1 /*
2  * PKCS #5 (Password-based Encryption)
3  * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "tls/asn1.h"
15 #include "tls/pkcs5.h"
16 
17 #include "eap_peer/eap_i.h"
18 
19 struct pkcs5_params {
20 	enum pkcs5_alg {
21 		PKCS5_ALG_UNKNOWN,
22 		PKCS5_ALG_MD5_DES_CBC
23 	} alg;
24 	u8 salt[8];
25 	size_t salt_len;
26 	unsigned int iter_count;
27 };
28 
29 
pkcs5_get_alg(struct asn1_oid * oid)30 static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
31 {
32 	if (oid->len == 7 &&
33 	    oid->oid[0] == 1 /* iso */ &&
34 	    oid->oid[1] == 2 /* member-body */ &&
35 	    oid->oid[2] == 840 /* us */ &&
36 	    oid->oid[3] == 113549 /* rsadsi */ &&
37 	    oid->oid[4] == 1 /* pkcs */ &&
38 	    oid->oid[5] == 5 /* pkcs-5 */ &&
39 	    oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */)
40 		return PKCS5_ALG_MD5_DES_CBC;
41 
42 	return PKCS5_ALG_UNKNOWN;
43 }
44 
45 
pkcs5_get_params(const u8 * enc_alg,size_t enc_alg_len,struct pkcs5_params * params)46 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
47 			    struct pkcs5_params *params)
48 {
49 	struct asn1_hdr hdr;
50 	const u8 *enc_alg_end, *pos, *end;
51 	struct asn1_oid oid;
52 	char obuf[80];
53 
54 	/* AlgorithmIdentifier */
55 
56 	enc_alg_end = enc_alg + enc_alg_len;
57 
58 	os_memset(params, 0, sizeof(*params));
59 
60 	if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
61 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
62 			   "(algorithm)");
63 		return -1;
64 	}
65 
66 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
67 	wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
68 	params->alg = pkcs5_get_alg(&oid);
69 	if (params->alg == PKCS5_ALG_UNKNOWN) {
70 		wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
71 			   "algorithm %s", obuf);
72 		return -1;
73 	}
74 
75 	/*
76 	 * PKCS#5, Section 8
77 	 * PBEParameter ::= SEQUENCE {
78 	 *   salt OCTET STRING SIZE(8),
79 	 *   iterationCount INTEGER }
80 	 */
81 
82 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
83 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
84 	    hdr.tag != ASN1_TAG_SEQUENCE) {
85 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
86 			   "(PBEParameter) - found class %d tag 0x%x",
87 			   hdr.class, hdr.tag);
88 		return -1;
89 	}
90 	pos = hdr.payload;
91 	end = hdr.payload + hdr.length;
92 
93 	/* salt OCTET STRING SIZE(8) */
94 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
95 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
96 	    hdr.tag != ASN1_TAG_OCTETSTRING ||
97 	    hdr.length != 8) {
98 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
99 			   "(salt) - found class %d tag 0x%x size %d",
100 			   hdr.class, hdr.tag, hdr.length);
101 		return -1;
102 	}
103 	pos = hdr.payload + hdr.length;
104 	os_memcpy(params->salt, hdr.payload, hdr.length);
105 	params->salt_len = hdr.length;
106 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
107 		    params->salt, params->salt_len);
108 
109 	/* iterationCount INTEGER */
110 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
111 	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
112 		wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
113 			   "class %d tag 0x%x", hdr.class, hdr.tag);
114 		return -1;
115 	}
116 	if (hdr.length == 1)
117 		params->iter_count = *hdr.payload;
118 	else if (hdr.length == 2)
119 		params->iter_count = WPA_GET_BE16(hdr.payload);
120 	else if (hdr.length == 4)
121 		params->iter_count = WPA_GET_BE32(hdr.payload);
122 	else {
123 		wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
124 			    " (iterationCount)",
125 			    hdr.payload, hdr.length);
126 		return -1;
127 	}
128 	wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
129 		   params->iter_count);
130 	if (params->iter_count == 0 || params->iter_count > 0xffff) {
131 		wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
132 			   "iterationCount=0x%x", params->iter_count);
133 		return -1;
134 	}
135 
136 	return 0;
137 }
138 
139 
pkcs5_crypto_init(struct pkcs5_params * params,const char * passwd)140 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
141 						const char *passwd)
142 {
143 	unsigned int i;
144 	u8 hash[MD5_MAC_LEN];
145 	const u8 *addr[2];
146 	size_t len[2];
147 
148 	if (params->alg != PKCS5_ALG_MD5_DES_CBC) {
149 		return NULL;
150 	}
151 
152 	addr[0] = (const u8 *) passwd;
153 	len[0] = os_strlen(passwd);
154 	addr[1] = params->salt;
155 	len[1] = params->salt_len;
156 	if (md5_vector(2, addr, len, hash) < 0)
157 		return NULL;
158 	addr[0] = hash;
159 	len[0] = MD5_MAC_LEN;
160 	for (i = 1; i < params->iter_count; i++) {
161 		if (md5_vector(1, addr, len, hash) < 0)
162 			return NULL;
163 	}
164 	/* TODO: DES key parity bits(?) */
165 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
166 	wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
167 
168 	return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
169 
170 }
171 
pkcs5_decrypt(const u8 * enc_alg,size_t enc_alg_len,const u8 * enc_data,size_t enc_data_len,const char * passwd,size_t * data_len)172 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
173 		   const u8 *enc_data, size_t enc_data_len,
174 		   const char *passwd, size_t *data_len)
175 {
176 	struct crypto_cipher *ctx = NULL;
177 	u8 *eb, pad;
178 	struct pkcs5_params params;
179 	unsigned int i;
180 
181 	if (pkcs5_get_params(enc_alg, enc_alg_len, &params) < 0) {
182 		wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
183 		return NULL;
184 	}
185 
186 	ctx = pkcs5_crypto_init(&params, passwd);
187 
188 	if (ctx == NULL) {
189 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
190 		return NULL;
191 	}
192 
193 	/* PKCS #5, Section 7 - Decryption process */
194 	if (enc_data_len < 16 || enc_data_len % 8) {
195 		wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
196 			   "%d", (int) enc_data_len);
197 		crypto_cipher_deinit(ctx);
198 		return NULL;
199 	}
200 
201 	eb = os_malloc(enc_data_len);
202 	if (eb == NULL) {
203 		crypto_cipher_deinit(ctx);
204 		return NULL;
205 	}
206 
207 	if ((int)crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
208 		wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
209 		crypto_cipher_deinit(ctx);
210 		os_free(eb);
211 		return NULL;
212 	}
213 
214 	crypto_cipher_deinit(ctx);
215 
216 	pad = eb[enc_data_len - 1];
217 	if (pad > 8) {
218 		wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
219 		os_free(eb);
220 		return NULL;
221 	}
222 	for (i = enc_data_len - pad; i < enc_data_len; i++) {
223 		if (eb[i] != pad) {
224 			wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
225 				    eb + enc_data_len - pad, pad);
226 			os_free(eb);
227 			return NULL;
228 		}
229 	}
230 
231 	wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
232 			eb, enc_data_len - pad);
233 
234 	*data_len = enc_data_len - pad;
235 	return eb;
236 }
237