/work/mbedtls-2.28.8/library/pkcs12.c
Line | Count | Source |
1 | | /* |
2 | | * PKCS#12 Personal Information Exchange Syntax |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | /* |
8 | | * The PKCS #12 Personal Information Exchange Syntax Standard v1.1 |
9 | | * |
10 | | * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf |
11 | | * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn |
12 | | */ |
13 | | |
14 | | #include "common.h" |
15 | | |
16 | | #if defined(MBEDTLS_PKCS12_C) |
17 | | |
18 | | #include "mbedtls/pkcs12.h" |
19 | | #include "mbedtls/asn1.h" |
20 | | #include "mbedtls/cipher.h" |
21 | | #include "mbedtls/platform_util.h" |
22 | | #include "mbedtls/error.h" |
23 | | |
24 | | #include <string.h> |
25 | | |
26 | | #if defined(MBEDTLS_ARC4_C) |
27 | | #include "mbedtls/arc4.h" |
28 | | #endif |
29 | | |
30 | | #if defined(MBEDTLS_DES_C) |
31 | | #include "mbedtls/des.h" |
32 | | #endif |
33 | | |
34 | | #if defined(MBEDTLS_ASN1_PARSE_C) |
35 | | |
36 | | static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params, |
37 | | mbedtls_asn1_buf *salt, int *iterations) |
38 | 0 | { |
39 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
40 | 0 | unsigned char **p = ¶ms->p; |
41 | 0 | const unsigned char *end = params->p + params->len; |
42 | | |
43 | | /* |
44 | | * pkcs-12PbeParams ::= SEQUENCE { |
45 | | * salt OCTET STRING, |
46 | | * iterations INTEGER |
47 | | * } |
48 | | * |
49 | | */ |
50 | 0 | if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) { |
51 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, |
52 | 0 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); |
53 | 0 | } |
54 | | |
55 | 0 | if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { |
56 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret); |
57 | 0 | } |
58 | | |
59 | 0 | salt->p = *p; |
60 | 0 | *p += salt->len; |
61 | |
|
62 | 0 | if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) { |
63 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret); |
64 | 0 | } |
65 | | |
66 | 0 | if (*p != end) { |
67 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, |
68 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
69 | 0 | } |
70 | | |
71 | 0 | return 0; |
72 | 0 | } |
73 | | |
74 | 0 | #define PKCS12_MAX_PWDLEN 128 |
75 | | |
76 | | static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type, |
77 | | const unsigned char *pwd, size_t pwdlen, |
78 | | unsigned char *key, size_t keylen, |
79 | | unsigned char *iv, size_t ivlen) |
80 | 0 | { |
81 | 0 | int ret, iterations = 0; |
82 | 0 | mbedtls_asn1_buf salt; |
83 | 0 | size_t i; |
84 | 0 | unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2]; |
85 | |
|
86 | 0 | if (pwdlen > PKCS12_MAX_PWDLEN) { |
87 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
88 | 0 | } |
89 | | |
90 | 0 | memset(&salt, 0, sizeof(mbedtls_asn1_buf)); |
91 | 0 | memset(&unipwd, 0, sizeof(unipwd)); |
92 | |
|
93 | 0 | if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt, |
94 | 0 | &iterations)) != 0) { |
95 | 0 | return ret; |
96 | 0 | } |
97 | | |
98 | 0 | for (i = 0; i < pwdlen; i++) { |
99 | 0 | unipwd[i * 2 + 1] = pwd[i]; |
100 | 0 | } |
101 | |
|
102 | 0 | if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2, |
103 | 0 | salt.p, salt.len, md_type, |
104 | 0 | MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) { |
105 | 0 | return ret; |
106 | 0 | } |
107 | | |
108 | 0 | if (iv == NULL || ivlen == 0) { |
109 | 0 | return 0; |
110 | 0 | } |
111 | | |
112 | 0 | if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2, |
113 | 0 | salt.p, salt.len, md_type, |
114 | 0 | MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) { |
115 | 0 | return ret; |
116 | 0 | } |
117 | 0 | return 0; |
118 | 0 | } |
119 | | |
120 | | #undef PKCS12_MAX_PWDLEN |
121 | | |
122 | | int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode, |
123 | | const unsigned char *pwd, size_t pwdlen, |
124 | | const unsigned char *data, size_t len, |
125 | | unsigned char *output) |
126 | 0 | { |
