2 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/hmac.h>
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include "internal/cryptlib.h"
17 #include "internal/evp_int.h"
18 #include "kdf_local.h"
20 static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl);
21 static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl);
22 static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen,
23 const unsigned char *salt, int saltlen, int iter,
24 const EVP_MD *digest, unsigned char *key,
27 struct evp_kdf_impl_st {
36 static EVP_KDF_IMPL *kdf_pbkdf2_new(void)
40 impl = OPENSSL_zalloc(sizeof(*impl));
42 KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE);
45 kdf_pbkdf2_init(impl);
49 static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl)
51 kdf_pbkdf2_reset(impl);
55 static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl)
57 OPENSSL_free(impl->salt);
58 OPENSSL_clear_free(impl->pass, impl->pass_len);
59 memset(impl, 0, sizeof(*impl));
60 kdf_pbkdf2_init(impl);
63 static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl)
65 impl->iter = PKCS5_DEFAULT_ITER;
66 impl->md = EVP_sha1();
69 static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
70 const unsigned char *new_buffer,
73 if (new_buffer == NULL)
76 OPENSSL_clear_free(*buffer, *buflen);
79 *buffer = OPENSSL_memdup(new_buffer, new_buflen);
81 *buffer = OPENSSL_malloc(1);
83 if (*buffer == NULL) {
84 KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
92 static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
95 const unsigned char *p;
100 case EVP_KDF_CTRL_SET_PASS:
101 p = va_arg(args, const unsigned char *);
102 len = va_arg(args, size_t);
103 return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len);
105 case EVP_KDF_CTRL_SET_SALT:
106 p = va_arg(args, const unsigned char *);
107 len = va_arg(args, size_t);
108 return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len);
110 case EVP_KDF_CTRL_SET_ITER:
111 iter = va_arg(args, int);
118 case EVP_KDF_CTRL_SET_MD:
119 md = va_arg(args, const EVP_MD *);
131 static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
135 KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING);
139 if (strcmp(type, "pass") == 0)
140 return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,
143 if (strcmp(type, "hexpass") == 0)
144 return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,
147 if (strcmp(type, "salt") == 0)
148 return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,
151 if (strcmp(type, "hexsalt") == 0)
152 return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,
155 if (strcmp(type, "iter") == 0)
156 return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER,
159 if (strcmp(type, "digest") == 0)
160 return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value);
165 static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key,
168 if (impl->pass == NULL) {
169 KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS);
173 if (impl->salt == NULL) {
174 KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT);
178 return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len,
179 impl->salt, impl->salt_len, impl->iter,
180 impl->md, key, keylen);
183 const EVP_KDF_METHOD pbkdf2_kdf_meth = {
195 * This is an implementation of PKCS#5 v2.0 password based encryption key
196 * derivation function PBKDF2. SHA1 version verified against test vectors
197 * posted by Peter Gutmann to the PKCS-TNG mailing list.
200 static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen,
201 const unsigned char *salt, int saltlen, int iter,
202 const EVP_MD *digest, unsigned char *key,
206 unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
207 int cplen, j, k, tkeylen, mdlen;
209 HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
211 mdlen = EVP_MD_size(digest);
215 hctx_tpl = HMAC_CTX_new();
216 if (hctx_tpl == NULL)
220 if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL))
222 hctx = HMAC_CTX_new();
231 * We are unlikely to ever use more than 256 blocks (5120 bits!) but
234 itmp[0] = (unsigned char)((i >> 24) & 0xff);
235 itmp[1] = (unsigned char)((i >> 16) & 0xff);
236 itmp[2] = (unsigned char)((i >> 8) & 0xff);
237 itmp[3] = (unsigned char)(i & 0xff);
238 if (!HMAC_CTX_copy(hctx, hctx_tpl))
240 if (!HMAC_Update(hctx, salt, saltlen)
241 || !HMAC_Update(hctx, itmp, 4)
242 || !HMAC_Final(hctx, digtmp, NULL))
244 memcpy(p, digtmp, cplen);
245 for (j = 1; j < iter; j++) {
246 if (!HMAC_CTX_copy(hctx, hctx_tpl))
248 if (!HMAC_Update(hctx, digtmp, mdlen)
249 || !HMAC_Final(hctx, digtmp, NULL))
251 for (k = 0; k < cplen; k++)
262 HMAC_CTX_free(hctx_tpl);