• file
• revisions
• annotate
• diff
• comparison
• raw

security/nss/lib/softoken/lowpbe.c@6474c204b198 (annotated)

security/nss/lib/softoken/lowpbe.c

Wed, 31 Dec 2014 06:09:35 +0100

author

Michael Schloh von Bennewitz <michael@schloh.com>

date

Wed, 31 Dec 2014 06:09:35 +0100

changeset 0

6474c204b198

permissions

-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

michael@0	1	/* This Source Code Form is subject to the terms of the Mozilla Public
michael@0	2	* License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0	3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0	4
michael@0	5	#include "plarena.h"
michael@0	6
michael@0	7	#include "seccomon.h"
michael@0	8	#include "secitem.h"
michael@0	9	#include "secport.h"
michael@0	10	#include "hasht.h"
michael@0	11	#include "pkcs11t.h"
michael@0	12	#include "blapi.h"
michael@0	13	#include "hasht.h"
michael@0	14	#include "secasn1.h"
michael@0	15	#include "secder.h"
michael@0	16	#include "lowpbe.h"
michael@0	17	#include "secoid.h"
michael@0	18	#include "alghmac.h"
michael@0	19	#include "softoken.h"
michael@0	20	#include "secerr.h"
michael@0	21
michael@0	22	SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
michael@0	23
michael@0	24	/* template for PKCS 5 PBE Parameter. This template has been expanded
michael@0	25	* based upon the additions in PKCS 12. This should eventually be moved
michael@0	26	* if RSA updates PKCS 5.
michael@0	27	*/
michael@0	28	static const SEC_ASN1Template NSSPKCS5PBEParameterTemplate[] =
michael@0	29	{
michael@0	30	{ SEC_ASN1_SEQUENCE,
michael@0	31	0, NULL, sizeof(NSSPKCS5PBEParameter) },
michael@0	32	{ SEC_ASN1_OCTET_STRING,
michael@0	33	offsetof(NSSPKCS5PBEParameter, salt) },
michael@0	34	{ SEC_ASN1_INTEGER,
michael@0	35	offsetof(NSSPKCS5PBEParameter, iteration) },
michael@0	36	{ 0 }
michael@0	37	};
michael@0	38
michael@0	39	static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] =
michael@0	40	{
michael@0	41	{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) },
michael@0	42	{ SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) },
michael@0	43	{ SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) },
michael@0	44	{ 0 }
michael@0	45	};
michael@0	46
michael@0	47
michael@0	48	/* PKCS5 v2 */
michael@0	49
michael@0	50	struct nsspkcs5V2PBEParameterStr {
michael@0	51	SECAlgorithmID keyParams; /* parameters of the key generation */
michael@0	52	SECAlgorithmID algParams; /* parameters for the encryption or mac op */
michael@0	53	};
michael@0	54
michael@0	55	typedef struct nsspkcs5V2PBEParameterStr nsspkcs5V2PBEParameter;
michael@0	56	#define PBKDF2
michael@0	57
michael@0	58	#ifdef PBKDF2
michael@0	59	static const SEC_ASN1Template NSSPKCS5V2PBES2ParameterTemplate[] =
michael@0	60	{
michael@0	61	{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(nsspkcs5V2PBEParameter) },
michael@0	62	{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
michael@0	63	offsetof(nsspkcs5V2PBEParameter, keyParams),
michael@0	64	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
michael@0	65	{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
michael@0	66	offsetof(nsspkcs5V2PBEParameter, algParams),
michael@0	67	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
michael@0	68	{ 0 }
michael@0	69	};
michael@0	70
michael@0	71	static const SEC_ASN1Template NSSPKCS5V2PBEParameterTemplate[] =
michael@0	72	{
michael@0	73	{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) },
michael@0	74	/* this is really a choice, but since we don't understand any other
michael@0	75	*choice, just inline it. */
michael@0	76	{ SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) },
michael@0	77	{ SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) },
michael@0	78	{ SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, keyLength) },
michael@0	79	{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
michael@0	80	offsetof(NSSPKCS5PBEParameter, prfAlg),
michael@0	81	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
michael@0	82	{ 0 }
michael@0	83	};
michael@0	84	#endif
michael@0	85
michael@0	86	SECStatus
michael@0	87	nsspkcs5_HashBuf(const SECHashObject *hashObj, unsigned char *dest,
michael@0	88	unsigned char *src, int len)
michael@0	89	{
michael@0	90	void *ctx;
michael@0	91	unsigned int retLen;
michael@0	92
michael@0	93	ctx = hashObj->create();
michael@0	94	if(ctx == NULL) {
michael@0	95	return SECFailure;
michael@0	96	}
michael@0	97	hashObj->begin(ctx);
michael@0	98	hashObj->update(ctx, src, len);
michael@0	99	hashObj->end(ctx, dest, &retLen, hashObj->length);
michael@0	100	hashObj->destroy(ctx, PR_TRUE);
michael@0	101	return SECSuccess;
michael@0	102	}
michael@0	103
michael@0	104	/* generate bits using any hash
michael@0	105	*/
michael@0	106	static SECItem *
michael@0	107	nsspkcs5_PBKDF1(const SECHashObject *hashObj, SECItem *salt, SECItem *pwd,
michael@0	108	int iter, PRBool faulty3DES)
michael@0	109	{
michael@0	110	SECItem *hash = NULL, *pre_hash = NULL;
michael@0	111	SECStatus rv = SECFailure;
michael@0	112
michael@0	113	if((salt == NULL) || (pwd == NULL) || (iter < 0)) {
michael@0	114	return NULL;
michael@0	115	}
michael@0	116
michael@0	117	hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
michael@0	118	pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
michael@0	119
michael@0	120	if((hash != NULL) && (pre_hash != NULL)) {
michael@0	121	int i, ph_len;
michael@0	122
michael@0	123	ph_len = hashObj->length;
michael@0	124	if((salt->len + pwd->len) > hashObj->length) {
michael@0	125	ph_len = salt->len + pwd->len;
michael@0	126	}
michael@0	127
michael@0	128	rv = SECFailure;
michael@0	129
michael@0	130	/* allocate buffers */
michael@0	131	hash->len = hashObj->length;
michael@0	132	hash->data = (unsigned char *)PORT_ZAlloc(hash->len);
michael@0	133	pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len);
michael@0	134
michael@0	135	/* in pbeSHA1TripleDESCBC there was an allocation error that made
michael@0	136	* it into the caller. We do not want to propagate those errors
michael@0	137	* further, so we are doing it correctly, but reading the old method.
michael@0	138	*/
michael@0	139	if (faulty3DES) {
michael@0	140	pre_hash->len = ph_len;
michael@0	141	} else {
michael@0	142	pre_hash->len = salt->len + pwd->len;
michael@0	143	}
michael@0	144
michael@0	145	/* preform hash */
michael@0	146	if ((hash->data != NULL) && (pre_hash->data != NULL)) {
michael@0	147	rv = SECSuccess;
michael@0	148	/* check for 0 length password */
michael@0	149	if(pwd->len > 0) {
michael@0	150	PORT_Memcpy(pre_hash->data, pwd->data, pwd->len);
michael@0	151	}
michael@0	152	if(salt->len > 0) {
michael@0	153	PORT_Memcpy((pre_hash->data+pwd->len), salt->data, salt->len);
michael@0	154	}
michael@0	155	for(i = 0; ((i < iter) && (rv == SECSuccess)); i++) {
michael@0	156	rv = nsspkcs5_HashBuf(hashObj, hash->data,
michael@0	157	pre_hash->data, pre_hash->len);
michael@0	158	if(rv != SECFailure) {
michael@0	159	pre_hash->len = hashObj->length;
michael@0	160	PORT_Memcpy(pre_hash->data, hash->data, hashObj->length);
michael@0	161	}
michael@0	162	}
michael@0	163	}
michael@0	164	}
michael@0	165
michael@0	166	if(pre_hash != NULL) {
michael@0	167	SECITEM_FreeItem(pre_hash, PR_TRUE);
michael@0	168	}
michael@0	169
michael@0	170	if((rv != SECSuccess) && (hash != NULL)) {
michael@0	171	SECITEM_FreeItem(hash, PR_TRUE);
michael@0	172	hash = NULL;
michael@0	173	}
michael@0	174
michael@0	175	return hash;
michael@0	176	}
michael@0	177
michael@0	178	/* this bit generation routine is described in PKCS 12 and the proposed
michael@0	179	* extensions to PKCS 5. an initial hash is generated following the
michael@0	180	* instructions laid out in PKCS 5. If the number of bits generated is
michael@0	181	* insufficient, then the method discussed in the proposed extensions to
michael@0	182	* PKCS 5 in PKCS 12 are used. This extension makes use of the HMAC
michael@0	183	* function. And the P_Hash function from the TLS standard.
