LCOV - code coverage report
Current view: top level - sm - minip12.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 0 1279 0.0 %
Date: 2016-09-12 12:29:17 Functions: 0 21 0.0 %

          Line data    Source code
       1             : /* minip12.c - A minimal pkcs-12 implementation.
       2             :  * Copyright (C) 2002, 2003, 2004, 2006, 2011 Free Software Foundation, Inc.
       3             :  * Copyright (C) 2014 Werner Koch
       4             :  *
       5             :  * This file is part of GnuPG.
       6             :  *
       7             :  * GnuPG is free software; you can redistribute it and/or modify
       8             :  * it under the terms of the GNU General Public License as published by
       9             :  * the Free Software Foundation; either version 3 of the License, or
      10             :  * (at your option) any later version.
      11             :  *
      12             :  * GnuPG is distributed in the hope that it will be useful,
      13             :  * but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :  * GNU General Public License for more details.
      16             :  *
      17             :  * You should have received a copy of the GNU General Public License
      18             :  * along with this program; if not, see <http://www.gnu.org/licenses/>.
      19             :  */
      20             : 
      21             : #ifdef HAVE_CONFIG_H
      22             : #include <config.h>
      23             : #endif
      24             : #include <stdio.h>
      25             : #include <stdlib.h>
      26             : #include <string.h>
      27             : #include <assert.h>
      28             : #include <gcrypt.h>
      29             : #include <errno.h>
      30             : 
      31             : #ifdef TEST
      32             : #include <sys/stat.h>
      33             : #include <unistd.h>
      34             : #endif
      35             : 
      36             : #include "../common/logging.h"
      37             : #include "../common/utf8conv.h"
      38             : #include "minip12.h"
      39             : 
      40             : #ifndef DIM
      41             : #define DIM(v)               (sizeof(v)/sizeof((v)[0]))
      42             : #endif
      43             : 
      44             : 
      45             : enum
      46             : {
      47             :   UNIVERSAL = 0,
      48             :   APPLICATION = 1,
      49             :   ASNCONTEXT = 2,
      50             :   PRIVATE = 3
      51             : };
      52             : 
      53             : 
      54             : enum
      55             : {
      56             :   TAG_NONE = 0,
      57             :   TAG_BOOLEAN = 1,
      58             :   TAG_INTEGER = 2,
      59             :   TAG_BIT_STRING = 3,
      60             :   TAG_OCTET_STRING = 4,
      61             :   TAG_NULL = 5,
      62             :   TAG_OBJECT_ID = 6,
      63             :   TAG_OBJECT_DESCRIPTOR = 7,
      64             :   TAG_EXTERNAL = 8,
      65             :   TAG_REAL = 9,
      66             :   TAG_ENUMERATED = 10,
      67             :   TAG_EMBEDDED_PDV = 11,
      68             :   TAG_UTF8_STRING = 12,
      69             :   TAG_REALTIVE_OID = 13,
      70             :   TAG_SEQUENCE = 16,
      71             :   TAG_SET = 17,
      72             :   TAG_NUMERIC_STRING = 18,
      73             :   TAG_PRINTABLE_STRING = 19,
      74             :   TAG_TELETEX_STRING = 20,
      75             :   TAG_VIDEOTEX_STRING = 21,
      76             :   TAG_IA5_STRING = 22,
      77             :   TAG_UTC_TIME = 23,
      78             :   TAG_GENERALIZED_TIME = 24,
      79             :   TAG_GRAPHIC_STRING = 25,
      80             :   TAG_VISIBLE_STRING = 26,
      81             :   TAG_GENERAL_STRING = 27,
      82             :   TAG_UNIVERSAL_STRING = 28,
      83             :   TAG_CHARACTER_STRING = 29,
      84             :   TAG_BMP_STRING = 30
      85             : };
      86             : 
      87             : 
      88             : static unsigned char const oid_data[9] = {
      89             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01 };
      90             : static unsigned char const oid_encryptedData[9] = {
      91             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06 };
      92             : static unsigned char const oid_pkcs_12_keyBag[11] = {
      93             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x0A, 0x01, 0x01 };
      94             : static unsigned char const oid_pkcs_12_pkcs_8ShroudedKeyBag[11] = {
      95             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x0A, 0x01, 0x02 };
      96             : static unsigned char const oid_pkcs_12_CertBag[11] = {
      97             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x0A, 0x01, 0x03 };
      98             : static unsigned char const oid_pkcs_12_CrlBag[11] = {
      99             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x0A, 0x01, 0x04 };
     100             : 
     101             : static unsigned char const oid_pbeWithSHAAnd3_KeyTripleDES_CBC[10] = {
     102             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x03 };
     103             : static unsigned char const oid_pbeWithSHAAnd40BitRC2_CBC[10] = {
     104             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x06 };
     105             : static unsigned char const oid_x509Certificate_for_pkcs_12[10] = {
     106             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x16, 0x01 };
     107             : 
     108             : static unsigned char const oid_pkcs5PBKDF2[9] = {
     109             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C };
     110             : static unsigned char const oid_pkcs5PBES2[9] = {
     111             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D };
     112             : static unsigned char const oid_aes128_CBC[9] = {
     113             :   0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02 };
     114             : 
     115             : static unsigned char const oid_rsaEncryption[9] = {
     116             :   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 };
     117             : 
     118             : 
     119             : static unsigned char const data_3desiter2048[30] = {
     120             :   0x30, 0x1C, 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86,
     121             :   0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x03, 0x30, 0x0E,
     122             :   0x04, 0x08, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     123             :   0xFF, 0xFF, 0x02, 0x02, 0x08, 0x00 };
     124             : #define DATA_3DESITER2048_SALT_OFF  18
     125             : 
     126             : static unsigned char const data_rc2iter2048[30] = {
     127             :   0x30, 0x1C, 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86,
     128             :   0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x06, 0x30, 0x0E,
     129             :   0x04, 0x08, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     130             :   0xFF, 0xFF, 0x02, 0x02, 0x08, 0x00 };
     131             : #define DATA_RC2ITER2048_SALT_OFF  18
     132             : 
     133             : static unsigned char const data_mactemplate[51] = {
     134             :   0x30, 0x31, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
     135             :   0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04,
     136             :   0x14, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
     137             :   0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
     138             :   0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x08, 0xff,
     139             :   0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02,
     140             :   0x02, 0x08, 0x00 };
     141             : #define DATA_MACTEMPLATE_MAC_OFF 17
     142             : #define DATA_MACTEMPLATE_SALT_OFF 39
     143             : 
     144             : static unsigned char const data_attrtemplate[106] = {
     145             :   0x31, 0x7c, 0x30, 0x55, 0x06, 0x09, 0x2a, 0x86,
     146             :   0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31,
     147             :   0x48, 0x1e, 0x46, 0x00, 0x47, 0x00, 0x6e, 0x00,
     148             :   0x75, 0x00, 0x50, 0x00, 0x47, 0x00, 0x20, 0x00,
     149             :   0x65, 0x00, 0x78, 0x00, 0x70, 0x00, 0x6f, 0x00,
     150             :   0x72, 0x00, 0x74, 0x00, 0x65, 0x00, 0x64, 0x00,
     151             :   0x20, 0x00, 0x63, 0x00, 0x65, 0x00, 0x72, 0x00,
     152             :   0x74, 0x00, 0x69, 0x00, 0x66, 0x00, 0x69, 0x00,
     153             :   0x63, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00,
     154             :   0x20, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00,
     155             :   0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00,
     156             :   0x66, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48,
     157             :   0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x16,
     158             :   0x04, 0x14 }; /* Need to append SHA-1 digest. */
     159             : #define DATA_ATTRTEMPLATE_KEYID_OFF 73
     160             : 
     161             : struct buffer_s
     162             : {
     163             :   unsigned char *buffer;
     164             :   size_t length;
     165             : };
     166             : 
     167             : 
     168             : struct tag_info
     169             : {
     170             :   int class;
     171             :   int is_constructed;
     172             :   unsigned long tag;
     173             :   unsigned long length;  /* length part of the TLV */
     174             :   int nhdr;
     175             :   int ndef;              /* It is an indefinite length */
     176             : };
     177             : 
     178             : 
     179             : /* Parse the buffer at the address BUFFER which is of SIZE and return
     180             :    the tag and the length part from the TLV triplet.  Update BUFFER
     181             :    and SIZE on success.  Checks that the encoded length does not
     182             :    exhaust the length of the provided buffer. */
     183             : static int
     184           0 : parse_tag (unsigned char const **buffer, size_t *size, struct tag_info *ti)
     185             : {
     186             :   int c;
     187             :   unsigned long tag;
     188           0 :   const unsigned char *buf = *buffer;
     189           0 :   size_t length = *size;
     190             : 
     191           0 :   ti->length = 0;
     192           0 :   ti->ndef = 0;
     193           0 :   ti->nhdr = 0;
     194             : 
     195             :   /* Get the tag */
     196           0 :   if (!length)
     197           0 :     return -1; /* premature eof */
     198           0 :   c = *buf++; length--;
     199           0 :   ti->nhdr++;
     200             : 
     201           0 :   ti->class = (c & 0xc0) >> 6;
     202           0 :   ti->is_constructed = !!(c & 0x20);
     203           0 :   tag = c & 0x1f;
     204             : 
     205           0 :   if (tag == 0x1f)
     206             :     {
     207           0 :       tag = 0;
     208             :       do
     209             :         {
     210           0 :           tag <<= 7;
     211           0 :           if (!length)
     212           0 :             return -1; /* premature eof */
     213           0 :           c = *buf++; length--;
     214           0 :           ti->nhdr++;
     215           0 :           tag |= c & 0x7f;
     216             :         }
     217           0 :       while (c & 0x80);
     218             :     }
     219           0 :   ti->tag = tag;
     220             : 
     221             :   /* Get the length */
     222           0 :   if (!length)
     223           0 :     return -1; /* prematureeof */
     224           0 :   c = *buf++; length--;
     225           0 :   ti->nhdr++;
     226             : 
     227           0 :   if ( !(c & 0x80) )
     228           0 :     ti->length = c;
     229           0 :   else if (c == 0x80)
     230           0 :     ti->ndef = 1;
     231           0 :   else if (c == 0xff)
     232           0 :     return -1; /* forbidden length value */
     233             :   else
     234             :     {
     235           0 :       unsigned long len = 0;
     236           0 :       int count = c & 0x7f;
     237             : 
     238           0 :       for (; count; count--)
     239             :         {
     240           0 :           len <<= 8;
     241           0 :           if (!length)
     242           0 :             return -1; /* premature_eof */
     243           0 :           c = *buf++; length--;
     244           0 :           ti->nhdr++;
     245           0 :           len |= c & 0xff;
     246             :         }
     247           0 :       ti->length = len;
     248             :     }
     249             : 
     250           0 :   if (ti->class == UNIVERSAL && !ti->tag)
     251           0 :     ti->length = 0;
     252             : 
     253           0 :   if (ti->length > length)
     254           0 :     return -1; /* data larger than buffer. */
     255             : 
     256           0 :   *buffer = buf;
     257           0 :   *size = length;
     258           0 :   return 0;
     259             : }
     260             : 
     261             : 
     262             : /* Given an ASN.1 chunk of a structure like:
     263             : 
     264             :      24 NDEF:       OCTET STRING  -- This is not passed to us
     265             :      04    1:         OCTET STRING  -- INPUT point s to here
     266             :             :           30
     267             :      04    1:         OCTET STRING
     268             :             :           80
     269             :           [...]
     270             :      04    2:         OCTET STRING
     271             :             :           00 00
     272             :             :         } -- This denotes a Null tag and are the last
     273             :                         -- two bytes in INPUT.
