* Routines for PKCS#12: Personal Information Exchange packet dissection
* Graeme Lunt 2006
*
- * $Id$
+ * See "PKCS #12 v1.1: Personal Information Exchange Syntax":
+ *
+ * http://www.emc.com/emc-plus/rsa-labs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
-#ifdef HAVE_CONFIG_H
-# include "config.h"
-#endif
+#include "config.h"
-#include <glib.h>
#include <epan/packet.h>
-#include <epan/conversation.h>
+#include <epan/expert.h>
#include <epan/oids.h>
#include <epan/asn1.h>
#include <epan/prefs.h>
-#include <stdio.h>
-#include <string.h>
-
#include "packet-ber.h"
#include "packet-pkcs12.h"
#include "packet-x509af.h"
#include "packet-x509if.h"
#include "packet-cms.h"
-#ifndef _WIN32
-#include <sys/types.h>
-#include <sys/time.h>
-#endif
-
-#ifdef HAVE_LIBGCRYPT
-#ifdef _WIN32
-#include <winposixtype.h>
-#endif
-#include "gcrypt.h"
-#endif
+#include <wsutil/wsgcrypt.h>
#define PNAME "PKCS#12: Personal Information Exchange"
#define PSNAME "PKCS12"
#define PKCS12_PBE_3DES_SHA1_OID "1.2.840.113549.1.12.1.3"
#define PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6"
+void proto_register_pkcs12(void);
+void proto_reg_handoff_pkcs12(void);
+
/* Initialize the protocol and registered fields */
-int proto_pkcs12 = -1;
+static int proto_pkcs12 = -1;
static int hf_pkcs12_X509Certificate_PDU = -1;
+static int hf_pkcs12_AuthenticatedSafe_PDU = -1; /* AuthenticatedSafe */
static gint ett_decrypted_pbe = -1;
-static const char *object_identifier_id = NULL;
+static expert_field ei_pkcs12_octet_string_expected = EI_INIT;
+
+
+static const char *object_identifier_id = NULL;
static int iteration_count = 0;
static tvbuff_t *salt = NULL;
static const char *password = NULL;
static void dissect_AuthenticatedSafe_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
static void dissect_SafeContents_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
-static void dissect_PrivateKeyInfo_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
+static int dissect_PrivateKeyInfo_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data);
#include "packet-pkcs12-hf.c"
{
const char *name = NULL;
- name = oid_resolved_from_string(oid);
- proto_item_append_text(tree, " (%s)", name ? name : oid);
+ name = oid_resolved_from_string(wmem_packet_scope(), oid);
+ proto_item_append_text(tree, " (%s)", name ? name : oid);
}
#ifdef HAVE_LIBGCRYPT
-int
+static int
generate_key_or_iv(unsigned int id, tvbuff_t *salt_tvb, unsigned int iter,
const char *pw, unsigned int req_keylen, char * keybuf)
{
unsigned int i, j;
gcry_md_hd_t md;
gcry_mpi_t num_b1 = NULL;
- unsigned int pwlen;
+ size_t pwlen;
char hash[20], buf_b[64], buf_i[128], *p;
- char *salt;
+ char *salt_p;
int salt_size;
size_t cur_keylen;
size_t n;
cur_keylen = 0;
- salt_size = tvb_length(salt_tvb);
- salt = tvb_get_ephemeral_string(salt_tvb, 0, salt_size);
+ salt_size = tvb_captured_length(salt_tvb);
+ salt_p = (char *)tvb_memdup(wmem_packet_scope(), salt_tvb, 0, salt_size);
if (pw == NULL)
pwlen = 0;
else
- pwlen = strlen (pw);
+ pwlen = strlen(pw);
if (pwlen > 63 / 2)
{
/* Store salt and password in BUF_I */
p = buf_i;
for (i = 0; i < 64; i++)
- *p++ = salt[i % salt_size];