michael@0	184	*/
michael@0	185	static SECItem *
michael@0	186	nsspkcs5_PFXPBE(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param,
michael@0	187	SECItem *init_hash, unsigned int bytes_needed)
michael@0	188	{
michael@0	189	SECItem *ret_bits = NULL;
michael@0	190	int hash_size = 0;
michael@0	191	unsigned int i;
michael@0	192	unsigned int hash_iter;
michael@0	193	unsigned int dig_len;
michael@0	194	SECStatus rv = SECFailure;
michael@0	195	unsigned char *state = NULL;
michael@0	196	unsigned int state_len;
michael@0	197	HMACContext *cx = NULL;
michael@0	198
michael@0	199	hash_size = hashObj->length;
michael@0	200	hash_iter = (bytes_needed + (unsigned int)hash_size - 1) / hash_size;
michael@0	201
michael@0	202	/* allocate return buffer */
michael@0	203	ret_bits = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
michael@0	204	if(ret_bits == NULL)
michael@0	205	return NULL;
michael@0	206	ret_bits->data = (unsigned char *)PORT_ZAlloc((hash_iter * hash_size) + 1);
michael@0	207	ret_bits->len = (hash_iter * hash_size);
michael@0	208	if(ret_bits->data == NULL) {
michael@0	209	PORT_Free(ret_bits);
michael@0	210	return NULL;
michael@0	211	}
michael@0	212
michael@0	213	/* allocate intermediate hash buffer. 8 is for the 8 bytes of
michael@0	214	* data which are added based on iteration number
michael@0	215	*/
michael@0	216
michael@0	217	if ((unsigned int)hash_size > pbe_param->salt.len) {
michael@0	218	state_len = hash_size;
michael@0	219	} else {
michael@0	220	state_len = pbe_param->salt.len;
michael@0	221	}
michael@0	222	state = (unsigned char *)PORT_ZAlloc(state_len);
michael@0	223	if(state == NULL) {
michael@0	224	rv = SECFailure;
michael@0	225	goto loser;
michael@0	226	}
michael@0	227	if(pbe_param->salt.len > 0) {
michael@0	228	PORT_Memcpy(state, pbe_param->salt.data, pbe_param->salt.len);
michael@0	229	}
michael@0	230
michael@0	231	cx = HMAC_Create(hashObj, init_hash->data, init_hash->len, PR_TRUE);
michael@0	232	if (cx == NULL) {
michael@0	233	rv = SECFailure;
michael@0	234	goto loser;
michael@0	235	}
michael@0	236
michael@0	237	for(i = 0; i < hash_iter; i++) {
michael@0	238
michael@0	239	/* generate output bits */
michael@0	240	HMAC_Begin(cx);
michael@0	241	HMAC_Update(cx, state, state_len);
michael@0	242	HMAC_Update(cx, pbe_param->salt.data, pbe_param->salt.len);
michael@0	243	rv = HMAC_Finish(cx, ret_bits->data + (i * hash_size),
michael@0	244	&dig_len, hash_size);
michael@0	245	if (rv != SECSuccess)
michael@0	246	goto loser;
michael@0	247	PORT_Assert((unsigned int)hash_size == dig_len);
michael@0	248
michael@0	249	/* generate new state */
michael@0	250	HMAC_Begin(cx);
michael@0	251	HMAC_Update(cx, state, state_len);
michael@0	252	rv = HMAC_Finish(cx, state, &state_len, state_len);
michael@0	253	if (rv != SECSuccess)
michael@0	254	goto loser;
michael@0	255	PORT_Assert(state_len == dig_len);
michael@0	256	}
michael@0	257
michael@0	258	loser:
michael@0	259	if (state != NULL)
michael@0	260	PORT_ZFree(state, state_len);
michael@0	261	HMAC_Destroy(cx, PR_TRUE);
michael@0	262
michael@0	263	if(rv != SECSuccess) {
michael@0	264	SECITEM_ZfreeItem(ret_bits, PR_TRUE);
michael@0	265	ret_bits = NULL;
michael@0	266	}
michael@0	267
michael@0	268	return ret_bits;
michael@0	269	}
michael@0	270
michael@0	271	/* generate bits for the key and iv determination. if enough bits
michael@0	272	* are not generated using PKCS 5, then we need to generate more bits
michael@0	273	* based on the extension proposed in PKCS 12
michael@0	274	*/
michael@0	275	static SECItem *
michael@0	276	nsspkcs5_PBKDF1Extended(const SECHashObject *hashObj,
michael@0	277	NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, PRBool faulty3DES)
michael@0	278	{
michael@0	279	SECItem * hash = NULL;
michael@0	280	SECItem * newHash = NULL;
michael@0	281	int bytes_needed;
michael@0	282	int bytes_available;
michael@0	283
michael@0	284	bytes_needed = pbe_param->ivLen + pbe_param->keyLen;
michael@0	285	bytes_available = hashObj->length;
michael@0	286
michael@0	287	hash = nsspkcs5_PBKDF1(hashObj, &pbe_param->salt, pwitem,
michael@0	288	pbe_param->iter, faulty3DES);
michael@0	289
michael@0	290	if(hash == NULL) {
michael@0	291	return NULL;
michael@0	292	}
michael@0	293
michael@0	294	if(bytes_needed <= bytes_available) {
michael@0	295	return hash;
michael@0	296	}
michael@0	297
michael@0	298	newHash = nsspkcs5_PFXPBE(hashObj, pbe_param, hash, bytes_needed);
michael@0	299	if (hash != newHash)
michael@0	300	SECITEM_FreeItem(hash, PR_TRUE);
michael@0	301	return newHash;
michael@0	302	}
michael@0	303
michael@0	304	#ifdef PBKDF2
michael@0	305
michael@0	306	/*
michael@0	307	* PBDKDF2 is PKCS #5 v2.0 it's currently not used by NSS
michael@0	308	*/
michael@0	309	static void
michael@0	310	do_xor(unsigned char *dest, unsigned char *src, int len)
michael@0	311	{
michael@0	312	/* use byt xor, not all platforms are happy about inaligned
michael@0	313	* integer fetches */
michael@0	314	while (len--) {
michael@0	315	*dest = *dest ^ *src;
michael@0	316	dest++;
michael@0	317	src++;
michael@0	318	}
michael@0	319	}
michael@0	320
michael@0	321	static SECStatus
michael@0	322	nsspkcs5_PBKFD2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt,
michael@0	323	int iterations, unsigned int i, unsigned char *T)
michael@0	324	{
michael@0	325	int j;
michael@0	326	HMACContext *cx = NULL;
michael@0	327	unsigned int hLen = hashobj->length;
michael@0	328	SECStatus rv = SECFailure;
michael@0	329	unsigned char *last = NULL;
michael@0	330	unsigned int lastLength = salt->len + 4;
michael@0	331	unsigned int lastBufLength;
michael@0	332
michael@0	333	cx=HMAC_Create(hashobj,pwitem->data,pwitem->len,PR_FALSE);
michael@0	334	if (cx == NULL) {
michael@0	335	goto loser;
michael@0	336	}
michael@0	337	PORT_Memset(T,0,hLen);
michael@0	338	lastBufLength = PR_MAX(lastLength, hLen);
michael@0	339	last = PORT_Alloc(lastBufLength);
michael@0	340	if (last == NULL) {
michael@0	341	goto loser;
michael@0	342	}
michael@0	343	PORT_Memcpy(last,salt->data,salt->len);
michael@0	344	last[salt->len ] = (i >> 24) & 0xff;
michael@0	345	last[salt->len+1] = (i >> 16) & 0xff;
michael@0	346	last[salt->len+2] = (i >> 8) & 0xff;
michael@0	347	last[salt->len+3] = i & 0xff;
michael@0	348
michael@0	349	/* NOTE: we need at least one iteration to return success! */
michael@0	350	for (j=0; j < iterations; j++) {
michael@0	351	HMAC_Begin(cx);
michael@0	352	HMAC_Update(cx,last,lastLength);
michael@0	353	rv =HMAC_Finish(cx,last,&lastLength,hLen);
michael@0	354	if (rv !=SECSuccess) {
michael@0	355	break;
michael@0	356	}
