TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e3c05853d6a9a6895d5ce690fbf8a485bc91ab97 / . / library / pkcs12.c
blob: 374e8e81c33c545565764403486ed53c6c5dcd3a [file] [log] [blame]
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]1/*
2 * PKCS#12 Personal Information Exchange Syntax
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgmane3c05852023-11-03 12:21:36 +0000[diff] [blame^]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]6 */
7/*
8 * The PKCS #12 Personal Information Exchange Syntax Standard v1.1
9 *
10 * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
11 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]15
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]16#if defined(MBEDTLS_PKCS12_C)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]17
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]18#include "mbedtls/pkcs12.h"
19#include "mbedtls/asn1.h"
20#include "mbedtls/cipher.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]21#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]22#include "mbedtls/error.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]23
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]24#include <string.h>
25
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]26#if defined(MBEDTLS_DES_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]27#include "mbedtls/des.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]28#endif
29
Manuel Pégourié-Gonnard2be8c632023-06-07 13:07:21 +0200[diff] [blame]30#include "psa_util_internal.h"
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]31
Hanno Becker8a89f9f2018-10-12 10:46:32 +0100[diff] [blame]32#if defined(MBEDTLS_ASN1_PARSE_C)
33
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]34static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params,
35 mbedtls_asn1_buf *salt, int *iterations)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]36{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]37 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]38 unsigned char **p = &params->p;
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200[diff] [blame]39 const unsigned char *end = params->p + params->len;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]40
41 /*
42 * pkcs-12PbeParams ::= SEQUENCE {
43 * salt OCTET STRING,
44 * iterations INTEGER
45 * }
46 *
47 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]48 if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
49 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
50 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
51 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]52
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]53 if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]54 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
55 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]56
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]57 salt->p = *p;
58 *p += salt->len;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]59
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]60 if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
62 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]63
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]64 if (*p != end) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
66 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
67 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]68
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]69 return 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]70}
71
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]72#define PKCS12_MAX_PWDLEN 128
73
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]74static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
75 const unsigned char *pwd, size_t pwdlen,
76 unsigned char *key, size_t keylen,
77 unsigned char *iv, size_t ivlen)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]78{
Nicholas Wilson409401c2016-04-13 11:48:25 +0100[diff] [blame]79 int ret, iterations = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]80 mbedtls_asn1_buf salt;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]81 size_t i;
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]82 unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
83
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]84 if (pwdlen > PKCS12_MAX_PWDLEN) {
85 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
86 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]87
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]88 memset(&salt, 0, sizeof(mbedtls_asn1_buf));
89 memset(&unipwd, 0, sizeof(unipwd));
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]90
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]91 if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt,
92 &iterations)) != 0) {
93 return ret;
94 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]95
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]96 for (i = 0; i < pwdlen; i++) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]97 unipwd[i * 2 + 1] = pwd[i];
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]98 }
99
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]100 if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2,
101 salt.p, salt.len, md_type,
102 MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) {
103 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]104 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]105
106 if (iv == NULL || ivlen == 0) {
107 return 0;
108 }
109
110 if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2,
111 salt.p, salt.len, md_type,
112 MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) {
113 return ret;
114 }
115 return 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]116}
117
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]118#undef PKCS12_MAX_PWDLEN
119
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]120#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
121int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
122 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
123 const unsigned char *pwd, size_t pwdlen,
124 const unsigned char *data, size_t len,
125 unsigned char *output, size_t output_size,
126 size_t *output_len);
127#endif
128
Waleed Elmelegyd5278962023-09-12 14:42:49 +0100[diff] [blame]129#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]130int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
131 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
132 const unsigned char *pwd, size_t pwdlen,
133 const unsigned char *data, size_t len,
134 unsigned char *output)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]135{
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]136 size_t output_len = 0;
137
138 /* We assume caller of the function is providing a big enough output buffer
139 * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
140 * for the output size actually being correct.