     274             : 
     275             :    Create a new buffer with the content of that octet string.  INPUT
     276             :    is the original buffer with a length as stored at LENGTH.  Returns
     277             :    NULL on error or a new malloced buffer with the length of this new
     278             :    buffer stored at LENGTH and the number of bytes parsed from input
     279             :    are added to the value stored at INPUT_CONSUMED.  INPUT_CONSUMED is
     280             :    allowed to be passed as NULL if the caller is not interested in
     281             :    this value. */
     282             : static unsigned char *
     283           0 : cram_octet_string (const unsigned char *input, size_t *length,
     284             :                    size_t *input_consumed)
     285             : {
     286           0 :   const unsigned char *s = input;
     287           0 :   size_t n = *length;
     288             :   unsigned char *output, *d;
     289             :   struct tag_info ti;
     290             : 
     291             :   /* Allocate output buf.  We know that it won't be longer than the
     292             :      input buffer. */
     293           0 :   d = output = gcry_malloc (n);
     294           0 :   if (!output)
     295           0 :     goto bailout;
     296             : 
     297             :   for (;;)
     298             :     {
     299           0 :       if (parse_tag (&s, &n, &ti))
     300           0 :         goto bailout;
     301           0 :       if (ti.class == UNIVERSAL && ti.tag == TAG_OCTET_STRING
     302           0 :           && !ti.ndef && !ti.is_constructed)
     303             :         {
     304           0 :           memcpy (d, s, ti.length);
     305           0 :           s += ti.length;
     306           0 :           d += ti.length;
     307           0 :           n -= ti.length;
     308             :         }
     309           0 :       else if (ti.class == UNIVERSAL && !ti.tag && !ti.is_constructed)
     310             :         break; /* Ready */
     311             :       else
     312             :         goto bailout;
     313           0 :     }
     314             : 
     315             : 
     316           0 :   *length = d - output;
     317           0 :   if (input_consumed)
     318           0 :     *input_consumed += s - input;
     319           0 :   return output;
     320             : 
     321             :  bailout:
     322           0 :   if (input_consumed)
     323           0 :     *input_consumed += s - input;
     324           0 :   gcry_free (output);
     325           0 :   return NULL;
     326             : }
     327             : 
     328             : 
     329             : 
     330             : static int
     331           0 : string_to_key (int id, char *salt, size_t saltlen, int iter, const char *pw,
     332             :                int req_keylen, unsigned char *keybuf)
     333             : {
     334             :   int rc, i, j;
     335             :   gcry_md_hd_t md;
     336           0 :   gcry_mpi_t num_b1 = NULL;
     337             :   int pwlen;
     338             :   unsigned char hash[20], buf_b[64], buf_i[128], *p;
     339             :   size_t cur_keylen;
     340             :   size_t n;
     341             : 
     342           0 :   cur_keylen = 0;
     343           0 :   pwlen = strlen (pw);
     344           0 :   if (pwlen > 63/2)
     345             :     {
     346           0 :       log_error ("password too long\n");
     347           0 :       return -1;
     348             :     }
     349             : 
     350           0 :   if (saltlen < 8)
     351             :     {
     352           0 :       log_error ("salt too short\n");
     353           0 :       return -1;
     354             :     }
     355             : 
     356             :   /* Store salt and password in BUF_I */
     357           0 :   p = buf_i;
     358           0 :   for(i=0; i < 64; i++)
     359           0 :     *p++ = salt [i%saltlen];
     360           0 :   for(i=j=0; i < 64; i += 2)
     361             :     {
     362           0 :       *p++ = 0;
     363           0 :       *p++ = pw[j];
     364           0 :       if (++j > pwlen) /* Note, that we include the trailing zero */
     365           0 :         j = 0;
     366             :     }
     367             : 
     368             :   for (;;)
     369             :     {
     370           0 :       rc = gcry_md_open (&md, GCRY_MD_SHA1, 0);
     371           0 :       if (rc)
     372             :         {
     373           0 :           log_error ( "gcry_md_open failed: %s\n", gpg_strerror (rc));
     374           0 :           return rc;
     375             :         }
     376           0 :       for(i=0; i < 64; i++)
     377           0 :         gcry_md_putc (md, id);
     378           0 :       gcry_md_write (md, buf_i, 128);
     379           0 :       memcpy (hash, gcry_md_read (md, 0), 20);
     380           0 :       gcry_md_close (md);
     381           0 :       for (i=1; i < iter; i++)
     382           0 :         gcry_md_hash_buffer (GCRY_MD_SHA1, hash, hash, 20);
     383             : 
     384           0 :       for (i=0; i < 20 && cur_keylen < req_keylen; i++)
     385           0 :         keybuf[cur_keylen++] = hash[i];
     386           0 :       if (cur_keylen == req_keylen)
     387             :         {
     388           0 :           gcry_mpi_release (num_b1);
     389           0 :           return 0; /* ready */
     390             :         }
     391             : 
     392             :       /* need more bytes. */
     393           0 :       for(i=0; i < 64; i++)
     394           0 :         buf_b[i] = hash[i % 20];
     395           0 :       rc = gcry_mpi_scan (&num_b1, GCRYMPI_FMT_USG, buf_b, 64, &n);
     396           0 :       if (rc)
     397             :         {
     398           0 :           log_error ( "gcry_mpi_scan failed: %s\n", gpg_strerror (rc));
     399           0 :           return -1;
     400             :         }
     401           0 :       gcry_mpi_add_ui (num_b1, num_b1, 1);
     402           0 :       for (i=0; i < 128; i += 64)
     403             :         {
     404             :           gcry_mpi_t num_ij;
     405             : 
     406           0 :           rc = gcry_mpi_scan (&num_ij, GCRYMPI_FMT_USG, buf_i + i, 64, &n);
     407           0 :           if (rc)
     408             :             {
     409           0 :               log_error ( "gcry_mpi_scan failed: %s\n",
     410             :                        gpg_strerror (rc));
     411           0 :               return -1;
     412             :             }
     413           0 :           gcry_mpi_add (num_ij, num_ij, num_b1);
     414           0 :           gcry_mpi_clear_highbit (num_ij, 64*8);
     415           0 :           rc = gcry_mpi_print (GCRYMPI_FMT_USG, buf_i + i, 64, &n, num_ij);
     416           0 :           if (rc)
     417             :             {
     418           0 :               log_error ( "gcry_mpi_print failed: %s\n",
     419             :                           gpg_strerror (rc));
     420           0 :               return -1;
     421             :             }
     422           0 :           gcry_mpi_release (num_ij);
     423             :         }
     424           0 :     }
     425             : }
     426             : 
     427             : 
     428             : static int
     429           0 : set_key_iv (gcry_cipher_hd_t chd, char *salt, size_t saltlen, int iter,
     430             :             const char *pw, int keybytes)
     431             : {
     432             :   unsigned char keybuf[24];
     433             :   int rc;
     434             : 
     435           0 :   assert (keybytes == 5 || keybytes == 24);
     436           0 :   if (string_to_key (1, salt, saltlen, iter, pw, keybytes, keybuf))
     437           0 :     return -1;
     438           0 :   rc = gcry_cipher_setkey (chd, keybuf, keybytes);
     439           0 :   if (rc)
     440             :     {
     441           0 :       log_error ( "gcry_cipher_setkey failed: %s\n", gpg_strerror (rc));
     442           0 :       return -1;
     443             :     }
     444             : 
     445           0 :   if (string_to_key (2, salt, saltlen, iter, pw, 8, keybuf))
     446           0 :     return -1;
     447           0 :   rc = gcry_cipher_setiv (chd, keybuf, 8);
     448           0 :   if (rc)
     449             :     {
     450           0 :       log_error ("gcry_cipher_setiv failed: %s\n", gpg_strerror (rc));
     451           0 :       return -1;
     452             :     }
     453           0 :   return 0;
     454             : }
     455             : 
     456             : 
     457             : static int
     458           0 : set_key_iv_pbes2 (gcry_cipher_hd_t chd, char *salt, size_t saltlen, int iter,
     459             :                   const void *iv, size_t ivlen, const char *pw, int algo)
     460             : {
     461             :   unsigned char *keybuf;
     462             :   size_t keylen;
     463             :   int rc;
     464             : 
     465           0 :   keylen = gcry_cipher_get_algo_keylen (algo);
     466           0 :   if (!keylen)
     467           0 :     return -1;
     468           0 :   keybuf = gcry_malloc_secure (keylen);
     469           0 :   if (!keybuf)
     470           0 :     return -1;
     471             : 
     472           0 :   rc = gcry_kdf_derive (pw, strlen (pw),
     473             :                         GCRY_KDF_PBKDF2, GCRY_MD_SHA1,
     474             :                         salt, saltlen, iter, keylen, keybuf);
     475           0 :   if (rc)
     476             :     {
     477           0 :       log_error ("gcry_kdf_derive failed: %s\n", gpg_strerror (rc));
     478           0 :       gcry_free (keybuf);
     479           0 :       return -1;
     480             :     }
     481             : 
     482           0 :   rc = gcry_cipher_setkey (chd, keybuf, keylen);
     483           0 :   gcry_free (keybuf);
     484           0 :   if (rc)
     485             :     {
     486           0 :       log_error ("gcry_cipher_setkey failed: %s\n", gpg_strerror (rc));
     487           0 :       return -1;
     488             :     }
     489             : 
     490             : 
     491           0 :   rc = gcry_cipher_setiv (chd, iv, ivlen);
     492           0 :   if (rc)
     493             :     {
     494           0 :       log_error ("gcry_cipher_setiv failed: %s\n", gpg_strerror (rc));
     495           0 :       return -1;
     496             :     }
     497           0 :   return 0;
     498             : }
     499             : 
     500             : 
     501             : static void
     502           0 : crypt_block (unsigned char *buffer, size_t length, char *salt, size_t saltlen,
     503             :              int iter, const void *iv, size_t ivlen,
     504             :              const char *pw, int cipher_algo, int encrypt)
     505             : {
     506             :   gcry_cipher_hd_t chd;
     507             :   int rc;
     508             : 
     509           0 :   rc = gcry_cipher_open (&chd, cipher_algo, GCRY_CIPHER_MODE_CBC, 0);
     510           0 :   if (rc)
     511             :     {
     512           0 :       log_error ( "gcry_cipher_open failed: %s\n", gpg_strerror(rc));
     513           0 :       wipememory (buffer, length);
     514           0 :       return;
     515             :     }
     516             : 
     517           0 :   if (cipher_algo == GCRY_CIPHER_AES128
     518           0 :       ? set_key_iv_pbes2 (chd, salt, saltlen, iter, iv, ivlen, pw, cipher_algo)
     519           0 :       : set_key_iv (chd, salt, saltlen, iter, pw,
     520             :                     cipher_algo == GCRY_CIPHER_RFC2268_40? 5:24))
     521             :     {
     522           0 :       wipememory (buffer, length);
     523           0 :       goto leave;
     524             :     }
     525             : 
     526           0 :   rc = encrypt? gcry_cipher_encrypt (chd, buffer, length, NULL, 0)
     527           0 :               : gcry_cipher_decrypt (chd, buffer, length, NULL, 0);
     528             : 
     529           0 :   if (rc)
     530             :     {
     531           0 :       wipememory (buffer, length);
     532           0 :       log_error ( "en/de-crytion failed: %s\n", gpg_strerror (rc));
     533           0 :       goto leave;
     534             :     }
     535             : 
     536             :  leave:
     537           0 :   gcry_cipher_close (chd);
     538             : }
     539             : 
     540             : 
     541             : /* Decrypt a block of data and try several encodings of the key.
     542             :    CIPHERTEXT is the encrypted data of size LENGTH bytes; PLAINTEXT is
     543             :    a buffer of the same size to receive the decryption result. SALT,
     544             :    SALTLEN, ITER and PW are the information required for decryption
     545             :    and CIPHER_ALGO is the algorithm id to use.  CHECK_FNC is a
     546             :    function called with the plaintext and used to check whether the
     547             :    decryption succeeded; i.e. that a correct passphrase has been
     548             :    given.  That function shall return true if the decryption has likely
     549             :    succeeded. */
     550             : static void
     551           0 : decrypt_block (const void *ciphertext, unsigned char *plaintext, size_t length,
     552             :                char *salt, size_t saltlen,
     553             :                int iter, const void *iv, size_t ivlen,
     554             :                const char *pw, int cipher_algo,
     555             :                int (*check_fnc) (const void *, size_t))
     556             : {
     557             :   static const char * const charsets[] = {
     558             :     "",   /* No conversion - use the UTF-8 passphrase direct.  */
     559             :     "ISO-8859-1",
     560             :     "ISO-8859-15",
     561             :     "ISO-8859-2",
     562             :     "ISO-8859-3",
     563             :     "ISO-8859-4",
     564             :     "ISO-8859-5",
     565             :     "ISO-8859-6",
     566             :     "ISO-8859-7",
     567             :     "ISO-8859-8",
     568             :     "ISO-8859-9",
     569             :     "KOI8-R",
     570             :     "IBM437",
     571             :     "IBM850",
     572             :     "EUC-JP",
     573             :     "BIG5",
     574             :     NULL
     575             :   };
     576           0 :   int charsetidx = 0;
     577           0 :   char *convertedpw = NULL;   /* Malloced and converted password or NULL.  */
     578           0 :   size_t convertedpwsize = 0; /* Allocated length.  */
     579             : 
     580           0 :   for (charsetidx=0; charsets[charsetidx]; charsetidx++)
     581             :     {
     582           0 :       if (*charsets[charsetidx])
     583             :         {
     584             :           jnlib_iconv_t cd;
     585             :           const char *inptr;
     586             :           char *outptr;
     587             :           size_t inbytes, outbytes;
     588             : 
     589           0 :           if (!convertedpw)
     590             :             {
     591             :               /* We assume one byte encodings.  Thus we can allocate
     592             :                  the buffer of the same size as the original
     593             :                  passphrase; the result will actually be shorter
     594             :                  then.  */
     595           0 :               convertedpwsize = strlen (pw) + 1;
     596           0 :               convertedpw = gcry_malloc_secure (convertedpwsize);
     597           0 :               if (!convertedpw)
     598             :                 {
     599           0 :                   log_info ("out of secure memory while"
     600             :                             " converting passphrase\n");
     601           0 :                   break; /* Give up.  */
     602             :                 }
     603             :             }
     604             : 
     605           0 :           cd = jnlib_iconv_open (charsets[charsetidx], "utf-8");
     606           0 :           if (cd == (jnlib_iconv_t)(-1))
     607           0 :             continue;
     608             : 
     609           0 :           inptr = pw;
     610           0 :           inbytes = strlen (pw);
     611           0 :           outptr = convertedpw;
     612           0 :           outbytes = convertedpwsize - 1;
     613           0 :           if ( jnlib_iconv (cd, (const char **)&inptr, &inbytes,
     614             :                       &outptr, &outbytes) == (size_t)-1)
     615             :             {
     616           0 :               jnlib_iconv_close (cd);
     617           0 :               continue;
     618             :             }
     619           0 :           *outptr = 0;
     620           0 :           jnlib_iconv_close (cd);
     621           0 :           log_info ("decryption failed; trying charset '%s'\n",
     622             :                     charsets[charsetidx]);
     623             :         }
     624           0 :       memcpy (plaintext, ciphertext, length);
     625           0 :       crypt_block (plaintext, length, salt, saltlen, iter, iv, ivlen,
