TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/mbedtls-2.28 / . / library / pkcs12.c
blob: 55de216edb177a566a4278bc921e648f9948c933 [file] [log] [blame]
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]1/*
2 * PKCS#12 Personal Information Exchange Syntax
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman7ff79652023-11-03 12:04:52 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]6 */
7/*
8 * The PKCS #12 Personal Information Exchange Syntax Standard v1.1
9 *
10 * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
11 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]15
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]16#if defined(MBEDTLS_PKCS12_C)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]17
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]18#include "mbedtls/pkcs12.h"
19#include "mbedtls/asn1.h"
20#include "mbedtls/cipher.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]21#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]22#include "mbedtls/error.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]23
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]24#include <string.h>
25
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]26#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]27#include "mbedtls/arc4.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]28#endif
29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if defined(MBEDTLS_DES_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/des.h"
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]32#endif
33
Hanno Becker8a89f9f2018-10-12 10:46:32 +0100[diff] [blame]34#if defined(MBEDTLS_ASN1_PARSE_C)
35
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]36static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params,
37 mbedtls_asn1_buf *salt, int *iterations)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]38{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]39 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Waleed Elmelegyf9193932023-09-12 14:05:10 +0100[diff] [blame]40 unsigned char **p = &params->p;
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200[diff] [blame]41 const unsigned char *end = params->p + params->len;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]42
43 /*
44 * pkcs-12PbeParams ::= SEQUENCE {
45 * salt OCTET STRING,
46 * iterations INTEGER
47 * }
48 *
49 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]50 if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
51 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
52 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
53 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]54
Waleed Elmelegyf9193932023-09-12 14:05:10 +0100[diff] [blame]55 if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]56 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
57 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]58
Waleed Elmelegyf9193932023-09-12 14:05:10 +0100[diff] [blame]59 salt->p = *p;
60 *p += salt->len;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]61
Waleed Elmelegyf9193932023-09-12 14:05:10 +0100[diff] [blame]62 if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]63 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
64 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]65
Waleed Elmelegyf9193932023-09-12 14:05:10 +0100[diff] [blame]66 if (*p != end) {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]67 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
68 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
69 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]70
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]71 return 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]72}
73
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]74#define PKCS12_MAX_PWDLEN 128
75
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]76static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
77 const unsigned char *pwd, size_t pwdlen,
78 unsigned char *key, size_t keylen,
79 unsigned char *iv, size_t ivlen)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]80{
Nicholas Wilson409401c2016-04-13 11:48:25 +0100[diff] [blame]81 int ret, iterations = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82 mbedtls_asn1_buf salt;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]83 size_t i;
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]84 unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
85
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]86 if (pwdlen > PKCS12_MAX_PWDLEN) {
87 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
88 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]89
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]90 memset(&salt, 0, sizeof(mbedtls_asn1_buf));
91 memset(&unipwd, 0, sizeof(unipwd));
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]92
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]93 if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt,
94 &iterations)) != 0) {
95 return ret;
96 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]97
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]98 for (i = 0; i < pwdlen; i++) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]99 unipwd[i * 2 + 1] = pwd[i];
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]100 }
101
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]102 if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2,
103 salt.p, salt.len, md_type,
104 MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) {
105 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]106 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]107
108 if (iv == NULL || ivlen == 0) {
109 return 0;
110 }
111
112 if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2,
113 salt.p, salt.len, md_type,
114 MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) {
115 return ret;
116 }
117 return 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]118}
119
Manuel Pégourié-Gonnardd02a1da2015-09-28 18:34:48 +0200[diff] [blame]120#undef PKCS12_MAX_PWDLEN
121
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]122int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode,
123 const unsigned char *pwd, size_t pwdlen,
124 const unsigned char *data, size_t len,
125 unsigned char *output)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]126{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]127#if !defined(MBEDTLS_ARC4_C)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]128 ((void) pbe_params);
