1 | /* |
2 | * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stdio.h> |
11 | #include "internal/cryptlib.h" |
12 | #include <openssl/pkcs12.h> |
13 | #include <openssl/trace.h> |
14 | |
15 | /* |
16 | * Encrypt/Decrypt a buffer based on password and algor, result in a |
17 | * OPENSSL_malloc'ed buffer |
18 | */ |
19 | unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, |
20 | const char *pass, int passlen, |
21 | const unsigned char *in, int inlen, |
22 | unsigned char **data, int *datalen, int en_de) |
23 | { |
24 | unsigned char *out = NULL; |
25 | int outlen, i; |
26 | EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); |
27 | |
28 | if (ctx == NULL) { |
29 | PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE); |
30 | goto err; |
31 | } |
32 | |
33 | /* Decrypt data */ |
34 | if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen, |
35 | algor->parameter, ctx, en_de)) { |
36 | PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, |
37 | PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR); |
38 | goto err; |
39 | } |
40 | |
41 | if ((out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(ctx))) |
42 | == NULL) { |
43 | PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE); |
44 | goto err; |
45 | } |
46 | |
47 | if (!EVP_CipherUpdate(ctx, out, &i, in, inlen)) { |
48 | OPENSSL_free(out); |
49 | out = NULL; |
50 | PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_EVP_LIB); |
51 | goto err; |
52 | } |
53 | |
54 | outlen = i; |
55 | if (!EVP_CipherFinal_ex(ctx, out + i, &i)) { |
56 | OPENSSL_free(out); |
57 | out = NULL; |
58 | PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, |
59 | PKCS12_R_PKCS12_CIPHERFINAL_ERROR); |
60 | goto err; |
61 | } |
62 | outlen += i; |
63 | if (datalen) |
64 | *datalen = outlen; |
65 | if (data) |
66 | *data = out; |
67 | err: |
68 | EVP_CIPHER_CTX_free(ctx); |
69 | return out; |
70 | |
71 | } |
72 | |
73 | /* |
74 | * Decrypt an OCTET STRING and decode ASN1 structure if zbuf set zero buffer |
75 | * after use. |
76 | */ |
77 | |
78 | void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, |
79 | const char *pass, int passlen, |
80 | const ASN1_OCTET_STRING *oct, int zbuf) |
81 | { |
82 | unsigned char *out; |
83 | const unsigned char *p; |
84 | void *ret; |
85 | int outlen; |
86 | |
87 | if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length, |
88 | &out, &outlen, 0)) { |
89 | PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, |
90 | PKCS12_R_PKCS12_PBE_CRYPT_ERROR); |
91 | return NULL; |
92 | } |
93 | p = out; |
94 | OSSL_TRACE_BEGIN(PKCS12_DECRYPT) { |
95 | BIO_printf(trc_out, "\n" ); |
96 | BIO_dump(trc_out, out, outlen); |
97 | BIO_printf(trc_out, "\n" ); |
98 | } OSSL_TRACE_END(PKCS12_DECRYPT); |
99 | ret = ASN1_item_d2i(NULL, &p, outlen, it); |
100 | if (zbuf) |
101 | OPENSSL_cleanse(out, outlen); |
102 | if (!ret) |
103 | PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, PKCS12_R_DECODE_ERROR); |
104 | OPENSSL_free(out); |
105 | return ret; |
106 | } |
107 | |
108 | /* |
109 | * Encode ASN1 structure and encrypt, return OCTET STRING if zbuf set zero |
110 | * encoding. |
111 | */ |
112 | |
113 | ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, |
114 | const ASN1_ITEM *it, |
115 | const char *pass, int passlen, |
116 | void *obj, int zbuf) |
117 | { |
118 | ASN1_OCTET_STRING *oct = NULL; |
119 | unsigned char *in = NULL; |
120 | int inlen; |
121 | |
122 | if ((oct = ASN1_OCTET_STRING_new()) == NULL) { |
123 | PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, ERR_R_MALLOC_FAILURE); |
124 | goto err; |
125 | } |
126 | inlen = ASN1_item_i2d(obj, &in, it); |
127 | if (!in) { |
128 | PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, PKCS12_R_ENCODE_ERROR); |
129 | goto err; |
130 | } |
131 | if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data, |
132 | &oct->length, 1)) { |
133 | PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, PKCS12_R_ENCRYPT_ERROR); |
134 | OPENSSL_free(in); |
135 | goto err; |
136 | } |
137 | if (zbuf) |
138 | OPENSSL_cleanse(in, inlen); |
139 | OPENSSL_free(in); |
140 | return oct; |
141 | err: |
142 | ASN1_OCTET_STRING_free(oct); |
143 | return NULL; |
144 | } |
145 | |