     626             :                    convertedpw? convertedpw:pw, cipher_algo, 0);
     627           0 :       if (check_fnc (plaintext, length))
     628           0 :         break; /* Decryption succeeded. */
     629             :     }
     630           0 :   gcry_free (convertedpw);
     631           0 : }
     632             : 
     633             : 
     634             : /* Return true if the decryption of an bag_encrypted_data object has
     635             :    likely succeeded.  */
     636             : static int
     637           0 : bag_decrypted_data_p (const void *plaintext, size_t length)
     638             : {
     639             :   struct tag_info ti;
     640           0 :   const unsigned char *p = plaintext;
     641           0 :   size_t n = length;
     642             : 
     643             :   /*   { */
     644             :   /* #  warning debug code is enabled */
     645             :   /*     FILE *fp = fopen ("tmp-rc2-plain.der", "wb"); */
     646             :   /*     if (!fp || fwrite (p, n, 1, fp) != 1) */
     647             :   /*       exit (2); */
     648             :   /*     fclose (fp); */
     649             :   /*   } */
     650             : 
     651           0 :   if (parse_tag (&p, &n, &ti))
     652           0 :     return 0;
     653           0 :   if (ti.class || ti.tag != TAG_SEQUENCE)
     654           0 :     return 0;
     655           0 :   if (parse_tag (&p, &n, &ti))
     656           0 :     return 0;
     657             : 
     658           0 :   return 1;
     659             : }
     660             : 
     661             : /* Note: If R_RESULT is passed as NULL, a key object as already be
     662             :    processed and thus we need to skip it here. */
     663             : static int
     664           0 : parse_bag_encrypted_data (const unsigned char *buffer, size_t length,
     665             :                           int startoffset, size_t *r_consumed, const char *pw,
     666             :                           void (*certcb)(void*, const unsigned char*, size_t),
     667             :                           void *certcbarg, gcry_mpi_t **r_result,
     668             :                           int *r_badpass)
     669             : {
     670             :   struct tag_info ti;
     671           0 :   const unsigned char *p = buffer;
     672           0 :   const unsigned char *p_start = buffer;
     673           0 :   size_t n = length;
     674             :   const char *where;
     675             :   char salt[20];
     676             :   size_t saltlen;
     677             :   char iv[16];
     678             :   unsigned int iter;
     679           0 :   unsigned char *plain = NULL;
     680           0 :   int bad_pass = 0;
     681           0 :   unsigned char *cram_buffer = NULL;
     682           0 :   size_t consumed = 0; /* Number of bytes consumed from the original buffer. */
     683           0 :   int is_3des = 0;
     684           0 :   int is_pbes2 = 0;
     685           0 :   gcry_mpi_t *result = NULL;
     686             :   int result_count;
     687             : 
     688           0 :   if (r_result)
     689           0 :     *r_result = NULL;
     690           0 :   where = "start";
     691           0 :   if (parse_tag (&p, &n, &ti))
     692           0 :     goto bailout;
     693           0 :   if (ti.class != ASNCONTEXT || ti.tag)
     694             :     goto bailout;
     695           0 :   if (parse_tag (&p, &n, &ti))
     696           0 :     goto bailout;
     697           0 :   if (ti.tag != TAG_SEQUENCE)
     698           0 :     goto bailout;
     699             : 
     700           0 :   where = "bag.encryptedData.version";
     701           0 :   if (parse_tag (&p, &n, &ti))
     702           0 :     goto bailout;
     703           0 :   if (ti.tag != TAG_INTEGER || ti.length != 1 || *p != 0)
     704             :     goto bailout;
     705           0 :   p++; n--;
     706           0 :   if (parse_tag (&p, &n, &ti))
     707           0 :     goto bailout;
     708           0 :   if (ti.tag != TAG_SEQUENCE)
     709           0 :     goto bailout;
     710             : 
     711           0 :   where = "bag.encryptedData.data";
     712           0 :   if (parse_tag (&p, &n, &ti))
     713           0 :     goto bailout;
     714           0 :   if (ti.tag != TAG_OBJECT_ID || ti.length != DIM(oid_data)
     715           0 :       || memcmp (p, oid_data, DIM(oid_data)))
     716             :     goto bailout;
     717           0 :   p += DIM(oid_data);
     718           0 :   n -= DIM(oid_data);
     719             : 
     720           0 :   where = "bag.encryptedData.keyinfo";
     721           0 :   if (parse_tag (&p, &n, &ti))
     722           0 :     goto bailout;
     723           0 :   if (ti.class || ti.tag != TAG_SEQUENCE)
     724             :     goto bailout;
     725           0 :   if (parse_tag (&p, &n, &ti))
     726           0 :     goto bailout;
     727           0 :   if (!ti.class && ti.tag == TAG_OBJECT_ID
     728           0 :       && ti.length == DIM(oid_pbeWithSHAAnd40BitRC2_CBC)
     729           0 :       && !memcmp (p, oid_pbeWithSHAAnd40BitRC2_CBC,
     730             :                   DIM(oid_pbeWithSHAAnd40BitRC2_CBC)))
     731             :     {
     732           0 :       p += DIM(oid_pbeWithSHAAnd40BitRC2_CBC);
     733           0 :       n -= DIM(oid_pbeWithSHAAnd40BitRC2_CBC);
     734             :     }
     735           0 :   else if (!ti.class && ti.tag == TAG_OBJECT_ID
     736           0 :       && ti.length == DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)
     737           0 :       && !memcmp (p, oid_pbeWithSHAAnd3_KeyTripleDES_CBC,
     738             :                   DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)))
     739             :     {
     740           0 :       p += DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC);
     741           0 :       n -= DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC);
     742           0 :       is_3des = 1;
     743             :     }
     744           0 :   else if (!ti.class && ti.tag == TAG_OBJECT_ID
     745           0 :            && ti.length == DIM(oid_pkcs5PBES2)
     746           0 :            && !memcmp (p, oid_pkcs5PBES2, ti.length))
     747             :     {
     748           0 :       p += ti.length;
     749           0 :       n -= ti.length;
     750           0 :       is_pbes2 = 1;
     751             :     }
     752             :   else
     753             :     goto bailout;
     754             : 
     755           0 :   if (is_pbes2)
     756             :     {
     757           0 :       where = "pkcs5PBES2-params";
     758           0 :       if (parse_tag (&p, &n, &ti))
     759           0 :         goto bailout;
     760           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
     761             :         goto bailout;
     762           0 :       if (parse_tag (&p, &n, &ti))
     763           0 :         goto bailout;
     764           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
     765             :         goto bailout;
     766           0 :       if (parse_tag (&p, &n, &ti))
     767           0 :         goto bailout;
     768           0 :       if (!(!ti.class && ti.tag == TAG_OBJECT_ID
     769           0 :             && ti.length == DIM(oid_pkcs5PBKDF2)
     770           0 :             && !memcmp (p, oid_pkcs5PBKDF2, ti.length)))
     771             :         goto bailout; /* Not PBKDF2.  */
     772           0 :       p += ti.length;
     773           0 :       n -= ti.length;
     774           0 :       if (parse_tag (&p, &n, &ti))
     775           0 :         goto bailout;
     776           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
     777             :         goto bailout;
     778           0 :       if (parse_tag (&p, &n, &ti))
     779           0 :         goto bailout;
     780           0 :       if (!(!ti.class && ti.tag == TAG_OCTET_STRING
     781           0 :             && ti.length >= 8 && ti.length < sizeof salt))
     782             :         goto bailout;  /* No salt or unsupported length.  */
     783           0 :       saltlen = ti.length;
     784           0 :       memcpy (salt, p, saltlen);
     785           0 :       p += saltlen;
     786           0 :       n -= saltlen;
     787             : 
     788           0 :       if (parse_tag (&p, &n, &ti))
     789           0 :         goto bailout;
     790           0 :       if (!(!ti.class && ti.tag == TAG_INTEGER && ti.length))
     791             :         goto bailout;  /* No valid iteration count.  */
     792           0 :       for (iter=0; ti.length; ti.length--)
     793             :         {
     794           0 :           iter <<= 8;
     795           0 :           iter |= (*p++) & 0xff;
     796           0 :           n--;
     797             :         }
     798             :       /* Note: We don't support the optional parameters but assume
     799             :          that the algorithmIdentifier follows. */
     800           0 :       if (parse_tag (&p, &n, &ti))
     801           0 :         goto bailout;
     802           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
     803             :         goto bailout;
     804           0 :       if (parse_tag (&p, &n, &ti))
     805           0 :         goto bailout;
     806           0 :       if (!(!ti.class && ti.tag == TAG_OBJECT_ID
     807           0 :             && ti.length == DIM(oid_aes128_CBC)
     808           0 :             && !memcmp (p, oid_aes128_CBC, ti.length)))
     809             :         goto bailout; /* Not AES-128.  */
     810           0 :       p += ti.length;
     811           0 :       n -= ti.length;
     812           0 :       if (parse_tag (&p, &n, &ti))
     813           0 :         goto bailout;
     814           0 :       if (!(!ti.class && ti.tag == TAG_OCTET_STRING && ti.length == sizeof iv))
     815             :         goto bailout; /* Bad IV.  */
     816           0 :       memcpy (iv, p, sizeof iv);
     817           0 :       p += sizeof iv;
     818           0 :       n -= sizeof iv;
     819             :     }
     820             :   else
     821             :     {
     822           0 :       where = "rc2or3des-params";
     823           0 :       if (parse_tag (&p, &n, &ti))
     824           0 :         goto bailout;
     825           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
     826             :         goto bailout;
     827           0 :       if (parse_tag (&p, &n, &ti))
     828           0 :         goto bailout;
     829           0 :       if (ti.class || ti.tag != TAG_OCTET_STRING
     830           0 :           || ti.length < 8 || ti.length > 20 )
     831             :         goto bailout;
     832           0 :       saltlen = ti.length;
     833           0 :       memcpy (salt, p, saltlen);
     834           0 :       p += saltlen;
     835           0 :       n -= saltlen;
     836           0 :       if (parse_tag (&p, &n, &ti))
     837           0 :         goto bailout;
     838           0 :       if (ti.class || ti.tag != TAG_INTEGER || !ti.length )
     839             :         goto bailout;
     840           0 :       for (iter=0; ti.length; ti.length--)
     841             :         {
     842           0 :           iter <<= 8;
     843           0 :           iter |= (*p++) & 0xff;
     844           0 :           n--;
     845             :         }
     846             :     }
     847             : 
     848           0 :   where = "rc2or3desoraes-ciphertext";
     849           0 :   if (parse_tag (&p, &n, &ti))
     850           0 :     goto bailout;
     851             : 
     852           0 :   consumed = p - p_start;
     853           0 :   if (ti.class == ASNCONTEXT && ti.tag == 0 && ti.is_constructed && ti.ndef)
     854             :     {
     855             :       /* Mozilla exported certs now come with single byte chunks of
     856             :          octect strings.  (Mozilla Firefox 1.0.4).  Arghh. */
     857           0 :       where = "cram-rc2or3des-ciphertext";
     858           0 :       cram_buffer = cram_octet_string ( p, &n, &consumed);
     859           0 :       if (!cram_buffer)
     860           0 :         goto bailout;
     861           0 :       p = p_start = cram_buffer;
     862           0 :       if (r_consumed)
     863           0 :         *r_consumed = consumed;
     864           0 :       r_consumed = NULL; /* Ugly hack to not update that value any further. */
     865           0 :       ti.length = n;
     866             :     }
     867           0 :   else if (ti.class == ASNCONTEXT && ti.tag == 0 && ti.length )
     868             :     ;
     869             :   else
     870             :     goto bailout;
     871             : 
     872           0 :   log_info ("%lu bytes of %s encrypted text\n",ti.length,
     873           0 :             is_pbes2?"AES128":is_3des?"3DES":"RC2");
     874             : 
     875           0 :   plain = gcry_malloc_secure (ti.length);
     876           0 :   if (!plain)
     877             :     {
     878           0 :       log_error ("error allocating decryption buffer\n");
     879           0 :       goto bailout;
     880             :     }
     881           0 :   decrypt_block (p, plain, ti.length, salt, saltlen, iter,
     882             :                  iv, is_pbes2?16:0, pw,
     883             :                  is_pbes2 ? GCRY_CIPHER_AES128 :
     884           0 :                  is_3des  ? GCRY_CIPHER_3DES : GCRY_CIPHER_RFC2268_40,
     885             :                  bag_decrypted_data_p);
     886           0 :   n = ti.length;
     887           0 :   startoffset = 0;
     888           0 :   p_start = p = plain;
     889             : 
     890           0 :   where = "outer.outer.seq";
     891           0 :   if (parse_tag (&p, &n, &ti))
     892             :     {
     893           0 :       bad_pass = 1;
     894           0 :       goto bailout;
     895             :     }
     896           0 :   if (ti.class || ti.tag != TAG_SEQUENCE)
     897             :     {
     898           0 :       bad_pass = 1;
     899           0 :       goto bailout;
     900             :     }
     901             : 
     902           0 :   if (parse_tag (&p, &n, &ti))
     903             :     {
     904           0 :       bad_pass = 1;
     905           0 :       goto bailout;
     906             :     }
     907             : 
     908             :   /* Loop over all certificates inside the bag. */
     909           0 :   while (n)
     910             :     {
     911           0 :       int iscrlbag = 0;
     912           0 :       int iskeybag = 0;
     913             : 
     914           0 :       where = "certbag.nextcert";
     915           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
     916             :         goto bailout;
     917             : 
     918           0 :       where = "certbag.objectidentifier";
     919           0 :       if (parse_tag (&p, &n, &ti))
     920           0 :         goto bailout;
     921           0 :       if (ti.class || ti.tag != TAG_OBJECT_ID)
     922             :         goto bailout;
     923           0 :       if ( ti.length == DIM(oid_pkcs_12_CertBag)
     924           0 :            && !memcmp (p, oid_pkcs_12_CertBag, DIM(oid_pkcs_12_CertBag)))
     925             :         {
     926           0 :           p += DIM(oid_pkcs_12_CertBag);
     927           0 :           n -= DIM(oid_pkcs_12_CertBag);
     928             :         }
     929           0 :       else if ( ti.length == DIM(oid_pkcs_12_CrlBag)
     930           0 :            && !memcmp (p, oid_pkcs_12_CrlBag, DIM(oid_pkcs_12_CrlBag)))
     931             :         {
     932           0 :           p += DIM(oid_pkcs_12_CrlBag);
     933           0 :           n -= DIM(oid_pkcs_12_CrlBag);
     934           0 :           iscrlbag = 1;
     935             :         }
     936           0 :       else if ( ti.length == DIM(oid_pkcs_12_keyBag)
     937           0 :            && !memcmp (p, oid_pkcs_12_keyBag, DIM(oid_pkcs_12_keyBag)))
     938             :         {
     939             :           /* The TrustedMIME plugin for MS Outlook started to create
     940             :              files with just one outer 3DES encrypted container and
     941             :              inside the certificates as well as the key. */
     942           0 :           p += DIM(oid_pkcs_12_keyBag);
     943           0 :           n -= DIM(oid_pkcs_12_keyBag);
     944           0 :           iskeybag = 1;
     945             :         }
     946             :       else
     947             :         goto bailout;
     948             : 
     949           0 :       where = "certbag.before.certheader";
     950           0 :       if (parse_tag (&p, &n, &ti))
     951           0 :         goto bailout;
     952           0 :       if (ti.class != ASNCONTEXT || ti.tag)
     953             :         goto bailout;
     954           0 :       if (iscrlbag)
     955             :         {
     956           0 :           log_info ("skipping unsupported crlBag\n");
     957           0 :           p += ti.length;
     958           0 :           n -= ti.length;
     959             :         }
     960           0 :       else if (iskeybag && (result || !r_result))
     961             :         {
     962           0 :           log_info ("one keyBag already processed; skipping this one\n");
