2 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/hmac.h>
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include "internal/cryptlib.h"
17 #include "internal/evp_int.h"
18 #include "kdf_local.h"
20 /* Constants specified in SP800-132 */
21 #define KDF_PBKDF2_MIN_KEY_LEN_BITS 112
22 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
23 #define KDF_PBKDF2_MIN_ITERATIONS 1000
24 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
26 * For backwards compatibility reasons,
27 * Extra checks are done by default in fips mode only.
30 # define KDF_PBKDF2_DEFAULT_CHECKS 1
32 # define KDF_PBKDF2_DEFAULT_CHECKS 0
33 #endif /* FIPS_MODE */
35 static void kdf_pbkdf2_reset(EVP_KDF_IMPL
*impl
);
36 static void kdf_pbkdf2_init(EVP_KDF_IMPL
*impl
);
37 static int pbkdf2_derive(const char *pass
, size_t passlen
,
38 const unsigned char *salt
, int saltlen
, int iter
,
39 const EVP_MD
*digest
, unsigned char *key
,
40 size_t keylen
, int extra_checks
);
42 struct evp_kdf_impl_st
{
49 int lower_bound_checks
;
52 static EVP_KDF_IMPL
*kdf_pbkdf2_new(void)
56 impl
= OPENSSL_zalloc(sizeof(*impl
));
58 KDFerr(KDF_F_KDF_PBKDF2_NEW
, ERR_R_MALLOC_FAILURE
);
61 kdf_pbkdf2_init(impl
);
65 static void kdf_pbkdf2_free(EVP_KDF_IMPL
*impl
)
67 kdf_pbkdf2_reset(impl
);
71 static void kdf_pbkdf2_reset(EVP_KDF_IMPL
*impl
)
73 OPENSSL_free(impl
->salt
);
74 OPENSSL_clear_free(impl
->pass
, impl
->pass_len
);
75 memset(impl
, 0, sizeof(*impl
));
76 kdf_pbkdf2_init(impl
);
79 static void kdf_pbkdf2_init(EVP_KDF_IMPL
*impl
)
81 impl
->iter
= PKCS5_DEFAULT_ITER
;
82 impl
->md
= EVP_sha1();
83 impl
->lower_bound_checks
= KDF_PBKDF2_DEFAULT_CHECKS
;
86 static int pbkdf2_set_membuf(unsigned char **buffer
, size_t *buflen
,
87 const unsigned char *new_buffer
,
90 if (new_buffer
== NULL
)
93 OPENSSL_clear_free(*buffer
, *buflen
);
96 *buffer
= OPENSSL_memdup(new_buffer
, new_buflen
);
98 *buffer
= OPENSSL_malloc(1);
100 if (*buffer
== NULL
) {
101 KDFerr(KDF_F_PBKDF2_SET_MEMBUF
, ERR_R_MALLOC_FAILURE
);
105 *buflen
= new_buflen
;
109 static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL
*impl
, int cmd
, va_list args
)
111 int iter
, pkcs5
, min_iter
;
112 const unsigned char *p
;
117 case EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE
:
118 pkcs5
= va_arg(args
, int);
119 impl
->lower_bound_checks
= (pkcs5
== 0) ? 1 : 0;
121 case EVP_KDF_CTRL_SET_PASS
:
122 p
= va_arg(args
, const unsigned char *);
123 len
= va_arg(args
, size_t);
124 return pbkdf2_set_membuf(&impl
->pass
, &impl
->pass_len
, p
, len
);
126 case EVP_KDF_CTRL_SET_SALT
:
127 p
= va_arg(args
, const unsigned char *);
128 len
= va_arg(args
, size_t);
129 if (impl
->lower_bound_checks
!= 0 && len
< KDF_PBKDF2_MIN_SALT_LEN
) {
130 KDFerr(KDF_F_KDF_PBKDF2_CTRL
, KDF_R_INVALID_SALT_LEN
);
133 return pbkdf2_set_membuf(&impl
->salt
, &impl
->salt_len
, p
, len
);
135 case EVP_KDF_CTRL_SET_ITER
:
136 iter
= va_arg(args
, int);
137 min_iter
= impl
->lower_bound_checks
!= 0 ? KDF_PBKDF2_MIN_ITERATIONS
: 1;
138 if (iter
< min_iter
) {
139 KDFerr(KDF_F_KDF_PBKDF2_CTRL
, KDF_R_INVALID_ITERATION_COUNT
);
145 case EVP_KDF_CTRL_SET_MD
:
146 md
= va_arg(args
, const EVP_MD
*);
148 KDFerr(KDF_F_KDF_PBKDF2_CTRL
, KDF_R_VALUE_MISSING
);
160 static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL
*impl
, const char *type
,
164 KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR
, KDF_R_VALUE_MISSING
);
168 if (strcmp(type
, "pass") == 0)
169 return kdf_str2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_PASS
,
172 if (strcmp(type