127 | | #if !defined(MBEDTLS_ARC4_C) |
128 | | ((void) pbe_params); |
129 | | ((void) mode); |
130 | | ((void) pwd); |
131 | | ((void) pwdlen); |
132 | | ((void) data); |
133 | | ((void) len); |
134 | | ((void) output); |
135 | | return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE; |
136 | | #else |
137 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
138 | 0 | unsigned char key[16]; |
139 | 0 | mbedtls_arc4_context ctx; |
140 | 0 | ((void) mode); |
141 | |
|
142 | 0 | mbedtls_arc4_init(&ctx); |
143 | |
|
144 | 0 | if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, MBEDTLS_MD_SHA1, |
145 | 0 | pwd, pwdlen, |
146 | 0 | key, 16, NULL, 0)) != 0) { |
147 | 0 | return ret; |
148 | 0 | } |
149 | | |
150 | 0 | mbedtls_arc4_setup(&ctx, key, 16); |
151 | 0 | if ((ret = mbedtls_arc4_crypt(&ctx, len, data, output)) != 0) { |
152 | 0 | goto exit; |
153 | 0 | } |
154 | | |
155 | 0 | exit: |
156 | 0 | mbedtls_platform_zeroize(key, sizeof(key)); |
157 | 0 | mbedtls_arc4_free(&ctx); |
158 | |
|
159 | 0 | return ret; |
160 | 0 | #endif /* MBEDTLS_ARC4_C */ |
161 | 0 | } |
162 | | |
163 | | #if !defined(MBEDTLS_CIPHER_PADDING_PKCS7) |
164 | | int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode, |
165 | | mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, |
166 | | const unsigned char *pwd, size_t pwdlen, |
167 | | const unsigned char *data, size_t len, |
168 | | unsigned char *output, size_t output_size, |
169 | | size_t *output_len); |
170 | | #endif |
171 | | |
172 | | int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode, |
173 | | mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, |
174 | | const unsigned char *pwd, size_t pwdlen, |
175 | | const unsigned char *data, size_t len, |
176 | | unsigned char *output) |
177 | 0 | { |
178 | 0 | size_t output_len = 0; |
179 | | |
180 | | /* We assume caller of the function is providing a big enough output buffer |
181 | | * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees |
182 | | * for the output size actually being correct. |
183 | | */ |
184 | 0 | return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type, |
185 | 0 | pwd, pwdlen, data, len, output, SIZE_MAX, |
186 | 0 | &output_len); |
187 | 0 | } |
188 | | |
189 | | int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode, |
190 | | mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, |
191 | | const unsigned char *pwd, size_t pwdlen, |
192 | | const unsigned char *data, size_t len, |
193 | | unsigned char *output, size_t output_size, |
194 | | size_t *output_len) |
195 | 0 | { |
196 | 0 | int ret, keylen = 0; |
197 | 0 | unsigned char key[32]; |
198 | 0 | unsigned char iv[16]; |
199 | 0 | const mbedtls_cipher_info_t *cipher_info; |
200 | 0 | mbedtls_cipher_context_t cipher_ctx; |
201 | 0 | size_t finish_olen = 0; |
202 | 0 | unsigned int padlen = 0; |
203 | |
|
204 | 0 | if (pwd == NULL && pwdlen != 0) { |
205 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
206 | 0 | } |
207 | | |
208 | 0 | cipher_info = mbedtls_cipher_info_from_type(cipher_type); |
209 | 0 | if (cipher_info == NULL) { |
210 | 0 | return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE; |
211 | 0 | } |
212 | | |
213 | 0 | keylen = cipher_info->key_bitlen / 8; |
214 | |
|
215 | 0 | if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) { |
216 | 0 | if (output_size < len) { |
217 | 0 | return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; |
218 | 0 | } |
219 | 0 | } |
220 | | |
221 | 0 | if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) { |
222 | 0 | padlen = cipher_info->block_size - (len % cipher_info->block_size); |
223 | 0 | if (output_size < (len + padlen)) { |
224 | 0 | return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; |
225 | 0 | } |
226 | 0 | } |
227 | | |
228 | 0 | if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen, |
229 | 0 | key, keylen, |
230 | 0 | iv, cipher_info->iv_size)) != 0) { |
231 | 0 | return ret; |
232 | 0 | } |
233 | | |
234 | 0 | mbedtls_cipher_init(&cipher_ctx); |