     963           0 :           p += ti.length;
     964           0 :           n -= ti.length;
     965             :         }
     966           0 :       else if (iskeybag)
     967             :         {
     968             :           int len;
     969             : 
     970           0 :           log_info ("processing simple keyBag\n");
     971             : 
     972             :           /* Fixme: This code is duplicated from parse_bag_data.  */
     973           0 :           if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
     974             :             goto bailout;
     975           0 :           if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER
     976           0 :               || ti.length != 1 || *p)
     977             :             goto bailout;
     978           0 :           p++; n--;
     979           0 :           if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
     980             :             goto bailout;
     981           0 :           len = ti.length;
     982           0 :           if (parse_tag (&p, &n, &ti))
     983           0 :             goto bailout;
     984           0 :           if (len < ti.nhdr)
     985           0 :             goto bailout;
     986           0 :           len -= ti.nhdr;
     987           0 :           if (ti.class || ti.tag != TAG_OBJECT_ID
     988           0 :               || ti.length != DIM(oid_rsaEncryption)
     989           0 :               || memcmp (p, oid_rsaEncryption,
     990             :                          DIM(oid_rsaEncryption)))
     991             :             goto bailout;
     992           0 :           p += DIM (oid_rsaEncryption);
     993           0 :           n -= DIM (oid_rsaEncryption);
     994           0 :           if (len < ti.length)
     995           0 :             goto bailout;
     996           0 :           len -= ti.length;
     997           0 :           if (n < len)
     998           0 :             goto bailout;
     999           0 :           p += len;
    1000           0 :           n -= len;
    1001           0 :           if ( parse_tag (&p, &n, &ti)
    1002           0 :                || ti.class || ti.tag != TAG_OCTET_STRING)
    1003             :             goto bailout;
    1004           0 :           if ( parse_tag (&p, &n, &ti)
    1005           0 :                || ti.class || ti.tag != TAG_SEQUENCE)
    1006             :             goto bailout;
    1007           0 :           len = ti.length;
    1008             : 
    1009           0 :           result = gcry_calloc (10, sizeof *result);
    1010           0 :           if (!result)
    1011             :             {
    1012           0 :               log_error ( "error allocating result array\n");
    1013           0 :               goto bailout;
    1014             :             }
    1015           0 :           result_count = 0;
    1016             : 
    1017           0 :           where = "reading.keybag.key-parameters";
    1018           0 :           for (result_count = 0; len && result_count < 9;)
    1019             :             {
    1020           0 :               if ( parse_tag (&p, &n, &ti)
    1021           0 :                    || ti.class || ti.tag != TAG_INTEGER)
    1022             :                 goto bailout;
    1023           0 :               if (len < ti.nhdr)
    1024           0 :                 goto bailout;
    1025           0 :               len -= ti.nhdr;
    1026           0 :               if (len < ti.length)
    1027           0 :                 goto bailout;
    1028           0 :               len -= ti.length;
    1029           0 :               if (!result_count && ti.length == 1 && !*p)
    1030             :                 ; /* ignore the very first one if it is a 0 */
    1031             :               else
    1032             :                 {
    1033             :                   int rc;
    1034             : 
    1035           0 :                   rc = gcry_mpi_scan (result+result_count, GCRYMPI_FMT_USG, p,
    1036             :                                       ti.length, NULL);
    1037           0 :                   if (rc)
    1038             :                     {
    1039           0 :                       log_error ("error parsing key parameter: %s\n",
    1040             :                                  gpg_strerror (rc));
    1041           0 :                       goto bailout;
    1042             :                     }
    1043           0 :                   result_count++;
    1044             :                 }
    1045           0 :               p += ti.length;
    1046           0 :               n -= ti.length;
    1047             :             }
    1048           0 :           if (len)
    1049           0 :             goto bailout;
    1050             :         }
    1051             :       else
    1052             :         {
    1053           0 :           log_info ("processing certBag\n");
    1054           0 :           if (parse_tag (&p, &n, &ti))
    1055           0 :             goto bailout;
    1056           0 :           if (ti.class || ti.tag != TAG_SEQUENCE)
    1057             :             goto bailout;
    1058           0 :           if (parse_tag (&p, &n, &ti))
    1059           0 :             goto bailout;
    1060           0 :           if (ti.class || ti.tag != TAG_OBJECT_ID
    1061           0 :               || ti.length != DIM(oid_x509Certificate_for_pkcs_12)
    1062           0 :               || memcmp (p, oid_x509Certificate_for_pkcs_12,
    1063             :                          DIM(oid_x509Certificate_for_pkcs_12)))
    1064             :             goto bailout;
    1065           0 :           p += DIM(oid_x509Certificate_for_pkcs_12);
    1066           0 :           n -= DIM(oid_x509Certificate_for_pkcs_12);
    1067             : 
    1068           0 :           where = "certbag.before.octetstring";
    1069           0 :           if (parse_tag (&p, &n, &ti))
    1070           0 :             goto bailout;
    1071           0 :           if (ti.class != ASNCONTEXT || ti.tag)
    1072             :             goto bailout;
    1073           0 :           if (parse_tag (&p, &n, &ti))
    1074           0 :             goto bailout;
    1075           0 :           if (ti.class || ti.tag != TAG_OCTET_STRING || ti.ndef)
    1076             :             goto bailout;
    1077             : 
    1078             :           /* Return the certificate. */
    1079           0 :           if (certcb)
    1080           0 :             certcb (certcbarg, p, ti.length);
    1081             : 
    1082           0 :           p += ti.length;
    1083           0 :           n -= ti.length;
    1084             :         }
    1085             : 
    1086             :       /* Ugly hack to cope with the padding: Forget about the rest if
    1087             :          that is less or equal to the cipher's block length.  We can
    1088             :          reasonable assume that all valid data will be longer than
    1089             :          just one block. */
    1090           0 :       if (n <= (is_pbes2? 16:8))
    1091           0 :         n = 0;
    1092             : 
    1093             :       /* Skip the optional SET with the pkcs12 cert attributes. */
    1094           0 :       if (n)
    1095             :         {
    1096           0 :           where = "bag.attributes";
    1097           0 :           if (parse_tag (&p, &n, &ti))
    1098           0 :             goto bailout;
    1099           0 :           if (!ti.class && ti.tag == TAG_SEQUENCE)
    1100             :             ; /* No attributes. */
    1101           0 :           else if (!ti.class && ti.tag == TAG_SET && !ti.ndef)
    1102             :             { /* The optional SET. */
    1103           0 :               p += ti.length;
    1104           0 :               n -= ti.length;
    1105           0 :               if (n <= (is_pbes2?16:8))
    1106           0 :                 n = 0;
    1107           0 :               if (n && parse_tag (&p, &n, &ti))
    1108           0 :                 goto bailout;
    1109             :             }
    1110             :           else
    1111             :             goto bailout;
    1112             :         }
    1113             :     }
    1114             : 
    1115           0 :   if (r_consumed)
    1116           0 :     *r_consumed = consumed;
    1117           0 :   gcry_free (plain);
    1118           0 :   gcry_free (cram_buffer);
    1119           0 :   if (r_result)
    1120           0 :     *r_result = result;
    1121           0 :   return 0;
    1122             : 
    1123             :  bailout:
    1124           0 :   if (result)
    1125             :     {
    1126             :       int i;
    1127             : 
    1128           0 :       for (i=0; result[i]; i++)
    1129           0 :         gcry_mpi_release (result[i]);
    1130           0 :       gcry_free (result);
    1131             :     }
    1132           0 :   if (r_consumed)
    1133           0 :     *r_consumed = consumed;
    1134           0 :   gcry_free (plain);
    1135           0 :   gcry_free (cram_buffer);
    1136           0 :   log_error ("encryptedData error at \"%s\", offset %u\n",
    1137           0 :              where, (unsigned int)((p - p_start)+startoffset));
    1138           0 :   if (bad_pass)
    1139             :     {
    1140             :       /* Note, that the following string might be used by other programs
    1141             :          to check for a bad passphrase; it should therefore not be
    1142             :          translated or changed. */
    1143           0 :       log_error ("possibly bad passphrase given\n");
    1144           0 :       *r_badpass = 1;
    1145             :     }
    1146           0 :   return -1;
    1147             : }
    1148             : 
    1149             : 
    1150             : /* Return true if the decryption of a bag_data object has likely
    1151             :    succeeded.  */
    1152             : static int
    1153           0 : bag_data_p (const void *plaintext, size_t length)
    1154             : {
    1155             :   struct tag_info ti;
    1156           0 :   const unsigned char *p = plaintext;
    1157           0 :   size_t n = length;
    1158             : 
    1159             : /*   { */
    1160             : /* #  warning debug code is enabled */
    1161             : /*     FILE *fp = fopen ("tmp-3des-plain-key.der", "wb"); */
    1162             : /*     if (!fp || fwrite (p, n, 1, fp) != 1) */
    1163             : /*       exit (2); */
    1164             : /*     fclose (fp); */
    1165             : /*   } */
    1166             : 
    1167           0 :   if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
    1168           0 :     return 0;
    1169           0 :   if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER
    1170           0 :       || ti.length != 1 || *p)
    1171           0 :     return 0;
    1172             : 
    1173           0 :   return 1;
    1174             : }
    1175             : 
    1176             : 
    1177             : static gcry_mpi_t *
    1178           0 : parse_bag_data (const unsigned char *buffer, size_t length, int startoffset,
    1179             :                 size_t *r_consumed, const char *pw)
    1180             : {
    1181             :   int rc;
    1182             :   struct tag_info ti;
    1183           0 :   const unsigned char *p = buffer;
    1184           0 :   const unsigned char *p_start = buffer;
    1185           0 :   size_t n = length;
    1186             :   const char *where;
    1187             :   char salt[20];
    1188             :   size_t saltlen;
    1189             :   char iv[16];
    1190             :   unsigned int iter;
    1191             :   int len;
    1192           0 :   unsigned char *plain = NULL;
    1193           0 :   gcry_mpi_t *result = NULL;
    1194             :   int result_count, i;
    1195           0 :   unsigned char *cram_buffer = NULL;
    1196           0 :   size_t consumed = 0; /* Number of bytes consumed from the original buffer. */
    1197           0 :   int is_pbes2 = 0;
    1198             : 
    1199           0 :   where = "start";
    1200           0 :   if (parse_tag (&p, &n, &ti))
    1201           0 :     goto bailout;
    1202           0 :   if (ti.class != ASNCONTEXT || ti.tag)
    1203             :     goto bailout;
    1204           0 :   if (parse_tag (&p, &n, &ti))
    1205           0 :     goto bailout;
    1206           0 :   if (ti.class || ti.tag != TAG_OCTET_STRING)
    1207             :     goto bailout;
    1208             : 
    1209           0 :   consumed = p - p_start;
    1210           0 :   if (ti.is_constructed && ti.ndef)
    1211             :     {
    1212             :       /* Mozilla exported certs now come with single byte chunks of
    1213             :          octect strings.  (Mozilla Firefox 1.0.4).  Arghh. */
    1214           0 :       where = "cram-data.outersegs";
    1215           0 :       cram_buffer = cram_octet_string ( p, &n, &consumed);
    1216           0 :       if (!cram_buffer)
    1217           0 :         goto bailout;
    1218           0 :       p = p_start = cram_buffer;
    1219           0 :       if (r_consumed)
    1220           0 :         *r_consumed = consumed;
    1221           0 :       r_consumed = NULL; /* Ugly hack to not update that value any further. */
    1222             :     }
    1223             : 
    1224             : 
    1225           0 :   where = "data.outerseqs";
    1226           0 :   if (parse_tag (&p, &n, &ti))
    1227           0 :     goto bailout;
    1228           0 :   if (ti.class || ti.tag != TAG_SEQUENCE)
    1229             :     goto bailout;
    1230           0 :   if (parse_tag (&p, &n, &ti))
    1231           0 :     goto bailout;
    1232           0 :   if (ti.class || ti.tag != TAG_SEQUENCE)
    1233             :     goto bailout;
    1234             : 
    1235           0 :   where = "data.objectidentifier";
    1236           0 :   if (parse_tag (&p, &n, &ti))
    1237           0 :     goto bailout;
    1238           0 :   if (ti.class || ti.tag != TAG_OBJECT_ID
    1239           0 :       || ti.length != DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)
    1240           0 :       || memcmp (p, oid_pkcs_12_pkcs_8ShroudedKeyBag,
    1241             :                  DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)))
    1242             :     goto bailout;
    1243           0 :   p += DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag);
    1244           0 :   n -= DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag);
    1245             : 
    1246           0 :   where = "shrouded,outerseqs";
    1247           0 :   if (parse_tag (&p, &n, &ti))
    1248           0 :     goto bailout;
    1249           0 :   if (ti.class != ASNCONTEXT || ti.tag)
    1250             :     goto bailout;
    1251           0 :   if (parse_tag (&p, &n, &ti))
    1252           0 :     goto bailout;
    1253           0 :   if (ti.class || ti.tag != TAG_SEQUENCE)
    1254             :     goto bailout;
    1255           0 :   if (parse_tag (&p, &n, &ti))
    1256           0 :     goto bailout;
    1257           0 :   if (ti.class || ti.tag != TAG_SEQUENCE)
    1258             :     goto bailout;
    1259           0 :   if (parse_tag (&p, &n, &ti))
    1260           0 :     goto bailout;
    1261           0 :   if (ti.class == 0 && ti.tag == TAG_OBJECT_ID
    1262           0 :       && ti.length == DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)
    1263           0 :       && !memcmp (p, oid_pbeWithSHAAnd3_KeyTripleDES_CBC,
    1264             :                   DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)))
    1265             :     {
    1266           0 :       p += DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC);
    1267           0 :       n -= DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC);
    1268             :     }
    1269           0 :   else if (ti.class == 0 && ti.tag == TAG_OBJECT_ID
    1270           0 :            && ti.length == DIM(oid_pkcs5PBES2)
    1271           0 :            && !memcmp (p, oid_pkcs5PBES2, DIM(oid_pkcs5PBES2)))
    1272             :     {
    1273           0 :       p += DIM(oid_pkcs5PBES2);
    1274           0 :       n -= DIM(oid_pkcs5PBES2);
    1275           0 :       is_pbes2 = 1;
    1276             :     }
    1277             :   else
    1278             :     goto bailout;
    1279             : 
    1280           0 :   if (is_pbes2)
    1281             :     {
    1282           0 :       where = "pkcs5PBES2-params";
    1283           0 :       if (parse_tag (&p, &n, &ti))
    1284           0 :         goto bailout;
    1285           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
    1286             :         goto bailout;
    1287           0 :       if (parse_tag (&p, &n, &ti))
    1288           0 :         goto bailout;
    1289           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
    1290             :         goto bailout;
    1291           0 :       if (parse_tag (&p, &n, &ti))
    1292           0 :         goto bailout;
    1293           0 :       if (!(!ti.class && ti.tag == TAG_OBJECT_ID
    1294           0 :             && ti.length == DIM(oid_pkcs5PBKDF2)
    1295           0 :             && !memcmp (p, oid_pkcs5PBKDF2, ti.length)))
    1296             :         goto bailout; /* Not PBKDF2.  */