michael@0	357	do_xor(T,last,hLen);
michael@0	358	}
michael@0	359	loser:
michael@0	360	if (cx) {
michael@0	361	HMAC_Destroy(cx, PR_TRUE);
michael@0	362	}
michael@0	363	if (last) {
michael@0	364	PORT_ZFree(last,lastBufLength);
michael@0	365	}
michael@0	366	return rv;
michael@0	367	}
michael@0	368
michael@0	369	static SECItem *
michael@0	370	nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param,
michael@0	371	SECItem *pwitem)
michael@0	372	{
michael@0	373	int iterations = pbe_param->iter;
michael@0	374	int bytesNeeded = pbe_param->keyLen;
michael@0	375	unsigned int dkLen = bytesNeeded;
michael@0	376	unsigned int hLen = hashobj->length;
michael@0	377	unsigned int nblocks = (dkLen+hLen-1) / hLen;
michael@0	378	unsigned int i;
michael@0	379	unsigned char *rp;
michael@0	380	unsigned char *T = NULL;
michael@0	381	SECItem *result = NULL;
michael@0	382	SECItem *salt = &pbe_param->salt;
michael@0	383	SECStatus rv = SECFailure;
michael@0	384
michael@0	385	result = SECITEM_AllocItem(NULL,NULL,nblocks*hLen);
michael@0	386	if (result == NULL) {
michael@0	387	return NULL;
michael@0	388	}
michael@0	389
michael@0	390	T = PORT_Alloc(hLen);
michael@0	391	if (T == NULL) {
michael@0	392	goto loser;
michael@0	393	}
michael@0	394
michael@0	395	for (i=1,rp=result->data; i <= nblocks ; i++, rp +=hLen) {
michael@0	396	rv = nsspkcs5_PBKFD2_F(hashobj,pwitem,salt,iterations,i,T);
michael@0	397	if (rv != SECSuccess) {
michael@0	398	break;
michael@0	399	}
michael@0	400	PORT_Memcpy(rp,T,hLen);
michael@0	401	}
michael@0	402
michael@0	403	loser:
michael@0	404	if (T) {
michael@0	405	PORT_ZFree(T,hLen);
michael@0	406	}
michael@0	407	if (rv != SECSuccess) {
michael@0	408	SECITEM_FreeItem(result,PR_TRUE);
michael@0	409	result = NULL;
michael@0	410	} else {
michael@0	411	result->len = dkLen;
michael@0	412	}
michael@0	413
michael@0	414	return result;
michael@0	415	}
michael@0	416	#endif
michael@0	417
michael@0	418	#define HMAC_BUFFER 64
michael@0	419	#define NSSPBE_ROUNDUP(x,y) ((((x)+((y)-1))/(y))*(y))
michael@0	420	#define NSSPBE_MIN(x,y) ((x) < (y) ? (x) : (y))
michael@0	421	/*
michael@0	422	* This is the extended PBE function defined by the final PKCS #12 spec.
michael@0	423	*/
michael@0	424	static SECItem *
michael@0	425	nsspkcs5_PKCS12PBE(const SECHashObject *hashObject,
michael@0	426	NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
michael@0	427	PBEBitGenID bitGenPurpose, unsigned int bytesNeeded)
michael@0	428	{
michael@0	429	PLArenaPool *arena = NULL;
michael@0	430	unsigned int SLen,PLen;
michael@0	431	unsigned int hashLength = hashObject->length;
michael@0	432	unsigned char *S, *P;
michael@0	433	SECItem *A = NULL, B, D, I;
michael@0	434	SECItem *salt = &pbe_param->salt;
michael@0	435	unsigned int c,i = 0;
michael@0	436	unsigned int hashLen;
michael@0	437	int iter;
michael@0	438	unsigned char *iterBuf;
michael@0	439	void *hash = NULL;
michael@0	440
michael@0	441	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
michael@0	442	if(!arena) {
michael@0	443	return NULL;
michael@0	444	}
michael@0	445
michael@0	446	/* how many hash object lengths are needed */
michael@0	447	c = (bytesNeeded + (hashLength-1))/hashLength;
michael@0	448
michael@0	449	/* initialize our buffers */
michael@0	450	D.len = HMAC_BUFFER;
michael@0	451	/* B and D are the same length, use one alloc go get both */
michael@0	452	D.data = (unsigned char*)PORT_ArenaZAlloc(arena, D.len*2);
michael@0	453	B.len = D.len;
michael@0	454	B.data = D.data + D.len;
michael@0	455
michael@0	456	/* if all goes well, A will be returned, so don't use our temp arena */
michael@0	457	A = SECITEM_AllocItem(NULL,NULL,c*hashLength);
michael@0	458	if (A == NULL) {
michael@0	459	goto loser;
michael@0	460	}
michael@0	461
michael@0	462	SLen = NSSPBE_ROUNDUP(salt->len,HMAC_BUFFER);
michael@0	463	PLen = NSSPBE_ROUNDUP(pwitem->len,HMAC_BUFFER);
michael@0	464	I.len = SLen+PLen;
michael@0	465	I.data = (unsigned char*)PORT_ArenaZAlloc(arena, I.len);
michael@0	466	if (I.data == NULL) {
michael@0	467	goto loser;
michael@0	468	}
michael@0	469
michael@0	470	/* S & P are only used to initialize I */
michael@0	471	S = I.data;
michael@0	472	P = S + SLen;
michael@0	473
michael@0	474	PORT_Memset(D.data, (char)bitGenPurpose, D.len);
michael@0	475	if (SLen) {
michael@0	476	for (i=0; i < SLen; i += salt->len) {
michael@0	477	PORT_Memcpy(S+i, salt->data, NSSPBE_MIN(SLen-i,salt->len));
michael@0	478	}
michael@0	479	}
michael@0	480	if (PLen) {
michael@0	481	for (i=0; i < PLen; i += pwitem->len) {
michael@0	482	PORT_Memcpy(P+i, pwitem->data, NSSPBE_MIN(PLen-i,pwitem->len));
michael@0	483	}
michael@0	484	}
michael@0	485
michael@0	486	iterBuf = (unsigned char*)PORT_ArenaZAlloc(arena,hashLength);
michael@0	487	if (iterBuf == NULL) {
michael@0	488	goto loser;
michael@0	489	}
michael@0	490
michael@0	491	hash = hashObject->create();
michael@0	492	if(!hash) {
michael@0	493	goto loser;
michael@0	494	}
michael@0	495	/* calculate the PBE now */
michael@0	496	for(i = 0; i < c; i++) {
michael@0	497	int Bidx; /* must be signed or the for loop won't terminate */
michael@0	498	unsigned int k, j;
michael@0	499	unsigned char *Ai = A->data+i*hashLength;
michael@0	500
michael@0	501
michael@0	502	for(iter = 0; iter < pbe_param->iter; iter++) {
michael@0	503	hashObject->begin(hash);
michael@0	504
michael@0	505	if (iter) {
michael@0	506	hashObject->update(hash, iterBuf, hashLen);
michael@0	507	} else {
michael@0	508	hashObject->update(hash, D.data, D.len);
michael@0	509	hashObject->update(hash, I.data, I.len);
michael@0	510	}
michael@0	511
michael@0	512	hashObject->end(hash, iterBuf, &hashLen, hashObject->length);
michael@0	513	if(hashLen != hashObject->length) {
michael@0	514	break;
michael@0	515	}
michael@0	516	}
michael@0	517
michael@0	518	PORT_Memcpy(Ai, iterBuf, hashLength);
michael@0	519	for (Bidx = 0; Bidx < B.len; Bidx += hashLength) {
michael@0	520	PORT_Memcpy(B.data+Bidx,iterBuf,NSSPBE_MIN(B.len-Bidx,hashLength));
michael@0	521	}
michael@0	522
michael@0	523	k = I.len/B.len;
michael@0	524	for(j = 0; j < k; j++) {
michael@0	525	unsigned int q, carryBit;
michael@0	526	unsigned char *Ij = I.data + j*B.len;
michael@0	527
michael@0	528	/* (Ij = Ij+B+1) */
michael@0	529	for (Bidx = (B.len-1), q=1, carryBit=0; Bidx >= 0; Bidx--,q=0) {
michael@0	530	q += (unsigned int)Ij[Bidx];
michael@0	531	q += (unsigned int)B.data[Bidx];
michael@0	532	q += carryBit;
michael@0	533
michael@0	534	carryBit = (q > 0xff);
michael@0	535	Ij[Bidx] = (unsigned char)(q & 0xff);
michael@0	536	}
michael@0	537	}
michael@0	538	}
michael@0	539	loser:
