Personal Information Exchange Syntax Standard v1.1 |
9 | | * |
10 | | * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf |
11 | | * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn |
12 | | */ |
13 | | |
14 | | #include "common.h" |
15 | | |
16 | | #if defined(MBEDTLS_PKCS12_C) |
17 | | |
18 | | #include "mbedtls/pkcs12.h" |
19 | | #include "mbedtls/asn1.h" |
20 | | #if defined(MBEDTLS_CIPHER_C) |
21 | | #include "mbedtls/cipher.h" |
22 | | #endif /* MBEDTLS_CIPHER_C */ |
23 | | #include "mbedtls/platform_util.h" |
24 | | #include "mbedtls/error.h" |
25 | | |
26 | | #include <string.h> |
27 | | |
28 | | #if defined(MBEDTLS_DES_C) |
29 | | #include "mbedtls/des.h" |
30 | | #endif |
31 | | |
32 | | #include "psa_util_internal.h" |
33 | | |
34 | | #if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C) |
35 | | |
36 | | static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params, |
37 | | mbedtls_asn1_buf *salt, int *iterations) |
38 | 0 | { |
39 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
40 | 0 | unsigned char **p = ¶ms->p; |
41 | 0 | const unsigned char *end = params->p + params->len; |
42 | | |
43 | | /* |
44 | | * pkcs-12PbeParams ::= SEQUENCE { |
45 | | * salt OCTET STRING, |
46 | | * iterations INTEGER |
47 | | * } |
48 | | * |
49 | | */ |
50 | 0 | if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) { |
51 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, |
52 | 0 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); |
53 | 0 | } |
54 | | |
55 | 0 | if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { |
56 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret); |
57 | 0 | } |
58 | | |
59 | 0 | salt->p = *p; |
60 | 0 | *p += salt->len; |
61 | |
|
62 | 0 | if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) { |
63 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret); |
64 | 0 | } |
65 | | |
66 | 0 | if (*p != end) { |
67 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, |
68 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
69 | 0 | } |
70 | | |
71 | 0 | return 0; |
72 | 0 | } |
73 | | |
74 | 0 | #define PKCS12_MAX_PWDLEN 128 |
75 | | |
76 | | static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type, |
77 | | const unsigned char *pwd, size_t pwdlen, |
78 | | unsigned char *key, size_t keylen, |
79 | | unsigned char *iv, size_t ivlen) |
80 | 0 | { |
81 | 0 | int ret, iterations = 0; |
82 | 0 | mbedtls_asn1_buf salt; |
83 | 0 | size_t i; |
84 | 0 | unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2]; |
85 | |
|
86 | 0 | if (pwdlen > PKCS12_MAX_PWDLEN) { |
87 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
88 | 0 | } |
89 | | |
90 | 0 | memset(&salt, 0, sizeof(mbedtls_asn1_buf)); |
91 | 0 | memset(&unipwd, 0, sizeof(unipwd)); |
92 | |
|
93 | 0 | if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt, |
94 | 0 | &iterations)) != 0) { |
95 | 0 | return ret; |
96 | 0 | } |
97 | | |
98 | 0 | for (i = 0; i < pwdlen; i++) { |
99 | 0 | unipwd[i * 2 + 1] = pwd[i]; |
100 | 0 | } |
101 | |
|
102 | 0 | if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2, |
103 | 0 | salt.p, salt.len, md_type, |
104 | 0 | MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) { |
105 | 0 | return ret; |
106 | 0 | } |
107 | | |
108 | 0 | if (iv == NULL || ivlen == 0) { |
109 | 0 | return 0; |
110 | 0 | } |
111 | | |
112 | 0 | if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2, |
113 | 0 | salt.p, salt.len, md_type, |
114 | 0 | MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) { |
115 | 0 | return ret; |
116 | 0 | } |
117 | 0 | return 0; |
118 | 0 | } |
119 | | |
120 | | #undef PKCS12_MAX_PWDLEN |
121 | | |
122 | | #if !defined(MBEDTLS_CIPHER_PADDING_PKCS7) |
123 | | int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode, |