141 */
142 return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
143 pwd, pwdlen, data, len, output, SIZE_MAX,
144 &output_len);
145}
Waleed Elmelegyd5278962023-09-12 14:42:49 +0100[diff] [blame]146#endif
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]147
148int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
149 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
150 const unsigned char *pwd, size_t pwdlen,
151 const unsigned char *data, size_t len,
152 unsigned char *output, size_t output_size,
153 size_t *output_len)
154{
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]155 int ret, keylen = 0;
156 unsigned char key[32];
157 unsigned char iv[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]158 const mbedtls_cipher_info_t *cipher_info;
159 mbedtls_cipher_context_t cipher_ctx;
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]160 size_t finish_olen = 0;
161 unsigned int padlen = 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]162
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]163 if (pwd == NULL && pwdlen != 0) {
164 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
165 }
Paul Elliott853c0da2021-11-11 19:00:38 +0000[diff] [blame]166
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]167 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
168 if (cipher_info == NULL) {
169 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
170 }
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]171
Dave Rodgmane59b9d42023-06-24 16:53:13 +0100[diff] [blame]172 keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]173
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]174 if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
175 if (output_size < len) {
176 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
177 }
178 }
179
180 if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
181 padlen = cipher_info->block_size - (len % cipher_info->block_size);
182 if (output_size < (len + padlen)) {
183 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
184 }
185 }
186
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]187 if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
188 key, keylen,
Dave Rodgmanbb521fd2023-06-24 11:21:25 +0100[diff] [blame]189 iv, mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]190 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]191 }
192
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193 mbedtls_cipher_init(&cipher_ctx);
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]194
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]195 if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]196 goto exit;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]197 }
198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]199 if ((ret =
200 mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
201 (mbedtls_operation_t) mode)) != 0) {
202 goto exit;
203 }
204
Waleed Elmelegy255db802023-09-04 15:11:22 +0100[diff] [blame]205#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
206 /* PKCS12 uses CBC with PKCS7 padding */
207
208 mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
209#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
210 /* For historical reasons, when decrypting, this function works when
211 * decrypting even when support for PKCS7 padding is disabled. In this
212 * case, it ignores the padding, and so will never report a
213 * password mismatch.
214 */
215 if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
216 padding = MBEDTLS_PADDING_NONE;
217 }
218#endif
219 if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
220 goto exit;
221 }
222#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
223
Dave Rodgman3b46b772023-06-24 13:25:06 +0100[diff] [blame]224 if ((ret =
225 mbedtls_cipher_set_iv(&cipher_ctx, iv,
226 mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 goto exit;
228 }
229
230 if ((ret = mbedtls_cipher_reset(&cipher_ctx)) != 0) {
231 goto exit;
232 }
233
234 if ((ret = mbedtls_cipher_update(&cipher_ctx, data, len,
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]235 output, output_len)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]236 goto exit;
237 }
238
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]239 if ((ret = mbedtls_cipher_finish(&cipher_ctx, output + (*output_len), &finish_olen)) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]240 ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]242
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]243 *output_len += finish_olen;
244
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]245exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]246 mbedtls_platform_zeroize(key, sizeof(key));
247 mbedtls_platform_zeroize(iv, sizeof(iv));
248 mbedtls_cipher_free(&cipher_ctx);
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]249
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]250 return ret;
Paul Bakker531e2942013-06-24 19:23:12 +0200[diff] [blame]251}
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]252
Hanno Becker8a89f9f2018-10-12 10:46:32 +0100[diff] [blame]253#endif /* MBEDTLS_ASN1_PARSE_C */
254
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]255static void pkcs12_fill_buffer(unsigned char *data, size_t data_len,
256 const unsigned char *filler, size_t fill_len)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]257{
258 unsigned char *p = data;
259 size_t use_len;
260
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]261 if (filler != NULL && fill_len != 0) {
262 while (data_len > 0) {
263 use_len = (data_len > fill_len) ? fill_len : data_len;
264 memcpy(p, filler, use_len);
Paul Elliott853c0da2021-11-11 19:00:38 +0000[diff] [blame]265 p += use_len;
266 data_len -= use_len;
267 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]268 } else {
Paul Elliott7298bef2021-12-02 17:51:34 +0000[diff] [blame]269 /* If either of the above are not true then clearly there is nothing
270 * that this function can do. The function should *not* be called
271 * under either of those circumstances, as you could end up with an
272 * incorrect output but for safety's sake, leaving the check in as
273 * otherwise we could end up with memory corruption.*/
274 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]275}
276
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]277
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]278static int calculate_hashes(mbedtls_md_type_t md_type, int iterations,
279 unsigned char *diversifier, unsigned char *salt_block,
280 unsigned char *pwd_block, unsigned char *hash_output, int use_salt,
281 int use_password, size_t hlen, size_t v)
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]282{
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]283 int ret = -1;
284 size_t i;
285 const mbedtls_md_info_t *md_info;
286 mbedtls_md_context_t md_ctx;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 md_info = mbedtls_md_info_from_type(md_type);
288 if (md_info == NULL) {
289 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
290 }
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]291
