providers/common/kdfs/pbkdf2.c

   1 /*
   2  * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdlib.h>
  11 #include <stdarg.h>
  12 #include <string.h>
  13 #include <openssl/hmac.h>
  14 #include <openssl/evp.h>
  15 #include <openssl/kdf.h>
  16 #include <openssl/core_names.h>
  17 #include "internal/cryptlib.h"
  18 #include "internal/numbers.h"
  19 #include "crypto/evp.h"
  20 #include "internal/provider_ctx.h"
  21 #include "internal/providercommonerr.h"
  22 #include "internal/provider_algs.h"
  23 #include "internal/provider_util.h"
  24
  25 /* Constants specified in SP800-132 */
  26 #define KDF_PBKDF2_MIN_KEY_LEN_BITS  112
  27 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
  28 #define KDF_PBKDF2_MIN_ITERATIONS 1000
  29 #define KDF_PBKDF2_MIN_SALT_LEN   (128 / 8)
  30 /*
  31  * For backwards compatibility reasons,
  32  * Extra checks are done by default in fips mode only.
  33  */
  34 #ifdef FIPS_MODE
  35 # define KDF_PBKDF2_DEFAULT_CHECKS 1
  36 #else
  37 # define KDF_PBKDF2_DEFAULT_CHECKS 0
  38 #endif /* FIPS_MODE */
  39
  40 static OSSL_OP_kdf_newctx_fn kdf_pbkdf2_new;
  41 static OSSL_OP_kdf_freectx_fn kdf_pbkdf2_free;
  42 static OSSL_OP_kdf_reset_fn kdf_pbkdf2_reset;
  43 static OSSL_OP_kdf_derive_fn kdf_pbkdf2_derive;
  44 static OSSL_OP_kdf_settable_ctx_params_fn kdf_pbkdf2_settable_ctx_params;
  45 static OSSL_OP_kdf_set_ctx_params_fn kdf_pbkdf2_set_ctx_params;
  46
  47 static int  pbkdf2_derive(const char *pass, size_t passlen,
  48                           const unsigned char *salt, int saltlen, uint64_t iter,
  49                           const EVP_MD *digest, unsigned char *key,
  50                           size_t keylen, int extra_checks);
  51
  52 typedef struct {
  53     void *provctx;
  54     unsigned char *pass;
  55     size_t pass_len;
  56     unsigned char *salt;
  57     size_t salt_len;
  58     uint64_t iter;
  59     PROV_DIGEST digest;
  60     int lower_bound_checks;
  61 } KDF_PBKDF2;
  62
  63 static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx);
  64
  65 static void *kdf_pbkdf2_new(void *provctx)
  66 {
  67     KDF_PBKDF2 *ctx;
  68
  69     ctx = OPENSSL_zalloc(sizeof(*ctx));
  70     if (ctx == NULL) {
  71         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
  72         return NULL;
  73     }
  74     ctx->provctx = provctx;
  75     kdf_pbkdf2_init(ctx);
  76     return ctx;
  77 }
  78
  79 static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
  80 {
  81     ossl_prov_digest_reset(&ctx->digest);
  82     OPENSSL_free(ctx->salt);
  83     OPENSSL_clear_free(ctx->pass, ctx->pass_len);
  84     memset(ctx, 0, sizeof(*ctx));
  85 }
  86
  87 static void kdf_pbkdf2_free(void *vctx)
  88 {
  89     KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
  90
  91     kdf_pbkdf2_cleanup(ctx);
  92     OPENSSL_free(ctx);
  93 }
  94
  95 static void kdf_pbkdf2_reset(void *vctx)
  96 {
  97     KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
  98
  99     kdf_pbkdf2_cleanup(ctx);
 100     kdf_pbkdf2_init(ctx);
 101 }
 102
 103 static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx)
 104 {
 105     OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
 106     OPENSSL_CTX *provctx = PROV_LIBRARY_CONTEXT_OF(ctx->provctx);
 107
 108     params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
 109                                                  SN_sha1, 0);
 110     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
 111         /* This is an error, but there is no way to indicate such directly */
 112         ossl_prov_digest_reset(&ctx->digest);
 113     ctx->iter = PKCS5_DEFAULT_ITER;
 114     ctx->lower_bound_checks = KDF_PBKDF2_DEFAULT_CHECKS;
 115 }
 116
 117 static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
 118                              const OSSL_PARAM *p)
 119 {
 120     OPENSSL_clear_free(*buffer, *buflen);
 121     if (p->data_size == 0) {
 122         if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 123             ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 124             return 0;
 125         }
 126     } else if (p->data != NULL) {
 127         *buffer = NULL;
 128         if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 129             return 0;
 130     }
 131     return 1;
 132 }
 133
 134 static int kdf_pbkdf2_derive(void *vctx, unsigned char *key,
 135                              size_t keylen)