235 | |
|
236 | 0 | if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) { |
237 | 0 | goto exit; |
238 | 0 | } |
239 | | |
240 | 0 | if ((ret = |
241 | 0 | mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen, |
242 | 0 | (mbedtls_operation_t) mode)) != 0) { |
243 | 0 | goto exit; |
244 | 0 | } |
245 | | |
246 | 0 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) |
247 | 0 | { |
248 | | /* PKCS12 uses CBC with PKCS7 padding */ |
249 | 0 | mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7; |
250 | | #if !defined(MBEDTLS_CIPHER_PADDING_PKCS7) |
251 | | /* For historical reasons, when decrypting, this function works when |
252 | | * decrypting even when support for PKCS7 padding is disabled. In this |
253 | | * case, it ignores the padding, and so will never report a |
254 | | * password mismatch. |
255 | | */ |
256 | | if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) { |
257 | | padding = MBEDTLS_PADDING_NONE; |
258 | | } |
259 | | #endif |
260 | 0 | if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) { |
261 | 0 | goto exit; |
262 | 0 | } |
263 | 0 | } |
264 | 0 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ |
265 | | |
266 | 0 | if ((ret = mbedtls_cipher_set_iv(&cipher_ctx, iv, cipher_info->iv_size)) != 0) { |
267 | 0 | goto exit; |
268 | 0 | } |
269 | | |
270 | 0 | if ((ret = mbedtls_cipher_reset(&cipher_ctx)) != 0) { |
271 | 0 | goto exit; |
272 | 0 | } |
273 | | |
274 | 0 | if ((ret = mbedtls_cipher_update(&cipher_ctx, data, len, |
275 | 0 | output, output_len)) != 0) { |
276 | 0 | goto exit; |
277 | 0 | } |
278 | | |
279 | 0 | if ((ret = mbedtls_cipher_finish(&cipher_ctx, output + (*output_len), &finish_olen)) != 0) { |
280 | 0 | ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH; |
281 | 0 | } |
282 | |
|
283 | 0 | *output_len += finish_olen; |
284 | |
|
285 | 0 | exit: |
286 | 0 | mbedtls_platform_zeroize(key, sizeof(key)); |
287 | 0 | mbedtls_platform_zeroize(iv, sizeof(iv)); |
288 | 0 | mbedtls_cipher_free(&cipher_ctx); |
289 | |
|
290 | 0 | return ret; |
291 | 0 | } |
292 | | |
293 | | #endif /* MBEDTLS_ASN1_PARSE_C */ |
294 | | |
295 | | static void pkcs12_fill_buffer(unsigned char *data, size_t data_len, |
296 | | const unsigned char *filler, size_t fill_len) |
297 | 0 | { |
298 | 0 | unsigned char *p = data; |
299 | 0 | size_t use_len; |
300 | |
|
301 | 0 | if (filler != NULL && fill_len != 0) { |
302 | 0 | while (data_len > 0) { |
303 | 0 | use_len = (data_len > fill_len) ? fill_len : data_len; |
304 | 0 | memcpy(p, filler, use_len); |
305 | 0 | p += use_len; |
306 | 0 | data_len -= use_len; |
307 | 0 | } |
308 | 0 | } else { |
309 | | /* If either of the above are not true then clearly there is nothing |
310 | | * that this function can do. The function should *not* be called |
311 | | * under either of those circumstances, as you could end up with an |
312 | | * incorrect output but for safety's sake, leaving the check in as |
313 | | * otherwise we could end up with memory corruption.*/ |
314 | 0 | } |
315 | 0 | } |
316 | | |
317 | | int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen, |
318 | | const unsigned char *pwd, size_t pwdlen, |
319 | | const unsigned char *salt, size_t saltlen, |
320 | | mbedtls_md_type_t md_type, int id, int iterations) |
321 | 0 | { |
322 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
323 | 0 | unsigned int j; |
324 | |
|
325 | 0 | unsigned char diversifier[128]; |
326 | 0 | unsigned char salt_block[128], pwd_block[128], hash_block[128]; |
327 | 0 | unsigned char hash_output[MBEDTLS_MD_MAX_SIZE]; |
328 | 0 | unsigned char *p; |
329 | 0 | unsigned char c; |
330 | 0 | int use_password = 0; |
331 | 0 | int use_salt = 0; |
332 | |
|
333 | 0 | size_t hlen, use_len, v, i; |
334 | |
|
335 | 0 | const mbedtls_md_info_t *md_info; |
336 | 0 | mbedtls_md_context_t md_ctx; |
337 | | |
338 | | // This version only allows max of 64 bytes of password or salt |
339 | 0 | if (datalen > 128 || pwdlen > 64 || saltlen > 64) { |