michael@0	540	if (hash) {
michael@0	541	hashObject->destroy(hash, PR_TRUE);
michael@0	542	}
michael@0	543	if(arena) {
michael@0	544	PORT_FreeArena(arena, PR_TRUE);
michael@0	545	}
michael@0	546
michael@0	547	if (A) {
michael@0	548	/* if i != c, then we didn't complete the loop above and must of failed
michael@0	549	* somwhere along the way */
michael@0	550	if (i != c) {
michael@0	551	SECITEM_ZfreeItem(A,PR_TRUE);
michael@0	552	A = NULL;
michael@0	553	} else {
michael@0	554	A->len = bytesNeeded;
michael@0	555	}
michael@0	556	}
michael@0	557
michael@0	558	return A;
michael@0	559	}
michael@0	560
michael@0	561	/*
michael@0	562	* generate key as per PKCS 5
michael@0	563	*/
michael@0	564	SECItem *
michael@0	565	nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
michael@0	566	SECItem *iv, PRBool faulty3DES)
michael@0	567	{
michael@0	568	SECItem *hash = NULL, *key = NULL;
michael@0	569	const SECHashObject *hashObj;
michael@0	570	PRBool getIV = PR_FALSE;
michael@0	571
michael@0	572	if((pbe_param == NULL) || (pwitem == NULL)) {
michael@0	573	return NULL;
michael@0	574	}
michael@0	575
michael@0	576	key = SECITEM_AllocItem(NULL,NULL,pbe_param->keyLen);
michael@0	577	if (key == NULL) {
michael@0	578	return NULL;
michael@0	579	}
michael@0	580
michael@0	581	if (iv && (pbe_param->ivLen) && (iv->data == NULL)) {
michael@0	582	getIV = PR_TRUE;
michael@0	583	iv->data = (unsigned char *)PORT_Alloc(pbe_param->ivLen);
michael@0	584	if (iv->data == NULL) {
michael@0	585	goto loser;
michael@0	586	}
michael@0	587	iv->len = pbe_param->ivLen;
michael@0	588	}
michael@0	589
michael@0	590	hashObj = HASH_GetRawHashObject(pbe_param->hashType);
michael@0	591	switch (pbe_param->pbeType) {
michael@0	592	case NSSPKCS5_PBKDF1:
michael@0	593	hash = nsspkcs5_PBKDF1Extended(hashObj,pbe_param,pwitem,faulty3DES);
michael@0	594	if (hash == NULL) {
michael@0	595	goto loser;
michael@0	596	}
michael@0	597	PORT_Assert(hash->len >= key->len+(getIV ? iv->len : 0));
michael@0	598	if (getIV) {
michael@0	599	PORT_Memcpy(iv->data, hash->data+(hash->len - iv->len),iv->len);
michael@0	600	}
michael@0	601
michael@0	602	break;
michael@0	603	#ifdef PBKDF2
michael@0	604	case NSSPKCS5_PBKDF2:
michael@0	605	hash = nsspkcs5_PBKDF2(hashObj,pbe_param,pwitem);
michael@0	606	if (getIV) {
michael@0	607	PORT_Memcpy(iv->data, pbe_param->ivData, iv->len);
michael@0	608	}
michael@0	609	break;
michael@0	610	#endif
michael@0	611	case NSSPKCS5_PKCS12_V2:
michael@0	612	if (getIV) {
michael@0	613	hash = nsspkcs5_PKCS12PBE(hashObj,pbe_param,pwitem,
michael@0	614	pbeBitGenCipherIV,iv->len);
michael@0	615	if (hash == NULL) {
michael@0	616	goto loser;
michael@0	617	}
michael@0	618	PORT_Memcpy(iv->data,hash->data,iv->len);
michael@0	619	SECITEM_ZfreeItem(hash,PR_TRUE);
michael@0	620	hash = NULL;
michael@0	621	}
michael@0	622	hash = nsspkcs5_PKCS12PBE(hashObj,pbe_param,pwitem,
michael@0	623	pbe_param->keyID,key->len);
michael@0	624	default:
michael@0	625	break;
michael@0	626	}
michael@0	627
michael@0	628	if (hash == NULL) {
michael@0	629	goto loser;
michael@0	630	}
michael@0	631
michael@0	632	if (pbe_param->is2KeyDES) {
michael@0	633	PORT_Memcpy(key->data, hash->data, (key->len * 2) / 3);
michael@0	634	PORT_Memcpy(&(key->data[(key->len * 2) / 3]), key->data,
michael@0	635	key->len / 3);
michael@0	636	} else {
michael@0	637	PORT_Memcpy(key->data, hash->data, key->len);
michael@0	638	}
michael@0	639
michael@0	640	SECITEM_ZfreeItem(hash, PR_TRUE);
michael@0	641	return key;
michael@0	642
michael@0	643	loser:
michael@0	644	if (getIV && iv->data) {
michael@0	645	PORT_ZFree(iv->data,iv->len);
michael@0	646	iv->data = NULL;
michael@0	647	}
michael@0	648
michael@0	649	SECITEM_ZfreeItem(key, PR_TRUE);
michael@0	650	return NULL;
michael@0	651	}
michael@0	652
michael@0	653	static SECStatus
michael@0	654	nsspkcs5_FillInParam(SECOidTag algorithm, NSSPKCS5PBEParameter *pbe_param)
michael@0	655	{
michael@0	656	PRBool skipType = PR_FALSE;
michael@0	657
michael@0	658	pbe_param->keyLen = 5;
michael@0	659	pbe_param->ivLen = 8;
michael@0	660	pbe_param->hashType = HASH_AlgSHA1;
michael@0	661	pbe_param->pbeType = NSSPKCS5_PBKDF1;
michael@0	662	pbe_param->encAlg = SEC_OID_RC2_CBC;
michael@0	663	pbe_param->is2KeyDES = PR_FALSE;
michael@0	664	switch(algorithm) {
michael@0	665	/* DES3 Algorithms */
michael@0	666	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
michael@0	667	pbe_param->is2KeyDES = PR_TRUE;
michael@0	668	/* fall through */
michael@0	669	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
michael@0	670	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
michael@0	671	/* fall through */
michael@0	672	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
michael@0	673	pbe_param->keyLen = 24;
michael@0	674	pbe_param->encAlg = SEC_OID_DES_EDE3_CBC;
michael@0	675	break;
michael@0	676
michael@0	677	/* DES Algorithms */
michael@0	678	case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
michael@0	679	pbe_param->hashType = HASH_AlgMD2;
michael@0	680	goto finish_des;
michael@0	681	case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
michael@0	682	pbe_param->hashType = HASH_AlgMD5;
michael@0	683	/* fall through */
michael@0	684	case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
michael@0	685	finish_des:
michael@0	686	pbe_param->keyLen = 8;
michael@0	687	pbe_param->encAlg = SEC_OID_DES_CBC;
michael@0	688	break;
michael@0	689
michael@0	690	/* RC2 Algorithms */
michael@0	691	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
michael@0	692	pbe_param->keyLen = 16;
michael@0	693	/* fall through */
michael@0	694	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
michael@0	695	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
michael@0	696	break;
michael@0	697	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
michael@0	698	pbe_param->keyLen = 16;
michael@0	699	/* fall through */
michael@0	700	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
michael@0	701	break;
michael@0	702
michael@0	703	/* RC4 algorithms */
michael@0	704	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
michael@0	705	skipType = PR_TRUE;
michael@0	706	/* fall through */
michael@0	707	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
michael@0	708	pbe_param->keyLen = 16;
michael@0	709	/* fall through */
michael@0	710	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
michael@0	711	if (!skipType) {
michael@0	712	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
michael@0	713	}
michael@0	714	/* fall through */
michael@0	715	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
