1 /* 2 * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * HMAC low level APIs are deprecated for public use, but still ok for internal 12 * use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <stdlib.h> 17 #include <stdarg.h> 18 #include <string.h> 19 #include <openssl/hmac.h> 20 #include <openssl/evp.h> 21 #include <openssl/kdf.h> 22 #include <openssl/core_names.h> 23 #include <openssl/proverr.h> 24 #include "internal/cryptlib.h" 25 #include "internal/numbers.h" 26 #include "crypto/evp.h" 27 #include "prov/provider_ctx.h" 28 #include "prov/providercommon.h" 29 #include "prov/implementations.h" 30 #include "prov/provider_util.h" 31 #include "prov/securitycheck.h" 32 #include "pbkdf2.h" 33 34 /* Constants specified in SP800-132 */ 35 #define KDF_PBKDF2_MIN_KEY_LEN_BITS 112 36 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF 37 #define KDF_PBKDF2_MIN_ITERATIONS 1000 38 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) 39 40 static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; 41 static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; 42 static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free; 43 static OSSL_FUNC_kdf_reset_fn kdf_pbkdf2_reset; 44 static OSSL_FUNC_kdf_derive_fn kdf_pbkdf2_derive; 45 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_pbkdf2_settable_ctx_params; 46 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_pbkdf2_set_ctx_params; 47 static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_pbkdf2_gettable_ctx_params; 48 static OSSL_FUNC_kdf_get_ctx_params_fn kdf_pbkdf2_get_ctx_params; 49 50 typedef struct { 51 void *provctx; 52 unsigned char *pass; 53 size_t pass_len; 54 unsigned char *salt; 55 size_t salt_len; 56 uint64_t iter; 57 PROV_DIGEST digest; 58 int lower_bound_checks; 59 OSSL_FIPS_IND_DECLARE 60 } KDF_PBKDF2; 61 62 static int pbkdf2_derive(KDF_PBKDF2 *ctx, const char *pass, size_t passlen, 63 const unsigned char *salt, int saltlen, uint64_t iter, 64 const EVP_MD *digest, unsigned char *key, 65 size_t keylen, int lower_bound_checks); 66 67 static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx); 68 69 static void *kdf_pbkdf2_new_no_init(void *provctx) 70 { 71 KDF_PBKDF2 *ctx; 72 73 if (!ossl_prov_is_running()) 74 return NULL; 75 76 ctx = OPENSSL_zalloc(sizeof(*ctx)); 77 if (ctx == NULL) 78 return NULL; 79 ctx->provctx = provctx; 80 OSSL_FIPS_IND_INIT(ctx); 81 return ctx; 82 } 83 84 static void *kdf_pbkdf2_new(void *provctx) 85 { 86 KDF_PBKDF2 *ctx = kdf_pbkdf2_new_no_init(provctx); 87 88 if (ctx != NULL) 89 kdf_pbkdf2_init(ctx); 90 return ctx; 91 } 92 93 static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx) 94 { 95 ossl_prov_digest_reset(&ctx->digest); 96 #ifdef OPENSSL_PEDANTIC_ZEROIZATION 97 OPENSSL_clear_free(ctx->salt, ctx->salt_len); 98 #else 99 OPENSSL_free(ctx->salt); 100 #endif 101 OPENSSL_clear_free(ctx->pass, ctx->pass_len); 102 memset(ctx, 0, sizeof(*ctx)); 103 } 104 105 static void kdf_pbkdf2_free(void *vctx) 106 { 107 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; 108 109 if (ctx != NULL) { 110 kdf_pbkdf2_cleanup(ctx); 111 OPENSSL_free(ctx); 112 } 113 } 114 115 static void kdf_pbkdf2_reset(void *vctx) 116 { 117 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; 118 void *provctx = ctx->provctx; 119 120 kdf_pbkdf2_cleanup(ctx); 121 ctx->provctx = provctx; 122 kdf_pbkdf2_init(ctx); 123 } 124 125 static void *kdf_pbkdf2_dup(void *vctx) 126 { 127 const KDF_PBKDF2 *src = (const KDF_PBKDF2 *)vctx; 128 KDF_PBKDF2 *dest; 129 130 /* We need a new PBKDF2 object but uninitialised since we're filling it */ 131 dest = kdf_pbkdf2_new_no_init(src->provctx); 132 if (dest != NULL) { 133 if (!ossl_prov_memdup(src->salt, src->salt_len, 134 &dest->salt, &dest->salt_len) 135 || !ossl_prov_memdup(src->pass, src->pass_len, 136 &dest->pass, &dest->pass_len) 137 || !ossl_prov_digest_copy(&dest->digest, &src->digest)) 138 goto err; 139 dest->iter = src->iter; 140 dest->lower_bound_checks = src->lower_bound_checks; 141 OSSL_FIPS_IND_COPY(dest, src) 142 } 143 return dest; 144 145 err: 146 kdf_pbkdf2_free(dest); 147 return NULL; 148 } 149 150 static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx) 151 { 152 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; 153 OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx); 154 155 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 156 SN_sha1, 0); 157 if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) 158 /* This is an error, but there is no way to indicate such directly */ 159 ossl_prov_digest_reset(&ctx->digest); 160 