+ *p++ = salt_p[i % salt_size];
if (pw)
{
for (i = j = 0; i < 64; i += 2)
else
memset (p, 0, 64);
- for (;;){
+ for (;;) {
err = gcry_md_open(&md, GCRY_MD_SHA1, 0);
- if (gcry_err_code(err)) {
- return FALSE;
- }
- for (i = 0; i < 64; i++) {
- unsigned char lid = id & 0xFF;
- gcry_md_write (md, &lid, 1);
- }
-
- gcry_md_write(md, buf_i, pw ? 128 : 64);
+ if (gcry_err_code(err))
+ {
+ return FALSE;
+ }
+ for (i = 0; i < 64; i++)
+ {
+ unsigned char lid = id & 0xFF;
+ gcry_md_write (md, &lid, 1);
+ }
+
+ gcry_md_write(md, buf_i, pw ? 128 : 64);
gcry_md_final (md);
memcpy (hash, gcry_md_read (md, 0), 20);
-
- gcry_md_close (md);
-
- for (i = 1; i < iter; i++)
- gcry_md_hash_buffer (GCRY_MD_SHA1, hash, hash, 20);
+
+ gcry_md_close (md);
+
+ for (i = 1; i < iter; i++)
+ gcry_md_hash_buffer (GCRY_MD_SHA1, hash, hash, 20);
for (i = 0; i < 20 && cur_keylen < req_keylen; i++)
- keybuf[cur_keylen++] = hash[i];
+ keybuf[cur_keylen++] = hash[i];
- if (cur_keylen == req_keylen) {
- gcry_mpi_release (num_b1);
- return TRUE; /* ready */
- }
+ if (cur_keylen == req_keylen)
+ {
+ gcry_mpi_release (num_b1);
+ return TRUE; /* ready */
+ }
/* need more bytes. */
for (i = 0; i < 64; i++)
- buf_b[i] = hash[i % 20];
+ buf_b[i] = hash[i % 20];
- n = 64;
+ n = 64;
- rc = gcry_mpi_scan (&num_b1, GCRYMPI_FMT_USG, buf_b, n, &n);
+ rc = gcry_mpi_scan (&num_b1, GCRYMPI_FMT_USG, buf_b, n, &n);
- if (rc != 0) {
- return FALSE;
- }
+ if (rc != 0)
+ {
+ return FALSE;
+ }
- gcry_mpi_add_ui (num_b1, num_b1, 1);
+ gcry_mpi_add_ui (num_b1, num_b1, 1);
- for (i = 0; i < 128; i += 64) {
- gcry_mpi_t num_ij;
-
- n = 64;
- rc = gcry_mpi_scan (&num_ij, GCRYMPI_FMT_USG, buf_i + i, n, &n);
+ for (i = 0; i < 128; i += 64)
+ {
+ gcry_mpi_t num_ij;
- if (rc != 0) {
- return FALSE;
- }
-
- gcry_mpi_add (num_ij, num_ij, num_b1);
- gcry_mpi_clear_highbit (num_ij, 64 * 8);
-
- n = 64;
-
- rc = gcry_mpi_print (GCRYMPI_FMT_USG, buf_i + i, n, &n, num_ij);
- if (rc != 0){
- return FALSE;
- }
+ n = 64;
+ rc = gcry_mpi_scan (&num_ij, GCRYMPI_FMT_USG, buf_i + i, n, &n);
+
+ if (rc != 0)
+ {
+ return FALSE;
+ }
+
+ gcry_mpi_add (num_ij, num_ij, num_b1);
+ gcry_mpi_clear_highbit (num_ij, 64 * 8);
+
+ n = 64;
+
+ rc = gcry_mpi_print (GCRYMPI_FMT_USG, buf_i + i, n, &n, num_ij);
+ if (rc != 0)
+ {
+ return FALSE;
+ }
- gcry_mpi_release (num_ij);
- }
+ gcry_mpi_release (num_ij);
+ }
}
}
-#endif
+#endif
-void PBE_reset_parameters()
+void PBE_reset_parameters(void)
{
iteration_count = 0;
salt = NULL;
}
-int PBE_decrypt_data(const char *object_identifier_id _U_, tvbuff_t *encrypted_tvb _U_, asn1_ctx_t *actx _U_, proto_item *item _U_)
+int PBE_decrypt_data(const char *object_identifier_id_param _U_, tvbuff_t *encrypted_tvb _U_, asn1_ctx_t *actx _U_, proto_item *item _U_)
{
#ifdef HAVE_LIBGCRYPT
const char *encryption_algorithm;
proto_tree *tree;
char byte;
gboolean decrypt_ok = TRUE;
-
+
if(((password == NULL) || (*password == '\0')) && (try_null_password == FALSE)) {
/* we are not configured to decrypt */
return FALSE;
mode = GCRY_CIPHER_MODE_CBC;
} else {
/* we don't know how to decrypt this */
-
+
proto_item_append_text(item, " [Unsupported encryption algorithm]");
