blob: 712488233f5fe15b8eb1ced67e6812b47964ff64 [file] [log] [blame]
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02001/*
2 * PKCS#12 Personal Information Exchange Syntax
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Dave Rodgman0f2971a2023-11-03 12:04:52 +00005 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02006 */
7/*
8 * The PKCS #12 Personal Information Exchange Syntax Standard v1.1
9 *
10 * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
11 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +020014#include "common.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020015
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020016#if defined(MBEDTLS_PKCS12_C)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020017
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000018#include "mbedtls/pkcs12.h"
19#include "mbedtls/asn1.h"
20#include "mbedtls/cipher.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050021#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +000022#include "mbedtls/error.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020023
Rich Evans00ab4702015-02-06 13:43:58 +000024#include <string.h>
25
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020026#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000027#include "mbedtls/arc4.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020028#endif
29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020030#if defined(MBEDTLS_DES_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000031#include "mbedtls/des.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020032#endif
33
Hanno Becker8a89f9f2018-10-12 10:46:32 +010034#if defined(MBEDTLS_ASN1_PARSE_C)
35
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010036static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params,
37 mbedtls_asn1_buf *salt, int *iterations)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020038{
Janos Follath24eed8d2019-11-22 13:21:35 +000039 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Waleed Elmelegyf9193932023-09-12 14:05:10 +010040 unsigned char **p = &params->p;
Paul Bakkerf8d018a2013-06-29 12:16:17 +020041 const unsigned char *end = params->p + params->len;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020042
43 /*
44 * pkcs-12PbeParams ::= SEQUENCE {
45 * salt OCTET STRING,
46 * iterations INTEGER
47 * }
48 *
49 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010050 if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
51 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
52 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
53 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020054
Waleed Elmelegyf9193932023-09-12 14:05:10 +010055 if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010056 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
57 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020058
Waleed Elmelegyf9193932023-09-12 14:05:10 +010059 salt->p = *p;
60 *p += salt->len;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020061
Waleed Elmelegyf9193932023-09-12 14:05:10 +010062 if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010063 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
64 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020065
Waleed Elmelegyf9193932023-09-12 14:05:10 +010066 if (*p != end) {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010067 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
68 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
69 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020070
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010071 return 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020072}
73
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +020074#define PKCS12_MAX_PWDLEN 128
75
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010076static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
77 const unsigned char *pwd, size_t pwdlen,
78 unsigned char *key, size_t keylen,
79 unsigned char *iv, size_t ivlen)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020080{
Nicholas Wilson409401c2016-04-13 11:48:25 +010081 int ret, iterations = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020082 mbedtls_asn1_buf salt;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020083 size_t i;
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +020084 unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
85
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010086 if (pwdlen > PKCS12_MAX_PWDLEN) {
87 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
88 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020089
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010090 memset(&salt, 0, sizeof(mbedtls_asn1_buf));
91 memset(&unipwd, 0, sizeof(unipwd));
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020092
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010093 if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt,
94 &iterations)) != 0) {
95 return ret;
96 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020097
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010098 for (i = 0; i < pwdlen; i++) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +020099 unipwd[i * 2 + 1] = pwd[i];
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200100 }
101
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100102 if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2,
103 salt.p, salt.len, md_type,
104 MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) {
105 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200106 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100107
108 if (iv == NULL || ivlen == 0) {
109 return 0;
110 }
111
112 if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2,
113 salt.p, salt.len, md_type,
114 MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) {
115 return ret;
116 }
117 return 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200118}
119
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200120#undef PKCS12_MAX_PWDLEN
121
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100122int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode,
123 const unsigned char *pwd, size_t pwdlen,
124 const unsigned char *data, size_t len,
125 unsigned char *output)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200126{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200127#if !defined(MBEDTLS_ARC4_C)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200128 ((void) pbe_params);
129 ((void) mode);
130 ((void) pwd);
131 ((void) pwdlen);
132 ((void) data);
133 ((void) len);
134 ((void) output);
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100135 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200136#else
Janos Follath24eed8d2019-11-22 13:21:35 +0000137 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200138 unsigned char key[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200139 mbedtls_arc4_context ctx;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200140 ((void) mode);
141
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100142 mbedtls_arc4_init(&ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200143
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100144 if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, MBEDTLS_MD_SHA1,
145 pwd, pwdlen,
146 key, 16, NULL, 0)) != 0) {
147 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200148 }
149
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100150 mbedtls_arc4_setup(&ctx, key, 16);
151 if ((ret = mbedtls_arc4_crypt(&ctx, len, data, output)) != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200152 goto exit;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100153 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200154
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200155exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100156 mbedtls_platform_zeroize(key, sizeof(key));
157 mbedtls_arc4_free(&ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200158
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100159 return ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200160#endif /* MBEDTLS_ARC4_C */
Paul Bakker531e2942013-06-24 19:23:12 +0200161}
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200162
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100163#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
164int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
165 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
166 const unsigned char *pwd, size_t pwdlen,
167 const unsigned char *data, size_t len,
168 unsigned char *output, size_t output_size,
169 size_t *output_len);
170#endif
171
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100172int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
173 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
174 const unsigned char *pwd, size_t pwdlen,
175 const unsigned char *data, size_t len,
176 unsigned char *output)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200177{
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100178 size_t output_len = 0;
179
180 /* We assume caller of the function is providing a big enough output buffer
181 * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
182 * for the output size actually being correct.