michael@0	716	pbe_param->ivLen = 0;
michael@0	717	pbe_param->encAlg = SEC_OID_RC4;
michael@0	718	break;
michael@0	719
michael@0	720	#ifdef PBKDF2
michael@0	721	case SEC_OID_PKCS5_PBKDF2:
michael@0	722	case SEC_OID_PKCS5_PBES2:
michael@0	723	case SEC_OID_PKCS5_PBMAC1:
michael@0	724	/* everything else will be filled in by the template */
michael@0	725	pbe_param->ivLen = 0;
michael@0	726	pbe_param->pbeType = NSSPKCS5_PBKDF2;
michael@0	727	pbe_param->encAlg = SEC_OID_PKCS5_PBKDF2;
michael@0	728	pbe_param->keyLen = 0; /* needs to be set by caller after return */
michael@0	729	break;
michael@0	730	#endif
michael@0	731
michael@0	732	default:
michael@0	733	return SECFailure;
michael@0	734	}
michael@0	735
michael@0	736	return SECSuccess;
michael@0	737	}
michael@0	738
michael@0	739	/* decode the algid and generate a PKCS 5 parameter from it
michael@0	740	*/
michael@0	741	NSSPKCS5PBEParameter *
michael@0	742	nsspkcs5_NewParam(SECOidTag alg, SECItem *salt, int iterator)
michael@0	743	{
michael@0	744	PLArenaPool *arena = NULL;
michael@0	745	NSSPKCS5PBEParameter *pbe_param = NULL;
michael@0	746	SECStatus rv = SECFailure;
michael@0	747
michael@0	748	arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
michael@0	749	if (arena == NULL)
michael@0	750	return NULL;
michael@0	751
michael@0	752	/* allocate memory for the parameter */
michael@0	753	pbe_param = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena,
michael@0	754	sizeof(NSSPKCS5PBEParameter));
michael@0	755
michael@0	756	if (pbe_param == NULL) {
michael@0	757	goto loser;
michael@0	758	}
michael@0	759
michael@0	760	pbe_param->poolp = arena;
michael@0	761
michael@0	762	rv = nsspkcs5_FillInParam(alg, pbe_param);
michael@0	763	if (rv != SECSuccess) {
michael@0	764	goto loser;
michael@0	765	}
michael@0	766
michael@0	767	pbe_param->iter = iterator;
michael@0	768	if (salt) {
michael@0	769	rv = SECITEM_CopyItem(arena,&pbe_param->salt,salt);
michael@0	770	}
michael@0	771
michael@0	772	/* default key gen */
michael@0	773	pbe_param->keyID = pbeBitGenCipherKey;
michael@0	774
michael@0	775	loser:
michael@0	776	if (rv != SECSuccess) {
michael@0	777	PORT_FreeArena(arena, PR_TRUE);
michael@0	778	pbe_param = NULL;
michael@0	779	}
michael@0	780
michael@0	781	return pbe_param;
michael@0	782	}
michael@0	783
michael@0	784	/*
michael@0	785	* find the hash type needed to implement a specific HMAC.
michael@0	786	* OID definitions are from pkcs 5 v2.0 and 2.1
michael@0	787	*/
michael@0	788	HASH_HashType
michael@0	789	HASH_FromHMACOid(SECOidTag hmac)
michael@0	790	{
michael@0	791	switch (hmac) {
michael@0	792	case SEC_OID_HMAC_SHA1:
michael@0	793	return HASH_AlgSHA1;
michael@0	794	case SEC_OID_HMAC_SHA256:
michael@0	795	return HASH_AlgSHA256;
michael@0	796	case SEC_OID_HMAC_SHA384:
michael@0	797	return HASH_AlgSHA384;
michael@0	798	case SEC_OID_HMAC_SHA512:
michael@0	799	return HASH_AlgSHA512;
michael@0	800	case SEC_OID_HMAC_SHA224:
michael@0	801	default:
michael@0	802	break;
michael@0	803	}
michael@0	804	return HASH_AlgNULL;
michael@0	805	}
michael@0	806
michael@0	807	/* decode the algid and generate a PKCS 5 parameter from it
michael@0	808	*/
michael@0	809	NSSPKCS5PBEParameter *
michael@0	810	nsspkcs5_AlgidToParam(SECAlgorithmID *algid)
michael@0	811	{
michael@0	812	NSSPKCS5PBEParameter *pbe_param = NULL;
michael@0	813	nsspkcs5V2PBEParameter pbev2_param;
michael@0	814	SECOidTag algorithm;
michael@0	815	SECStatus rv = SECFailure;
michael@0	816
michael@0	817	if (algid == NULL) {
michael@0	818	return NULL;
michael@0	819	}
michael@0	820
michael@0	821	algorithm = SECOID_GetAlgorithmTag(algid);
michael@0	822	if (algorithm == SEC_OID_UNKNOWN) {
michael@0	823	goto loser;
michael@0	824	}
michael@0	825
michael@0	826	pbe_param = nsspkcs5_NewParam(algorithm, NULL, 1);
michael@0	827	if (pbe_param == NULL) {
michael@0	828	goto loser;
michael@0	829	}
michael@0	830
michael@0	831	/* decode parameter */
michael@0	832	rv = SECFailure;
michael@0	833	switch (pbe_param->pbeType) {
michael@0	834	case NSSPKCS5_PBKDF1:
michael@0	835	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
michael@0	836	NSSPKCS5PBEParameterTemplate, &algid->parameters);
michael@0	837	break;
michael@0	838	case NSSPKCS5_PKCS12_V2:
michael@0	839	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
michael@0	840	NSSPKCS5PKCS12V2PBEParameterTemplate, &algid->parameters);
michael@0	841	break;
michael@0	842	#ifdef PBKDF2
michael@0	843	case NSSPKCS5_PBKDF2:
michael@0	844	PORT_Memset(&pbev2_param,0, sizeof(pbev2_param));
michael@0	845	/* just the PBE */
michael@0	846	if (algorithm == SEC_OID_PKCS5_PBKDF2) {
michael@0	847	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
michael@0	848	NSSPKCS5V2PBEParameterTemplate, &algid->parameters);
michael@0	849	} else {
michael@0	850	/* PBE data an others */
michael@0	851	rv = SEC_ASN1DecodeItem(pbe_param->poolp, &pbev2_param,
michael@0	852	NSSPKCS5V2PBES2ParameterTemplate, &algid->parameters);
michael@0	853	if (rv != SECSuccess) {
michael@0	854	break;
michael@0	855	}
michael@0	856	pbe_param->encAlg = SECOID_GetAlgorithmTag(&pbev2_param.algParams);
michael@0	857	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
michael@0	858	NSSPKCS5V2PBEParameterTemplate,
michael@0	859	&pbev2_param.keyParams.parameters);
michael@0	860	if (rv != SECSuccess) {
michael@0	861	break;
michael@0	862	}
michael@0	863	pbe_param->keyLen = DER_GetInteger(&pbe_param->keyLength);
michael@0	864	}
michael@0	865	/* we we are encrypting, save any iv's */
michael@0	866	if (algorithm == SEC_OID_PKCS5_PBES2) {
michael@0	867	pbe_param->ivLen = pbev2_param.algParams.parameters.len;
michael@0	868	pbe_param->ivData = pbev2_param.algParams.parameters.data;
michael@0	869	}
michael@0	870	pbe_param->hashType =
michael@0	871	HASH_FromHMACOid(SECOID_GetAlgorithmTag(&pbe_param->prfAlg));
michael@0	872	if (pbe_param->hashType == HASH_AlgNULL) {
michael@0	873	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
michael@0	874	rv = SECFailure;
michael@0	875	}
michael@0	876	break;
michael@0	877	#endif
michael@0	878	}
michael@0	879
michael@0	880	loser:
michael@0	881	if (rv == SECSuccess) {
michael@0	882	pbe_param->iter = DER_GetInteger(&pbe_param->iteration);
michael@0	883	} else {
michael@0	884	nsspkcs5_DestroyPBEParameter(pbe_param);
michael@0	885	pbe_param = NULL;
michael@0	886	}
michael@0	887
michael@0	888	return pbe_param;
michael@0	889	}
michael@0	890
michael@0	891	/* destroy a pbe parameter. it assumes that the parameter was
michael@0	892	* generated using the appropriate create function and therefor
michael@0	893	* contains an arena pool.