    1297           0 :       p += ti.length;
    1298           0 :       n -= ti.length;
    1299           0 :       if (parse_tag (&p, &n, &ti))
    1300           0 :         goto bailout;
    1301           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
    1302             :         goto bailout;
    1303           0 :       if (parse_tag (&p, &n, &ti))
    1304           0 :         goto bailout;
    1305           0 :       if (!(!ti.class && ti.tag == TAG_OCTET_STRING
    1306           0 :             && ti.length >= 8 && ti.length < sizeof salt))
    1307             :         goto bailout;  /* No salt or unsupported length.  */
    1308           0 :       saltlen = ti.length;
    1309           0 :       memcpy (salt, p, saltlen);
    1310           0 :       p += saltlen;
    1311           0 :       n -= saltlen;
    1312             : 
    1313           0 :       if (parse_tag (&p, &n, &ti))
    1314           0 :         goto bailout;
    1315           0 :       if (!(!ti.class && ti.tag == TAG_INTEGER && ti.length))
    1316             :         goto bailout;  /* No valid iteration count.  */
    1317           0 :       for (iter=0; ti.length; ti.length--)
    1318             :         {
    1319           0 :           iter <<= 8;
    1320           0 :           iter |= (*p++) & 0xff;
    1321           0 :           n--;
    1322             :         }
    1323             :       /* Note: We don't support the optional parameters but assume
    1324             :          that the algorithmIdentifier follows. */
    1325           0 :       if (parse_tag (&p, &n, &ti))
    1326           0 :         goto bailout;
    1327           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
    1328             :         goto bailout;
    1329           0 :       if (parse_tag (&p, &n, &ti))
    1330           0 :         goto bailout;
    1331           0 :       if (!(!ti.class && ti.tag == TAG_OBJECT_ID
    1332           0 :             && ti.length == DIM(oid_aes128_CBC)
    1333           0 :             && !memcmp (p, oid_aes128_CBC, ti.length)))
    1334             :         goto bailout; /* Not AES-128.  */
    1335           0 :       p += ti.length;
    1336           0 :       n -= ti.length;
    1337           0 :       if (parse_tag (&p, &n, &ti))
    1338           0 :         goto bailout;
    1339           0 :       if (!(!ti.class && ti.tag == TAG_OCTET_STRING && ti.length == sizeof iv))
    1340             :         goto bailout; /* Bad IV.  */
    1341           0 :       memcpy (iv, p, sizeof iv);
    1342           0 :       p += sizeof iv;
    1343           0 :       n -= sizeof iv;
    1344             :     }
    1345             :   else
    1346             :     {
    1347           0 :       where = "3des-params";
    1348           0 :       if (parse_tag (&p, &n, &ti))
    1349           0 :         goto bailout;
    1350           0 :       if (ti.class || ti.tag != TAG_SEQUENCE)
    1351             :         goto bailout;
    1352           0 :       if (parse_tag (&p, &n, &ti))
    1353           0 :         goto bailout;
    1354           0 :       if (ti.class || ti.tag != TAG_OCTET_STRING
    1355           0 :           || ti.length < 8 || ti.length > 20)
    1356             :         goto bailout;
    1357           0 :       saltlen = ti.length;
    1358           0 :       memcpy (salt, p, saltlen);
    1359           0 :       p += saltlen;
    1360           0 :       n -= saltlen;
    1361           0 :       if (parse_tag (&p, &n, &ti))
    1362           0 :         goto bailout;
    1363           0 :       if (ti.class || ti.tag != TAG_INTEGER || !ti.length )
    1364             :         goto bailout;
    1365           0 :       for (iter=0; ti.length; ti.length--)
    1366             :         {
    1367           0 :           iter <<= 8;
    1368           0 :           iter |= (*p++) & 0xff;
    1369           0 :           n--;
    1370             :         }
    1371             :     }
    1372             : 
    1373           0 :   where = "3desoraes-ciphertext";
    1374           0 :   if (parse_tag (&p, &n, &ti))
    1375           0 :     goto bailout;
    1376           0 :   if (ti.class || ti.tag != TAG_OCTET_STRING || !ti.length )
    1377             :     goto bailout;
    1378             : 
    1379           0 :   log_info ("%lu bytes of %s encrypted text\n",
    1380             :             ti.length, is_pbes2? "AES128":"3DES");
    1381             : 
    1382           0 :   plain = gcry_malloc_secure (ti.length);
    1383           0 :   if (!plain)
    1384             :     {
    1385           0 :       log_error ("error allocating decryption buffer\n");
    1386           0 :       goto bailout;
    1387             :     }
    1388           0 :   consumed += p - p_start + ti.length;
    1389           0 :   decrypt_block (p, plain, ti.length, salt, saltlen, iter,
    1390             :                  iv, is_pbes2? 16:0, pw,
    1391             :                  is_pbes2? GCRY_CIPHER_AES128 : GCRY_CIPHER_3DES,
    1392             :                  bag_data_p);
    1393           0 :   n = ti.length;
    1394           0 :   startoffset = 0;
    1395           0 :   p_start = p = plain;
    1396             : 
    1397           0 :   where = "decrypted-text";
    1398           0 :   if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
    1399             :     goto bailout;
    1400           0 :   if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER
    1401           0 :       || ti.length != 1 || *p)
    1402             :     goto bailout;
    1403           0 :   p++; n--;
    1404           0 :   if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
    1405             :     goto bailout;
    1406           0 :   len = ti.length;
    1407           0 :   if (parse_tag (&p, &n, &ti))
    1408           0 :     goto bailout;
    1409           0 :   if (len < ti.nhdr)
    1410           0 :     goto bailout;
    1411           0 :   len -= ti.nhdr;
    1412           0 :   if (ti.class || ti.tag != TAG_OBJECT_ID
    1413           0 :       || ti.length != DIM(oid_rsaEncryption)
    1414           0 :       || memcmp (p, oid_rsaEncryption,
    1415             :                  DIM(oid_rsaEncryption)))
    1416             :     goto bailout;
    1417           0 :   p += DIM (oid_rsaEncryption);
    1418           0 :   n -= DIM (oid_rsaEncryption);
    1419           0 :   if (len < ti.length)
    1420           0 :     goto bailout;
    1421           0 :   len -= ti.length;
    1422           0 :   if (n < len)
    1423           0 :     goto bailout;
    1424           0 :   p += len;
    1425           0 :   n -= len;
    1426           0 :   if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_OCTET_STRING)
    1427             :     goto bailout;
    1428           0 :   if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
    1429             :     goto bailout;
    1430           0 :   len = ti.length;
    1431             : 
    1432           0 :   result = gcry_calloc (10, sizeof *result);
    1433           0 :   if (!result)
    1434             :     {
    1435           0 :       log_error ( "error allocating result array\n");
    1436           0 :       goto bailout;
    1437             :     }
    1438           0 :   result_count = 0;
    1439             : 
    1440           0 :   where = "reading.key-parameters";
    1441           0 :   for (result_count=0; len && result_count < 9;)
    1442             :     {
    1443           0 :       if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER)
    1444             :         goto bailout;
    1445           0 :       if (len < ti.nhdr)
    1446           0 :         goto bailout;
    1447           0 :       len -= ti.nhdr;
    1448           0 :       if (len < ti.length)
    1449           0 :         goto bailout;
    1450           0 :       len -= ti.length;
    1451           0 :       if (!result_count && ti.length == 1 && !*p)
    1452             :         ; /* ignore the very first one if it is a 0 */
    1453             :       else
    1454             :         {
    1455           0 :           rc = gcry_mpi_scan (result+result_count, GCRYMPI_FMT_USG, p,
    1456             :                               ti.length, NULL);
    1457           0 :           if (rc)
    1458             :             {
    1459           0 :               log_error ("error parsing key parameter: %s\n",
    1460             :                          gpg_strerror (rc));
    1461           0 :               goto bailout;
    1462             :             }
    1463           0 :           result_count++;
    1464             :         }
    1465           0 :       p += ti.length;
    1466           0 :       n -= ti.length;
    1467             :     }
    1468           0 :   if (len)
    1469           0 :     goto bailout;
    1470             : 
    1471           0 :   gcry_free (cram_buffer);
    1472           0 :   if (r_consumed)
    1473           0 :     *r_consumed = consumed;
    1474           0 :   return result;
    1475             : 
    1476             :  bailout:
    1477           0 :   gcry_free (plain);
    1478           0 :   if (result)
    1479             :     {
    1480           0 :       for (i=0; result[i]; i++)
    1481           0 :         gcry_mpi_release (result[i]);
    1482           0 :       gcry_free (result);
    1483             :     }
    1484           0 :   gcry_free (cram_buffer);
    1485           0 :   log_error ( "data error at \"%s\", offset %u\n",
    1486           0 :               where, (unsigned int)((p - buffer) + startoffset));
    1487           0 :   if (r_consumed)
    1488           0 :     *r_consumed = consumed;
    1489           0 :   return NULL;
    1490             : }
    1491             : 
    1492             : 
    1493             : /* Parse a PKCS12 object and return an array of MPI representing the
    1494             :    secret key parameters.  This is a very limited implementation in
    1495             :    that it is only able to look for 3DES encoded encryptedData and
    1496             :    tries to extract the first private key object it finds.  In case of
    1497             :    an error NULL is returned. CERTCB and CERRTCBARG are used to pass
    1498             :    X.509 certificates back to the caller. */
    1499             : gcry_mpi_t *
    1500           0 : p12_parse (const unsigned char *buffer, size_t length, const char *pw,
    1501             :            void (*certcb)(void*, const unsigned char*, size_t),
    1502             :            void *certcbarg, int *r_badpass)
    1503             : {
    1504             :   struct tag_info ti;
    1505           0 :   const unsigned char *p = buffer;
    1506           0 :   const unsigned char *p_start = buffer;
    1507           0 :   size_t n = length;
    1508             :   const char *where;
    1509             :   int bagseqlength, len;
    1510             :   int bagseqndef, lenndef;
    1511           0 :   gcry_mpi_t *result = NULL;
    1512           0 :   unsigned char *cram_buffer = NULL;
    1513             : 
    1514           0 :   *r_badpass = 0;
    1515           0 :   where = "pfx";
    1516           0 :   if (parse_tag (&p, &n, &ti))
    1517           0 :     goto bailout;
    1518           0 :   if (ti.tag != TAG_SEQUENCE)
    1519           0 :     goto bailout;
    1520             : 
    1521           0 :   where = "pfxVersion";
    1522           0 :   if (parse_tag (&p, &n, &ti))
    1523           0 :     goto bailout;
    1524           0 :   if (ti.tag != TAG_INTEGER || ti.length != 1 || *p != 3)
    1525             :     goto bailout;
    1526           0 :   p++; n--;
    1527             : 
    1528           0 :   where = "authSave";
    1529           0 :   if (parse_tag (&p, &n, &ti))
    1530           0 :     goto bailout;
    1531           0 :   if (ti.tag != TAG_SEQUENCE)
    1532           0 :     goto bailout;
    1533           0 :   if (parse_tag (&p, &n, &ti))
    1534           0 :     goto bailout;
    1535           0 :   if (ti.tag != TAG_OBJECT_ID || ti.length != DIM(oid_data)
    1536           0 :       || memcmp (p, oid_data, DIM(oid_data)))
    1537             :     goto bailout;
    1538           0 :   p += DIM(oid_data);
    1539           0 :   n -= DIM(oid_data);
    1540             : 
    1541           0 :   if (parse_tag (&p, &n, &ti))
    1542           0 :     goto bailout;
    1543           0 :   if (ti.class != ASNCONTEXT || ti.tag)
    1544             :     goto bailout;
    1545           0 :   if (parse_tag (&p, &n, &ti))
    1546           0 :     goto bailout;
    1547           0 :   if (ti.class != UNIVERSAL || ti.tag != TAG_OCTET_STRING)
    1548             :     goto bailout;
    1549             : 
    1550           0 :   if (ti.is_constructed && ti.ndef)
    1551             :     {
    1552             :       /* Mozilla exported certs now come with single byte chunks of
    1553             :          octect strings.  (Mozilla Firefox 1.0.4).  Arghh. */
    1554           0 :       where = "cram-bags";
    1555           0 :       cram_buffer = cram_octet_string ( p, &n, NULL);
    1556           0 :       if (!cram_buffer)
    1557           0 :         goto bailout;
    1558           0 :       p = p_start = cram_buffer;
    1559             :     }
    1560             : 
    1561           0 :   where = "bags";
    1562           0 :   if (parse_tag (&p, &n, &ti))
    1563           0 :     goto bailout;
    1564           0 :   if (ti.class != UNIVERSAL || ti.tag != TAG_SEQUENCE)
    1565             :     goto bailout;
    1566           0 :   bagseqndef = ti.ndef;
    1567           0 :   bagseqlength = ti.length;
    1568           0 :   while (bagseqlength || bagseqndef)
    1569             :     {
    1570             : /*       log_debug ( "at offset %u\n", (p - p_start)); */
    1571           0 :       where = "bag-sequence";
    1572           0 :       if (parse_tag (&p, &n, &ti))
    1573           0 :         goto bailout;
    1574           0 :       if (bagseqndef && ti.class == UNIVERSAL && !ti.tag && !ti.is_constructed)
    1575           0 :         break; /* Ready */
    1576           0 :       if (ti.class != UNIVERSAL || ti.tag != TAG_SEQUENCE)
    1577             :         goto bailout;
    1578             : 
    1579           0 :       if (!bagseqndef)
    1580             :         {
    1581           0 :           if (bagseqlength < ti.nhdr)
    1582           0 :             goto bailout;
    1583           0 :           bagseqlength -= ti.nhdr;
    1584           0 :           if (bagseqlength < ti.length)
    1585           0 :             goto bailout;
    1586           0 :           bagseqlength -= ti.length;
    1587             :         }
    1588           0 :       lenndef = ti.ndef;
    1589           0 :       len = ti.length;
    1590             : 
    1591           0 :       if (parse_tag (&p, &n, &ti))
    1592           0 :         goto bailout;
    1593           0 :       if (lenndef)
    1594           0 :         len = ti.nhdr;
    1595             :       else
    1596           0 :         len -= ti.nhdr;
    1597             : 
    1598           0 :       if (ti.tag == TAG_OBJECT_ID && ti.length == DIM(oid_encryptedData)
    1599           0 :           && !memcmp (p, oid_encryptedData, DIM(oid_encryptedData)))
    1600           0 :         {
    1601           0 :           size_t consumed = 0;
    1602             : 
    1603           0 :           p += DIM(oid_encryptedData);
    1604           0 :           n -= DIM(oid_encryptedData);
    1605           0 :           if (!lenndef)
    1606           0 :             len -= DIM(oid_encryptedData);
    1607           0 :           where = "bag.encryptedData";
    1608           0 :           if (parse_bag_encrypted_data (p, n, (p - p_start), &consumed, pw,
    1609             :                                         certcb, certcbarg,
    1610           0 :                                         result? NULL : &result, r_badpass))
    1611           0 :             goto bailout;
    1612           0 :           if (lenndef)
    1613           0 :             len += consumed;
    1614             :         }
    1615           0 :       else if (ti.tag == TAG_OBJECT_ID && ti.length == DIM(oid_data)
    1616           0 :                && !memcmp (p, oid_data, DIM(oid_data)))
    1617             :         {
    1618           0 :           if (result)
    1619             :             {
    1620           0 :               log_info ("already got an key object, skipping this one\n");
    1621           0 :               p += ti.length;
    1622           0 :               n -= ti.length;
    1623             :             }
    1624             :           else
    1625             :             {
    1626           0 :               size_t consumed = 0;
    1627             : 
    1628           0 :               p += DIM(oid_data);
    1629           0 :               n -= DIM(oid_data);
    1630           0 :               if (!lenndef)
    1631           0 :                 len -= DIM(oid_data);
    1632           0 :               result = parse_bag_data (p, n, (p - p_start), &consumed, pw);
    1633           0 :               if (!result)
    1634           0 :                 goto bailout;
    1635           0 :               if (lenndef)
    1636           0 :                 len += consumed;
    1637             :             }
    1638             :         }
    1639             :       else
    1640             :         {