129 ((void) mode);
130 ((void) pwd);
131 ((void) pwdlen);
132 ((void) data);
133 ((void) len);
134 ((void) output);
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]135 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]136#else
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]137 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]138 unsigned char key[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]139 mbedtls_arc4_context ctx;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]140 ((void) mode);
141
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]142 mbedtls_arc4_init(&ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]143
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]144 if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, MBEDTLS_MD_SHA1,
145 pwd, pwdlen,
146 key, 16, NULL, 0)) != 0) {
147 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]148 }
149
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]150 mbedtls_arc4_setup(&ctx, key, 16);
151 if ((ret = mbedtls_arc4_crypt(&ctx, len, data, output)) != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]152 goto exit;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]153 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]154
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]155exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]156 mbedtls_platform_zeroize(key, sizeof(key));
157 mbedtls_arc4_free(&ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]158
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]159 return ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]160#endif /* MBEDTLS_ARC4_C */
Paul Bakker531e2942013-06-24 19:23:12 +0200[diff] [blame]161}
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]162
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100[diff] [blame]163#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
164int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
165 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
166 const unsigned char *pwd, size_t pwdlen,
167 const unsigned char *data, size_t len,
168 unsigned char *output, size_t output_size,
169 size_t *output_len);
170#endif
171
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]172int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
173 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
174 const unsigned char *pwd, size_t pwdlen,
175 const unsigned char *data, size_t len,
176 unsigned char *output)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]177{
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100[diff] [blame]178 size_t output_len = 0;
179
180 /* We assume caller of the function is providing a big enough output buffer
181 * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
182 * for the output size actually being correct.
183 */
184 return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
185 pwd, pwdlen, data, len, output, SIZE_MAX,
186 &output_len);
187}
188
189int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
190 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
191 const unsigned char *pwd, size_t pwdlen,
192 const unsigned char *data, size_t len,
193 unsigned char *output, size_t output_size,
194 size_t *output_len)
195{
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]196 int ret, keylen = 0;
197 unsigned char key[32];
198 unsigned char iv[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]199 const mbedtls_cipher_info_t *cipher_info;
200 mbedtls_cipher_context_t cipher_ctx;
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100[diff] [blame]201 size_t finish_olen = 0;
202 unsigned int padlen = 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]203
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]204 if (pwd == NULL && pwdlen != 0) {
205 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
206 }
Paul Elliottfe724fe2021-11-11 19:00:38 +0000[diff] [blame]207
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]208 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
209 if (cipher_info == NULL) {
210 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
211 }
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]212
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +0200[diff] [blame]213 keylen = cipher_info->key_bitlen / 8;
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]214
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100[diff] [blame]215 if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
216 if (output_size < len) {
217 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
218 }
219 }
220
221 if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
222 padlen = cipher_info->block_size - (len % cipher_info->block_size);
223 if (output_size < (len + padlen)) {
224 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
225 }
226 }
227
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]228 if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
229 key, keylen,
230 iv, cipher_info->iv_size)) != 0) {
231 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]232 }
233
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]234 mbedtls_cipher_init(&cipher_ctx);
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]235
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]236 if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]237 goto exit;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]238 }
239
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]240 if ((ret =
241 mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
242 (mbedtls_operation_t) mode)) != 0) {
243 goto exit;
244 }
245
Waleed Elmelegy38a89ad2023-09-04 15:11:22 +0100[diff] [blame]246#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
Dave Rodgman2af05c82023-10-13 14:40:14 +0100[diff] [blame]247 {
248 /* PKCS12 uses CBC with PKCS7 padding */
249 mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
Waleed Elmelegy38a89ad2023-09-04 15:11:22 +0100[diff] [blame]250#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
Dave Rodgman2af05c82023-10-13 14:40:14 +0100[diff] [blame]251 /* For historical reasons, when decrypting, this function works when
252 * decrypting even when support for PKCS7 padding is disabled. In this
253 * case, it ignores the padding, and so will never report a
254 * password mismatch.
