2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * HMAC low level APIs are deprecated for public use, but still ok for internal
14 #include "internal/deprecated.h"
19 #include <openssl/hmac.h>
20 #include <openssl/evp.h>
21 #include <openssl/kdf.h>
22 #include <openssl/core_names.h>
23 #include <openssl/proverr.h>
24 #include "internal/cryptlib.h"
25 #include "internal/numbers.h"
26 #include "crypto/evp.h"
27 #include "prov/provider_ctx.h"
28 #include "prov/providercommon.h"
29 #include "prov/implementations.h"
30 #include "prov/provider_util.h"
33 /* Constants specified in SP800-132 */
34 #define KDF_PBKDF2_MIN_KEY_LEN_BITS 112
35 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
36 #define KDF_PBKDF2_MIN_ITERATIONS 1000
37 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
39 static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new
;
40 static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup
;
41 static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free
;
42 static OSSL_FUNC_kdf_reset_fn kdf_pbkdf2_reset
;
43 static OSSL_FUNC_kdf_derive_fn kdf_pbkdf2_derive
;
44 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_pbkdf2_settable_ctx_params
;
45 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_pbkdf2_set_ctx_params
;
46 static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_pbkdf2_gettable_ctx_params
;
47 static OSSL_FUNC_kdf_get_ctx_params_fn kdf_pbkdf2_get_ctx_params
;
49 static int pbkdf2_derive(const char *pass
, size_t passlen
,
50 const unsigned char *salt
, int saltlen
, uint64_t iter
,
51 const EVP_MD
*digest
, unsigned char *key
,
52 size_t keylen
, int extra_checks
);
62 int lower_bound_checks
;
65 static void kdf_pbkdf2_init(KDF_PBKDF2
*ctx
);
67 static void *kdf_pbkdf2_new_no_init(void *provctx
)
71 if (!ossl_prov_is_running())
74 ctx
= OPENSSL_zalloc(sizeof(*ctx
));
77 ctx
->provctx
= provctx
;
81 static void *kdf_pbkdf2_new(void *provctx
)
83 KDF_PBKDF2
*ctx
= kdf_pbkdf2_new_no_init(provctx
);
90 static void kdf_pbkdf2_cleanup(KDF_PBKDF2
*ctx
)
92 ossl_prov_digest_reset(&ctx
->digest
);
93 OPENSSL_free(ctx
->salt
);
94 OPENSSL_clear_free(ctx
->pass
, ctx
->pass_len
);
95 memset(ctx
, 0, sizeof(*ctx
));
98 static void kdf_pbkdf2_free(void *vctx
)
100 KDF_PBKDF2
*ctx
= (KDF_PBKDF2
*)vctx
;
103 kdf_pbkdf2_cleanup(ctx
);
108 static void kdf_pbkdf2_reset(void *vctx
)
110 KDF_PBKDF2
*ctx
= (KDF_PBKDF2
*)vctx
;
111 void *provctx
= ctx
->provctx
;
113 kdf_pbkdf2_cleanup(ctx
);
114 ctx
->provctx
= provctx
;
115 kdf_pbkdf2_init(ctx
);
118 static void *kdf_pbkdf2_dup(void *vctx
)
120 const KDF_PBKDF2
*src
= (const KDF_PBKDF2
*)vctx
;
123 /* We need a new PBKDF2 object but uninitialised since we're filling it */
124 dest
= kdf_pbkdf2_new_no_init(src
->provctx
);
126 if (!ossl_prov_memdup(src
->salt
, src
->salt_len
,
127 &dest
->salt
, &dest
->salt_len
)
128 || !ossl_prov_memdup(src
->pass
, src
->pass_len
,
129 &dest
->pass
, &dest
->pass_len
)
130 || !ossl_prov_digest_copy(&dest
->digest
, &src
->digest
))
132 dest
->iter
= src
->iter
;
133 dest
->lower_bound_checks
= src
->lower_bound_checks
;
138 kdf_pbkdf2_free(dest
);
142 static void kdf_pbkdf2_init(KDF_PBKDF2
*ctx
)
144 OSSL_PARAM params
[2] = { OSSL_PARAM_END
, OSSL_PARAM_END
};
145 OSSL_LIB_CTX
*provctx
= PROV_LIBCTX_OF(ctx
->provctx
);
147 params
[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST
