2 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/hmac.h>
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include "internal/cryptlib.h"
17 #include "internal/evp_int.h"
18 #include "kdf_local.h"
20 static void kdf_pbkdf2_reset(EVP_KDF_IMPL
*impl
);
21 static void kdf_pbkdf2_init(EVP_KDF_IMPL
*impl
);
22 static int pkcs5_pbkdf2_alg(const char *pass
, size_t passlen
,
23 const unsigned char *salt
, int saltlen
, int iter
,
24 const EVP_MD
*digest
, unsigned char *key
,
27 struct evp_kdf_impl_st
{
36 static EVP_KDF_IMPL
*kdf_pbkdf2_new(void)
40 impl
= OPENSSL_zalloc(sizeof(*impl
));
42 KDFerr(KDF_F_KDF_PBKDF2_NEW
, ERR_R_MALLOC_FAILURE
);
45 kdf_pbkdf2_init(impl
);
49 static void kdf_pbkdf2_free(EVP_KDF_IMPL
*impl
)
51 kdf_pbkdf2_reset(impl
);
55 static void kdf_pbkdf2_reset(EVP_KDF_IMPL
*impl
)
57 OPENSSL_free(impl
->salt
);
58 OPENSSL_clear_free(impl
->pass
, impl
->pass_len
);
59 memset(impl
, 0, sizeof(*impl
));
60 kdf_pbkdf2_init(impl
);
63 static void kdf_pbkdf2_init(EVP_KDF_IMPL
*impl
)
65 impl
->iter
= PKCS5_DEFAULT_ITER
;
66 impl
->md
= EVP_sha1();
69 static int pbkdf2_set_membuf(unsigned char **buffer
, size_t *buflen
,
70 const unsigned char *new_buffer
,
73 if (new_buffer
== NULL
)
76 OPENSSL_clear_free(*buffer
, *buflen
);
79 *buffer
= OPENSSL_memdup(new_buffer
, new_buflen
);
81 *buffer
= OPENSSL_malloc(1);
83 if (*buffer
== NULL
) {
84 KDFerr(KDF_F_PBKDF2_SET_MEMBUF
, ERR_R_MALLOC_FAILURE
);
92 static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL
*impl
, int cmd
, va_list args
)
95 const unsigned char *p
;
100 case EVP_KDF_CTRL_SET_PASS
:
101 p
= va_arg(args
, const unsigned char *);
102 len
= va_arg(args
, size_t);
103 return pbkdf2_set_membuf(&impl
->pass
, &impl
->pass_len
, p
, len
);
105 case EVP_KDF_CTRL_SET_SALT
:
106 p
= va_arg(args
, const unsigned char *);
107 len
= va_arg(args
, size_t);
108 return pbkdf2_set_membuf(&impl
->salt
, &impl
->salt_len
, p
, len
);
110 case EVP_KDF_CTRL_SET_ITER
:
111 iter
= va_arg(args
, int);
118 case EVP_KDF_CTRL_SET_MD
:
119 md
= va_arg(args
, const EVP_MD
*);
131 static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL
*impl
, const char *type
,
135 KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR
, KDF_R_VALUE_MISSING
);
139 if (strcmp(type
, "pass") == 0)
140 return kdf_str2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_PASS
,
143 if (strcmp(type
, "hexpass") == 0)
144 return kdf_hex2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_PASS
,
147 if (strcmp(type
, "salt") == 0)
148 return kdf_str2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_SALT
,
151 if (strcmp(type
, "hexsalt") == 0)
152 return kdf_hex2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_SALT
,
155 if (strcmp(type
, "iter") == 0)
156 return call_ctrl(kdf_pbkdf2_ctrl
, impl
, EVP_KDF_CTRL_SET_ITER
,
159 if (strcmp(type
, "digest") == 0)
160 return kdf_md2ctrl(impl
, kdf_pbkdf2_ctrl
, EVP_KDF_CTRL_SET_MD
, value
);
165 static int kdf_pbkdf2_derive(EVP_KDF_IMPL
*impl
, unsigned char *key
,
168 if (impl
->pass
== NULL
) {
169 KDFerr(KDF_F_KDF_PBKDF2_DERIVE
, KDF_R_MISSING_PASS
);
173 if (impl
->salt
== NULL
) {
174 KDFerr(KDF_F_KDF_PBKDF2_DERIVE
, KDF_R_MISSING_SALT
);
178 return pkcs5_pbkdf2_alg((char *)impl
->pass
, impl
->pass_len
,
179 impl
->salt
, impl
->salt_len
, impl
->iter
,
180 impl
->md
, key
, keylen
);
183 const EVP_KDF_METHOD pbkdf2_kdf_meth
= {
195 * This is an implementation of PKCS#5 v2.0 password based encryption key
196 * derivation function PBKDF2. SHA1 version verified against test vectors
197 * posted by Peter Gutmann to the PKCS-TNG mailing list.
200 static int pkcs5_pbkdf2_alg(const char *pass
, size_t passlen
,
201 const unsigned char *salt
, int saltlen
, int iter
,
202 const EVP_MD
*digest
, unsigned char *key
,
206 unsigned char digtmp
[EVP_MAX_MD_SIZE
], *p
, itmp
[4];
207 int cplen
, j
, k
, tkeylen
, mdlen
;
209 HMAC_CTX
*hctx_tpl
= NULL
, *hctx
= NULL
;
211 mdlen
= EVP_MD_size(digest
);
215 hctx_tpl
= HMAC_CTX_new();
216 if (hctx_tpl
== NULL
)
220 if (!HMAC_Init_ex(hctx_tpl
, pass
, passlen
, digest
, NULL
))
222 hctx
= HMAC_CTX_new();
231 * We are unlikely to ever use more than 256 blocks (5120 bits!) but
234 itmp
[0] = (unsigned char)((i
>> 24) & 0xff);
235 itmp
[1] = (unsigned char)((i
>> 16) & 0xff);
236 itmp
[2] = (unsigned char)((i
>> 8) & 0xff);
237 itmp
[3] = (unsigned char)(i
& 0xff);
238 if (!HMAC_CTX_copy(hctx
, hctx_tpl
))
240 if (!HMAC_Update(hctx
, salt
, saltlen
)
241 || !HMAC_Update(hctx
, itmp
, 4)
242 || !HMAC_Final(hctx
, digtmp
, NULL
))
244 memcpy(p
, digtmp
, cplen
);
245 for (j
= 1; j
< iter
; j
++) {
246 if (!HMAC_CTX_copy(hctx
, hctx_tpl
))
248 if (!HMAC_Update(hctx
, digtmp
, mdlen
)
249 || !HMAC_Final(hctx
, digtmp
, NULL
))
251 for (k
= 0; k
< cplen
; k
++)
262 HMAC_CTX_free(hctx_tpl
);