michael@0	894	*/
michael@0	895	void
michael@0	896	nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *pbe_param)
michael@0	897	{
michael@0	898	if (pbe_param != NULL) {
michael@0	899	PORT_FreeArena(pbe_param->poolp, PR_FALSE);
michael@0	900	}
michael@0	901	}
michael@0	902
michael@0	903
michael@0	904	/* crypto routines */
michael@0	905	/* perform DES encryption and decryption. these routines are called
michael@0	906	* by nsspkcs5_CipherData. In the case of an error, NULL is returned.
michael@0	907	*/
michael@0	908	static SECItem *
michael@0	909	sec_pkcs5_des(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des,
michael@0	910	PRBool encrypt)
michael@0	911	{
michael@0	912	SECItem *dest;
michael@0	913	SECItem *dup_src;
michael@0	914	SECStatus rv = SECFailure;
michael@0	915	int pad;
michael@0	916
michael@0	917	if((src == NULL) || (key == NULL) || (iv == NULL))
michael@0	918	return NULL;
michael@0	919
michael@0	920	dup_src = SECITEM_DupItem(src);
michael@0	921	if(dup_src == NULL) {
michael@0	922	return NULL;
michael@0	923	}
michael@0	924
michael@0	925	if(encrypt != PR_FALSE) {
michael@0	926	void *dummy;
michael@0	927
michael@0	928	dummy = CBC_PadBuffer(NULL, dup_src->data,
michael@0	929	dup_src->len, &dup_src->len, 8 /* DES_BLOCK_SIZE */);
michael@0	930	if(dummy == NULL) {
michael@0	931	SECITEM_FreeItem(dup_src, PR_TRUE);
michael@0	932	return NULL;
michael@0	933	}
michael@0	934	dup_src->data = (unsigned char*)dummy;
michael@0	935	}
michael@0	936
michael@0	937	dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
michael@0	938	if(dest != NULL) {
michael@0	939	/* allocate with over flow */
michael@0	940	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
michael@0	941	if(dest->data != NULL) {
michael@0	942	DESContext *ctxt;
michael@0	943	ctxt = DES_CreateContext(key->data, iv->data,
michael@0	944	(triple_des ? NSS_DES_EDE3_CBC : NSS_DES_CBC),
michael@0	945	encrypt);
michael@0	946
michael@0	947	if(ctxt != NULL) {
michael@0	948	rv = (encrypt ? DES_Encrypt : DES_Decrypt)(
michael@0	949	ctxt, dest->data, &dest->len,
michael@0	950	dup_src->len + 64, dup_src->data, dup_src->len);
michael@0	951
michael@0	952	/* remove padding -- assumes 64 bit blocks */
michael@0	953	if((encrypt == PR_FALSE) && (rv == SECSuccess)) {
michael@0	954	pad = dest->data[dest->len-1];
michael@0	955	if((pad > 0) && (pad <= 8)) {
michael@0	956	if(dest->data[dest->len-pad] != pad) {
michael@0	957	rv = SECFailure;
michael@0	958	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
michael@0	959	} else {
michael@0	960	dest->len -= pad;
michael@0	961	}
michael@0	962	} else {
michael@0	963	rv = SECFailure;
michael@0	964	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
michael@0	965	}
michael@0	966	}
michael@0	967	DES_DestroyContext(ctxt, PR_TRUE);
michael@0	968	}
michael@0	969	}
michael@0	970	}
michael@0	971
michael@0	972	if(rv == SECFailure) {
michael@0	973	if(dest != NULL) {
michael@0	974	SECITEM_FreeItem(dest, PR_TRUE);
michael@0	975	}
michael@0	976	dest = NULL;
michael@0	977	}
michael@0	978
michael@0	979	if(dup_src != NULL) {
michael@0	980	SECITEM_FreeItem(dup_src, PR_TRUE);
michael@0	981	}
michael@0	982
michael@0	983	return dest;
michael@0	984	}
michael@0	985
michael@0	986	/* perform aes encryption/decryption if an error occurs, NULL is returned
michael@0	987	*/
michael@0	988	static SECItem *
michael@0	989	sec_pkcs5_aes(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des,
michael@0	990	PRBool encrypt)
michael@0	991	{
michael@0	992	SECItem *dest;
michael@0	993	SECItem *dup_src;
michael@0	994	SECStatus rv = SECFailure;
michael@0	995	int pad;
michael@0	996
michael@0	997	if((src == NULL) || (key == NULL) || (iv == NULL))
michael@0	998	return NULL;
michael@0	999
michael@0	1000	dup_src = SECITEM_DupItem(src);
michael@0	1001	if(dup_src == NULL) {
michael@0	1002	return NULL;
michael@0	1003	}
michael@0	1004
michael@0	1005	if(encrypt != PR_FALSE) {
michael@0	1006	void *dummy;
michael@0	1007
michael@0	1008	dummy = CBC_PadBuffer(NULL, dup_src->data,
michael@0	1009	dup_src->len, &dup_src->len,AES_BLOCK_SIZE);
michael@0	1010	if(dummy == NULL) {
michael@0	1011	SECITEM_FreeItem(dup_src, PR_TRUE);
michael@0	1012	return NULL;
michael@0	1013	}
michael@0	1014	dup_src->data = (unsigned char*)dummy;
michael@0	1015	}
michael@0	1016
michael@0	1017	dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
michael@0	1018	if(dest != NULL) {
michael@0	1019	/* allocate with over flow */
michael@0	1020	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
michael@0	1021	if(dest->data != NULL) {
michael@0	1022	AESContext *ctxt;
michael@0	1023	ctxt = AES_CreateContext(key->data, iv->data,
michael@0	1024	NSS_AES_CBC, encrypt, key->len, 16);
michael@0	1025
michael@0	1026	if(ctxt != NULL) {
michael@0	1027	rv = (encrypt ? AES_Encrypt : AES_Decrypt)(
michael@0	1028	ctxt, dest->data, &dest->len,
michael@0	1029	dup_src->len + 64, dup_src->data, dup_src->len);
michael@0	1030
michael@0	1031	/* remove padding -- assumes 64 bit blocks */
michael@0	1032	if((encrypt == PR_FALSE) && (rv == SECSuccess)) {
michael@0	1033	pad = dest->data[dest->len-1];
michael@0	1034	if((pad > 0) && (pad <= 16)) {
michael@0	1035	if(dest->data[dest->len-pad] != pad) {
michael@0	1036	rv = SECFailure;
michael@0	1037	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