124 | | mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, |
125 | | const unsigned char *pwd, size_t pwdlen, |
126 | | const unsigned char *data, size_t len, |
127 | | unsigned char *output, size_t output_size, |
128 | | size_t *output_len); |
129 | | #endif |
130 | | |
131 | | #if !defined(MBEDTLS_DEPRECATED_REMOVED) |
132 | | int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode, |
133 | | mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, |
134 | | const unsigned char *pwd, size_t pwdlen, |
135 | | const unsigned char *data, size_t len, |
136 | | unsigned char *output) |
137 | 0 | { |
138 | 0 | size_t output_len = 0; |
139 | | |
140 | | /* We assume caller of the function is providing a big enough output buffer |
141 | | * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees |
142 | | * for the output size actually being correct. |
143 | | */ |
144 | 0 | return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type, |
145 | 0 | pwd, pwdlen, data, len, output, SIZE_MAX, |
146 | 0 | &output_len); |
147 | 0 | } |
148 | | #endif |
149 | | |
150 | | int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode, |
151 | | mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, |
152 | | const unsigned char *pwd, size_t pwdlen, |
153 | | const unsigned char *data, size_t len, |
154 | | unsigned char *output, size_t output_size, |
155 | | size_t *output_len) |
156 | 0 | { |
157 | 0 | int ret, keylen = 0; |
158 | 0 | unsigned char key[32]; |
159 | 0 | unsigned char iv[16]; |
160 | 0 | const mbedtls_cipher_info_t *cipher_info; |
161 | 0 | mbedtls_cipher_context_t cipher_ctx; |
162 | 0 | size_t iv_len = 0; |
163 | 0 | size_t finish_olen = 0; |
164 | 0 | unsigned int padlen = 0; |
165 | |
|
166 | 0 | if (pwd == NULL && pwdlen != 0) { |
167 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
168 | 0 | } |
169 | | |
170 | 0 | cipher_info = mbedtls_cipher_info_from_type(cipher_type); |
171 | 0 | if (cipher_info == NULL) { |
172 | 0 | return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE; |
173 | 0 | } |
174 | | |
175 | 0 | keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8; |
176 | |
|
177 | 0 | if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) { |
178 | 0 | if (output_size < len) { |
179 | 0 | return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; |
180 | 0 | } |
181 | 0 | } |
182 | | |
183 | 0 | if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) { |
184 | 0 | padlen = cipher_info->block_size - (len % cipher_info->block_size); |
185 | 0 | if (output_size < (len + padlen)) { |
186 | 0 | return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; |
187 | 0 | } |
188 | 0 | } |
189 | | |
190 | 0 | iv_len = mbedtls_cipher_info_get_iv_size(cipher_info); |
191 | 0 | if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen, |
192 | 0 | key, keylen, |
193 | 0 | iv, iv_len)) != 0) { |
194 | 0 | return ret; |
195 | 0 | } |
196 | | |
197 | 0 | mbedtls_cipher_init(&cipher_ctx); |
198 | |
|
199 | 0 | if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) { |
200 | 0 | goto exit; |
201 | 0 | } |
202 | | |
203 | 0 | if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen, |
204 | 0 | (mbedtls_operation_t) mode)) != 0) { |
205 | 0 | goto exit; |
206 | 0 | } |
207 | | |
208 | 0 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) |
209 | 0 | { |
210 | | /* PKCS12 uses CBC with PKCS7 padding */ |
211 | 0 | mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7; |
212 | | #if !defined(MBEDTLS_CIPHER_PADDING_PKCS7) |
213 | | /* For historical reasons, when decrypting, this function works when |
214 | | * decrypting even when support for PKCS7 padding is disabled. In this |
215 | | * case, it ignores the padding, and so will never report a |
