TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/master / . / library / pkcs12.c
blob: a3467b98208926c19060cd9c8eb2a9f30ad7e893 [file] [log] [blame]
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]1/*
2 * PKCS#12 Personal Information Exchange Syntax
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]6 */
7/*
8 * The PKCS #12 Personal Information Exchange Syntax Standard v1.1
9 *
10 * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
11 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]15
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]16#if defined(MBEDTLS_PKCS12_C)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]17
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]18#include "mbedtls/pkcs12.h"
19#include "mbedtls/asn1.h"
Valerio Settia69e8722023-12-21 16:37:29 +0100[diff] [blame]20#if defined(MBEDTLS_CIPHER_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]21#include "mbedtls/cipher.h"
Valerio Settia69e8722023-12-21 16:37:29 +0100[diff] [blame]22#endif /* MBEDTLS_CIPHER_C */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]23#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]24#include "mbedtls/error.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]25
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]26#include <string.h>
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_DES_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/des.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]30#endif
31
Manuel Pégourié-Gonnard2be8c632023-06-07 13:07:21 +0200[diff] [blame]32#include "psa_util_internal.h"
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]33
Valerio Settia69e8722023-12-21 16:37:29 +0100[diff] [blame]34#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
Hanno Becker8a89f9f2018-10-12 10:46:32 +0100[diff] [blame]35
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]36static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params,
37 mbedtls_asn1_buf *salt, int *iterations)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]38{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]39 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]40 unsigned char **p = &params->p;
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200[diff] [blame]41 const unsigned char *end = params->p + params->len;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]42
43 /*
44 * pkcs-12PbeParams ::= SEQUENCE {
45 * salt OCTET STRING,
46 * iterations INTEGER
47 * }
48 *
49 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]50 if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
51 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
52 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
53 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]54
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]55 if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]56 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
57 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]58
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]59 salt->p = *p;
60 *p += salt->len;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]61
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]62 if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
64 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]65
Waleed Elmelegy57d09b72023-09-12 14:05:10 +0100[diff] [blame]66 if (*p != end) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]67 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
68 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
69 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]70
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]71 return 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]72}
73
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]74#define PKCS12_MAX_PWDLEN 128
75
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]76static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
77 const unsigned char *pwd, size_t pwdlen,
78 unsigned char *key, size_t keylen,
79 unsigned char *iv, size_t ivlen)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]80{
Nicholas Wilson409401c2016-04-13 11:48:25 +0100[diff] [blame]81 int ret, iterations = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82 mbedtls_asn1_buf salt;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]83 size_t i;
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]84 unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
85
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]86 if (pwdlen > PKCS12_MAX_PWDLEN) {
87 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
88 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]89
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]90 memset(&salt, 0, sizeof(mbedtls_asn1_buf));
91 memset(&unipwd, 0, sizeof(unipwd));
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]92
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93 if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt,
94 &iterations)) != 0) {
95 return ret;
96 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]97
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98 for (i = 0; i < pwdlen; i++) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]99 unipwd[i * 2 + 1] = pwd[i];
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]100 }
101
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]102 if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2,
103 salt.p, salt.len, md_type,
104 MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) {
105 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]106 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107
108 if (iv == NULL || ivlen == 0) {
109 return 0;
110 }
111
112 if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2,
113 salt.p, salt.len, md_type,
114 MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) {
115 return ret;
116 }
117 return 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]118}
119
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]120#undef PKCS12_MAX_PWDLEN
121
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]122#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
123int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
124 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
125 const unsigned char *pwd, size_t pwdlen,
126 const unsigned char *data, size_t len,
127 unsigned char *output, size_t output_size,
128 size_t *output_len);
129#endif
130
Waleed Elmelegyd5278962023-09-12 14:42:49 +0100[diff] [blame]131#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]132int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
133 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
134 const unsigned char *pwd, size_t pwdlen,
135 const unsigned char *data, size_t len,
136 unsigned char *output)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]137{
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]138 size_t output_len = 0;
139
140 /* We assume caller of the function is providing a big enough output buffer
141 * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
142 * for the output size actually being correct.