michael@0	1038	} else {
michael@0	1039	dest->len -= pad;
michael@0	1040	}
michael@0	1041	} else {
michael@0	1042	rv = SECFailure;
michael@0	1043	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
michael@0	1044	}
michael@0	1045	}
michael@0	1046	AES_DestroyContext(ctxt, PR_TRUE);
michael@0	1047	}
michael@0	1048	}
michael@0	1049	}
michael@0	1050
michael@0	1051	if(rv == SECFailure) {
michael@0	1052	if(dest != NULL) {
michael@0	1053	SECITEM_FreeItem(dest, PR_TRUE);
michael@0	1054	}
michael@0	1055	dest = NULL;
michael@0	1056	}
michael@0	1057
michael@0	1058	if(dup_src != NULL) {
michael@0	1059	SECITEM_FreeItem(dup_src, PR_TRUE);
michael@0	1060	}
michael@0	1061
michael@0	1062	return dest;
michael@0	1063	}
michael@0	1064
michael@0	1065	/* perform rc2 encryption/decryption if an error occurs, NULL is returned
michael@0	1066	*/
michael@0	1067	static SECItem *
michael@0	1068	sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy,
michael@0	1069	PRBool encrypt)
michael@0	1070	{
michael@0	1071	SECItem *dest;
michael@0	1072	SECItem *dup_src;
michael@0	1073	SECStatus rv = SECFailure;
michael@0	1074	int pad;
michael@0	1075
michael@0	1076	if((src == NULL) || (key == NULL) || (iv == NULL)) {
michael@0	1077	return NULL;
michael@0	1078	}
michael@0	1079
michael@0	1080	dup_src = SECITEM_DupItem(src);
michael@0	1081	if(dup_src == NULL) {
michael@0	1082	return NULL;
michael@0	1083	}
michael@0	1084
michael@0	1085	if(encrypt != PR_FALSE) {
michael@0	1086	void *dummy;
michael@0	1087
michael@0	1088	dummy = CBC_PadBuffer(NULL, dup_src->data,
michael@0	1089	dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */);
michael@0	1090	if(dummy == NULL) {
michael@0	1091	SECITEM_FreeItem(dup_src, PR_TRUE);
michael@0	1092	return NULL;
michael@0	1093	}
michael@0	1094	dup_src->data = (unsigned char*)dummy;
michael@0	1095	}
michael@0	1096
michael@0	1097	dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
michael@0	1098	if(dest != NULL) {
michael@0	1099	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
michael@0	1100	if(dest->data != NULL) {
michael@0	1101	RC2Context *ctxt;
michael@0	1102
michael@0	1103	ctxt = RC2_CreateContext(key->data, key->len, iv->data,
michael@0	1104	NSS_RC2_CBC, key->len);
michael@0	1105
michael@0	1106	if(ctxt != NULL) {
michael@0	1107	rv = (encrypt ? RC2_Encrypt: RC2_Decrypt)(
michael@0	1108	ctxt, dest->data, &dest->len,
michael@0	1109	dup_src->len + 64, dup_src->data, dup_src->len);
michael@0	1110
michael@0	1111	/* assumes 8 byte blocks -- remove padding */
michael@0	1112	if((rv == SECSuccess) && (encrypt != PR_TRUE)) {
michael@0	1113	pad = dest->data[dest->len-1];
michael@0	1114	if((pad > 0) && (pad <= 8)) {
michael@0	1115	if(dest->data[dest->len-pad] != pad) {
michael@0	1116	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
michael@0	1117	rv = SECFailure;
michael@0	1118	} else {
michael@0	1119	dest->len -= pad;
michael@0	1120	}
michael@0	1121	} else {
michael@0	1122	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
michael@0	1123	rv = SECFailure;
michael@0	1124	}
michael@0	1125	}
michael@0	1126
michael@0	1127	}
michael@0	1128	}
michael@0	1129	}
michael@0	1130
michael@0	1131	if((rv != SECSuccess) && (dest != NULL)) {
michael@0	1132	SECITEM_FreeItem(dest, PR_TRUE);
michael@0	1133	dest = NULL;
michael@0	1134	}
michael@0	1135
michael@0	1136	if(dup_src != NULL) {
michael@0	1137	SECITEM_FreeItem(dup_src, PR_TRUE);
michael@0	1138	}
michael@0	1139
michael@0	1140	return dest;
michael@0	1141	}
michael@0	1142
michael@0	1143	/* perform rc4 encryption and decryption */
michael@0	1144	static SECItem *
michael@0	1145	sec_pkcs5_rc4(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy_op,
michael@0	1146	PRBool encrypt)
michael@0	1147	{
michael@0	1148	SECItem *dest;
michael@0	1149	SECStatus rv = SECFailure;
michael@0	1150
michael@0	1151	if((src == NULL) || (key == NULL) || (iv == NULL)) {
michael@0	1152	return NULL;
michael@0	1153	}
michael@0	1154
michael@0	1155	dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
michael@0	1156	if(dest != NULL) {
michael@0	1157	dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
michael@0	1158	(src->len + 64));
michael@0	1159	if(dest->data != NULL) {
michael@0	1160	RC4Context *ctxt;
michael@0	1161
michael@0	1162	ctxt = RC4_CreateContext(key->data, key->len);
michael@0	1163	if(ctxt) {
michael@0	1164	rv = (encrypt ? RC4_Encrypt : RC4_Decrypt)(
michael@0	1165	ctxt, dest->data, &dest->len,
michael@0	1166	src->len + 64, src->data, src->len);
michael@0	1167	RC4_DestroyContext(ctxt, PR_TRUE);
michael@0	1168	}
michael@0	1169	}
michael@0	1170	}
michael@0	1171
michael@0	1172	if((rv != SECSuccess) && (dest)) {
michael@0	1173	SECITEM_FreeItem(dest, PR_TRUE);
michael@0	1174	dest = NULL;
michael@0	1175	}
michael@0	1176
michael@0	1177	return dest;
michael@0	1178	}
michael@0	1179	/* function pointer template for crypto functions */
michael@0	1180	typedef SECItem *(* pkcs5_crypto_func)(SECItem *key, SECItem *iv,
michael@0	1181	SECItem *src, PRBool op1, PRBool op2);
michael@0	1182
michael@0	1183	/* performs the cipher operation on the src and returns the result.
michael@0	1184	* if an error occurs, NULL is returned.
michael@0	1185	*
michael@0	1186	* a null length password is allowed. this corresponds to encrypting
michael@0	1187	* the data with ust the salt.