216 | | * password mismatch. |
217 | | */ |
218 | | if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) { |
219 | | padding = MBEDTLS_PADDING_NONE; |
220 | | } |
221 | | #endif |
222 | 0 | if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) { |
223 | 0 | goto exit; |
224 | 0 | } |
225 | 0 | } |
226 | 0 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ |
227 | | |
228 | 0 | ret = mbedtls_cipher_crypt(&cipher_ctx, iv, iv_len, data, len, output, &finish_olen); |
229 | 0 | if (ret == MBEDTLS_ERR_CIPHER_INVALID_PADDING) { |
230 | 0 | ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH; |
231 | 0 | } |
232 | |
|
233 | 0 | *output_len += finish_olen; |
234 | |
|
235 | 0 | exit: |
236 | 0 | mbedtls_platform_zeroize(key, sizeof(key)); |
237 | 0 | mbedtls_platform_zeroize(iv, sizeof(iv)); |
238 | 0 | mbedtls_cipher_free(&cipher_ctx); |
239 | |
|
240 | 0 | return ret; |
241 | 0 | } |
242 | | |
243 | | #endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */ |
244 | | |
245 | | static void pkcs12_fill_buffer(unsigned char *data, size_t data_len, |
246 | | const unsigned char *filler, size_t fill_len) |
247 | 0 | { |
248 | 0 | unsigned char *p = data; |
249 | 0 | size_t use_len; |
250 | |
|
251 | 0 | if (filler != NULL && fill_len != 0) { |
252 | 0 | while (data_len > 0) { |
253 | 0 | use_len = (data_len > fill_len) ? fill_len : data_len; |
254 | 0 | memcpy(p, filler, use_len); |
255 | 0 | p += use_len; |
256 | 0 | data_len -= use_len; |
257 | 0 | } |
258 | 0 | } else { |
259 | | /* If either of the above are not true then clearly there is nothing |
260 | | * that this function can do. The function should *not* be called |
261 | | * under either of those circumstances, as you could end up with an |
262 | | * incorrect output but for safety's sake, leaving the check in as |
263 | | * otherwise we could end up with memory corruption.*/ |
264 | 0 | } |
265 | 0 | } |
266 | | |
267 | | |
268 | | static int calculate_hashes(mbedtls_md_type_t md_type, int iterations, |
269 | | unsigned char *diversifier, unsigned char *salt_block, |
270 | | unsigned char *pwd_block, unsigned char *hash_output, int use_salt, |
271 | | int use_password, size_t hlen, size_t v) |
272 | 0 | { |
273 | 0 | int ret = -1; |
274 | 0 | size_t i; |
275 | 0 | const mbedtls_md_info_t *md_info; |
276 | 0 | mbedtls_md_context_t md_ctx; |
277 | 0 | md_info = mbedtls_md_info_from_type(md_type); |
278 | 0 | if (md_info == NULL) { |
279 | 0 | return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE; |
280 | 0 | } |
281 | | |
282 | 0 | mbedtls_md_init(&md_ctx); |
283 | |
|
284 | 0 | if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) { |
285 | 0 | return ret; |
286 | 0 | } |
287 | | // Calculate hash( diversifier || salt_block || pwd_block ) |
288 | 0 | if ((ret = mbedtls_md_starts(&md_ctx)) != 0) { |
289 | 0 | goto exit; |
290 | 0 | } |
291 | | |
292 | 0 | if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) { |
293 | 0 | goto exit; |
294 | 0 | } |
295 | | |
296 | 0 | if (use_salt != 0) { |
297 | 0 | if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) { |
298 | 0 | goto exit; |
299 | 0 | } |
300 | 0 | } |
301 | | |
302 | 0 | if (use_password != 0) { |
303 | 0 | if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) { |
304 | 0 | goto exit; |
305 | 0 | } |
306 | 0 | } |
307 | | |
308 | 0 | if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) { |
309 | 0 | goto exit; |
310 | 0 | } |
311 | | |
312 | | // Perform remaining ( iterations - 1 ) recursive hash calculations |
313 | 0 | for (i = 1; i < (size_t) iterations; i++) { |
314 | 0 | if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output)) |
315 | 0 | != 0) { |
316 | 0 | goto exit; |
317 | 0 | } |
318 | 0 | } |
319 | | |
320 | 0 | exit: |