255 */
256 if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
257 padding = MBEDTLS_PADDING_NONE;
258 }
Waleed Elmelegy38a89ad2023-09-04 15:11:22 +0100[diff] [blame]259#endif
Dave Rodgman2af05c82023-10-13 14:40:14 +0100[diff] [blame]260 if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
261 goto exit;
262 }
Waleed Elmelegy38a89ad2023-09-04 15:11:22 +0100[diff] [blame]263 }
264#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
265
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]266 if ((ret = mbedtls_cipher_set_iv(&cipher_ctx, iv, cipher_info->iv_size)) != 0) {
267 goto exit;
268 }
269
270 if ((ret = mbedtls_cipher_reset(&cipher_ctx)) != 0) {
271 goto exit;
272 }
273
274 if ((ret = mbedtls_cipher_update(&cipher_ctx, data, len,
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100[diff] [blame]275 output, output_len)) != 0) {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]276 goto exit;
277 }
278
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100[diff] [blame]279 if ((ret = mbedtls_cipher_finish(&cipher_ctx, output + (*output_len), &finish_olen)) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]280 ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]281 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]282
Waleed Elmelegy6060cf12023-09-06 15:48:08 +0100[diff] [blame]283 *output_len += finish_olen;
284
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]285exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]286 mbedtls_platform_zeroize(key, sizeof(key));
287 mbedtls_platform_zeroize(iv, sizeof(iv));
288 mbedtls_cipher_free(&cipher_ctx);
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]289
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]290 return ret;
Paul Bakker531e2942013-06-24 19:23:12 +0200[diff] [blame]291}
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]292
Hanno Becker8a89f9f2018-10-12 10:46:32 +0100[diff] [blame]293#endif /* MBEDTLS_ASN1_PARSE_C */
294
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]295static void pkcs12_fill_buffer(unsigned char *data, size_t data_len,
296 const unsigned char *filler, size_t fill_len)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]297{
298 unsigned char *p = data;
299 size_t use_len;
300
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]301 if (filler != NULL && fill_len != 0) {
302 while (data_len > 0) {
303 use_len = (data_len > fill_len) ? fill_len : data_len;
304 memcpy(p, filler, use_len);
Paul Elliottfe724fe2021-11-11 19:00:38 +0000[diff] [blame]305 p += use_len;
306 data_len -= use_len;
307 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]308 } else {
Paul Elliott8d7eef42021-12-02 17:51:34 +0000[diff] [blame]309 /* If either of the above are not true then clearly there is nothing
310 * that this function can do. The function should *not* be called
311 * under either of those circumstances, as you could end up with an
312 * incorrect output but for safety's sake, leaving the check in as
313 * otherwise we could end up with memory corruption.*/
314 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]315}
316
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]317int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
318 const unsigned char *pwd, size_t pwdlen,
319 const unsigned char *salt, size_t saltlen,
320 mbedtls_md_type_t md_type, int id, int iterations)
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]321{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]322 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]323 unsigned int j;
324
325 unsigned char diversifier[128];
326 unsigned char salt_block[128], pwd_block[128], hash_block[128];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]327 unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]328 unsigned char *p;
329 unsigned char c;
Paul Elliott7412eb42021-11-18 14:02:21 +0000[diff] [blame]330 int use_password = 0;
331 int use_salt = 0;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]332
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]333 size_t hlen, use_len, v, i;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]334
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]335 const mbedtls_md_info_t *md_info;
336 mbedtls_md_context_t md_ctx;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]337
338 // This version only allows max of 64 bytes of password or salt
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]339 if (datalen > 128 || pwdlen > 64 || saltlen > 64) {
340 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
Paul Elliott7412eb42021-11-18 14:02:21 +0000[diff] [blame]341 }