 136 {
 137     KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
 138     const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
 139
 140     if (ctx->pass == NULL) {
 141         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
 142         return 0;
 143     }
 144
 145     if (ctx->salt == NULL) {
 146         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
 147         return 0;
 148     }
 149
 150     return pbkdf2_derive((char *)ctx->pass, ctx->pass_len,
 151                          ctx->salt, ctx->salt_len, ctx->iter,
 152                          md, key, keylen, ctx->lower_bound_checks);
 153 }
 154
 155 static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 156 {
 157     const OSSL_PARAM *p;
 158     KDF_PBKDF2 *ctx = vctx;
 159     OPENSSL_CTX *provctx = PROV_LIBRARY_CONTEXT_OF(ctx->provctx);
 160     int pkcs5;
 161     uint64_t iter, min_iter;
 162
 163     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
 164         return 0;
 165
 166     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS5)) != NULL) {
 167         if (!OSSL_PARAM_get_int(p, &pkcs5))
 168             return 0;
 169         ctx->lower_bound_checks = pkcs5 == 0;
 170     }
 171
 172     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
 173         if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
 174             return 0;
 175
 176     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
 177         if (ctx->lower_bound_checks != 0
 178             && p->data_size < KDF_PBKDF2_MIN_SALT_LEN) {
 179             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
 180             return 0;
 181         }
 182         if (!pbkdf2_set_membuf(&ctx->salt, &ctx->salt_len,p))
 183             return 0;
 184     }
 185
 186     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) {
 187         if (!OSSL_PARAM_get_uint64(p, &iter))
 188             return 0;
 189         min_iter = ctx->lower_bound_checks != 0 ? KDF_PBKDF2_MIN_ITERATIONS : 1;
 190         if (iter < min_iter) {
 191             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT);
 192             return 0;
 193         }
 194         ctx->iter = iter;
 195     }
 196     return 1;
 197 }
 198
 199 static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(void)
 200 {
 201     static const OSSL_PARAM known_settable_ctx_params[] = {
 202         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
 203         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
 204         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
 205         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
 206         OSSL_PARAM_uint64(OSSL_KDF_PARAM_ITER, NULL),
 207         OSSL_PARAM_int(OSSL_KDF_PARAM_PKCS5, NULL),
 208         OSSL_PARAM_END
 209     };
 210     return known_settable_ctx_params;
 211 }
 212
 213 static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
 214 {
 215     OSSL_PARAM *p;
 216
 217     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
 218         return OSSL_PARAM_set_size_t(p, SIZE_MAX);
 219     return -2;
 220 }
 221
 222 static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(void)
 223 {
 224     static const OSSL_PARAM known_gettable_ctx_params[] = {
 225         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 226         OSSL_PARAM_END
 227     };
 228     return known_gettable_ctx_params;
 229 }
 230
 231 const OSSL_DISPATCH kdf_pbkdf2_functions[] = {
 232     { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pbkdf2_new },
 233     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pbkdf2_free },
 234     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pbkdf2_reset },
 235     { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pbkdf2_derive },
 236     { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
 237       (void(*)(void))kdf_pbkdf2_settable_ctx_params },
 238     { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_set_ctx_params },
 239     { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
 240       (void(*)(void))kdf_pbkdf2_gettable_ctx_params },
 241     { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_get_ctx_params },
 242     { 0, NULL }
 243 };
 244
 245 /*
 246  * This is an implementation of PKCS#5 v2.0 password based encryption key
 247  * derivation function PBKDF2. SHA1 version verified against test vectors
 248  * posted by Peter Gutmann to the PKCS-TNG mailing list.