, "hexpass") == 0)
173 return kdf_hex2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_PASS
,
176 if (strcmp(type
, "salt") == 0)
177 return kdf_str2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_SALT
,
180 if (strcmp(type
, "hexsalt") == 0)
181 return kdf_hex2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_SALT
,
184 if (strcmp(type
, "iter") == 0)
185 return call_ctrl(kdf_pbkdf2_ctrl
, impl
, EVP_KDF_CTRL_SET_ITER
,
188 if (strcmp(type
, "digest") == 0)
189 return kdf_md2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_MD
, value
);
191 if (strcmp(type
, "pkcs5") == 0)
192 return kdf_str2ctrl(impl
, kdf_pbkdf2_ctrl
,
193 EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE
, value
);
197 static int kdf_pbkdf2_derive(EVP_KDF_IMPL
*impl
, unsigned char *key
,
200 if (impl
->pass
== NULL
) {
201 KDFerr(KDF_F_KDF_PBKDF2_DERIVE
, KDF_R_MISSING_PASS
);
205 if (impl
->salt
== NULL
) {
206 KDFerr(KDF_F_KDF_PBKDF2_DERIVE
, KDF_R_MISSING_SALT
);
210 return pbkdf2_derive((char *)impl
->pass
, impl
->pass_len
,
211 impl
->salt
, impl
->salt_len
, impl
->iter
,
212 impl
->md
, key
, keylen
, impl
->lower_bound_checks
);
215 const EVP_KDF pbkdf2_kdf_meth
= {
227 * This is an implementation of PKCS#5 v2.0 password based encryption key
228 * derivation function PBKDF2. SHA1 version verified against test vectors
229 * posted by Peter Gutmann to the PKCS-TNG mailing list.
231 * The constraints specified by SP800-132 have been added i.e.
232 * - Check the range of the key length.
233 * - Minimum iteration count of 1000.
234 * - Randomly-generated portion of the salt shall be at least 128 bits.
236 static int pbkdf2_derive(const char *pass
, size_t passlen
,
237 const unsigned char *salt
, int saltlen
, int iter
,
238 const EVP_MD
*digest
, unsigned char *key
,
239 size_t keylen
, int lower_bound_checks
)
242 unsigned char digtmp
[EVP_MAX_MD_SIZE
], *p
, itmp
[4];
243 int cplen
, j
, k
, tkeylen
, mdlen
;
245 HMAC_CTX
*hctx_tpl
= NULL
, *hctx
= NULL
;
247 mdlen
= EVP_MD_size(digest
);
252 * This check should always be done because keylen / mdlen >= (2^32 - 1)
253 * results in an overflow of the loop counter 'i'.
255 if ((keylen
/ mdlen
) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO
) {
256 KDFerr(KDF_F_PBKDF2_DERIVE
, KDF_R_INVALID_KEY_LEN
);
260 if (lower_bound_checks
) {
261 if ((keylen
* 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS
) {
262 KDFerr(KDF_F_PBKDF2_DERIVE
, KDF_R_INVALID_KEY_LEN
);
265 if (saltlen
< KDF_PBKDF2_MIN_SALT_LEN
) {
266 KDFerr(KDF_F_PBKDF2_DERIVE
, KDF_R_INVALID_SALT_LEN
);
269 if (iter
< KDF_PBKDF2_MIN_ITERATIONS
) {
270 KDFerr(KDF_F_PBKDF2_DERIVE
, KDF_R_INVALID_ITERATION_COUNT
);
275 hctx_tpl
= HMAC_CTX_new();
276 if (hctx_tpl
== NULL
)
280 if (!HMAC_Init_ex(hctx_tpl
, pass
, passlen
, digest
, NULL
))
282 hctx
= HMAC_CTX_new();
291 * We are unlikely to ever use more than 256 blocks (5120 bits!) but
294 itmp
[0] = (unsigned char)((i
>> 24) & 0xff);
295 itmp
[1] = (unsigned char)((i
>> 16) & 0xff);
296 itmp
[2] = (unsigned char)((i
>> 8) & 0xff);
297 itmp
[3] = (unsigned char)(i
& 0xff);
298 if (!HMAC_CTX_copy(hctx
, hctx_tpl
))
300 if (!HMAC_Update(hctx
, salt
, saltlen
)
301 || !HMAC_Update(hctx
, itmp
, 4)
302 || !HMAC_Final(hctx
, digtmp
, NULL
))
304 memcpy(p
, digtmp
, cplen
);
305 for (j
= 1; j
< iter
; j
++) {
306 if (!HMAC_CTX_copy(hctx
, hctx_tpl
))
308 if (!HMAC_Update(hctx
, digtmp
, mdlen
)
309 || !HMAC_Final(hctx
, digtmp
, NULL
))
311 for (k
= 0; k
< cplen
; k
++)
322 HMAC_CTX_free(hctx_tpl
);