183 */
184 return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
185 pwd, pwdlen, data, len, output, SIZE_MAX,
186 &output_len);
187}
188
189int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
190 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
191 const unsigned char *pwd, size_t pwdlen,
192 const unsigned char *data, size_t len,
193 unsigned char *output, size_t output_size,
194 size_t *output_len)
195{
Paul Bakker38b50d72013-06-24 19:33:27 +0200196 int ret, keylen = 0;
197 unsigned char key[32];
198 unsigned char iv[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200199 const mbedtls_cipher_info_t *cipher_info;
200 mbedtls_cipher_context_t cipher_ctx;
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100201 size_t finish_olen = 0;
202 unsigned int padlen = 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200203
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100204 if (pwd == NULL && pwdlen != 0) {
205 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
206 }
Paul Elliottfe724fe2021-11-11 19:00:38 +0000207
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100208 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
209 if (cipher_info == NULL) {
210 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
211 }
Paul Bakker38b50d72013-06-24 19:33:27 +0200212
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +0200213 keylen = cipher_info->key_bitlen / 8;
Paul Bakker38b50d72013-06-24 19:33:27 +0200214
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100215 if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
216 if (output_size < len) {
217 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
218 }
219 }
220
221 if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
222 padlen = cipher_info->block_size - (len % cipher_info->block_size);
223 if (output_size < (len + padlen)) {
224 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
225 }
226 }
227
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100228 if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
229 key, keylen,
230 iv, cipher_info->iv_size)) != 0) {
231 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200232 }
233
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100234 mbedtls_cipher_init(&cipher_ctx);
Paul Bakker84bbeb52014-07-01 14:53:22 +0200235
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100236 if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200237 goto exit;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200238 }
239
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100240 if ((ret =
241 mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
242 (mbedtls_operation_t) mode)) != 0) {
243 goto exit;
244 }
245
Waleed Elmelegy38a89ad2023-09-04 15:11:22 +0100246#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
247 /* PKCS12 uses CBC with PKCS7 padding */
248
249 mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
250#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
251 /* For historical reasons, when decrypting, this function works when
252 * decrypting even when support for PKCS7 padding is disabled. In this
253 * case, it ignores the padding, and so will never report a
254 * password mismatch.
255 */
256 if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
257 padding = MBEDTLS_PADDING_NONE;
258 }
259#endif
260 if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
261 goto exit;
262 }
263#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
264
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100265 if ((ret = mbedtls_cipher_set_iv(&cipher_ctx, iv, cipher_info->iv_size)) != 0) {
266 goto exit;
267 }
268
269 if ((ret = mbedtls_cipher_reset(&cipher_ctx)) != 0) {
270 goto exit;
271 }
272
273 if ((ret = mbedtls_cipher_update(&cipher_ctx, data, len,
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100274 output, output_len)) != 0) {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100275 goto exit;
276 }
277
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100278 if ((ret = mbedtls_cipher_finish(&cipher_ctx, output + (*output_len), &finish_olen)) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200279 ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100280 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200281
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100282 *output_len += finish_olen;
283
Paul Bakkerbd552442013-07-03 14:44:40 +0200284exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100285 mbedtls_platform_zeroize(key, sizeof(key));
286 mbedtls_platform_zeroize(iv, sizeof(iv));
287 mbedtls_cipher_free(&cipher_ctx);
Paul Bakkerbd552442013-07-03 14:44:40 +0200288
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100289 return ret;
Paul Bakker531e2942013-06-24 19:23:12 +0200290}
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200291
Hanno Becker8a89f9f2018-10-12 10:46:32 +0100292#endif /* MBEDTLS_ASN1_PARSE_C */
293
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100294static void pkcs12_fill_buffer(unsigned char *data, size_t data_len,
295 const unsigned char *filler, size_t fill_len)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200296{
297 unsigned char *p = data;
298 size_t use_len;
299
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100300 if (filler != NULL && fill_len != 0) {
301 while (data_len > 0) {
302 use_len = (data_len > fill_len) ? fill_len : data_len;
303 memcpy(p, filler, use_len);
Paul Elliottfe724fe2021-11-11 19:00:38 +0000304 p += use_len;
305 data_len -= use_len;
306 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100307 } else {
Paul Elliott8d7eef42021-12-02 17:51:34 +0000308 /* If either of the above are not true then clearly there is nothing
309 * that this function can do. The function should *not* be called
310 * under either of those circumstances, as you could end up with an
311 * incorrect output but for safety's sake, leaving the check in as
312 * otherwise we could end up with memory corruption.*/