    1641           0 :           log_info ("unknown bag type - skipped\n");
    1642           0 :           p += ti.length;
    1643           0 :           n -= ti.length;
    1644             :         }
    1645             : 
    1646           0 :       if (len < 0 || len > n)
    1647             :         goto bailout;
    1648           0 :       p += len;
    1649           0 :       n -= len;
    1650           0 :       if (lenndef)
    1651             :         {
    1652             :           /* Need to skip the Null Tag. */
    1653           0 :           if (parse_tag (&p, &n, &ti))
    1654           0 :             goto bailout;
    1655           0 :           if (!(ti.class == UNIVERSAL && !ti.tag && !ti.is_constructed))
    1656             :             goto bailout;
    1657             :         }
    1658             :     }
    1659             : 
    1660           0 :   gcry_free (cram_buffer);
    1661           0 :   return result;
    1662             :  bailout:
    1663           0 :   log_error ("error at \"%s\", offset %u\n",
    1664           0 :              where, (unsigned int)(p - p_start));
    1665           0 :   if (result)
    1666             :     {
    1667             :       int i;
    1668             : 
    1669           0 :       for (i=0; result[i]; i++)
    1670           0 :         gcry_mpi_release (result[i]);
    1671           0 :       gcry_free (result);
    1672             :     }
    1673           0 :   gcry_free (cram_buffer);
    1674           0 :   return NULL;
    1675             : }
    1676             : 
    1677             : 
    1678             : 
    1679             : static size_t
    1680           0 : compute_tag_length (size_t n)
    1681             : {
    1682           0 :   int needed = 0;
    1683             : 
    1684           0 :   if (n < 128)
    1685           0 :     needed += 2; /* tag and one length byte */
    1686           0 :   else if (n < 256)
    1687           0 :     needed += 3; /* tag, number of length bytes, 1 length byte */
    1688           0 :   else if (n < 65536)
    1689           0 :     needed += 4; /* tag, number of length bytes, 2 length bytes */
    1690             :   else
    1691             :     {
    1692           0 :       log_error ("object too larger to encode\n");
    1693           0 :       return 0;
    1694             :     }
    1695           0 :   return needed;
    1696             : }
    1697             : 
    1698             : static unsigned char *
    1699           0 : store_tag_length (unsigned char *p, int tag, size_t n)
    1700             : {
    1701           0 :   if (tag == TAG_SEQUENCE)
    1702           0 :     tag |= 0x20; /* constructed */
    1703             : 
    1704           0 :   *p++ = tag;
    1705           0 :   if (n < 128)
    1706           0 :     *p++ = n;
    1707           0 :   else if (n < 256)
    1708             :     {
    1709           0 :       *p++ = 0x81;
    1710           0 :       *p++ = n;
    1711             :     }
    1712           0 :   else if (n < 65536)
    1713             :     {
    1714           0 :       *p++ = 0x82;
    1715           0 :       *p++ = n >> 8;
    1716           0 :       *p++ = n;
    1717             :     }
    1718             : 
    1719           0 :   return p;
    1720             : }
    1721             : 
    1722             : 
    1723             : /* Create the final PKCS-12 object from the sequences contained in
    1724             :    SEQLIST.  PW is the password. That array is terminated with an NULL
    1725             :    object. */
    1726             : static unsigned char *
    1727           0 : create_final (struct buffer_s *sequences, const char *pw, size_t *r_length)
    1728             : {
    1729             :   int i;
    1730           0 :   size_t needed = 0;
    1731             :   size_t len[8], n;
    1732             :   unsigned char *macstart;
    1733             :   size_t maclen;
    1734             :   unsigned char *result, *p;
    1735             :   size_t resultlen;
    1736             :   char salt[8];
    1737             :   unsigned char keybuf[20];
    1738             :   gcry_md_hd_t md;
    1739             :   int rc;
    1740           0 :   int with_mac = 1;
    1741             : 
    1742             : 
    1743             :   /* 9 steps to create the pkcs#12 Krampf. */
    1744             : 
    1745             :   /* 8. The MAC. */
    1746             :   /* We add this at step 0. */
    1747             : 
    1748             :   /* 7. All the buffers. */
    1749           0 :   for (i=0; sequences[i].buffer; i++)
    1750           0 :     needed += sequences[i].length;
    1751             : 
    1752             :   /* 6. This goes into a sequences. */
    1753           0 :   len[6] = needed;
    1754           0 :   n = compute_tag_length (needed);
    1755           0 :   needed += n;
    1756             : 
    1757             :   /* 5. Encapsulate all in an octet string. */
    1758           0 :   len[5] = needed;
    1759           0 :   n = compute_tag_length (needed);
    1760           0 :   needed += n;
    1761             : 
    1762             :   /* 4. And tag it with [0]. */
    1763           0 :   len[4] = needed;
    1764           0 :   n = compute_tag_length (needed);
    1765           0 :   needed += n;
    1766             : 
    1767             :   /* 3. Prepend an data OID. */
    1768           0 :   needed += 2 + DIM (oid_data);
    1769             : 
    1770             :   /* 2. Put all into a sequences. */
    1771           0 :   len[2] = needed;
    1772           0 :   n = compute_tag_length (needed);
    1773           0 :   needed += n;
    1774             : 
    1775             :   /* 1. Prepend the version integer 3. */
    1776           0 :   needed += 3;
    1777             : 
    1778             :   /* 0. And the final outer sequence. */
    1779           0 :   if (with_mac)
    1780           0 :     needed += DIM (data_mactemplate);
    1781           0 :   len[0] = needed;
    1782           0 :   n = compute_tag_length (needed);
    1783           0 :   needed += n;
    1784             : 
    1785             :   /* Allocate a buffer. */
    1786           0 :   result = gcry_malloc (needed);
    1787           0 :   if (!result)
    1788             :     {
    1789           0 :       log_error ("error allocating buffer\n");
    1790           0 :       return NULL;
    1791             :     }
    1792           0 :   p = result;
    1793             : 
    1794             :   /* 0. Store the very outer sequence. */
    1795           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[0]);
    1796             : 
    1797             :   /* 1. Store the version integer 3. */
    1798           0 :   *p++ = TAG_INTEGER;
    1799           0 :   *p++ = 1;
    1800           0 :   *p++ = 3;
    1801             : 
    1802             :   /* 2. Store another sequence. */
    1803           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[2]);
    1804             : 
    1805             :   /* 3. Store the data OID. */
    1806           0 :   p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_data));
    1807           0 :   memcpy (p, oid_data, DIM (oid_data));
    1808           0 :   p += DIM (oid_data);
    1809             : 
    1810             :   /* 4. Next comes a context tag. */
    1811           0 :   p = store_tag_length (p, 0xa0, len[4]);
    1812             : 
    1813             :   /* 5. And an octet string. */
    1814           0 :   p = store_tag_length (p, TAG_OCTET_STRING, len[5]);
    1815             : 
    1816             :   /* 6. And the inner sequence. */
    1817           0 :   macstart = p;
    1818           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[6]);
    1819             : 
    1820             :   /* 7. Append all the buffers. */
    1821           0 :   for (i=0; sequences[i].buffer; i++)
    1822             :     {
    1823           0 :       memcpy (p, sequences[i].buffer, sequences[i].length);
    1824           0 :       p += sequences[i].length;
    1825             :     }
    1826             : 
    1827           0 :   if (with_mac)
    1828             :     {
    1829             :       /* Intermezzo to compute the MAC. */
    1830           0 :       maclen = p - macstart;
    1831           0 :       gcry_randomize (salt, 8, GCRY_STRONG_RANDOM);
    1832           0 :       if (string_to_key (3, salt, 8, 2048, pw, 20, keybuf))
    1833             :         {
    1834           0 :           gcry_free (result);
    1835           0 :           return NULL;
    1836             :         }
    1837           0 :       rc = gcry_md_open (&md, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
    1838           0 :       if (rc)
    1839             :         {
    1840           0 :           log_error ("gcry_md_open failed: %s\n", gpg_strerror (rc));
    1841           0 :           gcry_free (result);
    1842           0 :           return NULL;
    1843             :         }
    1844           0 :       rc = gcry_md_setkey (md, keybuf, 20);
    1845           0 :       if (rc)
    1846             :         {
    1847           0 :           log_error ("gcry_md_setkey failed: %s\n", gpg_strerror (rc));
    1848           0 :           gcry_md_close (md);
    1849           0 :           gcry_free (result);
    1850           0 :           return NULL;
    1851             :         }
    1852           0 :       gcry_md_write (md, macstart, maclen);
    1853             : 
    1854             :       /* 8. Append the MAC template and fix it up. */
    1855           0 :       memcpy (p, data_mactemplate, DIM (data_mactemplate));
    1856           0 :       memcpy (p + DATA_MACTEMPLATE_SALT_OFF, salt, 8);
    1857           0 :       memcpy (p + DATA_MACTEMPLATE_MAC_OFF, gcry_md_read (md, 0), 20);
    1858           0 :       p += DIM (data_mactemplate);
    1859           0 :       gcry_md_close (md);
    1860             :     }
    1861             : 
    1862             :   /* Ready. */
    1863           0 :   resultlen = p - result;
    1864           0 :   if (needed != resultlen)
    1865           0 :     log_debug ("length mismatch: %lu, %lu\n",
    1866             :                (unsigned long)needed, (unsigned long)resultlen);
    1867             : 
    1868           0 :   *r_length = resultlen;
    1869           0 :   return result;
    1870             : }
    1871             : 
    1872             : 
    1873             : /* Build a DER encoded SEQUENCE with the key:
    1874             : 
    1875             :    SEQUENCE {
    1876             :      INTEGER 0
    1877             :      SEQUENCE {
    1878             :        OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
    1879             :        NULL
    1880             :        }
    1881             :      OCTET STRING, encapsulates {
    1882             :        SEQUENCE {
    1883             :          INTEGER 0
    1884             :          INTEGER
    1885             :          INTEGER
    1886             :          INTEGER
    1887             :          INTEGER
    1888             :          INTEGER
    1889             :          INTEGER
    1890             :          INTEGER
    1891             :          INTEGER
    1892             :          }
    1893             :        }
    1894             :      }
    1895             : 
    1896             :   MODE controls what is being generated:
    1897             :      0 - As described above
    1898             :      1 - Ditto but without the padding
    1899             :      2 - Only the inner part (pkcs#1)
    1900             : */
    1901             : 
    1902             : static unsigned char *
    1903           0 : build_key_sequence (gcry_mpi_t *kparms, int mode, size_t *r_length)
    1904             : {
    1905             :   int rc, i;
    1906             :   size_t needed, n;
    1907             :   unsigned char *plain, *p;
    1908             :   size_t plainlen;
    1909             :   size_t outseqlen, oidseqlen, octstrlen, inseqlen;
    1910             : 
    1911           0 :   needed = 3; /* The version integer with value 0. */
    1912           0 :   for (i=0; kparms[i]; i++)
    1913             :     {
    1914           0 :       n = 0;
    1915           0 :       rc = gcry_mpi_print (GCRYMPI_FMT_STD, NULL, 0, &n, kparms[i]);
    1916           0 :       if (rc)
    1917             :         {
    1918           0 :           log_error ("error formatting parameter: %s\n", gpg_strerror (rc));
    1919           0 :           return NULL;
    1920             :         }
    1921           0 :       needed += n;
    1922           0 :       n = compute_tag_length (n);
    1923           0 :       if (!n)
    1924           0 :         return NULL;
    1925           0 :       needed += n;
    1926             :     }
    1927           0 :   if (i != 8)
    1928             :     {
    1929           0 :       log_error ("invalid parameters for p12_build\n");
    1930           0 :       return NULL;
    1931             :     }
    1932             :   /* Now this all goes into a sequence. */
    1933           0 :   inseqlen = needed;
    1934           0 :   n = compute_tag_length (needed);
    1935           0 :   if (!n)
    1936           0 :     return NULL;
    1937           0 :   needed += n;
    1938             : 
    1939           0 :   if (mode != 2)
    1940             :     {
    1941             :       /* Encapsulate all into an octet string. */
    1942           0 :       octstrlen = needed;
    1943           0 :       n = compute_tag_length (needed);
    1944           0 :       if (!n)
    1945           0 :         return NULL;
    1946           0 :       needed += n;
    1947             :       /* Prepend the object identifier sequence. */
    1948           0 :       oidseqlen = 2 + DIM (oid_rsaEncryption) + 2;
    1949           0 :       needed += 2 + oidseqlen;
    1950             :       /* The version number. */
    1951           0 :       needed += 3;
    1952             :       /* And finally put the whole thing into a sequence. */
    1953           0 :       outseqlen = needed;
    1954           0 :       n = compute_tag_length (needed);
    1955           0 :       if (!n)
    1956           0 :         return NULL;
    1957           0 :       needed += n;
    1958             :     }
    1959             : 
    1960             :   /* allocate 8 extra bytes for padding */
    1961           0 :   plain = gcry_malloc_secure (needed+8);
    1962           0 :   if (!plain)
    1963             :     {
    1964           0 :       log_error ("error allocating encryption buffer\n");
    1965           0 :       return NULL;
    1966             :     }
    1967             : 
    1968             :   /* And now fill the plaintext buffer. */
    1969           0 :   p = plain;
    1970           0 :   if (mode != 2)
    1971             :     {
    1972           0 :       p = store_tag_length (p, TAG_SEQUENCE, outseqlen);
    1973             :       /* Store version. */
    1974           0 :       *p++ = TAG_INTEGER;
    1975           0 :       *p++ = 1;
    1976           0 :       *p++ = 0;
    1977             :       /* Store object identifier sequence. */
    1978           0 :       p = store_tag_length (p, TAG_SEQUENCE, oidseqlen);
    1979           0 :       p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_rsaEncryption));
    1980           0 :       memcpy (p, oid_rsaEncryption, DIM (oid_rsaEncryption));
    1981           0 :       p += DIM (oid_rsaEncryption);
    1982           0 :       *p++ = TAG_NULL;
    1983           0 :       *p++ = 0;
    1984             :       /* Start with the octet string. */
    1985           0 :       p = store_tag_length (p, TAG_OCTET_STRING, octstrlen);
    1986             :     }
    1987             : 
    1988           0 :   p = store_tag_length (p, TAG_SEQUENCE, inseqlen);
    1989             :   /* Store the key parameters. */
    1990           0 :   *p++ = TAG_INTEGER;
    1991           0 :   *p++ = 1;
    1992           0 :   *p++ = 0;
    1993           0 :   for (i=0; kparms[i]; i++)
    1994             :     {
    1995           0 :       n = 0;
    1996           0 :       rc = gcry_mpi_print (GCRYMPI_FMT_STD, NULL, 0, &n, kparms[i]);
    1997           0 :       if (rc)
    1998             :         {
    1999           0 :           log_error ("oops: error formatting parameter: %s\n",
    2000             :                      gpg_strerror (rc));
    2001           0 :           gcry_free (plain);
    2002           0 :           return NULL;
    2003             :         }
    2004           0 :       p = store_tag_length (p, TAG_INTEGER, n);
    2005             : 
    2006           0 :       n = plain + needed - p;
    2007           0 :       rc = gcry_mpi_print (GCRYMPI_FMT_STD, p, n, &n, kparms[i]);
    2008           0 :       if (rc)
    2009             :         {
    2010           0 :           log_error ("oops: error storing parameter: %s\n",
    2011             :                      gpg_strerror (rc));
    2012           0 :           gcry_free (plain);
    2013           0 :           return NULL;
    2014             :         }
    2015           0 :       p += n;
    2016             :     }
    2017             : 
    2018           0 :   plainlen = p - plain;
    2019           0 :   assert (needed == plainlen);
    2020             : 
    2021           0 :   if (!mode)
    2022             :     {