143 */
144 return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
145 pwd, pwdlen, data, len, output, SIZE_MAX,
146 &output_len);
147}
Waleed Elmelegyd5278962023-09-12 14:42:49 +0100[diff] [blame]148#endif
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]149
150int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
151 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
152 const unsigned char *pwd, size_t pwdlen,
153 const unsigned char *data, size_t len,
154 unsigned char *output, size_t output_size,
155 size_t *output_len)
156{
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]157 int ret, keylen = 0;
158 unsigned char key[32];
159 unsigned char iv[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]160 const mbedtls_cipher_info_t *cipher_info;
161 mbedtls_cipher_context_t cipher_ctx;
Valerio Settif4848842023-10-05 06:24:06 +0200[diff] [blame]162 size_t iv_len = 0;
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]163 size_t finish_olen = 0;
164 unsigned int padlen = 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]165
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]166 if (pwd == NULL && pwdlen != 0) {
167 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
168 }
Paul Elliott853c0da2021-11-11 19:00:38 +0000[diff] [blame]169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]170 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
171 if (cipher_info == NULL) {
172 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
173 }
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]174
Dave Rodgmane59b9d42023-06-24 16:53:13 +0100[diff] [blame]175 keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]176
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]177 if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
178 if (output_size < len) {
179 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
180 }
181 }
182
183 if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
184 padlen = cipher_info->block_size - (len % cipher_info->block_size);
185 if (output_size < (len + padlen)) {
186 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
187 }
188 }
189
Valerio Settif4848842023-10-05 06:24:06 +0200[diff] [blame]190 iv_len = mbedtls_cipher_info_get_iv_size(cipher_info);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
192 key, keylen,
Valerio Settif4848842023-10-05 06:24:06 +0200[diff] [blame]193 iv, iv_len)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]194 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]195 }
196
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]197 mbedtls_cipher_init(&cipher_ctx);
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]199 if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]200 goto exit;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]201 }
202
Valerio Settif4848842023-10-05 06:24:06 +0200[diff] [blame]203 if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
204 (mbedtls_operation_t) mode)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 goto exit;
206 }
207
Waleed Elmelegy255db802023-09-04 15:11:22 +0100[diff] [blame]208#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
Dave Rodgman515af1d2023-10-13 14:40:14 +0100[diff] [blame]209 {
210 /* PKCS12 uses CBC with PKCS7 padding */
211 mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
Waleed Elmelegy255db802023-09-04 15:11:22 +0100[diff] [blame]212#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
Dave Rodgman515af1d2023-10-13 14:40:14 +0100[diff] [blame]213 /* For historical reasons, when decrypting, this function works when
214 * decrypting even when support for PKCS7 padding is disabled. In this
215 * case, it ignores the padding, and so will never report a
216 * password mismatch.
217 */
218 if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
219 padding = MBEDTLS_PADDING_NONE;
220 }
Waleed Elmelegy255db802023-09-04 15:11:22 +0100[diff] [blame]221#endif
Dave Rodgman515af1d2023-10-13 14:40:14 +0100[diff] [blame]222 if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
223 goto exit;
224 }
Waleed Elmelegy255db802023-09-04 15:11:22 +0100[diff] [blame]225 }
226#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
227
Valerio Settif4848842023-10-05 06:24:06 +0200[diff] [blame]228 ret = mbedtls_cipher_crypt(&cipher_ctx, iv, iv_len, data, len, output, &finish_olen);
229 if (ret == MBEDTLS_ERR_CIPHER_INVALID_PADDING) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]230 ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]231 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]232
Waleed Elmelegye1cb35b2023-09-06 15:48:08 +0100[diff] [blame]233 *output_len += finish_olen;
234
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]235exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]236 mbedtls_platform_zeroize(key, sizeof(key));
237 mbedtls_platform_zeroize(iv, sizeof(iv));
238 mbedtls_cipher_free(&cipher_ctx);
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]239
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]240 return ret;
Paul Bakker531e2942013-06-24 19:23:12 +0200[diff] [blame]241}
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]242
Valerio Settia69e8722023-12-21 16:37:29 +0100[diff] [blame]243#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */
Hanno Becker8a89f9f2018-10-12 10:46:32 +0100[diff] [blame]244
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]245static void pkcs12_fill_buffer(unsigned char *data, size_t data_len,
246 const unsigned char *filler, size_t fill_len)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]247{
248 unsigned char *p = data;
249 size_t use_len;
250
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]251 if (filler != NULL && fill_len != 0) {
252 while (data_len > 0) {
253 use_len = (data_len > fill_len) ? fill_len : data_len;
254 memcpy(p, filler, use_len);
Paul Elliott853c0da2021-11-11 19:00:38 +0000[diff] [blame]255 p += use_len;
256 data_len -= use_len;
257 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]258 } else {
Paul Elliott7298bef2021-12-02 17:51:34 +0000[diff] [blame]259 /* If either of the above are not true then clearly there is nothing
260 * that this function can do. The function should *not* be called
261 * under either of those circumstances, as you could end up with an
262 * incorrect output but for safety's sake, leaving the check in as
263 * otherwise we could end up with memory corruption.*/
264 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]265}
266
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]268static int calculate_hashes(mbedtls_md_type_t md_type, int iterations,
269 unsigned char *diversifier, unsigned char *salt_block,
270 unsigned char *pwd_block, unsigned char *hash_output, int use_salt,
271 int use_password, size_t hlen, size_t v)
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]272{
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]273 int ret = -1;
274 size_t i;
275 const mbedtls_md_info_t *md_info;
276 mbedtls_md_context_t md_ctx;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]277 md_info = mbedtls_md_info_from_type(md_type);
278 if (md_info == NULL) {
