From 9b5e88561167529bd41cbf1db3e1d7f3e5173d22 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Fri, 28 Jun 2013 16:12:50 +0200
Subject: [PATCH] PKCS#5 PBES2 now uses OID database for algorithm detection
---
include/polarssl/oid.h | 52 +++++++++++++++++++++++++++++++++++++++-
include/polarssl/pkcs5.h | 18 --------------
library/oid.c | 46 ++++++++++++++++++++++++++++++++++-
library/pkcs5.c | 17 ++++---------
4 files changed, 100 insertions(+), 33 deletions(-)
diff --git a/include/polarssl/oid.h b/include/polarssl/oid.h
index d3a6552a5..b6b55c85f 100644
--- a/include/polarssl/oid.h
+++ b/include/polarssl/oid.h
@@ -29,6 +29,7 @@
#include
#include "asn1.h"
+#include "cipher.h"
#include "md.h"
#include "pk.h"
#include "x509.h"
@@ -55,7 +56,10 @@
* ISO Identified organization OID parts
*/
#define OID_ORG_DOD "\x06" /* {dod(6)} */
-#define OID_OIW_SECSIG_SHA1 "\x0e\x03\x02\x1a"
+#define OID_ORG_OIW "\x0e"
+#define OID_OIW_SECSIG OID_ORG_OIW "\x03"
+#define OID_OIW_SECSIG_ALG OID_OIW_SECSIG "\x02"
+#define OID_OIW_SECSIG_SHA1 OID_OIW_SECSIG_ALG "\x1a"
/*
* ISO ITU OID parts
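Review bot: The three new prefix macros `OID_ORG_OIW`, `OID_OIW_SECSIG` and `OID_OIW_SECSIG_ALG` carry no arc comment, unlike `OID_ORG_DOD` directly above them. A wrong byte in one of these prefixes changes every OID built on it, so I would annotate each one, for example `#define OID_ORG_OIW "\x0e" /* {oiw(14)} */`, and likewise `/* {oiw(14) secsig(3)} */` and `/* {oiw(14) secsig(3) algorithms(2)} */`. The composed `OID_OIW_SECSIG_SHA1` still expands to the same four bytes as the removed literal.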
@@ -143,10 +147,18 @@
#define OID_TIME_STAMPING OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
#define OID_OCSP_SIGNING OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
+/*
+ * PKCS definition OIDs
+ */
+
#define OID_PKCS OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
#define OID_PKCS1 OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
+#define OID_PKCS5 OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
#define OID_PKCS9 OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
+/*
+ * PKCS#1 OIDs
+ */
#define OID_PKCS1_RSA OID_PKCS1 "\x01" /**< rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */
#define OID_PKCS1_MD2 OID_PKCS1 "\x02" /**< md2WithRSAEncryption ::= { pkcs-1 2 } */
#define OID_PKCS1_MD4 OID_PKCS1 "\x03" /**< md4WithRSAEncryption ::= { pkcs-1 3 } */
@@ -161,6 +173,9 @@
#define OID_PKCS9_EMAIL OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */
+/*
+ * Digest algorithms
+ */
#define OID_DIGEST_ALG_MD2 OID_RSA_COMPANY "\x02\x02" /**< id-md2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 } */
#define OID_DIGEST_ALG_MD4 OID_RSA_COMPANY "\x02\x04" /**< id-md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
#define OID_DIGEST_ALG_MD5 OID_RSA_COMPANY "\x02\x05" /**< id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
@@ -172,6 +187,31 @@
#define OID_DIGEST_ALG_SHA512 OID_GOV "\x03\x04\x02\x03" /**< id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+#define OID_HMAC_SHA1 OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
+
+/*
+ * Encryption algorithms
+ */
+#define OID_DES_CBC OID_ISO_IDENTIFIED_ORG OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
+#define OID_DES_EDE3_CBC OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
+
+/*
+ * PKCS#5 OIDs
+ */
+#define OID_PKCS5_PBKDF2 OID_PKCS5 "\x0c" /**< id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12} */
+#define OID_PKCS5_PBES2 OID_PKCS5 "\x0d" /**< id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13} */
+#define OID_PKCS5_PBMAC1 OID_PKCS5 "\x0e" /**< id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14} */
+
+/*
+ * PKCS#5 PBES1 algorithms
+ */
+#define OID_PKCS5_PBE_MD2_DES_CBC OID_PKCS5 "\x01" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */
+#define OID_PKCS5_PBE_MD2_RC2_CBC OID_PKCS5 "\x04" /**< pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} */
+#define OID_PKCS5_PBE_MD5_DES_CBC OID_PKCS5 "\x03" /**< pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} */
+#define OID_PKCS5_PBE_MD5_RC2_CBC OID_PKCS5 "\x06" /**< pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} */
+#define OID_PKCS5_PBE_SHA1_DES_CBC OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
+#define OID_PKCS5_PBE_SHA1_RC2_CBC OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
+
#ifdef __cplusplus
extern "C" {
#endif
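Review bot: `OID_DES_CBC` and `OID_DES_EDE3_CBC` are now built from `OID_ISO_IDENTIFIED_ORG` and `OID_RSA_COMPANY`, neither of which is defined in this hunk, so it is worth confirming they expand to `\x2b` and `\x2a\x86\x48\x86\xf7\x0d` respectively; otherwise the encodings differ from the literals removed from pkcs5.h and PBES2 lookups would fail with no compile-time signal. `OID_HMAC_SHA1` sits under the "Digest algorithms" heading although it names a MAC; a separate `/* HMAC algorithms */` heading would keep it apart from the hash OIDs. The Doxygen text for `OID_DES_EDE3_CBC` contains a stray `--` after `member-body(2)`. The PBES1 identifiers are not referenced by any lookup table in this patch, so a comment saying they are declared for identification only would make clear that these MD2/MD5/DES/RC2 schemes are not accepted by the parser.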
@@ -294,6 +334,16 @@ int oid_get_extended_key_usage( const asn1_buf *oid, const char **desc );
*/
int oid_get_oid_by_md( md_type_t md_alg, const char **oid_str );
+/**
+ * \brief Translate encryption algorithm OID into cipher_type
+ *
+ * \param oid OID to use
+ * \param cipher_alg place to store cipher algorithm
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_cipher_alg( const asn1_buf *oid, cipher_type_t *cipher_alg );
+
#ifdef __cplusplus
}
#endif
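Review bot: The documentation for `oid_get_cipher_alg` does not say what happens to `cipher_alg` on failure. The implementation in library/oid.c writes it only when the OID is found, so a caller that ignores the return value may read an indeterminate value. I would add `\note cipher_alg is left unmodified when POLARSSL_ERR_OID_NOT_FOUND is returned` to the block. It would also help to state that only the encryption schemes listed in the cipher table (DES-CBC and DES-EDE3-CBC in this patch) are recognised.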
diff --git a/include/polarssl/pkcs5.h b/include/polarssl/pkcs5.h
index b8c742e97..6c5b21a68 100644
--- a/include/polarssl/pkcs5.h
+++ b/include/polarssl/pkcs5.h
@@ -49,24 +49,6 @@ typedef UINT32 uint32_t;
#define PKCS5_DECRYPT 0
#define PKCS5_ENCRYPT 1
-/*
- * PKCS#5 OIDs
- */
-#define OID_PKCS5 "\x2a\x86\x48\x86\xf7\x0d\x01\x05"
-#define OID_PKCS5_PBES2 OID_PKCS5 "\x0d"
-#define OID_PKCS5_PBKDF2 OID_PKCS5 "\x0c"
-
-/*
- * Encryption Algorithm OIDs
- */
-#define OID_DES_CBC "\x2b\x0e\x03\x02\x07"
-#define OID_DES_EDE3_CBC "\x2a\x86\x48\x86\xf7\x0d\x03\x07"
-
-/*
- * Digest Algorithm OIDs
- */
-#define OID_HMAC_SHA1 "\x2a\x86\x48\x86\xf7\x0d\x02\x07"
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/library/oid.c b/library/oid.c
index a280070a8..371d1ba16 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -30,7 +30,6 @@
#if defined(POLARSSL_OID_C)
#include "polarssl/oid.h"
-#include "polarssl/md.h"
#include "polarssl/rsa.h"
#include
@@ -201,6 +200,30 @@ static const oid_pk_alg_t oid_pk_alg[] =
},
};
+/*
+ * For PKCS#5 PBES2 encryption algorithm
+ */
+typedef struct {
+ oid_descriptor_t descriptor;
+ cipher_type_t cipher_alg;
+} oid_cipher_alg_t;
+
+static const oid_cipher_alg_t oid_cipher_alg[] =
+{
+ {
+ { OID_DES_CBC, "desCBC", "DES-CBC" },
+ POLARSSL_CIPHER_DES_CBC,
+ },
+ {
+ { OID_DES_EDE3_CBC, "des-ede3-cbc", "DES-EDE3-CBC" },
+ POLARSSL_CIPHER_DES_EDE3_CBC,
+ },
+ {
+ { NULL, NULL, NULL },
+ 0,
+ },
+};
+
/*
* For digestAlgorithm
*/
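Review bot: The terminator entry stores a bare `0` in the `cipher_alg` field; `POLARSSL_CIPHER_NONE` says the same thing with the right enum type and does not depend on the enum's numbering. The table is also compiled with both DES entries unconditionally, whereas the code it replaces in pkcs5.c sat under `#if defined(POLARSSL_DES_C)`. With DES disabled the lookup now succeeds and rejection relies on `cipher_info_from_type` returning NULL; wrapping the two entries in that guard would keep the lookup and the build configuration in agreement. Since this table becomes the list of encryption schemes PBES2 will accept, a comment noting that single DES is kept for legacy interoperability only would help anyone extending it.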
@@ -452,6 +475,14 @@ static const oid_md_alg_t *oid_md_alg_from_asn1( const asn1_buf *oid )
oid );
}
+static const oid_cipher_alg_t *oid_cipher_alg_from_asn1( const asn1_buf *oid )
+{
+ return (const oid_cipher_alg_t *) oid_descriptor_from_asn1(
+ oid_cipher_alg,
+ sizeof(oid_cipher_alg_t),
+ oid );
+}
+
int oid_get_attr_short_name( const asn1_buf *oid, const char **short_name )
{
const oid_x520_attr_t *data = oid_x520_attr_from_asn1( oid );
@@ -554,4 +585,17 @@ int oid_get_oid_by_md( md_type_t md_alg,
return( POLARSSL_ERR_OID_NOT_FOUND );
}
+int oid_get_cipher_alg( const asn1_buf *oid,
+ cipher_type_t *cipher_alg )
+{
+ const oid_cipher_alg_t *data = oid_cipher_alg_from_asn1( oid );
+
+ if( data == NULL )
+ return( POLARSSL_ERR_OID_NOT_FOUND );
+
+ *cipher_alg = data->cipher_alg;
+
+ return( 0 );
+}
+
#endif /* POLARSSL_OID_C */
diff --git a/library/pkcs5.c b/library/pkcs5.c
index fa9111541..c41927b63 100644
--- a/library/pkcs5.c
+++ b/library/pkcs5.c
@@ -40,6 +40,7 @@
#include "polarssl/pkcs5.h"
#include "polarssl/asn1.h"
#include "polarssl/cipher.h"
+#include "polarssl/oid.h"
static int pkcs5_parse_pbkdf2_params( unsigned char **p,
const unsigned char *end,
@@ -117,6 +118,7 @@ int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
const md_info_t *md_info;
const cipher_info_t *cipher_info;
md_context_t md_ctx;
+ cipher_type_t cipher_alg;
cipher_context_t cipher_ctx;
p = pbe_params->p;
@@ -178,21 +180,10 @@ int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
enc_scheme_oid.p = p;
p += enc_scheme_oid.len;
-#if defined(POLARSSL_DES_C)
- // Only DES-CBC and DES-EDE3-CBC supported at the moment
- //
- if( OID_CMP( OID_DES_EDE3_CBC, &enc_scheme_oid ) )
- {
- cipher_info = cipher_info_from_type( POLARSSL_CIPHER_DES_EDE3_CBC );
- }
- else if( OID_CMP( OID_DES_CBC, &enc_scheme_oid ) )
- {
- cipher_info = cipher_info_from_type( POLARSSL_CIPHER_DES_CBC );
- }
- else
-#endif /* POLARSSL_DES_C */
+ if ( oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
+ cipher_info = cipher_info_from_type( cipher_alg );
if( cipher_info == NULL )
return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
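Review bot: `pkcs5_pbes2` now calls `oid_get_cipher_alg`, which library/oid.c defines only under `POLARSSL_OID_C`, so a configuration with PKCS#5 enabled and the OID module disabled would presumably fail at link time; the dependency should be stated where the build options are checked or documented. The new condition is written `if ( oid_get_cipher_alg(` while the surrounding code uses `if(`, so I would change it to `if( oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )`. With the explicit DES branches gone, every entry later added to the OID cipher table is accepted here automatically. A short comment above the lookup should say that the rest of the function must be able to derive a key and IV for any cipher listed there. The function body starts and continues outside this hunk.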