ctx->iter = PKCS5_DEFAULT_ITER; 161 ctx->lower_bound_checks = ossl_kdf_pbkdf2_default_checks; 162 } 163 164 static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, 165 const OSSL_PARAM *p) 166 { 167 OPENSSL_clear_free(*buffer, *buflen); 168 *buffer = NULL; 169 *buflen = 0; 170 171 if (p->data_size == 0) { 172 if ((*buffer = OPENSSL_malloc(1)) == NULL) 173 return 0; 174 } else if (p->data != NULL) { 175 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) 176 return 0; 177 } 178 return 1; 179 } 180 181 static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter, 182 size_t keylen, int *error, 183 const char **desc) 184 { 185 if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { 186 *error = PROV_R_KEY_SIZE_TOO_SMALL; 187 if (desc != NULL) 188 *desc = "Key size"; 189 return 0; 190 } 191 if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) { 192 *error = PROV_R_INVALID_SALT_LENGTH; 193 if (desc != NULL) 194 *desc = "Salt size"; 195 return 0; 196 } 197 if (iter < KDF_PBKDF2_MIN_ITERATIONS) { 198 *error = PROV_R_INVALID_ITERATION_COUNT; 199 if (desc != NULL) 200 *desc = "Iteration count"; 201 return 0; 202 } 203 204 return 1; 205 } 206 207 #ifdef FIPS_MODULE 208 static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen) 209 { 210 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 211 int error = 0; 212 const char *desc = NULL; 213 int approved = pbkdf2_lower_bound_check_passed(ctx->salt_len, ctx->iter, 214 keylen, &error, &desc); 215 216 if (!approved) { 217 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, 218 "PBKDF2", desc, 219 ossl_fips_config_pbkdf2_lower_bound_check)) { 220 ERR_raise(ERR_LIB_PROV, error); 221 return 0; 222 } 223 } 224 return 1; 225 } 226 #endif 227 228 static int kdf_pbkdf2_derive(void *vctx, unsigned char *key, size_t keylen, 229 const OSSL_PARAM params[]) 230 { 231 KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; 232 const EVP_MD *md; 233 234 if (!ossl_prov_is_running() || !kdf_pbkdf2_set_ctx_params(ctx, params)) 235 return 0; 236 237 if (ctx->pass == NULL) { 238 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS); 239 return 0; 240 } 241 242 if (ctx->salt == NULL) { 243 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT); 244 return 0; 245 } 246 247 md = ossl_prov_digest_md(&ctx->digest); 248 return pbkdf2_derive(ctx, (char *)ctx->pass, ctx->pass_len, 249 ctx->salt, ctx->salt_len, ctx->iter, 250 md, key, keylen, ctx->lower_bound_checks); 251 } 252 253 static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 254 { 255 const OSSL_PARAM *p; 256 KDF_PBKDF2 *ctx = vctx; 257 OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx); 258 int pkcs5; 259 uint64_t iter, min_iter; 260 const EVP_MD *md; 261 262 if (ossl_param_is_empty(params)) 263 return 1; 264 265 if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) { 266 if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) 267 return 0; 268 md = ossl_prov_digest_md(&ctx->digest); 269 if (EVP_MD_xof(md)) { 270 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 271 return 0; 272 } 273 } 274 275 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS5)) != NULL) { 276 if (!OSSL_PARAM_get_int(p, &pkcs5)) 277 return 0; 278 ctx->lower_bound_checks = pkcs5 == 0; 279 #ifdef FIPS_MODULE 280 ossl_FIPS_IND_set_settable(OSSL_FIPS_IND_GET(ctx), 281 OSSL_FIPS_IND_SETTABLE0, 282 ctx->lower_bound_checks); 283 #endif 284 } 285 286 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) 287 if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p)) 288 return 0; 289 290 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { 291 if (ctx->lower_bound_checks != 0 292 && p->data_size < KDF_PBKDF2_MIN_SALT_LEN) { 293 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 294 return 0; 295 } 296 if (!pbkdf2_set_membuf(&ctx->salt, &ctx->salt_len, p)) 297 return 0; 298 } 299 300 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) { 301 if (!OSSL_PARAM_get_uint64(p, &iter)) 302 return 0; 303 min_iter = ctx->lower_bound_checks != 0 ? KDF_PBKDF2_MIN_ITERATIONS : 1; 304 if (iter < min_iter) { 305 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT); 306 return 0; 307 } 308 ctx->iter = iter; 309 } 310 return 1; 311 } 312 313 static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, 314 ossl_unused void *p_ctx) 315 { 316 static const OSSL_PARAM known_settable_ctx_params[] = { 317 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), 318 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), 319 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0), 320 