return FALSE;
}
- if((iteration_count == 0) || (salt == NULL)) {
+ if((iteration_count == 0) || (salt == NULL)) {
proto_item_append_text(item, " [Insufficient parameters]");
return FALSE;
}
/* allocate buffers */
- key = ep_alloc(keylen);
+ key = (char *)wmem_alloc(wmem_packet_scope(), keylen);
if(!generate_key_or_iv(1 /*LEY */, salt, iteration_count, password, keylen, key))
return FALSE;
if(ivlen) {
-
- iv = ep_alloc(ivlen);
-
+
+ iv = (char *)wmem_alloc(wmem_packet_scope(), ivlen);
+
if(!generate_key_or_iv(2 /* IV */, salt, iteration_count, password, ivlen, iv))
return FALSE;
}
if (gcry_err_code (err))
return FALSE;
- err = gcry_cipher_setkey (cipher, key, keylen);
+ err = gcry_cipher_setkey (cipher, key, keylen);
if (gcry_err_code (err)) {
gcry_cipher_close (cipher);
return FALSE;
}
-
+
if(ivlen) {
- err = gcry_cipher_setiv (cipher, iv, ivlen);
+ err = gcry_cipher_setiv (cipher, iv, ivlen);
if (gcry_err_code (err)) {
gcry_cipher_close (cipher);
return FALSE;
}
}
- datalen = tvb_length(encrypted_tvb);
- clear_data = g_malloc(datalen);
+ datalen = tvb_captured_length(encrypted_tvb);
+ clear_data = (char *)g_malloc(datalen);
- err = gcry_cipher_decrypt (cipher, clear_data, datalen, tvb_get_ephemeral_string(encrypted_tvb, 0, datalen), datalen);
+ err = gcry_cipher_decrypt (cipher, clear_data, datalen, (char *)tvb_memdup(wmem_packet_scope(), encrypted_tvb, 0, datalen), datalen);
if (gcry_err_code (err)) {
proto_item_append_text(item, " [Failed to decrypt with password preference]");
gcry_cipher_close (cipher);
/* We don't know if we have successfully decrypted the data or not so we:
- a) check the trailing bytes
+ a) check the trailing bytes
b) see if we start with a sequence or a set (is this too constraining?
*/
break;
}
}
- } else {
+ } else {
/* XXX: is this a failure? */
}
/* OK - so now clear_data contains the decrypted data */
- clear_tvb = tvb_new_real_data((const guint8 *)clear_data, datalen, datalen);
+ clear_tvb = tvb_new_child_real_data(encrypted_tvb,(const guint8 *)clear_data, datalen, datalen);
tvb_set_free_cb(clear_tvb, g_free);
name = g_string_new("");
- oidname = oid_resolved_from_string(object_identifier_id);
- g_string_sprintf(name, "Decrypted %s", oidname ? oidname : object_identifier_id);
+ oidname = oid_resolved_from_string(wmem_packet_scope(), object_identifier_id_param);
+ g_string_printf(name, "Decrypted %s", oidname ? oidname : object_identifier_id_param);
/* add it as a new source */
add_new_data_source(actx->pinfo, clear_tvb, name->str);
-
+
g_string_free(name, TRUE);
/* now try and decode it */
- call_ber_oid_callback(object_identifier_id, clear_tvb, 0, actx->pinfo, tree);
+ call_ber_oid_callback(object_identifier_id_param, clear_tvb, 0, actx->pinfo, tree, NULL);
- return TRUE;
+ return TRUE;
#else
/* we cannot decrypt */
return FALSE;
#include "packet-pkcs12-fn.c"
-static int strip_octet_string(tvbuff_t *tvb)
+static int strip_octet_string(tvbuff_t *tvb)
{
- gint8 class;
+ gint8 ber_class;
gboolean pc, ind;
gint32 tag;
guint32 len;
/* if we use CMS (rather than PKCS#7) - which we are - we need to strip the OCTET STRING tag */
/* before proceeding */
