2 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/hmac.h>
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include "internal/cryptlib.h"
17 #include "internal/evp_int.h"
18 #include "kdf_local.h"
20 /* Constants specified in SP800-132 */
21 #define KDF_PBKDF2_MIN_KEY_LEN_BITS 112
22 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
23 #define KDF_PBKDF2_MIN_ITERATIONS 1000
24 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
26 * For backwards compatibility reasons,
27 * Extra checks are done by default in fips mode only.
30 # define KDF_PBKDF2_DEFAULT_CHECKS 1
32 # define KDF_PBKDF2_DEFAULT_CHECKS 0
33 #endif /* FIPS_MODE */
35 static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl);
36 static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl);
37 static int pbkdf2_derive(const char *pass, size_t passlen,
38 const unsigned char *salt, int saltlen, int iter,
39 const EVP_MD *digest, unsigned char *key,
40 size_t keylen, int extra_checks);
42 struct evp_kdf_impl_st {
49 int lower_bound_checks;
52 static EVP_KDF_IMPL *kdf_pbkdf2_new(void)
56 impl = OPENSSL_zalloc(sizeof(*impl));
58 KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE);
61 kdf_pbkdf2_init(impl);
65 static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl)
67 kdf_pbkdf2_reset(impl);
71 static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl)
73 OPENSSL_free(impl->salt);
74 OPENSSL_clear_free(impl->pass, impl->pass_len);
75 memset(impl, 0, sizeof(*impl));
76 kdf_pbkdf2_init(impl);
79 static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl)
81 impl->iter = PKCS5_DEFAULT_ITER;
82 impl->md = EVP_sha1();
83 impl->lower_bound_checks = KDF_PBKDF2_DEFAULT_CHECKS;
86 static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
87 const unsigned char *new_buffer,
90 if (new_buffer == NULL)
93 OPENSSL_clear_free(*buffer, *buflen);
96 *buffer = OPENSSL_memdup(new_buffer, new_buflen);
98 *buffer = OPENSSL_malloc(1);
100 if (*buffer == NULL) {
101 KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
105 *buflen = new_buflen;
109 static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
111 int iter, pkcs5, min_iter;
112 const unsigned char *p;
117 case EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE:
118 pkcs5 = va_arg(args, int);
119 impl->lower_bound_checks = (pkcs5 == 0) ? 1 : 0;
121 case EVP_KDF_CTRL_SET_PASS:
122 p = va_arg(args, const unsigned char *);
123 len = va_arg(args, size_t);
124 return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len);
126 case EVP_KDF_CTRL_SET_SALT:
127 p = va_arg(args, const unsigned char *);
128 len = va_arg(args, size_t);
129 if (impl->lower_bound_checks != 0 && len < KDF_PBKDF2_MIN_SALT_LEN) {
130 KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_INVALID_SALT_LEN);
133 return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len);
135 case EVP_KDF_CTRL_SET_ITER:
136 iter = va_arg(args, int);
137 min_iter = impl->lower_bound_checks != 0 ? KDF_PBKDF2_MIN_ITERATIONS : 1;
138 if (iter < min_iter) {
139 KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_INVALID_ITERATION_COUNT);
145 case EVP_KDF_CTRL_SET_MD:
146 md = va_arg(args, const EVP_MD *);
148 KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_VALUE_MISSING);
160 static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
164 KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING);
168 if (strcmp(type, "pass") == 0)
169 return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,
172 if (strcmp(type, "hexpass") == 0)
173 return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,
176 if (strcmp(type, "salt") == 0)
177 return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,
180 if (strcmp(type, "hexsalt") == 0)
181 return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,
184 if (strcmp(type, "iter") == 0)
185 return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER,
188 if (strcmp(type, "digest") == 0)
189 return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value);
191 if (strcmp(type, "pkcs5") == 0)
192 return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl,
193 EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE, value);
197 static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key,
200 if (impl->pass == NULL) {
201 KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS);
205 if (impl->salt == NULL) {
206 KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT);
210 return pbkdf2_derive((char *)impl->pass, impl->pass_len,
211 impl->salt, impl->salt_len, impl->iter,
212 impl->md, key, keylen, impl->lower_bound_checks);
215 const EVP_KDF pbkdf2_kdf_meth = {
227 * This is an implementation of PKCS#5 v2.0 password based encryption key
228 * derivation function PBKDF2. SHA1 version verified against test vectors
229 * posted by Peter Gutmann to the PKCS-TNG mailing list.
231 * The constraints specified by SP800-132 have been added i.e.
232 * - Check the range of the key length.
233 * - Minimum iteration count of 1000.
234 * - Randomly-generated portion of the salt shall be at least 128 bits.
236 static int pbkdf2_derive(const char *pass, size_t passlen,
237 const unsigned char *salt, int saltlen, int iter,
238 const EVP_MD *digest, unsigned char *key,
239 size_t keylen, int lower_bound_checks)
242 unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
243 int cplen, j, k, tkeylen, mdlen;
245 HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
247 mdlen = EVP_MD_size(digest);
252 * This check should always be done because keylen / mdlen >= (2^32 - 1)
253 * results in an overflow of the loop counter 'i'.
255 if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) {
256 KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_KEY_LEN);
260 if (lower_bound_checks) {
261 if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
262 KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_KEY_LEN);
265 if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) {
266 KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_SALT_LEN);
269 if (iter < KDF_PBKDF2_MIN_ITERATIONS) {
270 KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_ITERATION_COUNT);
275 hctx_tpl = HMAC_CTX_new();
276 if (hctx_tpl == NULL)
280 if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL))
282 hctx = HMAC_CTX_new();
291 * We are unlikely to ever use more than 256 blocks (5120 bits!) but
294 itmp[0] = (unsigned char)((i >> 24) & 0xff);
295 itmp[1] = (unsigned char)((i >> 16) & 0xff);
296 itmp[2] = (unsigned char)((i >> 8) & 0xff);
297 itmp[3] = (unsigned char)(i & 0xff);
298 if (!HMAC_CTX_copy(hctx, hctx_tpl))
300 if (!HMAC_Update(hctx, salt, saltlen)
301 || !HMAC_Update(hctx, itmp, 4)
302 || !HMAC_Final(hctx, digtmp, NULL))
304 memcpy(p, digtmp, cplen);
305 for (j = 1; j < iter; j++) {
306 if (!HMAC_CTX_copy(hctx, hctx_tpl))
308 if (!HMAC_Update(hctx, digtmp, mdlen)
309 || !HMAC_Final(hctx, digtmp, NULL))
311 for (k = 0; k < cplen; k++)
322 HMAC_CTX_free(hctx_tpl);