340 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
341 | 0 | } |
342 | | |
343 | 0 | if (pwd == NULL && pwdlen != 0) { |
344 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
345 | 0 | } |
346 | | |
347 | 0 | if (salt == NULL && saltlen != 0) { |
348 | 0 | return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; |
349 | 0 | } |
350 | | |
351 | 0 | use_password = (pwd && pwdlen != 0); |
352 | 0 | use_salt = (salt && saltlen != 0); |
353 | |
|
354 | 0 | md_info = mbedtls_md_info_from_type(md_type); |
355 | 0 | if (md_info == NULL) { |
356 | 0 | return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE; |
357 | 0 | } |
358 | | |
359 | 0 | mbedtls_md_init(&md_ctx); |
360 | |
|
361 | 0 | if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) { |
362 | 0 | return ret; |
363 | 0 | } |
364 | 0 | hlen = mbedtls_md_get_size(md_info); |
365 | |
|
366 | 0 | if (hlen <= 32) { |
367 | 0 | v = 64; |
368 | 0 | } else { |
369 | 0 | v = 128; |
370 | 0 | } |
371 | |
|
372 | 0 | memset(diversifier, (unsigned char) id, v); |
373 | |
|
374 | 0 | if (use_salt != 0) { |
375 | 0 | pkcs12_fill_buffer(salt_block, v, salt, saltlen); |
376 | 0 | } |
377 | |
|
378 | 0 | if (use_password != 0) { |
379 | 0 | pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen); |
380 | 0 | } |
381 | |
|
382 | 0 | p = data; |
383 | 0 | while (datalen > 0) { |
384 | | // Calculate hash( diversifier || salt_block || pwd_block ) |
385 | 0 | if ((ret = mbedtls_md_starts(&md_ctx)) != 0) { |
386 | 0 | goto exit; |
387 | 0 | } |
388 | | |
389 | 0 | if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) { |
390 | 0 | goto exit; |
391 | 0 | } |
392 | | |
393 | 0 | if (use_salt != 0) { |
394 | 0 | if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) { |
395 | 0 | goto exit; |
396 | 0 | } |
397 | 0 | } |
398 | | |
399 | 0 | if (use_password != 0) { |
400 | 0 | if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) { |
401 | 0 | goto exit; |
402 | 0 | } |
403 | 0 | } |
404 | | |
405 | 0 | if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) { |
406 | 0 | goto exit; |
407 | 0 | } |
408 | | |
409 | | // Perform remaining ( iterations - 1 ) recursive hash calculations |
410 | 0 | for (i = 1; i < (size_t) iterations; i++) { |
411 | 0 | if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output)) != 0) { |
412 | 0 | goto exit; |
413 | 0 | } |
414 | 0 | } |
415 | | |
416 | 0 | use_len = (datalen > hlen) ? hlen : datalen; |
417 | 0 | memcpy(p, hash_output, use_len); |
418 | 0 | datalen -= use_len; |
419 | 0 | p += use_len; |
420 | |
|
421 | 0 | if (datalen == 0) { |
422 | 0 | break; |
423 | 0 | } |
424 | | |
425 | | // Concatenating copies of hash_output into hash_block (B) |
426 | 0 | pkcs12_fill_buffer(hash_block, v, hash_output, hlen); |
427 | | |
428 | | // B += 1 |
429 | 0 | for (i = v; i > 0; i--) { |
430 | 0 | if (++hash_block[i - 1] != 0) { |
431 | 0 | break; |
432 | 0 | } |
433 | 0 | } |
434 | |
|
435 | 0 | if (use_salt != 0) { |
436 | | // salt_block += B |
437 | 0 | c = 0; |
438 | 0 | for (i = v; i > 0; i--) { |
439 | 0 | j = salt_block[i - 1] + hash_block[i - 1] + c; |
440 | 0 | c = MBEDTLS_BYTE_1(j); |
441 | 0 | salt_block[i - 1] = MBEDTLS_BYTE_0(j); |
442 | 0 | } |
443 | 0 | } |
444 | |
|
445 | 0 | if (use_password != 0) { |
446 | | // pwd_block += B |
447 | 0 | c = 0; |
448 | 0 | for (i = v; i > 0; i--) { |
449 | 0 | j = pwd_block[i - 1] + hash_block[i - 1] + c; |
450 | 0 | c = MBEDTLS_BYTE_1(j); |
451 | 0 | pwd_block[i - 1] = MBEDTLS_BYTE_0(j); |
452 | 0 | } |
453 | 0 | } |
454 | 0 | } |
455 | | |
456 | 0 | ret = 0; |
457 | |
|
458 | 0 | exit: |
459 | 0 | mbedtls_platform_zeroize(salt_block, sizeof(salt_block)); |
460 | 0 | mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block)); |
461 | 0 | mbedtls_platform_zeroize(hash_block, sizeof(hash_block)); |
462 | 0 | mbedtls_platform_zeroize(hash_output, sizeof(hash_output)); |
463 | |
|
464 | 0 | mbedtls_md_free(&md_ctx); |
465 | |
|
466 | 0 | return ret; |
467 | 0 | } |
468 | | |
469 | | #endif /* MBEDTLS_PKCS12_C */ |