]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/common/kdfs/pbkdf2.c
projects / thirdparty / openssl.git / blob
? search:


e0b4550d6271a5bb394166fdbe2bfdd61d0dc7f7
[thirdparty/openssl.git] / providers / common / kdfs / pbkdf2.c
1 /*
2 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdlib.h>
11 #include <stdarg.h>
12 #include <string.h>
13 #include <openssl/hmac.h>
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include <openssl/core_names.h>
17 #include "internal/cryptlib.h"
18 #include "internal/numbers.h"
19 #include "internal/evp_int.h"
20 #include "internal/provider_ctx.h"
21 #include "internal/providercommonerr.h"
22 #include "internal/provider_algs.h"
23
24 /* Constants specified in SP800-132 */
25 #define KDF_PBKDF2_MIN_KEY_LEN_BITS 112
26 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
27 #define KDF_PBKDF2_MIN_ITERATIONS 1000
28 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
29 /*
30 * For backwards compatibility reasons,
31 * Extra checks are done by default in fips mode only.
32 */
33 #ifdef FIPS_MODE
34 # define KDF_PBKDF2_DEFAULT_CHECKS 1
35 #else
36 # define KDF_PBKDF2_DEFAULT_CHECKS 0
37 #endif /* FIPS_MODE */
38
39 static OSSL_OP_kdf_newctx_fn kdf_pbkdf2_new;
40 static OSSL_OP_kdf_freectx_fn kdf_pbkdf2_free;
41 static OSSL_OP_kdf_reset_fn kdf_pbkdf2_reset;
42 static OSSL_OP_kdf_derive_fn kdf_pbkdf2_derive;
43 static OSSL_OP_kdf_settable_ctx_params_fn kdf_pbkdf2_settable_ctx_params;
44 static OSSL_OP_kdf_set_ctx_params_fn kdf_pbkdf2_set_ctx_params;
45
46 static int pbkdf2_derive(const char *pass, size_t passlen,
47 const unsigned char *salt, int saltlen, uint64_t iter,
48 const EVP_MD *digest, unsigned char *key,
49 size_t keylen, int extra_checks);
50
51 typedef struct {
52 void *provctx;
53 unsigned char *pass;
54 size_t pass_len;
55 unsigned char *salt;
56 size_t salt_len;
57 uint64_t iter;
58 EVP_MD *md;
59 int lower_bound_checks;
60 } KDF_PBKDF2;
61
62 static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx);
63
64 static void *kdf_pbkdf2_new(void *provctx)
65 {
66 KDF_PBKDF2 *ctx;
67
68 ctx = OPENSSL_zalloc(sizeof(*ctx));
69 if (ctx == NULL) {
70 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
71 return NULL;
72 }
73 ctx->provctx = provctx;
74 kdf_pbkdf2_init(ctx);
75 return ctx;
76 }
77
78 static void kdf_pbkdf2_free(void *vctx)
79 {
80 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
81
82 kdf_pbkdf2_reset(ctx);
83 EVP_MD_meth_free(ctx->md);
84 OPENSSL_free(ctx);
85 }
86
87 static void kdf_pbkdf2_reset(void *vctx)
88 {
89 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
90
91 OPENSSL_free(ctx->salt);
92 OPENSSL_clear_free(ctx->pass, ctx->pass_len);
93 memset(ctx, 0, sizeof(*ctx));
94 kdf_pbkdf2_init(ctx);
95 }
96
97 static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx)
98 {
99 ctx->iter = PKCS5_DEFAULT_ITER;
100 ctx->md = EVP_MD_fetch(PROV_LIBRARY_CONTEXT_OF(ctx->provctx), SN_sha1,
101 NULL);
102 ctx->lower_bound_checks = KDF_PBKDF2_DEFAULT_CHECKS;
103 }
104
105 static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
106 const OSSL_PARAM *p)
107 {
108 OPENSSL_clear_free(*buffer, *buflen);
109 if (p->data_size == 0) {
110 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
111 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
112 return 0;
113 }
114 } else if (p->data != NULL) {
115 *buffer = NULL;
116 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
117 return 0;
118 }
119 return 1;
120 }
121
122 static int kdf_pbkdf2_derive(void *vctx, unsigned char *key,
123 size_t keylen)
124 {
125 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
126
127 if (ctx->pass == NULL) {
128 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
129 return 0;
130 }
131
132 if (ctx->salt == NULL) {
133 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
134 return 0;
135 }
136
137 return pbkdf2_derive((char *)ctx->pass, ctx->pass_len,
138 ctx->salt, ctx->salt_len, ctx->iter,
139 ctx->md, key, keylen, ctx->lower_bound_checks);
140 }
141
142 static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
143 {
144 const OSSL_PARAM *p;
145 KDF_PBKDF2 *ctx = vctx;
146 EVP_MD *md;
147 int pkcs5;
148 uint64_t iter, min_iter;
149 const char *properties = NULL;
150
151 /* Grab search properties, this should be before the digest lookup */
152 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES))
153 != NULL) {
154 if (p->data_type != OSSL_PARAM_UTF8_STRING)
155 return 0;
156 properties = p->data;
157 }
158 /* Handle aliasing of digest parameter names */
159 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) {
160 if (p->data_type != OSSL_PARAM_UTF8_STRING)
161 return 0;
162 md = EVP_MD_fetch(PROV_LIBRARY_CONTEXT_OF(ctx->provctx), p->data,
163 properties);
164 if (md == NULL) {
165 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
166 return 0;
167 }
168 EVP_MD_meth_free(ctx->md);
169 ctx->md = md;
170 }
171
172 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS5)) != NULL) {
173 if (!OSSL_PARAM_get_int(p, &pkcs5))
174 return 0;
175 ctx->lower_bound_checks = pkcs5 == 0;
176 }
177
178 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
179 if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
180 return 0;
181
182 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
183 if (ctx->lower_bound_checks != 0
184 && p->data_size < KDF_PBKDF2_MIN_SALT_LEN) {
