lib/x509/pkcs12_encr.c

   1 /* minip12.c - A mini pkcs-12 implementation (modified for gnutls)
   2  *
   3  * Copyright (C) 2002-2012 Free Software Foundation, Inc.
   4  *
   5  * This file is part of GnuTLS.
   6  *
   7  * The GnuTLS is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU Lesser General Public License
   9  * as published by the Free Software Foundation; either version 3 of
  10  * the License, or (at your option) any later version.
  11  *
  12  * This library is distributed in the hope that it will be useful, but
  13  * WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  15  * Lesser General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU Lesser General Public License
  18  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  19  *
  20  */
  21
  22 #include <gnutls_int.h>
  23
  24 #include <gnutls_mpi.h>
  25 #include <gnutls_errors.h>
  26 #include <x509_int.h>
  27
  28 /* Returns 0 if the password is ok, or a negative error
  29  * code instead.
  30  */
  31 static int
  32 _pkcs12_check_pass (const char *pass, size_t plen)
  33 {
  34   unsigned int i;
  35
  36   for (i = 0; i < plen; i++)
  37     {
  38       if (isascii (pass[i]))
  39         continue;
  40       return GNUTLS_E_INVALID_PASSWORD;
  41     }
  42
  43   return 0;
  44 }
  45
  46 /* ID should be:
  47  * 3 for MAC
  48  * 2 for IV
  49  * 1 for encryption key
  50  */
  51 int
  52 _gnutls_pkcs12_string_to_key (unsigned int id, const uint8_t * salt,
  53                               unsigned int salt_size, unsigned int iter,
  54                               const char *pw, unsigned int req_keylen,
  55                               uint8_t * keybuf)
  56 {
  57   int rc;
  58   unsigned int i, j;
  59   digest_hd_st md;
  60   bigint_t num_b1 = NULL, num_ij = NULL;
  61   bigint_t mpi512 = NULL;
  62   unsigned int pwlen;
  63   uint8_t hash[20], buf_b[64], buf_i[128], *p;
  64   size_t cur_keylen;
  65   size_t n, m;
  66   const uint8_t buf_512[] =      /* 2^64 */
  67   { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  68     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  69     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  70     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  71     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  72     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
  73   };
  74
  75   cur_keylen = 0;
  76
  77   if (pw == NULL)
  78     pwlen = 0;
  79   else
  80     pwlen = strlen (pw);
  81
  82   if (pwlen > 63 / 2)
  83     {
  84       gnutls_assert ();
  85       return GNUTLS_E_INVALID_REQUEST;
  86     }
  87
  88   if ((rc = _pkcs12_check_pass (pw, pwlen)) < 0)
  89     {
  90       gnutls_assert ();
  91       return rc;
  92     }
  93
  94   rc = _gnutls_mpi_scan (&mpi512, buf_512, sizeof (buf_512));
  95   if (rc < 0)
  96     {
  97       gnutls_assert ();
  98       return rc;
  99     }
 100
 101   /* Store salt and password in BUF_I */
 102   p = buf_i;
 103   for (i = 0; i < 64; i++)
 104     *p++ = salt[i % salt_size];
 105   if (pw)
 106     {
 107       for (i = j = 0; i < 64; i += 2)
 108         {
 109           *p++ = 0;
 110           *p++ = pw[j];
 111           if (++j > pwlen)      /* Note, that we include the trailing (0) */
 112             j = 0;
 113         }
 114     }
 115   else
 116     memset (p, 0, 64);
 117
 118   for (;;)
 119     {
 120       rc = _gnutls_hash_init (&md, GNUTLS_MAC_SHA1);
 121       if (rc < 0)
 122         {
 123           gnutls_assert ();
 124           goto cleanup;
 125         }
 126       for (i = 0; i < 64; i++)
 127         {
 128           unsigned char lid = id & 0xFF;
 129           _gnutls_hash (&md, &lid, 1);
 130         }
 131       _gnutls_hash (&md, buf_i, pw ? 128 : 64);
 132       _gnutls_hash_deinit (&md, hash);
 133       for (i = 1; i < iter; i++)
 134         {
 135           rc = _gnutls_hash_init (&md, GNUTLS_MAC_SHA1);
 136           if (rc < 0)
 137             {
 138               gnutls_assert ();
 139               goto cleanup;
 140             }
 141           _gnutls_hash (&md, hash, 20);
 142           _gnutls_hash_deinit (&md, hash);
 143         }
 144       for (i = 0; i < 20 && cur_keylen < req_keylen; i++)
 145         keybuf[cur_keylen++] = hash[i];
 146       if (cur_keylen == req_keylen)
 147         {
 148           rc = 0;               /* ready */
 149           goto cleanup;
 150         }
 151
 152       /* need more bytes. */
 153       for (i = 0; i < 64; i++)
 154         buf_b[i] = hash[i % 20];
 155       n = 64;
 156       rc = _gnutls_mpi_scan (&num_b1, buf_b, n);
 157       if (rc < 0)
 158         {
 159           gnutls_assert ();
 160           goto cleanup;
 161         }
 162       _gnutls_mpi_add_ui (num_b1, num_b1, 1);
 163       for (i = 0; i < 128; i += 64)
 164         {
 165           n = 64;
 166           rc = _gnutls_mpi_scan (&num_ij, buf_i + i, n);
 167           if (rc < 0)
 168             {
 169               gnutls_assert ();
 170               goto cleanup;
 171             }
 172           _gnutls_mpi_addm (num_ij, num_ij, num_b1, mpi512);
 173           n = 64;
 174 #ifndef PKCS12_BROKEN_KEYGEN
 175           m = (_gnutls_mpi_get_nbits (num_ij) + 7) / 8;
 176 #else
 177           m = n;
 178 #endif
 179           memset (buf_i + i, 0, n - m);
 180           rc = _gnutls_mpi_print (num_ij, buf_i + i + n - m, &n);
 181           if (rc < 0)
 182             {
 183               gnutls_assert ();
 184               goto cleanup;
 185             }
 186           _gnutls_mpi_release (&num_ij);
 187         }
 188     }
 189 cleanup:
 190   _gnutls_mpi_release (&num_ij);
 191   _gnutls_mpi_release (&num_b1);
 192   _gnutls_mpi_release (&mpi512);
 193
 194   return rc;
 195 }
 196