PKCS#5 v2 PBES2 support and use in PKCS#8 encrypted certificates

The error code POLARSSL_ERR_X509_PASSWORD_MISMATCH is now properly
returned in case of an encryption failure in the padding. The
POLARSSL_ERR_X509_PASSWORD_REQUIRED error code is only returned for PEM
formatted private keys as for DER formatted ones it is impossible to
distinguish if a DER blob is PKCS#8 encrypted or not.
(cherry picked from commit 1fd4321ba2016dfaff2b48c11f731fc9ccbd7ccf)

Conflicts:
	include/polarssl/error.h
	scripts/generate_errors.pl

include/polarssl/error.h

@@ -72,14 +72,14 @@
  * SHA4      1  0x007A-0x007A
  * PBKDF2    1  0x007C-0x007C
  * ECP       1  0x007E-0x007E
- * PKCS5     1  0x007C-0x007C
  *
  * High-level module nr (3 bits - 0x1...-0x8...)
  * Name     ID  Nr of Errors
  * PEM      1   9
  * PKCS#12  1   3 (Started from top)
- * X509     2   21
+ * X509     2   23
  * DHM      3   6
+ * PKCS5    3   4 (Started from top)
  * RSA      4   9
  * ECP      4   1 (Started from top)
  * MD       5   4

include/polarssl/pkcs5.h

@@ -31,6 +31,7 @@
 
 #include <string.h>
 
+#include "asn1.h"
 #include "md.h"
 
 #ifdef _MSC_VER
@@ -40,12 +41,54 @@ typedef UINT32 uint32_t;
 #include <inttypes.h>
 #endif
 
-#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA                -0x007C  /**< Bad input parameters to function. */
+#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA                  -0x3f80  /**< Bad input parameters to function. */
+#define POLARSSL_ERR_PKCS5_INVALID_FORMAT                  -0x3f00  /**< Unexpected ASN.1 data. */
+#define POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE             -0x3e80  /**< Requested encryption or digest alg not available. */
+#define POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH               -0x3e00  /**< Given private key password does not allow for correct decryption. */
+
+#define PKCS5_DECRYPT      0
+#define PKCS5_ENCRYPT      1
+
+/*
+ * PKCS#5 OIDs
+ */
+#define OID_PKCS5               "\x2a\x86\x48\x86\xf7\x0d\x01\x05"
+#define OID_PKCS5_PBES2         OID_PKCS5 "\x0d"
+#define OID_PKCS5_PBKDF2        OID_PKCS5 "\x0c"
+
+/*
+ * Encryption Algorithm OIDs
+ */
+#define OID_DES_CBC             "\x2b\x0e\x03\x02\x07"
+#define OID_DES_EDE3_CBC        "\x2a\x86\x48\x86\xf7\x0d\x03\x07"
+
+/*
+ * Digest Algorithm OIDs
+ */
+#define OID_HMAC_SHA1           "\x2a\x86\x48\x86\xf7\x0d\x02\x07"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+/**
+ * \brief          PKCS#5 PBES2 function
+ *
+ * \param pbe_params the ASN.1 algorithm parameters
+ * \param mode       either PKCS5_DECRYPT or PKCS5_ENCRYPT
+ * \param pwd        password to use when generating key
+ * \param plen       length of password
+ * \param data       data to process
+ * \param datalen    length of data
+ * \param output     output buffer
+ *
+ * \returns        0 on success, or a PolarSSL error code if verification fails.
+ */
+int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
+                 const unsigned char *pwd,  size_t pwdlen,
+                 const unsigned char *data, size_t datalen,
+                 unsigned char *output );
+
 /**
  * \brief          PKCS#5 PBKDF2 using HMAC
  *

include/polarssl/x509.h

@@ -67,6 +67,8 @@
 #define POLARSSL_ERR_X509_INVALID_INPUT                    -0x2A00  /**< Input invalid. */
 #define POLARSSL_ERR_X509_MALLOC_FAILED                    -0x2A80  /**< Allocation of memory failed. */
 #define POLARSSL_ERR_X509_FILE_IO_ERROR                    -0x2B00  /**< Read/write of file failed. */
+#define POLARSSL_ERR_X509_PASSWORD_REQUIRED                -0x2B80  /**< Private key password can't be empty. */
+#define POLARSSL_ERR_X509_PASSWORD_MISMATCH                -0x2C00  /**< Given private key password does not allow for correct decryption. */
 /* \} name */
 
 /**