2 * PKCS #5 (Password-based Encryption)
3 * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
25 unsigned int iter_count;
29 static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
32 oid->oid[0] == 1 /* iso */ &&
33 oid->oid[1] == 2 /* member-body */ &&
34 oid->oid[2] == 840 /* us */ &&
35 oid->oid[3] == 113549 /* rsadsi */ &&
36 oid->oid[4] == 1 /* pkcs */ &&
37 oid->oid[5] == 5 /* pkcs-5 */ &&
38 oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */)
39 return PKCS5_ALG_MD5_DES_CBC;
41 return PKCS5_ALG_UNKNOWN;
45 static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
46 struct pkcs5_params *params)
49 const u8 *enc_alg_end, *pos, *end;
53 /* AlgorithmIdentifier */
55 enc_alg_end = enc_alg + enc_alg_len;
57 os_memset(params, 0, sizeof(*params));
59 if (asn1_get_oid(enc_alg, enc_alg_end - enc_alg, &oid, &pos)) {
60 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to parse OID "
65 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
66 wpa_printf(MSG_DEBUG, "PKCS #5: encryption algorithm %s", obuf);
67 params->alg = pkcs5_get_alg(&oid);
68 if (params->alg == PKCS5_ALG_UNKNOWN) {
69 wpa_printf(MSG_INFO, "PKCS #5: unsupported encryption "
70 "algorithm %s", obuf);
76 * PBEParameter ::= SEQUENCE {
77 * salt OCTET STRING SIZE(8),
78 * iterationCount INTEGER }
81 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
82 hdr.class != ASN1_CLASS_UNIVERSAL ||
83 hdr.tag != ASN1_TAG_SEQUENCE) {
84 wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
85 "(PBEParameter) - found class %d tag 0x%x",
90 end = hdr.payload + hdr.length;
92 /* salt OCTET STRING SIZE(8) */
93 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
94 hdr.class != ASN1_CLASS_UNIVERSAL ||
95 hdr.tag != ASN1_TAG_OCTETSTRING ||
97 wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
98 "(salt) - found class %d tag 0x%x size %d",
99 hdr.class, hdr.tag, hdr.length);
102 pos = hdr.payload + hdr.length;
103 os_memcpy(params->salt, hdr.payload, hdr.length);
104 params->salt_len = hdr.length;
105 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt",
106 params->salt, params->salt_len);
108 /* iterationCount INTEGER */
109 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
110 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
111 wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
112 "class %d tag 0x%x", hdr.class, hdr.tag);
116 params->iter_count = *hdr.payload;
117 else if (hdr.length == 2)
118 params->iter_count = WPA_GET_BE16(hdr.payload);
119 else if (hdr.length == 4)
120 params->iter_count = WPA_GET_BE32(hdr.payload);
122 wpa_hexdump(MSG_DEBUG, "PKCS #5: Unsupported INTEGER value "
124 hdr.payload, hdr.length);
127 wpa_printf(MSG_DEBUG, "PKCS #5: iterationCount=0x%x",
129 if (params->iter_count == 0 || params->iter_count > 0xffff) {
130 wpa_printf(MSG_INFO, "PKCS #5: Unsupported "
131 "iterationCount=0x%x", params->iter_count);
139 static struct crypto_cipher * pkcs5_crypto_init(struct pkcs5_params *params,
143 u8 hash[MD5_MAC_LEN];
147 if (params->alg != PKCS5_ALG_MD5_DES_CBC)
150 addr[0] = (const u8 *) passwd;
151 len[0] = os_strlen(passwd);
152 addr[1] = params->salt;
153 len[1] = params->salt_len;
154 if (md5_vector(2, addr, len, hash) < 0)
157 len[0] = MD5_MAC_LEN;
158 for (i = 1; i < params->iter_count; i++) {
159 if (md5_vector(1, addr, len, hash) < 0)
162 /* TODO: DES key parity bits(?) */
163 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES key", hash, 8);
164 wpa_hexdump_key(MSG_DEBUG, "PKCS #5: DES IV", hash + 8, 8);
166 return crypto_cipher_init(CRYPTO_CIPHER_ALG_DES, hash + 8, hash, 8);
170 u8 * pkcs5_decrypt(const u8 *enc_alg, size_t enc_alg_len,
171 const u8 *enc_data, size_t enc_data_len,
172 const char *passwd, size_t *data_len)
174 struct crypto_cipher *ctx;
176 struct pkcs5_params params;
179 if (pkcs5_get_params(enc_alg, enc_alg_len, ¶ms) < 0) {
180 wpa_printf(MSG_DEBUG, "PKCS #5: Unsupported parameters");
184 ctx = pkcs5_crypto_init(¶ms, passwd);
186 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to initialize crypto");
190 /* PKCS #5, Section 7 - Decryption process */
191 if (enc_data_len < 16 || enc_data_len % 8) {
192 wpa_printf(MSG_INFO, "PKCS #5: invalid length of ciphertext "
193 "%d", (int) enc_data_len);
194 crypto_cipher_deinit(ctx);
198 eb = os_malloc(enc_data_len);
200 crypto_cipher_deinit(ctx);
204 if (crypto_cipher_decrypt(ctx, enc_data, eb, enc_data_len) < 0) {
205 wpa_printf(MSG_DEBUG, "PKCS #5: Failed to decrypt EB");
206 crypto_cipher_deinit(ctx);
210 crypto_cipher_deinit(ctx);
212 pad = eb[enc_data_len - 1];
214 wpa_printf(MSG_INFO, "PKCS #5: Invalid PS octet 0x%x", pad);
218 for (i = enc_data_len - pad; i < enc_data_len; i++) {
220 wpa_hexdump(MSG_INFO, "PKCS #5: Invalid PS",
221 eb + enc_data_len - pad, pad);
227 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #5: message M (encrypted key)",
228 eb, enc_data_len - pad);
230 *data_len = enc_data_len - pad;