p12_decr.c 4.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144
  1. /*
  2. * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/pkcs12.h>
  12. #include <openssl/trace.h>
  13. /*
  14. * Encrypt/Decrypt a buffer based on password and algor, result in a
  15. * OPENSSL_malloc'ed buffer
  16. */
  17. unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
  18. const char *pass, int passlen,
  19. const unsigned char *in, int inlen,
  20. unsigned char **data, int *datalen, int en_de)
  21. {
  22. unsigned char *out = NULL;
  23. int outlen, i;
  24. EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
  25. if (ctx == NULL) {
  26. PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE);
  27. goto err;
  28. }
  29. /* Decrypt data */
  30. if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen,
  31. algor->parameter, ctx, en_de)) {
  32. PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
  33. PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
  34. goto err;
  35. }
  36. if ((out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(ctx)))
  37. == NULL) {
  38. PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE);
  39. goto err;
  40. }
  41. if (!EVP_CipherUpdate(ctx, out, &i, in, inlen)) {
  42. OPENSSL_free(out);
  43. out = NULL;
  44. PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_EVP_LIB);
  45. goto err;
  46. }
  47. outlen = i;
  48. if (!EVP_CipherFinal_ex(ctx, out + i, &i)) {
  49. OPENSSL_free(out);
  50. out = NULL;
  51. PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
  52. PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
  53. goto err;
  54. }
  55. outlen += i;
  56. if (datalen)
  57. *datalen = outlen;
  58. if (data)
  59. *data = out;
  60. err:
  61. EVP_CIPHER_CTX_free(ctx);
  62. return out;
  63. }
  64. /*
  65. * Decrypt an OCTET STRING and decode ASN1 structure if zbuf set zero buffer
  66. * after use.
  67. */
  68. void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
  69. const char *pass, int passlen,
  70. const ASN1_OCTET_STRING *oct, int zbuf)
  71. {
  72. unsigned char *out;
  73. const unsigned char *p;
  74. void *ret;
  75. int outlen;
  76. if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
  77. &out, &outlen, 0)) {
  78. PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
  79. PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
  80. return NULL;
  81. }
  82. p = out;
  83. OSSL_TRACE_BEGIN(PKCS12_DECRYPT) {
  84. BIO_printf(trc_out, "\n");
  85. BIO_dump(trc_out, out, outlen);
  86. BIO_printf(trc_out, "\n");
  87. } OSSL_TRACE_END(PKCS12_DECRYPT);
  88. ret = ASN1_item_d2i(NULL, &p, outlen, it);
  89. if (zbuf)
  90. OPENSSL_cleanse(out, outlen);
  91. if (!ret)
  92. PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, PKCS12_R_DECODE_ERROR);
  93. OPENSSL_free(out);
  94. return ret;
  95. }
  96. /*
  97. * Encode ASN1 structure and encrypt, return OCTET STRING if zbuf set zero
  98. * encoding.
  99. */
  100. ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor,
  101. const ASN1_ITEM *it,
  102. const char *pass, int passlen,
  103. void *obj, int zbuf)
  104. {
  105. ASN1_OCTET_STRING *oct = NULL;
  106. unsigned char *in = NULL;
  107. int inlen;
  108. if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
  109. PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, ERR_R_MALLOC_FAILURE);
  110. goto err;
  111. }
  112. inlen = ASN1_item_i2d(obj, &in, it);
  113. if (!in) {
  114. PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, PKCS12_R_ENCODE_ERROR);
  115. goto err;
  116. }
  117. if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data,
  118. &oct->length, 1)) {
  119. PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
  120. OPENSSL_free(in);
  121. goto err;
  122. }
  123. if (zbuf)
  124. OPENSSL_cleanse(in, inlen);
  125. OPENSSL_free(in);
  126. return oct;
  127. err:
  128. ASN1_OCTET_STRING_free(oct);
  129. return NULL;
  130. }