185 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
186 return 0;
187 }
188 if (!pbkdf2_set_membuf(&ctx->salt, &ctx->salt_len,p))
189 return 0;
190 }
191
192 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) {
193 if (!OSSL_PARAM_get_uint64(p, &iter))
194 return 0;
195 min_iter = ctx->lower_bound_checks != 0 ? KDF_PBKDF2_MIN_ITERATIONS : 1;
196 if (iter < min_iter) {
197 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT);
198 return 0;
199 }
200 ctx->iter = iter;
201 }
202 return 1;
203 }
204
205 static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(void)
206 {
207 static const OSSL_PARAM known_settable_ctx_params[] = {
208 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
209 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
210 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
211 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
212 OSSL_PARAM_uint64(OSSL_KDF_PARAM_ITER, NULL),
213 OSSL_PARAM_int(OSSL_KDF_PARAM_PKCS5, NULL),
214 OSSL_PARAM_END
215 };
216 return known_settable_ctx_params;
217 }
218
219 static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
220 {
221 OSSL_PARAM *p;
222
223 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
224 return OSSL_PARAM_set_size_t(p, SIZE_MAX);
225 return -2;
226 }
227
228 static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(void)
229 {
230 static const OSSL_PARAM known_gettable_ctx_params[] = {
231 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
232 OSSL_PARAM_END
233 };
234 return known_gettable_ctx_params;
235 }
236
237 const OSSL_DISPATCH kdf_pbkdf2_functions[] = {
238 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pbkdf2_new },
239 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pbkdf2_free },
240 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pbkdf2_reset },
241 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pbkdf2_derive },
242 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
243 (void(*)(void))kdf_pbkdf2_settable_ctx_params },
244 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_set_ctx_params },
245 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
246 (void(*)(void))kdf_pbkdf2_gettable_ctx_params },
247 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_get_ctx_params },
248 { 0, NULL }
249 };
250
251 /*
252 * This is an implementation of PKCS#5 v2.0 password based encryption key
253 * derivation function PBKDF2. SHA1 version verified against test vectors
254 * posted by Peter Gutmann to the PKCS-TNG mailing list.
255 *
256 * The constraints specified by SP800-132 have been added i.e.
257 * - Check the range of the key length.
258 * - Minimum iteration count of 1000.
259 * - Randomly-generated portion of the salt shall be at least 128 bits.
260 */
261 static int pbkdf2_derive(const char *pass, size_t passlen,
262 const unsigned char *salt, int saltlen, uint64_t iter,
263 const EVP_MD *digest, unsigned char *key,
264 size_t keylen, int lower_bound_checks)
265 {
266 int ret = 0;
267 unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
268 int cplen, k, tkeylen, mdlen;
269 uint64_t j;
270 unsigned long i = 1;
271 HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
272
273 mdlen = EVP_MD_size(digest);
274 if (mdlen <= 0)
275 return 0;
276
277 /*
278 * This check should always be done because keylen / mdlen >= (2^32 - 1)
279 * results in an overflow of the loop counter 'i'.
280 */
281 if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) {
282 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LEN);
283 return 0;
284 }
285
286 if (lower_bound_checks) {
287 if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
288 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LEN);
289 return 0;
290 }
291 if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) {
292 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
293 return 0;
294 }
295 if (iter < KDF_PBKDF2_MIN_ITERATIONS) {
296 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT);
297 return 0;
298 }
299 }
300
301 hctx_tpl = HMAC_CTX_new();
302 if (hctx_tpl == NULL)
303 return 0;
304 p = key;
305 tkeylen = keylen;
306 if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL))
307 goto err;
308 hctx = HMAC_CTX_new();
309 if (hctx == NULL)
310 goto err;
311 while (tkeylen) {
312 if (tkeylen > mdlen)
313 cplen = mdlen;
314 else
315 cplen = tkeylen;
316 /*
317 * We are unlikely to ever use more than 256 blocks (5120 bits!) but
318 * just in case...
319 */
320 itmp[0] = (unsigned char)((i >> 24) & 0xff);
321 itmp[1] = (unsigned char)((i >> 16) & 0xff);
322 itmp[2] = (unsigned char)((i >> 8) & 0xff);
323 itmp[3] = (unsigned char)(i & 0xff);
324 if (!HMAC_CTX_copy(hctx, hctx_tpl))
325 goto err;
326 if (!HMAC_Update(hctx, salt, saltlen)
327 || !HMAC_Update(hctx, itmp, 4)
328 || !HMAC_Final(hctx, digtmp, NULL))
329 goto err;
330 memcpy(p, digtmp, cplen);
331 for (j = 1; j < iter; j++) {
332 if (!HMAC_CTX_copy(hctx, hctx_tpl))
333 goto err;
334 if (!HMAC_Update(hctx, digtmp, mdlen)
335 || !HMAC_Final(hctx, digtmp, NULL))
336 goto err;
337 for (k = 0; k < cplen; k++)
338 p[k] ^= digtmp[k];
339 }
340 tkeylen -= cplen;
341 i++;
342 p += cplen;
343 }
344 ret = 1;
345
346 err:
347 HMAC_CTX_free(hctx);
348 HMAC_CTX_free(hctx_tpl);
349 return ret;
350 }
A mirror of the official openssl repository