- offset = get_ber_identifier(tvb, 0, &class, &pc, &tag);
+ offset = get_ber_identifier(tvb, 0, &ber_class, &pc, &tag);
offset = get_ber_length(tvb, offset, &len, &ind);
- if((class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_OCTETSTRING))
+ if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_OCTETSTRING))
return offset;
return 0;
if((offset = strip_octet_string(tvb)) > 0)
dissect_pkcs12_AuthenticatedSafe(FALSE, tvb, offset, &asn1_ctx, tree, hf_pkcs12_AuthenticatedSafe_PDU);
else
- proto_tree_add_text(tree, tvb, 0, 1, "BER Error: OCTET STRING expected");
+ proto_tree_add_expert(tree, pinfo, &ei_pkcs12_octet_string_expected, tvb, 0, 1);
}
-static void dissect_SafeContents_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+static void dissect_SafeContents_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
int offset = 0;
asn1_ctx_t asn1_ctx;
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
offset = strip_octet_string(tvb);
-
+
dissect_pkcs12_SafeContents(FALSE, tvb, offset, &asn1_ctx, tree, hf_pkcs12_SafeContents_PDU);
}
-static void dissect_X509Certificate_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+static void dissect_X509Certificate_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
int offset = 0;
asn1_ctx_t asn1_ctx;
if((offset = strip_octet_string(tvb)) > 0)
dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, tree, hf_pkcs12_X509Certificate_PDU);
else
- proto_tree_add_text(tree, tvb, 0, 1, "BER Error: OCTET STRING expected");
+ proto_tree_add_expert(tree, pinfo, &ei_pkcs12_octet_string_expected, tvb, 0, 1);
}
/*--- proto_register_pkcs12 ----------------------------------------------*/
/* List of fields */
static hf_register_info hf[] = {
- { &hf_pkcs12_X509Certificate_PDU,
+ { &hf_pkcs12_X509Certificate_PDU,
{ "X509Certificate", "pkcs12.X509Certificate",
FT_NONE, BASE_NONE, NULL, 0,
"pkcs12.X509Certificate", HFILL }},
+ { &hf_pkcs12_AuthenticatedSafe_PDU,
+ { "AuthenticatedSafe", "pkcs12.AuthenticatedSafe",
+ FT_UINT32, BASE_DEC, NULL, 0,
+ NULL, HFILL }},
+
#include "packet-pkcs12-hfarr.c"
};
&ett_decrypted_pbe,
#include "packet-pkcs12-ettarr.c"
};
+ static ei_register_info ei[] = {
+ { &ei_pkcs12_octet_string_expected, { "pkcs12.octet_string_expected", PI_PROTOCOL, PI_WARN, "BER Error: OCTET STRING expected", EXPFILL }},
+ };
+
module_t *pkcs12_module;
+ expert_module_t* expert_pkcs12;
/* Register protocol */
proto_pkcs12 = proto_register_protocol(PNAME, PSNAME, PFNAME);
/* Register fields and subtrees */
proto_register_field_array(proto_pkcs12, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
+ expert_pkcs12 = expert_register_protocol(proto_pkcs12);
+ expert_register_field_array(expert_pkcs12, ei, array_length(ei));
/* Register preferences */
pkcs12_module = prefs_register_protocol(proto_pkcs12, NULL);
"Whether to try and decrypt the encrypted data within the"
" PKCS#12 with a NULL password", &try_null_password);
- register_ber_syntax_dissector("PKCS#12", proto_pkcs12, dissect_PFX_PDU);
+ new_register_ber_syntax_dissector("PKCS#12", proto_pkcs12, dissect_PFX_PDU);
register_ber_oid_syntax(".p12", NULL, "PKCS#12");
register_ber_oid_syntax(".pfx", NULL, "PKCS#12");
}