1/* 2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * HMAC low level APIs are deprecated for public use, but still ok for internal 12 * use. 13 */ 14#include "internal/deprecated.h" 15 16#include <stdlib.h> 17#include <stdarg.h> 18#include <string.h> 19#include <openssl/hmac.h> 20#include <openssl/evp.h> 21#include <openssl/kdf.h> 22#include <openssl/core_names.h> 23#include <openssl/proverr.h> 24#include "internal/cryptlib.h" 25#include "internal/numbers.h" 26#include "crypto/evp.h" 27#include "prov/provider_ctx.h" 28#include "prov/providercommon.h" 29#include "prov/implementations.h" 30#include "prov/provider_util.h" 31#include "pbkdf2.h" 32 33/* Constants specified in SP800-132 */ 34#define KDF_PBKDF2_MIN_KEY_LEN_BITS 112 35#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF 36#define KDF_PBKDF2_MIN_ITERATIONS 1000 37#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) 38 39static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; 40static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free; 41static OSSL_FUNC_kdf_reset_fn kdf_pbkdf2_reset; 42static OSSL_FUNC_kdf_derive_fn kdf_pbkdf2_derive; 43static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_pbkdf2_settable_ctx_params; 44static OSSL_FUNC_kdf_set_ctx_params_fn kdf_pbkdf2_set_ctx_params; 45static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_pbkdf2_gettable_ctx_params; 46static OSSL_FUNC_kdf_get_ctx_params_fn kdf_pbkdf2_get_ctx_params; 47 48static int pbkdf2_derive(const char *pass, size_t passlen, 49 const unsigned char *salt, int saltlen, uint64_t iter, 50 const EVP_MD *digest, unsigned char *key, 51 size_t keylen, int extra_checks); 52 53typedef struct { 54 void *provctx; 55 unsigned char *pass; 56 size_t pass_len; 57 unsigned char *salt; 58 size_t salt_len; 59 uint64_t iter; 60 PROV_DIGEST digest; 61 int lower_bound_checks; 62} KDF_PBKDF2; 63 64static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx); 65 66static void *kdf_pbkdf2_new(void *provctx) 67{ 68 KDF_PBKDF2 *ctx; 69 70 if (!ossl_prov_is_running()) 71 return NULL; 72 73 ctx = OPENSSL_zalloc(sizeof(*ctx)); 74 if (ctx == NULL) { 75 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 76 return NULL; 77 } 78 ctx->provctx = provctx; 79 kdf_pbkdf2_init(ctx); 80 return ctx; 81} 82 83static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx) 84{ 85 ossl_prov_digest_reset(&ctx->digest); 86 OPENSSL_free(ctx->salt); 87 OPENSSL_clear_free(ctx->pass, ctx->pass_len); 88 memset(ctx, 0, sizeof(*ctx)); 89} 90 91static void kdf_pbkdf2_free(void *vctx) 92{ 93 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; 94 95 if (ctx != NULL) { 96 kdf_pbkdf2_cleanup(ctx); 97 OPENSSL_free(ctx); 98 } 99} 100 101static void kdf_pbkdf2_reset(void *vctx) 102{ 103 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; 104 void *provctx = ctx->provctx; 105 106 kdf_pbkdf2_cleanup(ctx); 107 ctx->provctx = provctx; 108 kdf_pbkdf2_init(ctx); 109} 110 111static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx) 112{ 113 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; 114 OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx); 115 116 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 117 SN_sha1, 0); 118 if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) 119 /* This is an error, but there is no way to indicate such directly */ 120 ossl_prov_digest_reset(&ctx->digest); 121 ctx->iter = PKCS5_DEFAULT_ITER; 122 ctx->lower_bound_checks = ossl_kdf_pbkdf2_default_checks; 123} 124 125static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, 126 const OSSL_PARAM *p) 127{ 128 OPENSSL_clear_free(*buffer, *buflen); 129 *buffer = NULL; 130 *buflen = 0; 131 132 if (p->data_size == 0) { 133 if ((*buffer = OPENSSL_malloc(1)) == NULL) { 134 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 135 return 0; 136 } 137 } else if (p->data != NULL) { 138 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) 139 return 0; 140 } 141 return 1; 142} 143 144static int kdf_pbkdf2_derive(void *vctx, unsigned char *key, size_t keylen, 145 const OSSL_PARAM params[]) 146{ 147 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; 148 const EVP_MD *md; 149 150 if (!ossl_prov_is_running() || !kdf_pbkdf2_set_ctx_params(ctx, params)) 151 return 0; 152 153 if (ctx->pass == NULL) { 154 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS); 155 return 0; 156 } 157 158 if (ctx->salt == NULL) { 159 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT); 160 return 0; 161 } 162 163 md = ossl_prov_digest_md(&ctx->digest); 164 return pbkdf2_derive((char *)ctx->pass, ctx->pass_len, 165 ctx->salt, ctx->salt_len, ctx->iter, 166 md, key, keylen, ctx->lower_bound_checks); 167} 168 169static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 170{ 171 const OSSL_PARAM *p; 172 KDF_PBKDF2 *ctx = vctx; 173 OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx); 174 int pkcs5; 175 uint64_t iter, min_iter; 176 177 if (params == NULL) 178 return 1; 179 180 if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) 181 return 0; 182 183 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS5)) != NULL) { 184 if (!OSSL_PARAM_get_int(p, &pkcs5)) 185 return 0; 186 ctx->lower_bound_checks = pkcs5 == 0; 187 } 188 189 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) 190 if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p)) 191 return 0; 192 193 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { 194 if (ctx->lower_bound_checks != 0 195 && p->data_size < KDF_PBKDF2_MIN_SALT_LEN) { 196 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 197 return 0; 198 } 199 if (!pbkdf2_set_membuf(&ctx->salt, &ctx->salt_len,p)) 200 return 0; 201 } 202 203 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) { 204 if (!OSSL_PARAM_get_uint64(p, &iter)) 205 return 0; 206 min_iter = ctx->lower_bound_checks != 0 ? KDF_PBKDF2_MIN_ITERATIONS : 1; 207 if (iter < min_iter) { 208 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT); 209 return 0; 210 } 211 ctx->iter = iter; 212 } 213 return 1; 214} 215 216static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, 217 ossl_unused void *p_ctx) 218{ 219 static const OSSL_PARAM known_settable_ctx_params[] = { 220 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), 221 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), 222 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0), 223 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0), 224 OSSL_PARAM_uint64(OSSL_KDF_PARAM_ITER, NULL), 225 OSSL_PARAM_int(OSSL_KDF_PARAM_PKCS5, NULL), 226 OSSL_PARAM_END 227 }; 228 return known_settable_ctx_params; 229} 230 231static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) 232{ 233 OSSL_PARAM *p; 234 235 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) 236 return OSSL_PARAM_set_size_t(p, SIZE_MAX); 237 return -2; 238} 239 240static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, 241 ossl_unused void *p_ctx) 242{ 243 static const OSSL_PARAM known_gettable_ctx_params[] = { 244 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), 245 OSSL_PARAM_END 246 }; 247 return known_gettable_ctx_params; 248} 249 250const OSSL_DISPATCH ossl_kdf_pbkdf2_functions[] = { 251 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pbkdf2_new }, 252 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pbkdf2_free }, 253 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pbkdf2_reset }, 254 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pbkdf2_derive }, 255 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 256 (void(*)(void))kdf_pbkdf2_settable_ctx_params }, 257 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_set_ctx_params }, 258 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 259 (void(*)(void))kdf_pbkdf2_gettable_ctx_params }, 260 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_get_ctx_params }, 261 { 0, NULL } 262}; 263 264/* 265 * This is an implementation of PKCS#5 v2.0 password based encryption key 266 * derivation function PBKDF2. SHA1 version verified against test vectors 267 * posted by Peter Gutmann to the PKCS-TNG mailing list. 268 * 269 * The constraints specified by SP800-132 have been added i.e. 270 * - Check the range of the key length. 271 * - Minimum iteration count of 1000. 272 * - Randomly-generated portion of the salt shall be at least 128 bits. 273 */ 274static int pbkdf2_derive(const char *pass, size_t passlen, 275 const unsigned char *salt, int saltlen, uint64_t iter, 276 const EVP_MD *digest, unsigned char *key, 277 size_t keylen, int lower_bound_checks) 278{ 279 int ret = 0; 280 unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; 281 int cplen, k, tkeylen, mdlen; 282 uint64_t j; 283 unsigned long i = 1; 284 HMAC_CTX *hctx_tpl = NULL, *hctx = NULL; 285 286 mdlen = EVP_MD_get_size(digest); 287 if (mdlen <= 0) 288 return 0; 289 290 /* 291 * This check should always be done because keylen / mdlen >= (2^32 - 1) 292 * results in an overflow of the loop counter 'i'. 293 */ 294 if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) { 295 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 296 return 0; 297 } 298 299 if (lower_bound_checks) { 300 if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { 301 ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); 302 return 0; 303 } 304 if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) { 305 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 306 return 0; 307 } 308 if (iter < KDF_PBKDF2_MIN_ITERATIONS) { 309 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT); 310 return 0; 311 } 312 } 313 314 hctx_tpl = HMAC_CTX_new(); 315 if (hctx_tpl == NULL) 316 return 0; 317 p = key; 318 tkeylen = keylen; 319 if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) 320 goto err; 321 hctx = HMAC_CTX_new(); 322 if (hctx == NULL) 323 goto err; 324 while (tkeylen) { 325 if (tkeylen > mdlen) 326 cplen = mdlen; 327 else 328 cplen = tkeylen; 329 /* 330 * We are unlikely to ever use more than 256 blocks (5120 bits!) but 331 * just in case... 332 */ 333 itmp[0] = (unsigned char)((i >> 24) & 0xff); 334 itmp[1] = (unsigned char)((i >> 16) & 0xff); 335 itmp[2] = (unsigned char)((i >> 8) & 0xff); 336 itmp[3] = (unsigned char)(i & 0xff); 337 if (!HMAC_CTX_copy(hctx, hctx_tpl)) 338 goto err; 339 if (!HMAC_Update(hctx, salt, saltlen) 340 || !HMAC_Update(hctx, itmp, 4) 341 || !HMAC_Final(hctx, digtmp, NULL)) 342 goto err; 343 memcpy(p, digtmp, cplen); 344 for (j = 1; j < iter; j++) { 345 if (!HMAC_CTX_copy(hctx, hctx_tpl)) 346 goto err; 347 if (!HMAC_Update(hctx, digtmp, mdlen) 348 || !HMAC_Final(hctx, digtmp, NULL)) 349 goto err; 350 for (k = 0; k < cplen; k++) 351 p[k] ^= digtmp[k]; 352 } 353 tkeylen -= cplen; 354 i++; 355 p += cplen; 356 } 357 ret = 1; 358 359err: 360 HMAC_CTX_free(hctx); 361 HMAC_CTX_free(hctx_tpl); 362 return ret; 363} 364