1/*
2 * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include "internal/cryptlib.h"
12#include <openssl/pkcs12.h>
13#include <openssl/trace.h>
14
15/*
16 * Encrypt/Decrypt a buffer based on password and algor, result in a
17 * OPENSSL_malloc'ed buffer
18 */
19unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
20 const char *pass, int passlen,
21 const unsigned char *in, int inlen,
22 unsigned char **data, int *datalen, int en_de)
23{
24 unsigned char *out = NULL;
25 int outlen, i;
26 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
27
28 if (ctx == NULL) {
29 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE);
30 goto err;
31 }
32
33 /* Decrypt data */
34 if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen,
35 algor->parameter, ctx, en_de)) {
36 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
37 PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
38 goto err;
39 }
40
41 if ((out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(ctx)))
42 == NULL) {
43 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE);
44 goto err;
45 }
46
47 if (!EVP_CipherUpdate(ctx, out, &i, in, inlen)) {
48 OPENSSL_free(out);
49 out = NULL;
50 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_EVP_LIB);
51 goto err;
52 }
53
54 outlen = i;
55 if (!EVP_CipherFinal_ex(ctx, out + i, &i)) {
56 OPENSSL_free(out);
57 out = NULL;
58 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
59 PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
60 goto err;
61 }
62 outlen += i;
63 if (datalen)
64 *datalen = outlen;
65 if (data)
66 *data = out;
67 err:
68 EVP_CIPHER_CTX_free(ctx);
69 return out;
70
71}
72
73/*
74 * Decrypt an OCTET STRING and decode ASN1 structure if zbuf set zero buffer
75 * after use.
76 */
77
78void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
79 const char *pass, int passlen,
80 const ASN1_OCTET_STRING *oct, int zbuf)
81{
82 unsigned char *out;
83 const unsigned char *p;
84 void *ret;
85 int outlen;
86
87 if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
88 &out, &outlen, 0)) {
89 PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
90 PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
91 return NULL;
92 }
93 p = out;
94 OSSL_TRACE_BEGIN(PKCS12_DECRYPT) {
95 BIO_printf(trc_out, "\n");
96 BIO_dump(trc_out, out, outlen);
97 BIO_printf(trc_out, "\n");
98 } OSSL_TRACE_END(PKCS12_DECRYPT);
99 ret = ASN1_item_d2i(NULL, &p, outlen, it);
100 if (zbuf)
101 OPENSSL_cleanse(out, outlen);
102 if (!ret)
103 PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, PKCS12_R_DECODE_ERROR);
104 OPENSSL_free(out);
105 return ret;
106}
107
108/*
109 * Encode ASN1 structure and encrypt, return OCTET STRING if zbuf set zero
110 * encoding.
111 */
112
113ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor,
114 const ASN1_ITEM *it,
115 const char *pass, int passlen,
116 void *obj, int zbuf)
117{
118 ASN1_OCTET_STRING *oct = NULL;
119 unsigned char *in = NULL;
120 int inlen;
121
122 if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
123 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, ERR_R_MALLOC_FAILURE);
124 goto err;
125 }
126 inlen = ASN1_item_i2d(obj, &in, it);
127 if (!in) {
128 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, PKCS12_R_ENCODE_ERROR);
129 goto err;
130 }
131 if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data,
132 &oct->length, 1)) {
133 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
134 OPENSSL_free(in);
135 goto err;
136 }
137 if (zbuf)
138 OPENSSL_cleanse(in, inlen);
139 OPENSSL_free(in);
140 return oct;
141 err:
142 ASN1_OCTET_STRING_free(oct);
143 return NULL;
144}
145