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]292 mbedtls_md_init(&md_ctx);
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]293
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]294 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
295 return ret;
296 }
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]297 // Calculate hash( diversifier || salt_block || pwd_block )
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]298 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]299 goto exit;
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]300 }
301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]302 if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) {
303 goto exit;
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]304 }
305
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]306 if (use_salt != 0) {
307 if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) {
308 goto exit;
309 }
310 }
311
312 if (use_password != 0) {
313 if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) {
314 goto exit;
315 }
316 }
317
318 if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) {
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]319 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]320 }
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]321
322 // Perform remaining ( iterations - 1 ) recursive hash calculations
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]323 for (i = 1; i < (size_t) iterations; i++) {
324 if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output))
325 != 0) {
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]326 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]327 }
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]328 }
329
330exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 mbedtls_md_free(&md_ctx);
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]332 return ret;
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]333}
334
335
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]336int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
337 const unsigned char *pwd, size_t pwdlen,
338 const unsigned char *salt, size_t saltlen,
339 mbedtls_md_type_t md_type, int id, int iterations)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]340{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]341 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]342 unsigned int j;
343
344 unsigned char diversifier[128];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]345 unsigned char salt_block[128], pwd_block[128], hash_block[128] = { 0 };
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]346 unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]347 unsigned char *p;
348 unsigned char c;
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]349 int use_password = 0;
350 int use_salt = 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]351
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]352 size_t hlen, use_len, v, i;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]353
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]354 // This version only allows max of 64 bytes of password or salt
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]355 if (datalen > 128 || pwdlen > 64 || saltlen > 64) {
356 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]357 }
358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359 if (pwd == NULL && pwdlen != 0) {
360 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
361 }
362
363 if (salt == NULL && saltlen != 0) {
364 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
365 }
366
367 use_password = (pwd && pwdlen != 0);
368 use_salt = (salt && saltlen != 0);
369
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +0200[diff] [blame]370 hlen = mbedtls_md_get_size_from_type(md_type);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]371
372 if (hlen <= 32) {
373 v = 64;
374 } else {
375 v = 128;
376 }
377
378 memset(diversifier, (unsigned char) id, v);
379
380 if (use_salt != 0) {
381 pkcs12_fill_buffer(salt_block, v, salt, saltlen);
382 }
383
384 if (use_password != 0) {
385 pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen);
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]386 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]387
388 p = data;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]389 while (datalen > 0) {
390 if (calculate_hashes(md_type, iterations, diversifier, salt_block,
391 pwd_block, hash_output, use_salt, use_password, hlen,
392 v) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]393 goto exit;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]394 }
395
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]396 use_len = (datalen > hlen) ? hlen : datalen;
397 memcpy(p, hash_output, use_len);
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]398 datalen -= use_len;
399 p += use_len;
400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]401 if (datalen == 0) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]402 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]403 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]404
405 // Concatenating copies of hash_output into hash_block (B)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 pkcs12_fill_buffer(hash_block, v, hash_output, hlen);
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]407
408 // B += 1
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]409 for (i = v; i > 0; i--) {
410 if (++hash_block[i - 1] != 0) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]411 break;
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]412 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]413 }
414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 if (use_salt != 0) {
416 // salt_block += B
417 c = 0;
418 for (i = v; i > 0; i--) {
419 j = salt_block[i - 1] + hash_block[i - 1] + c;
420 c = MBEDTLS_BYTE_1(j);
421 salt_block[i - 1] = MBEDTLS_BYTE_0(j);
422 }
423 }
424
425 if (use_password != 0) {
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]426 // pwd_block += B
427 c = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]428 for (i = v; i > 0; i--) {
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]429 j = pwd_block[i - 1] + hash_block[i - 1] + c;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]430 c = MBEDTLS_BYTE_1(j);
431 pwd_block[i - 1] = MBEDTLS_BYTE_0(j);
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]432 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]433 }
434 }
435
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]436 ret = 0;
437
438exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]439 mbedtls_platform_zeroize(salt_block, sizeof(salt_block));
440 mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block));
441 mbedtls_platform_zeroize(hash_block, sizeof(hash_block));
442 mbedtls_platform_zeroize(hash_output, sizeof(hash_output));
Paul Bakker91c301a2014-06-18 13:59:38 +0200[diff] [blame]443
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]444 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]445}
446
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]447#endif /* MBEDTLS_PKCS12_C */