    2023             :       /* Append some pad characters; we already allocated extra space. */
    2024           0 :       n = 8 - plainlen % 8;
    2025           0 :       for (i=0; i < n; i++, plainlen++)
    2026           0 :         *p++ = n;
    2027             :     }
    2028             : 
    2029           0 :   *r_length = plainlen;
    2030           0 :   return plain;
    2031             : }
    2032             : 
    2033             : 
    2034             : 
    2035             : static unsigned char *
    2036           0 : build_key_bag (unsigned char *buffer, size_t buflen, char *salt,
    2037             :                const unsigned char *sha1hash, const char *keyidstr,
    2038             :                size_t *r_length)
    2039             : {
    2040             :   size_t len[11], needed;
    2041             :   unsigned char *p, *keybag;
    2042             :   size_t keybaglen;
    2043             : 
    2044             :   /* Walk 11 steps down to collect the info: */
    2045             : 
    2046             :   /* 10. The data goes into an octet string. */
    2047           0 :   needed = compute_tag_length (buflen);
    2048           0 :   needed += buflen;
    2049             : 
    2050             :   /* 9. Prepend the algorithm identifier. */
    2051           0 :   needed += DIM (data_3desiter2048);
    2052             : 
    2053             :   /* 8. Put a sequence around. */
    2054           0 :   len[8] = needed;
    2055           0 :   needed += compute_tag_length (needed);
    2056             : 
    2057             :   /* 7. Prepend a [0] tag. */
    2058           0 :   len[7] = needed;
    2059           0 :   needed += compute_tag_length (needed);
    2060             : 
    2061             :   /* 6b. The attributes which are appended at the end. */
    2062           0 :   if (sha1hash)
    2063           0 :     needed += DIM (data_attrtemplate) + 20;
    2064             : 
    2065             :   /* 6. Prepend the shroudedKeyBag OID. */
    2066           0 :   needed += 2 + DIM (oid_pkcs_12_pkcs_8ShroudedKeyBag);
    2067             : 
    2068             :   /* 5+4. Put all into two sequences. */
    2069           0 :   len[5] = needed;
    2070           0 :   needed += compute_tag_length ( needed);
    2071           0 :   len[4] = needed;
    2072           0 :   needed += compute_tag_length (needed);
    2073             : 
    2074             :   /* 3. This all goes into an octet string. */
    2075           0 :   len[3] = needed;
    2076           0 :   needed += compute_tag_length (needed);
    2077             : 
    2078             :   /* 2. Prepend another [0] tag. */
    2079           0 :   len[2] = needed;
    2080           0 :   needed += compute_tag_length (needed);
    2081             : 
    2082             :   /* 1. Prepend the data OID. */
    2083           0 :   needed += 2 + DIM (oid_data);
    2084             : 
    2085             :   /* 0. Prepend another sequence. */
    2086           0 :   len[0] = needed;
    2087           0 :   needed += compute_tag_length (needed);
    2088             : 
    2089             :   /* Now that we have all length information, allocate a buffer. */
    2090           0 :   p = keybag = gcry_malloc (needed);
    2091           0 :   if (!keybag)
    2092             :     {
    2093           0 :       log_error ("error allocating buffer\n");
    2094           0 :       return NULL;
    2095             :     }
    2096             : 
    2097             :   /* Walk 11 steps up to store the data. */
    2098             : 
    2099             :   /* 0. Store the first sequence. */
    2100           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[0]);
    2101             : 
    2102             :   /* 1. Store the data OID. */
    2103           0 :   p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_data));
    2104           0 :   memcpy (p, oid_data, DIM (oid_data));
    2105           0 :   p += DIM (oid_data);
    2106             : 
    2107             :   /* 2. Store a [0] tag. */
    2108           0 :   p = store_tag_length (p, 0xa0, len[2]);
    2109             : 
    2110             :   /* 3. And an octet string. */
    2111           0 :   p = store_tag_length (p, TAG_OCTET_STRING, len[3]);
    2112             : 
    2113             :   /* 4+5. Two sequences. */
    2114           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[4]);
    2115           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[5]);
    2116             : 
    2117             :   /* 6. Store the shroudedKeyBag OID. */
    2118           0 :   p = store_tag_length (p, TAG_OBJECT_ID,
    2119             :                         DIM (oid_pkcs_12_pkcs_8ShroudedKeyBag));
    2120           0 :   memcpy (p, oid_pkcs_12_pkcs_8ShroudedKeyBag,
    2121             :           DIM (oid_pkcs_12_pkcs_8ShroudedKeyBag));
    2122           0 :   p += DIM (oid_pkcs_12_pkcs_8ShroudedKeyBag);
    2123             : 
    2124             :   /* 7. Store a [0] tag. */
    2125           0 :   p = store_tag_length (p, 0xa0, len[7]);
    2126             : 
    2127             :   /* 8. Store a sequence. */
    2128           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[8]);
    2129             : 
    2130             :   /* 9. Now for the pre-encoded algorithm identifier and the salt. */
    2131           0 :   memcpy (p, data_3desiter2048, DIM (data_3desiter2048));
    2132           0 :   memcpy (p + DATA_3DESITER2048_SALT_OFF, salt, 8);
    2133           0 :   p += DIM (data_3desiter2048);
    2134             : 
    2135             :   /* 10. And the octet string with the encrypted data. */
    2136           0 :   p = store_tag_length (p, TAG_OCTET_STRING, buflen);
    2137           0 :   memcpy (p, buffer, buflen);
    2138           0 :   p += buflen;
    2139             : 
    2140             :   /* Append the attributes whose length we calculated at step 2b. */
    2141           0 :   if (sha1hash)
    2142             :     {
    2143             :       int i;
    2144             : 
    2145           0 :       memcpy (p, data_attrtemplate, DIM (data_attrtemplate));
    2146           0 :       for (i=0; i < 8; i++)
    2147           0 :         p[DATA_ATTRTEMPLATE_KEYID_OFF+2*i+1] = keyidstr[i];
    2148           0 :       p += DIM (data_attrtemplate);
    2149           0 :       memcpy (p, sha1hash, 20);
    2150           0 :       p += 20;
    2151             :     }
    2152             : 
    2153             : 
    2154           0 :   keybaglen = p - keybag;
    2155           0 :   if (needed != keybaglen)
    2156           0 :     log_debug ("length mismatch: %lu, %lu\n",
    2157             :                (unsigned long)needed, (unsigned long)keybaglen);
    2158             : 
    2159           0 :   *r_length = keybaglen;
    2160           0 :   return keybag;
    2161             : }
    2162             : 
    2163             : 
    2164             : static unsigned char *
    2165           0 : build_cert_bag (unsigned char *buffer, size_t buflen, char *salt,
    2166             :                 size_t *r_length)
    2167             : {
    2168             :   size_t len[9], needed;
    2169             :   unsigned char *p, *certbag;
    2170             :   size_t certbaglen;
    2171             : 
    2172             :   /* Walk 9 steps down to collect the info: */
    2173             : 
    2174             :   /* 8. The data goes into an octet string. */
    2175           0 :   needed = compute_tag_length (buflen);
    2176           0 :   needed += buflen;
    2177             : 
    2178             :   /* 7. The algorithm identifier. */
    2179           0 :   needed += DIM (data_rc2iter2048);
    2180             : 
    2181             :   /* 6. The data OID. */
    2182           0 :   needed += 2 + DIM (oid_data);
    2183             : 
    2184             :   /* 5. A sequence. */
    2185           0 :   len[5] = needed;
    2186           0 :   needed += compute_tag_length ( needed);
    2187             : 
    2188             :   /* 4. An integer. */
    2189           0 :   needed += 3;
    2190             : 
    2191             :   /* 3. A sequence. */
    2192           0 :   len[3] = needed;
    2193           0 :   needed += compute_tag_length (needed);
    2194             : 
    2195             :   /* 2.  A [0] tag. */
    2196           0 :   len[2] = needed;
    2197           0 :   needed += compute_tag_length (needed);
    2198             : 
    2199             :   /* 1. The encryptedData OID. */
    2200           0 :   needed += 2 + DIM (oid_encryptedData);
    2201             : 
    2202             :   /* 0. The first sequence. */
    2203           0 :   len[0] = needed;
    2204           0 :   needed += compute_tag_length (needed);
    2205             : 
    2206             :   /* Now that we have all length information, allocate a buffer. */
    2207           0 :   p = certbag = gcry_malloc (needed);
    2208           0 :   if (!certbag)
    2209             :     {
    2210           0 :       log_error ("error allocating buffer\n");
    2211           0 :       return NULL;
    2212             :     }
    2213             : 
    2214             :   /* Walk 9 steps up to store the data. */
    2215             : 
    2216             :   /* 0. Store the first sequence. */
    2217           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[0]);
    2218             : 
    2219             :   /* 1. Store the encryptedData OID. */
    2220           0 :   p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_encryptedData));
    2221           0 :   memcpy (p, oid_encryptedData, DIM (oid_encryptedData));
    2222           0 :   p += DIM (oid_encryptedData);
    2223             : 
    2224             :   /* 2. Store a [0] tag. */
    2225           0 :   p = store_tag_length (p, 0xa0, len[2]);
    2226             : 
    2227             :   /* 3. Store a sequence. */
    2228           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[3]);
    2229             : 
    2230             :   /* 4. Store the integer 0. */
    2231           0 :   *p++ = TAG_INTEGER;
    2232           0 :   *p++ = 1;
    2233           0 :   *p++ = 0;
    2234             : 
    2235             :   /* 5. Store a sequence. */
    2236           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[5]);
    2237             : 
    2238             :   /* 6. Store the data OID. */
    2239           0 :   p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_data));
    2240           0 :   memcpy (p, oid_data, DIM (oid_data));
    2241           0 :   p += DIM (oid_data);
    2242             : 
    2243             :   /* 7. Now for the pre-encoded algorithm identifier and the salt. */
    2244           0 :   memcpy (p, data_rc2iter2048, DIM (data_rc2iter2048));
    2245           0 :   memcpy (p + DATA_RC2ITER2048_SALT_OFF, salt, 8);
    2246           0 :   p += DIM (data_rc2iter2048);
    2247             : 
    2248             :   /* 8. And finally the [0] tag with the encrypted data. */
    2249           0 :   p = store_tag_length (p, 0x80, buflen);
    2250           0 :   memcpy (p, buffer, buflen);
    2251           0 :   p += buflen;
    2252           0 :   certbaglen = p - certbag;
    2253             : 
    2254           0 :   if (needed != certbaglen)
    2255           0 :     log_debug ("length mismatch: %lu, %lu\n",
    2256             :                (unsigned long)needed, (unsigned long)certbaglen);
    2257             : 
    2258           0 :   *r_length = certbaglen;
    2259           0 :   return certbag;
    2260             : }
    2261             : 
    2262             : 
    2263             : static unsigned char *
    2264           0 : build_cert_sequence (const unsigned char *buffer, size_t buflen,
    2265             :                      const unsigned char *sha1hash, const char *keyidstr,
    2266             :                      size_t *r_length)
    2267             : {
    2268             :   size_t len[8], needed, n;
    2269             :   unsigned char *p, *certseq;
    2270             :   size_t certseqlen;
    2271             :   int i;
    2272             : 
    2273           0 :   assert (strlen (keyidstr) == 8);
    2274             : 
    2275             :   /* Walk 8 steps down to collect the info: */
    2276             : 
    2277             :   /* 7. The data goes into an octet string. */
    2278           0 :   needed = compute_tag_length (buflen);
    2279           0 :   needed += buflen;
    2280             : 
    2281             :   /* 6. A [0] tag. */
    2282           0 :   len[6] = needed;
    2283           0 :   needed += compute_tag_length (needed);
    2284             : 
    2285             :   /* 5. An OID. */
    2286           0 :   needed += 2 + DIM (oid_x509Certificate_for_pkcs_12);
    2287             : 
    2288             :   /* 4. A sequence. */
    2289           0 :   len[4] = needed;
    2290           0 :   needed += compute_tag_length (needed);
    2291             : 
    2292             :   /* 3. A [0] tag. */
    2293           0 :   len[3] = needed;
    2294           0 :   needed += compute_tag_length (needed);
    2295             : 
    2296             :   /* 2b. The attributes which are appended at the end. */
    2297           0 :   if (sha1hash)
    2298           0 :     needed += DIM (data_attrtemplate) + 20;
    2299             : 
    2300             :   /* 2. An OID. */
    2301           0 :   needed += 2 + DIM (oid_pkcs_12_CertBag);
    2302             : 
    2303             :   /* 1. A sequence. */
    2304           0 :   len[1] = needed;
    2305           0 :   needed += compute_tag_length (needed);
    2306             : 
    2307             :   /* 0. The first sequence. */
    2308           0 :   len[0] = needed;
    2309           0 :   needed += compute_tag_length (needed);
    2310             : 
    2311             :   /* Now that we have all length information, allocate a buffer. */
    2312           0 :   p = certseq = gcry_malloc (needed + 8 /*(for padding)*/);
    2313           0 :   if (!certseq)
    2314             :     {
    2315           0 :       log_error ("error allocating buffer\n");
    2316           0 :       return NULL;
    2317             :     }
    2318             : 
    2319             :   /* Walk 8 steps up to store the data. */
    2320             : 
    2321             :   /* 0. Store the first sequence. */
    2322           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[0]);
    2323             : 
    2324             :   /* 1. Store the second sequence. */
    2325           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[1]);
    2326             : 
    2327             :   /* 2. Store the pkcs12-cert-bag OID. */
    2328           0 :   p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_pkcs_12_CertBag));
    2329           0 :   memcpy (p, oid_pkcs_12_CertBag, DIM (oid_pkcs_12_CertBag));
    2330           0 :   p += DIM (oid_pkcs_12_CertBag);
    2331             : 
    2332             :   /* 3. Store a [0] tag. */
    2333           0 :   p = store_tag_length (p, 0xa0, len[3]);
    2334             : 
    2335             :   /* 4. Store a sequence. */
    2336           0 :   p = store_tag_length (p, TAG_SEQUENCE, len[4]);
    2337             : 
    2338             :   /* 5. Store the x509Certificate OID. */
    2339           0 :   p = store_tag_length (p, TAG_OBJECT_ID,
    2340             :                         DIM (oid_x509Certificate_for_pkcs_12));
    2341           0 :   memcpy (p, oid_x509Certificate_for_pkcs_12,
    2342             :           DIM (oid_x509Certificate_for_pkcs_12));
    2343           0 :   p += DIM (oid_x509Certificate_for_pkcs_12);
    2344             : 
    2345             :   /* 6. Store a [0] tag. */
    2346           0 :   p = store_tag_length (p, 0xa0, len[6]);
    2347             : 
    2348             :   /* 7. And the octet string with the actual certificate. */
    2349           0 :   p = store_tag_length (p, TAG_OCTET_STRING, buflen);
    2350           0 :   memcpy (p, buffer, buflen);
    2351           0 :   p += buflen;
    2352             : 
    2353             :   /* Append the attributes whose length we calculated at step 2b. */
    2354           0 :   if (sha1hash)
    2355             :     {
    2356           0 :       memcpy (p, data_attrtemplate, DIM (data_attrtemplate));
    2357           0 :       for (i=0; i < 8; i++)
    2358           0 :         p[DATA_ATTRTEMPLATE_KEYID_OFF+2*i+1] = keyidstr[i];
    2359           0 :       p += DIM (data_attrtemplate);
    2360           0 :       memcpy (p, sha1hash, 20);
    2361           0 :       p += 20;
    2362             :     }
    2363             : 
    2364           0 :   certseqlen = p - certseq;
    2365           0 :   if (needed != certseqlen)
    2366           0 :     log_debug ("length mismatch: %lu, %lu\n",
    2367             :                (unsigned long)needed, (unsigned long)certseqlen);
    2368             : 
    2369             :   /* Append some pad characters; we already allocated extra space. */
    2370           0 :   n = 8 - certseqlen % 8;
    2371           0 :   for (i=0; i < n; i++, certseqlen++)
    2372           0 :     *p++ = n;
    2373             : 
    2374           0 :   *r_length = certseqlen;
    2375           0 :   return certseq;
    2376             : }
    2377             : 
    2378             : 
    2379             : /* Expect the RSA key parameters in KPARMS and a password in PW.