michael@0	1188	*/
michael@0	1189	/* change this to use PKCS 11? */
michael@0	1190	SECItem *
michael@0	1191	nsspkcs5_CipherData(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
michael@0	1192	SECItem *src, PRBool encrypt, PRBool *update)
michael@0	1193	{
michael@0	1194	SECItem *key = NULL, iv;
michael@0	1195	SECItem *dest = NULL;
michael@0	1196	PRBool tripleDES = PR_TRUE;
michael@0	1197	pkcs5_crypto_func cryptof;
michael@0	1198
michael@0	1199	iv.data = NULL;
michael@0	1200
michael@0	1201	if (update) {
michael@0	1202	*update = PR_FALSE;
michael@0	1203	}
michael@0	1204
michael@0	1205	if ((pwitem == NULL) || (src == NULL)) {
michael@0	1206	return NULL;
michael@0	1207	}
michael@0	1208
michael@0	1209	/* get key, and iv */
michael@0	1210	key = nsspkcs5_ComputeKeyAndIV(pbe_param, pwitem, &iv, PR_FALSE);
michael@0	1211	if(key == NULL) {
michael@0	1212	return NULL;
michael@0	1213	}
michael@0	1214
michael@0	1215	switch(pbe_param->encAlg) {
michael@0	1216	/* PKCS 5 v2 only */
michael@0	1217	case SEC_OID_AES_128_CBC:
michael@0	1218	case SEC_OID_AES_192_CBC:
michael@0	1219	case SEC_OID_AES_256_CBC:
michael@0	1220	cryptof = sec_pkcs5_aes;
michael@0	1221	break;
michael@0	1222	case SEC_OID_DES_EDE3_CBC:
michael@0	1223	cryptof = sec_pkcs5_des;
michael@0	1224	tripleDES = PR_TRUE;
michael@0	1225	break;
michael@0	1226	case SEC_OID_DES_CBC:
michael@0	1227	cryptof = sec_pkcs5_des;
michael@0	1228	tripleDES = PR_FALSE;
michael@0	1229	break;
michael@0	1230	case SEC_OID_RC2_CBC:
michael@0	1231	cryptof = sec_pkcs5_rc2;
michael@0	1232	break;
michael@0	1233	case SEC_OID_RC4:
michael@0	1234	cryptof = sec_pkcs5_rc4;
michael@0	1235	break;
michael@0	1236	default:
michael@0	1237	cryptof = NULL;
michael@0	1238	break;
michael@0	1239	}
michael@0	1240
michael@0	1241	if (cryptof == NULL) {
michael@0	1242	goto loser;
michael@0	1243	}
michael@0	1244
michael@0	1245	dest = (*cryptof)(key, &iv, src, tripleDES, encrypt);
michael@0	1246	/*
michael@0	1247	* it's possible for some keys and keydb's to claim to
michael@0	1248	* be triple des when they're really des. In this case
michael@0	1249	* we simply try des. If des works we set the update flag
michael@0	1250	* so the key db knows it needs to update all it's entries.
michael@0	1251	* The case can only happen on decrypted of a
michael@0	1252	* SEC_OID_DES_EDE3_CBD.
michael@0	1253	*/
michael@0	1254	if ((dest == NULL) && (encrypt == PR_FALSE) &&
michael@0	1255	(pbe_param->encAlg == SEC_OID_DES_EDE3_CBC)) {
michael@0	1256	dest = (*cryptof)(key, &iv, src, PR_FALSE, encrypt);
michael@0	1257	if (update && (dest != NULL)) *update = PR_TRUE;
michael@0	1258	}
michael@0	1259
michael@0	1260	loser:
michael@0	1261	if (key != NULL) {
michael@0	1262	SECITEM_ZfreeItem(key, PR_TRUE);
michael@0	1263	}
michael@0	1264	if (iv.data != NULL) {
michael@0	1265	SECITEM_ZfreeItem(&iv, PR_FALSE);
michael@0	1266	}
michael@0	1267
michael@0	1268	return dest;
michael@0	1269	}
michael@0	1270
michael@0	1271	/* creates a algorithm ID containing the PBE algorithm and appropriate
michael@0	1272	* parameters. the required parameter is the algorithm. if salt is
michael@0	1273	* not specified, it is generated randomly. if IV is specified, it overrides
michael@0	1274	* the PKCS 5 generation of the IV.
michael@0	1275	*
michael@0	1276	* the returned SECAlgorithmID should be destroyed using
michael@0	1277	* SECOID_DestroyAlgorithmID
michael@0	1278	*/
michael@0	1279	SECAlgorithmID *
michael@0	1280	nsspkcs5_CreateAlgorithmID(PLArenaPool *arena, SECOidTag algorithm,
michael@0	1281	NSSPKCS5PBEParameter *pbe_param)
michael@0	1282	{
michael@0	1283	SECAlgorithmID *algid, *ret_algid = NULL;
michael@0	1284	SECItem der_param;
michael@0	1285	nsspkcs5V2PBEParameter pkcs5v2_param;
michael@0	1286
michael@0	1287	SECStatus rv = SECFailure;
michael@0	1288	void *dummy = NULL;
michael@0	1289
michael@0	1290	if (arena == NULL) {
michael@0	1291	return NULL;
michael@0	1292	}
michael@0	1293
michael@0	1294	der_param.data = NULL;
michael@0	1295	der_param.len = 0;
michael@0	1296
michael@0	1297	/* generate the algorithm id */
michael@0	1298	algid = (SECAlgorithmID *)PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID));
michael@0	1299	if (algid == NULL) {
michael@0	1300	goto loser;
michael@0	1301	}
michael@0	1302
michael@0	1303	if (pbe_param->iteration.data == NULL) {
michael@0	1304	dummy = SEC_ASN1EncodeInteger(pbe_param->poolp,&pbe_param->iteration,
michael@0	1305	pbe_param->iter);
michael@0	1306	if (dummy == NULL) {
michael@0	1307	goto loser;
michael@0	1308	}
michael@0	1309	}
michael@0	1310	switch (pbe_param->pbeType) {
michael@0	1311	case NSSPKCS5_PBKDF1:
michael@0	1312	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
michael@0	1313	NSSPKCS5PBEParameterTemplate);
michael@0	1314	break;
michael@0	1315	case NSSPKCS5_PKCS12_V2:
michael@0	1316	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
michael@0	1317	NSSPKCS5PKCS12V2PBEParameterTemplate);
michael@0	1318	break;
michael@0	1319	#ifdef PBKDF2
michael@0	1320	case NSSPKCS5_PBKDF2:
michael@0	1321	if (pbe_param->keyLength.data == NULL) {
michael@0	1322	dummy = SEC_ASN1EncodeInteger(pbe_param->poolp,
michael@0	1323	&pbe_param->keyLength, pbe_param->keyLen);
michael@0	1324	if (dummy == NULL) {
michael@0	1325	goto loser;
michael@0	1326	}
michael@0	1327	}
michael@0	1328	PORT_Memset(&pkcs5v2_param, 0, sizeof(pkcs5v2_param));
michael@0	1329	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
michael@0	1330	NSSPKCS5V2PBEParameterTemplate);
michael@0	1331	if (dummy == NULL) {
michael@0	1332	break;
michael@0	1333	}
michael@0	1334	dummy = NULL;
michael@0	1335	rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.keyParams,
michael@0	1336	SEC_OID_PKCS5_PBKDF2, &der_param);
michael@0	1337	if (rv != SECSuccess) {
michael@0	1338	break;
michael@0	1339	}
michael@0	1340	der_param.data = pbe_param->ivData;
michael@0	1341	der_param.len = pbe_param->ivLen;
michael@0	1342	rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.algParams,
michael@0	1343	pbe_param->encAlg, pbe_param->ivLen ? &der_param : NULL);
michael@0	1344	if (rv != SECSuccess) {
michael@0	1345	break;
michael@0	1346	}
michael@0	1347	dummy = SEC_ASN1EncodeItem(arena, &der_param, &pkcs5v2_param,
michael@0	1348	NSSPKCS5V2PBES2ParameterTemplate);
michael@0	1349	break;
michael@0	1350	#endif
michael@0	1351	default:
michael@0	1352	break;
michael@0	1353	}
michael@0	1354
michael@0	1355	if (dummy == NULL) {
michael@0	1356	goto loser;
michael@0	1357	}
michael@0	1358
michael@0	1359	rv = SECOID_SetAlgorithmID(arena, algid, algorithm, &der_param);
michael@0	1360	if (rv != SECSuccess) {
michael@0	1361	goto loser;
michael@0	1362	}
michael@0	1363
michael@0	1364	ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
michael@0	1365	if (ret_algid == NULL) {
michael@0	1366	goto loser;
michael@0	1367	}
michael@0	1368
michael@0	1369	rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
michael@0	1370	if (rv != SECSuccess) {
michael@0	1371	SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
michael@0	1372	ret_algid = NULL;
michael@0	1373	}
michael@0	1374
michael@0	1375	loser:
michael@0	1376
michael@0	1377	return ret_algid;
michael@0	1378	}