321 | 0 | mbedtls_md_free(&md_ctx); |
322 | 0 | return ret; |
323 | 0 | } |
324 | | |
325 | | |
326 | | int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen, |
327 | | const unsigned char *pwd, size_t pwdlen, |
328 | | const unsigned char *salt, size_t saltlen, |
329 | | mbedtls_md_type_t md_type, int id, int iterations) |
330 | 0 | { |
331 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
332 | 0 | unsigned int j; |
333 | |
|
334 | 0 | unsigned char diversifier[128]; |
335 | 0 | unsigned char salt_block[128], pwd_block[128], hash_block[128] = { 0 }; |
336 | 0 | unsigned char hash_output[MBEDTLS_MD_MAX_SIZE]; |
337 | 0 | unsigned char *p; |
338 | 0 | unsigned char c; |
339 | 0 | int use_password = 0; |
340 | 0 | int use_salt = 0; |
341 | |
|
342 | 0 | size_t hlen, use_len, v, i; |
343 | | |
344 | | // This version only allows max of 64 bytes of password or salt |
345 | 0 | if (datalen > 128 || pwdlen > 64 || saltlen > 64) { |
346 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
347 | 0 | } |
348 | | |
349 | 0 | if (pwd == NULL && pwdlen != 0) { |
350 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
351 | 0 | } |
352 | | |
353 | 0 | if (salt == NULL && saltlen != 0) { |
354 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
355 | 0 | } |
356 | | |
357 | 0 | use_password = (pwd && pwdlen != 0); |
358 | 0 | use_salt = (salt && saltlen != 0); |
359 | |
|
360 | 0 | hlen = mbedtls_md_get_size_from_type(md_type); |
361 | |
|
362 | 0 | if (hlen <= 32) { |
363 | 0 | v = 64; |
364 | 0 | } else { |
365 | 0 | v = 128; |
366 | 0 | } |
367 | |
|
368 | 0 | memset(diversifier, (unsigned char) id, v); |
369 | |
|
370 | 0 | if (use_salt != 0) { |
371 | 0 | pkcs12_fill_buffer(salt_block, v, salt, saltlen); |
372 | 0 | } |
373 | |
|
374 | 0 | if (use_password != 0) { |
375 | 0 | pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen); |
376 | 0 | } |
377 | |
|
378 | 0 | p = data; |
379 | 0 | while (datalen > 0) { |
380 | 0 | if (calculate_hashes(md_type, iterations, diversifier, salt_block, |
381 | 0 | pwd_block, hash_output, use_salt, use_password, hlen, |
382 | 0 | v) != 0) { |
383 | 0 | goto exit; |
384 | 0 | } |
385 | | |
386 | 0 | use_len = (datalen > hlen) ? hlen : datalen; |
387 | 0 | memcpy(p, hash_output, use_len); |
388 | 0 | datalen -= use_len; |
389 | 0 | p += use_len; |
390 | |
|
391 | 0 | if (datalen == 0) { |
392 | 0 | break; |
393 | 0 | } |
394 | | |
395 | | // Concatenating copies of hash_output into hash_block (B) |
396 | 0 | pkcs12_fill_buffer(hash_block, v, hash_output, hlen); |
397 | | |
398 | | // B += 1 |
399 | 0 | for (i = v; i > 0; i--) { |
400 | 0 | if (++hash_block[i - 1] != 0) { |
401 | 0 | break; |
402 | 0 | } |
403 | 0 | } |
404 | |
|
405 | 0 | if (use_salt != 0) { |
406 | | // salt_block += B |
407 | 0 | c = 0; |
408 | 0 | for (i = v; i > 0; i--) { |
409 | 0 | j = salt_block[i - 1] + hash_block[i - 1] + c; |
410 | 0 | c = MBEDTLS_BYTE_1(j); |
411 | 0 | salt_block[i - 1] = MBEDTLS_BYTE_0(j); |
412 | 0 | } |
413 | 0 | } |
414 | |
|
415 | 0 | if (use_password != 0) { |
416 | | // pwd_block += B |
417 | 0 | c = 0; |
418 | 0 | for (i = v; i > 0; i--) { |
419 | 0 | j = pwd_block[i - 1] + hash_block[i - 1] + c; |
420 | 0 | c = MBEDTLS_BYTE_1(j); |
421 | 0 | pwd_block[i - 1] = MBEDTLS_BYTE_0(j); |
422 | 0 | } |
423 | 0 | } |
424 | 0 | } |
425 | | |
426 | 0 | ret = 0; |
427 | |
|
428 | 0 | exit: |
429 | 0 | mbedtls_platform_zeroize(salt_block, sizeof(salt_block)); |
430 | 0 | mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block)); |
431 | 0 | mbedtls_platform_zeroize(hash_block, sizeof(hash_block)); |
432 | 0 | mbedtls_platform_zeroize(hash_output, sizeof(hash_output)); |
433 | |
|
434 | 0 | return ret; |
435 | 0 | } |
436 | | |
437 | | #endif /* MBEDTLS_PKCS12_C */ |