 249  *
 250  * The constraints specified by SP800-132 have been added i.e.
 251  *  - Check the range of the key length.
 252  *  - Minimum iteration count of 1000.
 253  *  - Randomly-generated portion of the salt shall be at least 128 bits.
 254  */
 255 static int pbkdf2_derive(const char *pass, size_t passlen,
 256                          const unsigned char *salt, int saltlen, uint64_t iter,
 257                          const EVP_MD *digest, unsigned char *key,
 258                          size_t keylen, int lower_bound_checks)
 259 {
 260     int ret = 0;
 261     unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
 262     int cplen, k, tkeylen, mdlen;
 263     uint64_t j;
 264     unsigned long i = 1;
 265     HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
 266
 267     mdlen = EVP_MD_size(digest);
 268     if (mdlen <= 0)
 269         return 0;
 270
 271     /*
 272      * This check should always be done because keylen / mdlen >= (2^32 - 1)
 273      * results in an overflow of the loop counter 'i'.
 274      */
 275     if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) {
 276         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LEN);
 277         return 0;
 278     }
 279
 280     if (lower_bound_checks) {
 281         if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
 282             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LEN);
 283             return 0;
 284         }
 285         if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) {
 286             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
 287             return 0;
 288         }
 289         if (iter < KDF_PBKDF2_MIN_ITERATIONS) {
 290             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT);
 291             return 0;
 292         }
 293     }
 294
 295     hctx_tpl = HMAC_CTX_new();
 296     if (hctx_tpl == NULL)
 297         return 0;
 298     p = key;
 299     tkeylen = keylen;
 300     if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL))
 301         goto err;
 302     hctx = HMAC_CTX_new();
 303     if (hctx == NULL)
 304         goto err;
 305     while (tkeylen) {
 306         if (tkeylen > mdlen)
 307             cplen = mdlen;
 308         else
 309             cplen = tkeylen;
 310         /*
 311          * We are unlikely to ever use more than 256 blocks (5120 bits!) but
 312          * just in case...
 313          */
 314         itmp[0] = (unsigned char)((i >> 24) & 0xff);
 315         itmp[1] = (unsigned char)((i >> 16) & 0xff);
 316         itmp[2] = (unsigned char)((i >> 8) & 0xff);
 317         itmp[3] = (unsigned char)(i & 0xff);
 318         if (!HMAC_CTX_copy(hctx, hctx_tpl))
 319             goto err;
 320         if (!HMAC_Update(hctx, salt, saltlen)
 321                 || !HMAC_Update(hctx, itmp, 4)
 322                 || !HMAC_Final(hctx, digtmp, NULL))
 323             goto err;
 324         memcpy(p, digtmp, cplen);
 325         for (j = 1; j < iter; j++) {
 326             if (!HMAC_CTX_copy(hctx, hctx_tpl))
 327                 goto err;
 328             if (!HMAC_Update(hctx, digtmp, mdlen)
 329                     || !HMAC_Final(hctx, digtmp, NULL))
 330                 goto err;
 331             for (k = 0; k < cplen; k++)
 332                 p[k] ^= digtmp[k];
 333         }
 334         tkeylen -= cplen;
 335         i++;
 336         p += cplen;
 337     }
 338     ret = 1;
 339
 340 err:
 341     HMAC_CTX_free(hctx);
 342     HMAC_CTX_free(hctx_tpl);
 343     return ret;
 344 }