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0), 321 OSSL_PARAM_uint64(OSSL_KDF_PARAM_ITER, NULL), 322 OSSL_PARAM_int(OSSL_KDF_PARAM_PKCS5, NULL), 323 OSSL_PARAM_END 324 }; 325 return known_settable_ctx_params; 326 } 327 328 static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) 329 { 330 OSSL_PARAM *p; 331 332 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) 333 if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) 334 return 0; 335 336 if (!OSSL_FIPS_IND_GET_CTX_PARAM((KDF_PBKDF2 *) vctx, params)) 337 return 0; 338 return 1; 339 } 340 341 static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, 342 ossl_unused void *p_ctx) 343 { 344 static const OSSL_PARAM known_gettable_ctx_params[] = { 345 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), 346 OSSL_FIPS_IND_GETTABLE_CTX_PARAM() 347 OSSL_PARAM_END 348 }; 349 return known_gettable_ctx_params; 350 } 351 352 const OSSL_DISPATCH ossl_kdf_pbkdf2_functions[] = { 353 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pbkdf2_new }, 354 { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_pbkdf2_dup }, 355 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pbkdf2_free }, 356 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pbkdf2_reset }, 357 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pbkdf2_derive }, 358 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 359 (void(*)(void))kdf_pbkdf2_settable_ctx_params }, 360 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_set_ctx_params }, 361 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 362 (void(*)(void))kdf_pbkdf2_gettable_ctx_params }, 363 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_get_ctx_params }, 364 OSSL_DISPATCH_END 365 }; 366 367 /* 368 * This is an implementation of PKCS#5 v2.0 password based encryption key 369 * derivation function PBKDF2. SHA1 version verified against test vectors 370 * posted by Peter Gutmann to the PKCS-TNG mailing list. 371 * 372 * The constraints specified by SP800-132 have been added i.e. 373 * - Check the range of the key length. 374 * - Minimum iteration count of 1000. 375 * - Randomly-generated portion of the salt shall be at least 128 bits. 376 */ 377 static int pbkdf2_derive(KDF_PBKDF2 *ctx, const char *pass, size_t passlen, 378 const unsigned char *salt, int saltlen, uint64_t iter, 379 const EVP_MD *digest, unsigned char *key, 380 size_t keylen, int lower_bound_checks) 381 { 382 int ret = 0; 383 unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; 384 int cplen, k, tkeylen, mdlen; 385 uint64_t j; 386 unsigned long i = 1; 387 HMAC_CTX *hctx_tpl = NULL, *hctx = NULL; 388 389 mdlen = EVP_MD_get_size(digest); 390 if (mdlen <= 0) 391 return 0; 392 393 /* 394 * This check should always be done because keylen / mdlen >= (2^32 - 1) 395 * results in an overflow of the loop counter 'i'. 396 */ 397 if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) { 398 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 399 return 0; 400 } 401 402 #ifdef FIPS_MODULE 403 if (!fips_lower_bound_check_passed(ctx, keylen)) 404 return 0; 405 #else 406 if (lower_bound_checks) { 407 int error = 0; 408 int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen, 409 &error, NULL); 410 411 if (!passed) { 412 ERR_raise(ERR_LIB_PROV, error); 413 return 0; 414 } 415 } 416 #endif 417 418 hctx_tpl = HMAC_CTX_new(); 419 if (hctx_tpl == NULL) 420 return 0; 421 p = key; 422 tkeylen = keylen; 423 if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) 424 goto err; 425 hctx = HMAC_CTX_new(); 426 if (hctx == NULL) 427 goto err; 428 while (tkeylen) { 429 if (tkeylen > mdlen) 430 cplen = mdlen; 431 else 432 cplen = tkeylen; 433 /* 434 * We are unlikely to ever use more than 256 blocks (5120 bits!) but 435 * just in case... 436 */ 437 itmp[0] = (unsigned char)((i >> 24) & 0xff); 438 itmp[1] = (unsigned char)((i >> 16) & 0xff); 439 itmp[2] = (unsigned char)((i >> 8) & 0xff); 440 itmp[3] = (unsigned char)(i & 0xff); 441 if (!HMAC_CTX_copy(hctx, hctx_tpl)) 442 goto err; 443 if (!HMAC_Update(hctx, salt, saltlen) 444 || !HMAC_Update(hctx, itmp, 4) 445 || !HMAC_Final(hctx, digtmp, NULL)) 446 goto err; 447 memcpy(p, digtmp, cplen); 448 for (j = 1; j < iter; j++) { 449 if (!HMAC_CTX_copy(hctx, hctx_tpl)) 450 goto err; 451 if (!HMAC_Update(hctx, digtmp, mdlen) 452 || !HMAC_Final(hctx, digtmp, NULL)) 453 goto err; 454 for (k = 0; k < cplen; k++) 455 p[k] ^= digtmp[k]; 456 } 457 tkeylen -= cplen; 458 i++; 459 p += cplen; 460 } 461 ret = 1; 462 463 err: 464 HMAC_CTX_free(hctx); 465 HMAC_CTX_free(hctx_tpl); 466 return ret; 467 } 468