279 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
280 }
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 mbedtls_md_init(&md_ctx);
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]284 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
285 return ret;
286 }
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]287 // Calculate hash( diversifier || salt_block || pwd_block )
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]288 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]289 goto exit;
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]290 }
291
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]292 if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) {
293 goto exit;
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]294 }
295
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]296 if (use_salt != 0) {
297 if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) {
298 goto exit;
299 }
300 }
301
302 if (use_password != 0) {
303 if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) {
304 goto exit;
305 }
306 }
307
308 if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) {
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]309 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]310 }
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]311
312 // Perform remaining ( iterations - 1 ) recursive hash calculations
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]313 for (i = 1; i < (size_t) iterations; i++) {
314 if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output))
315 != 0) {
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]316 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]317 }
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]318 }
319
320exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 mbedtls_md_free(&md_ctx);
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]322 return ret;
Andrzej Kurek7bd12c52022-08-24 10:47:10 -0400[diff] [blame]323}
324
325
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
327 const unsigned char *pwd, size_t pwdlen,
328 const unsigned char *salt, size_t saltlen,
329 mbedtls_md_type_t md_type, int id, int iterations)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]330{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]331 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]332 unsigned int j;
333
334 unsigned char diversifier[128];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]335 unsigned char salt_block[128], pwd_block[128], hash_block[128] = { 0 };
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]336 unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]337 unsigned char *p;
338 unsigned char c;
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]339 int use_password = 0;
340 int use_salt = 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]341
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]342 size_t hlen, use_len, v, i;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]343
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]344 // This version only allows max of 64 bytes of password or salt
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]345 if (datalen > 128 || pwdlen > 64 || saltlen > 64) {
346 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]347 }
348
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]349 if (pwd == NULL && pwdlen != 0) {
350 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
351 }
352
353 if (salt == NULL && saltlen != 0) {
354 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
355 }
356
357 use_password = (pwd && pwdlen != 0);
358 use_salt = (salt && saltlen != 0);
359
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +0200[diff] [blame]360 hlen = mbedtls_md_get_size_from_type(md_type);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]361
362 if (hlen <= 32) {
363 v = 64;
364 } else {
365 v = 128;
366 }
367
368 memset(diversifier, (unsigned char) id, v);
369
370 if (use_salt != 0) {
371 pkcs12_fill_buffer(salt_block, v, salt, saltlen);
372 }
373
374 if (use_password != 0) {
375 pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen);
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]376 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]377
378 p = data;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]379 while (datalen > 0) {
380 if (calculate_hashes(md_type, iterations, diversifier, salt_block,
381 pwd_block, hash_output, use_salt, use_password, hlen,
382 v) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]383 goto exit;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]384 }
385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 use_len = (datalen > hlen) ? hlen : datalen;
387 memcpy(p, hash_output, use_len);
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]388 datalen -= use_len;
389 p += use_len;
390
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]391 if (datalen == 0) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]392 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]393 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]394
395 // Concatenating copies of hash_output into hash_block (B)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]396 pkcs12_fill_buffer(hash_block, v, hash_output, hlen);
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]397
398 // B += 1
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]399 for (i = v; i > 0; i--) {
400 if (++hash_block[i - 1] != 0) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]401 break;
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]402 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]403 }
404
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]405 if (use_salt != 0) {
406 // salt_block += B
407 c = 0;
408 for (i = v; i > 0; i--) {
409 j = salt_block[i - 1] + hash_block[i - 1] + c;
410 c = MBEDTLS_BYTE_1(j);
411 salt_block[i - 1] = MBEDTLS_BYTE_0(j);
412 }
413 }
414
415 if (use_password != 0) {
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]416 // pwd_block += B
417 c = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]418 for (i = v; i > 0; i--) {
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]419 j = pwd_block[i - 1] + hash_block[i - 1] + c;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]420 c = MBEDTLS_BYTE_1(j);
421 pwd_block[i - 1] = MBEDTLS_BYTE_0(j);
Paul Elliott4086bdb2021-11-18 14:02:21 +0000[diff] [blame]422 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]423 }
424 }
425
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]426 ret = 0;
427
428exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]429 mbedtls_platform_zeroize(salt_block, sizeof(salt_block));
430 mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block));
431 mbedtls_platform_zeroize(hash_block, sizeof(hash_block));
432 mbedtls_platform_zeroize(hash_output, sizeof(hash_output));
Paul Bakker91c301a2014-06-18 13:59:38 +0200[diff] [blame]433
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]434 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]435}
436
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]437#endif /* MBEDTLS_PKCS12_C */