,
149 if (!ossl_prov_digest_load_from_params(&ctx
->digest
, params
, provctx
))
150 /* This is an error, but there is no way to indicate such directly */
151 ossl_prov_digest_reset(&ctx
->digest
);
152 ctx
->iter
= PKCS5_DEFAULT_ITER
;
153 ctx
->lower_bound_checks
= ossl_kdf_pbkdf2_default_checks
;
156 static int pbkdf2_set_membuf(unsigned char **buffer
, size_t *buflen
,
159 OPENSSL_clear_free(*buffer
, *buflen
);
163 if (p
->data_size
== 0) {
164 if ((*buffer
= OPENSSL_malloc(1)) == NULL
)
166 } else if (p
->data
!= NULL
) {
167 if (!OSSL_PARAM_get_octet_string(p
, (void **)buffer
, 0, buflen
))
173 static int kdf_pbkdf2_derive(void *vctx
, unsigned char *key
, size_t keylen
,
174 const OSSL_PARAM params
[])
176 KDF_PBKDF2
*ctx
= (KDF_PBKDF2
*)vctx
;
179 if (!ossl_prov_is_running() || !kdf_pbkdf2_set_ctx_params(ctx
, params
))
182 if (ctx
->pass
== NULL
) {
183 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_PASS
);
187 if (ctx
->salt
== NULL
) {
188 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_SALT
);
192 md
= ossl_prov_digest_md(&ctx
->digest
);
193 return pbkdf2_derive((char *)ctx
->pass
, ctx
->pass_len
,
194 ctx
->salt
, ctx
->salt_len
, ctx
->iter
,
195 md
, key
, keylen
, ctx
->lower_bound_checks
);
198 static int kdf_pbkdf2_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
201 KDF_PBKDF2
*ctx
= vctx
;
202 OSSL_LIB_CTX
*provctx
= PROV_LIBCTX_OF(ctx
->provctx
);
204 uint64_t iter
, min_iter
;
209 if (!ossl_prov_digest_load_from_params(&ctx
->digest
, params
, provctx
))
212 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_PKCS5
)) != NULL
) {
213 if (!OSSL_PARAM_get_int(p
, &pkcs5
))
215 ctx
->lower_bound_checks
= pkcs5
== 0;
218 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_PASSWORD
)) != NULL
)
219 if (!pbkdf2_set_membuf(&ctx
->pass
, &ctx
->pass_len
, p
))
222 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SALT
)) != NULL
) {
223 if (ctx
->lower_bound_checks
!= 0
224 && p
->data_size
< KDF_PBKDF2_MIN_SALT_LEN
) {
225 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_SALT_LENGTH
);
228 if (!pbkdf2_set_membuf(&ctx
->salt
, &ctx
->salt_len
, p
))
232 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_ITER
)) != NULL
) {
233 if (!OSSL_PARAM_get_uint64(p
, &iter
))
235 min_iter
= ctx
->lower_bound_checks
!= 0 ? KDF_PBKDF2_MIN_ITERATIONS
: 1;
236 if (iter
< min_iter
) {
237 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_ITERATION_COUNT
);
245 static const OSSL_PARAM
*kdf_pbkdf2_settable_ctx_params(ossl_unused
void *ctx
,
246 ossl_unused
void *p_ctx
)
248 static const OSSL_PARAM known_settable_ctx_params
[] = {
249 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES
, NULL
, 0),
250 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST
, NULL
, 0),
251 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD
, NULL
, 0),
252 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT
, NULL
, 0),
253 OSSL_PARAM_uint64(OSSL_KDF_PARAM_ITER
, NULL
),
254 OSSL_PARAM_int(OSSL_KDF_PARAM_PKCS5
, NULL
),
257 return known_settable_ctx_params
;
260 static int kdf_pbkdf2_get_ctx_params(void *vctx
, OSSL_PARAM params
[])
264 if ((p
= OSSL_PARAM_locate(params
, OSSL_KDF_PARAM_SIZE
)) != NULL
)
265 return OSSL_PARAM_set_size_t(p
, SIZE_MAX
);
269 static const OSSL_PARAM
*kdf_pbkdf2_gettable_ctx_params(ossl_unused
void *ctx
,
270 ossl_unused
void *p_ctx
)