    2380             :    Create a PKCS structure from it and return it as well as the length
    2381             :    in R_LENGTH; return NULL in case of an error.  If CHARSET is not
    2382             :    NULL, re-encode PW to that character set. */
    2383             : unsigned char *
    2384           0 : p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
    2385             :            const char *pw, const char *charset, size_t *r_length)
    2386             : {
    2387           0 :   unsigned char *buffer = NULL;
    2388             :   size_t n, buflen;
    2389             :   char salt[8];
    2390             :   struct buffer_s seqlist[3];
    2391           0 :   int seqlistidx = 0;
    2392             :   unsigned char sha1hash[20];
    2393             :   char keyidstr[8+1];
    2394           0 :   char *pwbuf = NULL;
    2395           0 :   size_t pwbufsize = 0;
    2396             : 
    2397           0 :   n = buflen = 0; /* (avoid compiler warning). */
    2398           0 :   memset (sha1hash, 0, 20);
    2399           0 :   *keyidstr = 0;
    2400             : 
    2401           0 :   if (charset && pw && *pw)
    2402             :     {
    2403             :       jnlib_iconv_t cd;
    2404             :       const char *inptr;
    2405             :       char *outptr;
    2406             :       size_t inbytes, outbytes;
    2407             : 
    2408             :       /* We assume that the converted passphrase is at max 2 times
    2409             :          longer than its utf-8 encoding. */
    2410           0 :       pwbufsize = strlen (pw)*2 + 1;
    2411           0 :       pwbuf = gcry_malloc_secure (pwbufsize);
    2412           0 :       if (!pwbuf)
    2413             :         {
    2414           0 :           log_error ("out of secure memory while converting passphrase\n");
    2415           0 :           goto failure;
    2416             :         }
    2417             : 
    2418           0 :       cd = jnlib_iconv_open (charset, "utf-8");
    2419           0 :       if (cd == (jnlib_iconv_t)(-1))
    2420             :         {
    2421           0 :           log_error ("can't convert passphrase to"
    2422             :                      " requested charset '%s': %s\n",
    2423           0 :                      charset, strerror (errno));
    2424           0 :           goto failure;
    2425             :         }
    2426             : 
    2427           0 :       inptr = pw;
    2428           0 :       inbytes = strlen (pw);
    2429           0 :       outptr = pwbuf;
    2430           0 :       outbytes = pwbufsize - 1;
    2431           0 :       if ( jnlib_iconv (cd, (const char **)&inptr, &inbytes,
    2432             :                       &outptr, &outbytes) == (size_t)-1)
    2433             :         {
    2434           0 :           log_error ("error converting passphrase to"
    2435             :                      " requested charset '%s': %s\n",
    2436           0 :                      charset, strerror (errno));
    2437           0 :           jnlib_iconv_close (cd);
    2438           0 :           goto failure;
    2439             :         }
    2440           0 :       *outptr = 0;
    2441           0 :       jnlib_iconv_close (cd);
    2442           0 :       pw = pwbuf;
    2443             :     }
    2444             : 
    2445             : 
    2446           0 :   if (cert && certlen)
    2447             :     {
    2448             :       /* Calculate the hash value we need for the bag attributes. */
    2449           0 :       gcry_md_hash_buffer (GCRY_MD_SHA1, sha1hash, cert, certlen);
    2450           0 :       sprintf (keyidstr, "%02x%02x%02x%02x",
    2451           0 :                sha1hash[16], sha1hash[17], sha1hash[18], sha1hash[19]);
    2452             : 
    2453             :       /* Encode the certificate. */
    2454           0 :       buffer = build_cert_sequence (cert, certlen, sha1hash, keyidstr,
    2455             :                                     &buflen);
    2456           0 :       if (!buffer)
    2457           0 :         goto failure;
    2458             : 
    2459             :       /* Encrypt it. */
    2460           0 :       gcry_randomize (salt, 8, GCRY_STRONG_RANDOM);
    2461           0 :       crypt_block (buffer, buflen, salt, 8, 2048, NULL, 0, pw,
    2462             :                    GCRY_CIPHER_RFC2268_40, 1);
    2463             : 
    2464             :       /* Encode the encrypted stuff into a bag. */
    2465           0 :       seqlist[seqlistidx].buffer = build_cert_bag (buffer, buflen, salt, &n);
    2466           0 :       seqlist[seqlistidx].length = n;
    2467           0 :       gcry_free (buffer);
    2468           0 :       buffer = NULL;
    2469           0 :       if (!seqlist[seqlistidx].buffer)
    2470           0 :         goto failure;
    2471           0 :       seqlistidx++;
    2472             :     }
    2473             : 
    2474             : 
    2475           0 :   if (kparms)
    2476             :     {
    2477             :       /* Encode the key. */
    2478           0 :       buffer = build_key_sequence (kparms, 0, &buflen);
    2479           0 :       if (!buffer)
    2480           0 :         goto failure;
    2481             : 
    2482             :       /* Encrypt it. */
    2483           0 :       gcry_randomize (salt, 8, GCRY_STRONG_RANDOM);
    2484           0 :       crypt_block (buffer, buflen, salt, 8, 2048, NULL, 0,
    2485             :                    pw, GCRY_CIPHER_3DES, 1);
    2486             : 
    2487             :       /* Encode the encrypted stuff into a bag. */
    2488           0 :       if (cert && certlen)
    2489           0 :         seqlist[seqlistidx].buffer = build_key_bag (buffer, buflen, salt,
    2490             :                                                     sha1hash, keyidstr, &n);
    2491             :       else
    2492           0 :         seqlist[seqlistidx].buffer = build_key_bag (buffer, buflen, salt,
    2493             :                                                     NULL, NULL, &n);
    2494           0 :       seqlist[seqlistidx].length = n;
    2495           0 :       gcry_free (buffer);
    2496           0 :       buffer = NULL;
    2497           0 :       if (!seqlist[seqlistidx].buffer)
    2498           0 :         goto failure;
    2499           0 :       seqlistidx++;
    2500             :     }
    2501             : 
    2502           0 :   seqlist[seqlistidx].buffer = NULL;
    2503           0 :   seqlist[seqlistidx].length = 0;
    2504             : 
    2505           0 :   buffer = create_final (seqlist, pw, &buflen);
    2506             : 
    2507             :  failure:
    2508           0 :   if (pwbuf)
    2509             :     {
    2510             :       /* Note that wipememory is not really needed due to the use of
    2511             :          gcry_malloc_secure.  */
    2512           0 :       wipememory (pwbuf, pwbufsize);
    2513           0 :       gcry_free (pwbuf);
    2514             :     }
    2515           0 :   for ( ; seqlistidx; seqlistidx--)
    2516           0 :     gcry_free (seqlist[seqlistidx].buffer);
    2517             : 
    2518           0 :   *r_length = buffer? buflen : 0;
    2519           0 :   return buffer;
    2520             : }
    2521             : 
    2522             : 
    2523             : /* This is actually not a pkcs#12 function but one which creates an
    2524             :    unencrypted a pkcs#1 private key.  */
    2525             : unsigned char *
    2526           0 : p12_raw_build (gcry_mpi_t *kparms, int rawmode, size_t *r_length)
    2527             : {
    2528             :   unsigned char *buffer;
    2529             :   size_t buflen;
    2530             : 
    2531           0 :   assert (rawmode == 1 || rawmode == 2);
    2532           0 :   buffer = build_key_sequence (kparms, rawmode, &buflen);
    2533           0 :   if (!buffer)
    2534           0 :     return NULL;
    2535             : 
    2536           0 :   *r_length = buflen;
    2537           0 :   return buffer;
    2538             : }
    2539             : 
    2540             : 
    2541             : #ifdef TEST
    2542             : 
    2543             : static void
    2544             : cert_cb (void *opaque, const unsigned char *cert, size_t certlen)
    2545             : {
    2546             :   printf ("got a certificate of %u bytes length\n", certlen);
    2547             : }
    2548             : 
    2549             : int
    2550             : main (int argc, char **argv)
    2551             : {
    2552             :   FILE *fp;
    2553             :   struct stat st;
    2554             :   unsigned char *buf;
    2555             :   size_t buflen;
    2556             :   gcry_mpi_t *result;
    2557             :   int badpass;
    2558             : 
    2559             :   if (argc != 3)
    2560             :     {
    2561             :       fprintf (stderr, "usage: testp12 file passphrase\n");
    2562             :       return 1;
    2563             :     }
    2564             : 
    2565             :   gcry_control (GCRYCTL_DISABLE_SECMEM, NULL);
    2566             :   gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL);
    2567             : 
    2568             :   fp = fopen (argv[1], "rb");
    2569             :   if (!fp)
    2570             :     {
    2571             :       fprintf (stderr, "can't open '%s': %s\n", argv[1], strerror (errno));
    2572             :       return 1;
    2573             :     }
    2574             : 
    2575             :   if (fstat (fileno(fp), &st))
    2576             :     {
    2577             :       fprintf (stderr, "can't stat '%s': %s\n", argv[1], strerror (errno));
    2578             :       return 1;
    2579             :     }
    2580             : 
    2581             :   buflen = st.st_size;
    2582             :   buf = gcry_malloc (buflen+1);
    2583             :   if (!buf || fread (buf, buflen, 1, fp) != 1)
    2584             :     {
    2585             :       fprintf (stderr, "error reading '%s': %s\n", argv[1], strerror (errno));
    2586             :       return 1;
    2587             :     }
    2588             :   fclose (fp);
    2589             : 
    2590             :   result = p12_parse (buf, buflen, argv[2], cert_cb, NULL, &badpass);
    2591             :   if (result)
    2592             :     {
    2593             :       int i, rc;
    2594             :       unsigned char *tmpbuf;
    2595             : 
    2596             :       for (i=0; result[i]; i++)
    2597             :         {
    2598             :           rc = gcry_mpi_aprint (GCRYMPI_FMT_HEX, &tmpbuf,
    2599             :                                 NULL, result[i]);
    2600             :           if (rc)
    2601             :             printf ("%d: [error printing number: %s]\n",
    2602             :                     i, gpg_strerror (rc));
    2603             :           else
    2604             :             {
    2605             :               printf ("%d: %s\n", i, tmpbuf);
    2606             :               gcry_free (tmpbuf);
    2607             :             }
    2608             :         }
    2609             :     }
    2610             : 
    2611             :   return 0;
    2612             : 
    2613             : }
    2614             : 
    2615             : /*
    2616             : Local Variables:
    2617             : compile-command: "gcc -Wall -O0 -g -DTEST=1 -o minip12 minip12.c ../common/libcommon.a -L /usr/local/lib -lgcrypt -lgpg-error"
    2618             : End:
    2619             : */
    2620             : #endif /* TEST */

Generated by: LCOV version 1.11