313 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200314}
315
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100316int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
317 const unsigned char *pwd, size_t pwdlen,
318 const unsigned char *salt, size_t saltlen,
319 mbedtls_md_type_t md_type, int id, int iterations)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200320{
Janos Follath24eed8d2019-11-22 13:21:35 +0000321 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200322 unsigned int j;
323
324 unsigned char diversifier[128];
325 unsigned char salt_block[128], pwd_block[128], hash_block[128];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200326 unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200327 unsigned char *p;
328 unsigned char c;
Paul Elliott7412eb42021-11-18 14:02:21 +0000329 int use_password = 0;
330 int use_salt = 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200331
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200332 size_t hlen, use_len, v, i;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200333
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200334 const mbedtls_md_info_t *md_info;
335 mbedtls_md_context_t md_ctx;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200336
337 // This version only allows max of 64 bytes of password or salt
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100338 if (datalen > 128 || pwdlen > 64 || saltlen > 64) {
339 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
Paul Elliott7412eb42021-11-18 14:02:21 +0000340 }
341
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100342 if (pwd == NULL && pwdlen != 0) {
343 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
344 }
345
346 if (salt == NULL && saltlen != 0) {
347 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
348 }
349
350 use_password = (pwd && pwdlen != 0);
351 use_salt = (salt && saltlen != 0);
352
353 md_info = mbedtls_md_info_from_type(md_type);
354 if (md_info == NULL) {
355 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
356 }
357
358 mbedtls_md_init(&md_ctx);
359
360 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
361 return ret;
362 }
363 hlen = mbedtls_md_get_size(md_info);
364
365 if (hlen <= 32) {
366 v = 64;
367 } else {
368 v = 128;
369 }
370
371 memset(diversifier, (unsigned char) id, v);
372
373 if (use_salt != 0) {
374 pkcs12_fill_buffer(salt_block, v, salt, saltlen);
375 }
376
377 if (use_password != 0) {
378 pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen);
Paul Elliott7412eb42021-11-18 14:02:21 +0000379 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200380
381 p = data;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100382 while (datalen > 0) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200383 // Calculate hash( diversifier || salt_block || pwd_block )
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100384 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200385 goto exit;
Paul Elliott7412eb42021-11-18 14:02:21 +0000386 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200387
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100388 if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200389 goto exit;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200390 }
391
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100392 if (use_salt != 0) {
393 if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) {
394 goto exit;
Paul Elliott7412eb42021-11-18 14:02:21 +0000395 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200396 }
397
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100398 if (use_password != 0) {
399 if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) {
400 goto exit;
401 }
402 }
403
404 if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) {
405 goto exit;
406 }
407
408 // Perform remaining ( iterations - 1 ) recursive hash calculations
409 for (i = 1; i < (size_t) iterations; i++) {
410 if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output)) != 0) {
411 goto exit;
412 }
413 }
414
415 use_len = (datalen > hlen) ? hlen : datalen;
416 memcpy(p, hash_output, use_len);
417 datalen -= use_len;
418 p += use_len;
419
420 if (datalen == 0) {
421 break;
422 }
423
424 // Concatenating copies of hash_output into hash_block (B)
425 pkcs12_fill_buffer(hash_block, v, hash_output, hlen);
426
427 // B += 1
428 for (i = v; i > 0; i--) {
429 if (++hash_block[i - 1] != 0) {
430 break;
431 }
432 }
433
434 if (use_salt != 0) {
435 // salt_block += B
436 c = 0;
437 for (i = v; i > 0; i--) {
438 j = salt_block[i - 1] + hash_block[i - 1] + c;
439 c = MBEDTLS_BYTE_1(j);
440 salt_block[i - 1] = MBEDTLS_BYTE_0(j);
441 }
442 }
443
444 if (use_password != 0) {
Paul Elliott7412eb42021-11-18 14:02:21 +0000445 // pwd_block += B
446 c = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100447 for (i = v; i > 0; i--) {
Paul Elliott7412eb42021-11-18 14:02:21 +0000448 j = pwd_block[i - 1] + hash_block[i - 1] + c;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100449 c = MBEDTLS_BYTE_1(j);
450 pwd_block[i - 1] = MBEDTLS_BYTE_0(j);
Paul Elliott7412eb42021-11-18 14:02:21 +0000451 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200452 }
453 }
454
Paul Bakkerbd552442013-07-03 14:44:40 +0200455 ret = 0;
456
457exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100458 mbedtls_platform_zeroize(salt_block, sizeof(salt_block));
459 mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block));
460 mbedtls_platform_zeroize(hash_block, sizeof(hash_block));
461 mbedtls_platform_zeroize(hash_output, sizeof(hash_output));
Paul Bakker91c301a2014-06-18 13:59:38 +0200462
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100463 mbedtls_md_free(&md_ctx);
Paul Bakkerbd552442013-07-03 14:44:40 +0200464
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100465 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200466}
467
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200468#endif /* MBEDTLS_PKCS12_C */