272 static const OSSL_PARAM known_gettable_ctx_params
[] = {
273 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE
, NULL
),
276 return known_gettable_ctx_params
;
279 const OSSL_DISPATCH ossl_kdf_pbkdf2_functions
[] = {
280 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))kdf_pbkdf2_new
},
281 { OSSL_FUNC_KDF_DUPCTX
, (void(*)(void))kdf_pbkdf2_dup
},
282 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))kdf_pbkdf2_free
},
283 { OSSL_FUNC_KDF_RESET
, (void(*)(void))kdf_pbkdf2_reset
},
284 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))kdf_pbkdf2_derive
},
285 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
286 (void(*)(void))kdf_pbkdf2_settable_ctx_params
},
287 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))kdf_pbkdf2_set_ctx_params
},
288 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
289 (void(*)(void))kdf_pbkdf2_gettable_ctx_params
},
290 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))kdf_pbkdf2_get_ctx_params
},
295 * This is an implementation of PKCS#5 v2.0 password based encryption key
296 * derivation function PBKDF2. SHA1 version verified against test vectors
297 * posted by Peter Gutmann to the PKCS-TNG mailing list.
299 * The constraints specified by SP800-132 have been added i.e.
300 * - Check the range of the key length.
301 * - Minimum iteration count of 1000.
302 * - Randomly-generated portion of the salt shall be at least 128 bits.
304 static int pbkdf2_derive(const char *pass
, size_t passlen
,
305 const unsigned char *salt
, int saltlen
, uint64_t iter
,
306 const EVP_MD
*digest
, unsigned char *key
,
307 size_t keylen
, int lower_bound_checks
)
310 unsigned char digtmp
[EVP_MAX_MD_SIZE
], *p
, itmp
[4];
311 int cplen
, k
, tkeylen
, mdlen
;
314 HMAC_CTX
*hctx_tpl
= NULL
, *hctx
= NULL
;
316 mdlen
= EVP_MD_get_size(digest
);
321 * This check should always be done because keylen / mdlen >= (2^32 - 1)
322 * results in an overflow of the loop counter 'i'.
324 if ((keylen
/ mdlen
) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO
) {
325 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_KEY_LENGTH
);
329 if (lower_bound_checks
) {
330 if ((keylen
* 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS
) {
331 ERR_raise(ERR_LIB_PROV
, PROV_R_KEY_SIZE_TOO_SMALL
);
334 if (saltlen
< KDF_PBKDF2_MIN_SALT_LEN
) {
335 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_SALT_LENGTH
);
338 if (iter
< KDF_PBKDF2_MIN_ITERATIONS
) {
339 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_ITERATION_COUNT
);
344 hctx_tpl
= HMAC_CTX_new();
345 if (hctx_tpl
== NULL
)
349 if (!HMAC_Init_ex(hctx_tpl
, pass
, passlen
, digest
, NULL
))
351 hctx
= HMAC_CTX_new();
360 * We are unlikely to ever use more than 256 blocks (5120 bits!) but
363 itmp
[0] = (unsigned char)((i
>> 24) & 0xff);
364 itmp
[1] = (unsigned char)((i
>> 16) & 0xff);
365 itmp
[2] = (unsigned char)((i
>> 8) & 0xff);
366 itmp
[3] = (unsigned char)(i
& 0xff);
367 if (!HMAC_CTX_copy(hctx
, hctx_tpl
))
369 if (!HMAC_Update(hctx
, salt
, saltlen
)
370 || !HMAC_Update(hctx
, itmp
, 4)
371 || !HMAC_Final(hctx
, digtmp
, NULL
))
373 memcpy(p
, digtmp
, cplen
);
374 for (j
= 1; j
< iter
; j
++) {
375 if (!HMAC_CTX_copy(hctx
, hctx_tpl
))
377 if (!HMAC_Update(hctx
, digtmp
, mdlen
)
378 || !HMAC_Final(hctx
, digtmp
, NULL
))
380 for (k
= 0; k
< cplen
; k
++)
391 HMAC_CTX_free(hctx_tpl
);