342
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]343 if (pwd == NULL && pwdlen != 0) {
344 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
345 }
346
347 if (salt == NULL && saltlen != 0) {
348 return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
349 }
350
351 use_password = (pwd && pwdlen != 0);
352 use_salt = (salt && saltlen != 0);
353
354 md_info = mbedtls_md_info_from_type(md_type);
355 if (md_info == NULL) {
356 return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
357 }
358
359 mbedtls_md_init(&md_ctx);
360
361 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
362 return ret;
363 }
364 hlen = mbedtls_md_get_size(md_info);
365
366 if (hlen <= 32) {
367 v = 64;
368 } else {
369 v = 128;
370 }
371
372 memset(diversifier, (unsigned char) id, v);
373
374 if (use_salt != 0) {
375 pkcs12_fill_buffer(salt_block, v, salt, saltlen);
376 }
377
378 if (use_password != 0) {
379 pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen);
Paul Elliott7412eb42021-11-18 14:02:21 +0000[diff] [blame]380 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]381
382 p = data;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]383 while (datalen > 0) {
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]384 // Calculate hash( diversifier || salt_block || pwd_block )
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]385 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]386 goto exit;
Paul Elliott7412eb42021-11-18 14:02:21 +0000[diff] [blame]387 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]388
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]389 if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) {
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]390 goto exit;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]391 }
392
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]393 if (use_salt != 0) {
394 if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) {
395 goto exit;
Paul Elliott7412eb42021-11-18 14:02:21 +0000[diff] [blame]396 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]397 }
398
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]399 if (use_password != 0) {
400 if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) {
401 goto exit;
402 }
403 }
404
405 if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) {
406 goto exit;
407 }
408
409 // Perform remaining ( iterations - 1 ) recursive hash calculations
410 for (i = 1; i < (size_t) iterations; i++) {
411 if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output)) != 0) {
412 goto exit;
413 }
414 }
415
416 use_len = (datalen > hlen) ? hlen : datalen;
417 memcpy(p, hash_output, use_len);
418 datalen -= use_len;
419 p += use_len;
420
421 if (datalen == 0) {
422 break;
423 }
424
425 // Concatenating copies of hash_output into hash_block (B)
426 pkcs12_fill_buffer(hash_block, v, hash_output, hlen);
427
428 // B += 1
429 for (i = v; i > 0; i--) {
430 if (++hash_block[i - 1] != 0) {
431 break;
432 }
433 }
434
435 if (use_salt != 0) {
436 // salt_block += B
437 c = 0;
438 for (i = v; i > 0; i--) {
439 j = salt_block[i - 1] + hash_block[i - 1] + c;
440 c = MBEDTLS_BYTE_1(j);
441 salt_block[i - 1] = MBEDTLS_BYTE_0(j);
442 }
443 }
444
445 if (use_password != 0) {
Paul Elliott7412eb42021-11-18 14:02:21 +0000[diff] [blame]446 // pwd_block += B
447 c = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]448 for (i = v; i > 0; i--) {
Paul Elliott7412eb42021-11-18 14:02:21 +0000[diff] [blame]449 j = pwd_block[i - 1] + hash_block[i - 1] + c;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]450 c = MBEDTLS_BYTE_1(j);
451 pwd_block[i - 1] = MBEDTLS_BYTE_0(j);
Paul Elliott7412eb42021-11-18 14:02:21 +0000[diff] [blame]452 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]453 }
454 }
455
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]456 ret = 0;
457
458exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]459 mbedtls_platform_zeroize(salt_block, sizeof(salt_block));
460 mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block));
461 mbedtls_platform_zeroize(hash_block, sizeof(hash_block));
462 mbedtls_platform_zeroize(hash_output, sizeof(hash_output));
Paul Bakker91c301a2014-06-18 13:59:38 +0200[diff] [blame]463
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]464 mbedtls_md_free(&md_ctx);
Paul Bakkerbd552442013-07-03 14:44:40 +0200[diff] [blame]465
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]466 return ret;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]467}
468
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]469#endif /* MBEDTLS_PKCS12_C */