From 1af7c6487e5dc5e62ff67abb6ddf1f3bea077ad8 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Fri, 14 Feb 2025 18:47:54 +0000
Subject: [PATCH] Fix ASN implementation to support both template and original modes
- Add support for extracting hash type from PBES2 parameters
- Handle both WOLFSSL_ASN_TEMPLATE and original ASN implementations
- Return ASN_PARSE_E if hash type cannot be determined
- Add proper error handling and messages
Co-Authored-By: lealem@wolfssl.com
---
 wolfcrypt/src/asn.c | 76 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 75 insertions(+), 1 deletion(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index daff303cc..a752c9f8c 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -25786,7 +25786,81 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 #endif
 ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
- (byte*)password, passwordSz, WC_MD5);
+ /* Extract hash type from PBES2 parameters */
+#ifndef WOLFSSL_ASN_TEMPLATE
+ word32 idx = 0;
+ word32 length;
+ word32 kdfOid;
+ word32 prfOid;
+ int hashType = WC_HASH_TYPE_NONE;
+
+ /* Get PBES2 parameters sequence */
+ if (GetSequence(der->buffer, &idx, &length, der->length) < 0)
+ ret = ASN_PARSE_E;
+
+ /* Get KDF algorithm identifier */
+ if (ret == 0 && GetAlgoId(der->buffer, &idx, &kdfOid,
+ oidKdfType, der->length) < 0)
+ ret = ASN_PARSE_E;
+
+ /* Get PBKDF2 parameters sequence */
+ if (ret == 0 && GetSequence(der->buffer, &idx, &length,
+ der->length) < 0)
+ ret = ASN_PARSE_E;
+
+ /* Skip salt and iterations */
+ if (ret == 0 && GetOctetString(der->buffer, &idx, &length,
+ der->length) < 0)
+ ret = ASN_PARSE_E;
+ idx += length;
+ if (ret == 0 && GetInteger(der->buffer, &idx, &length,
+ der->length) < 0)
+ ret = ASN_PARSE_E;
+
+ /* Get PRF algorithm sequence */
+ if (ret == 0 && GetSequence(der->buffer, &idx, &length,
+ der->length) < 0)
+ ret = ASN_PARSE_E;
+
+ /* Get PRF algorithm OID */
+ if (ret == 0 && GetAlgoId(der->buffer, &idx, &prfOid,
+ oidHmacType, der->length) < 0)
+ ret = ASN_PARSE_E;
+
+ if (ret == 0) {
+ hashType = wc_OidGetHash(prfOid);
+ if (hashType == WC_HASH_TYPE_NONE) {
+ WOLFSSL_MSG("Hash algorithm not supported");
+ ret = ASN_PARSE_E;
+ }
+ }
+#else
+ int hashType;
+ word32 idx = 0;
+ DECL_ASNGETDATA(dataASN, pbes2ParamsASN_Length);
+ CALLOC_ASNGETDATA(dataASN, pbes2ParamsASN_Length, ret, NULL);
+ if (ret == 0) {
+ GetASN_OID(&dataASN[PBES2PARAMSASN_IDX_PBKDF2_PARAMS_PRF_OID], oidHmacType);
+ ret = GetASN_Items(pbes2ParamsASN, dataASN, pbes2ParamsASN_Length,
+ 0, der->buffer, &idx, der->length);
+ if (ret == 0) {
+ hashType = wc_OidGetHash(dataASN[PBES2PARAMSASN_IDX_PBKDF2_PARAMS_PRF_OID].data.oid.sum);
+ if (hashType == WC_HASH_TYPE_NONE) {
+ WOLFSSL_MSG("Hash algorithm not supported");
+ ret = ASN_PARSE_E;
+ }
+ }
+ }
+ FREE_ASNGETDATA(dataASN, NULL);
+#endif
+ if (ret == 0)
+ ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
+ (byte*)password, passwordSz, hashType);
+
+ if (ret != 0) {
+ WOLFSSL_MSG("Error extracting hash type from PBES2");
+ WOLFSSL_ERROR_VERBOSE(ret);
+ }
 #ifndef NO_WOLFSSL_SKIP_TRAILING_PAD
 #ifndef NO_DES3
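Review bot: The patch deletes only the continuation line `(byte*)password, passwordSz, WC_MD5);` and keeps `ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,` as context, so on the new side the call is left open in front of the added comment, `#ifndef` and declarations and the file should not compile; the removal has to cover both lines of the old call. The added parser also walks `der->buffer` before `wc_BufferKeyDecrypt` has run on that same buffer, so it appears to read still-encrypted bytes as a PBES2 structure, which would turn every key on this path into `ASN_PARSE_E`; confirm where the PBES2 parameters actually are at this point. In the non-template branch `idx += length;` runs even when `GetOctetString` failed or was skipped, so it can add an uninitialised `length` to `idx`; guard it as `if (ret == 0) idx += length;`. PemToDer's body starts and ends outside the hunk.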