Add PBKDF1 to the legacy provider

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14326)

Author: jon-oracle

CHANGES.md

@@ -176,6 +176,19 @@ breaking changes, and mappings for the large list of deprecated functions.
 
    *Matt Caswell*
 
+ * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into
+   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
+   will need to load the legacy crypto provider. This includes these PBE
+   algorithms which use this KDF:
+   - NID_pbeWithMD2AndDES_CBC
+   - NID_pbeWithMD5AndDES_CBC
+   - NID_pbeWithSHA1AndRC2_CBC
+   - NID_pbeWithMD2AndRC2_CBC
+   - NID_pbeWithMD5AndRC2_CBC
+   - NID_pbeWithSHA1AndDES_CBC
+
+   *Jon Spillett*
+
  * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
    EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions.
 

crypto/evp/p5_crpt.c

@@ -12,6 +12,11 @@
 #include "internal/cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/evp.h>
+#include <openssl/core_names.h>
+#include <openssl/kdf.h>
+
+#define PKCS5_PBES1_OUTPUT_LENGTH   16
+#define PKCS5_PBES1_KEY_IV_LENGTH   8
 
 /*
  * Doesn't do anything now: Builtin PBE algorithms in static table.
@@ -25,15 +30,16 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
                        ASN1_TYPE *param, const EVP_CIPHER *cipher,
                        const EVP_MD *md, int en_de)
 {
-    EVP_MD_CTX *ctx;
-    unsigned char md_tmp[EVP_MAX_MD_SIZE];
-    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
-    int i, ivl, kl;
-    PBEPARAM *pbe;
+    unsigned char out[PKCS5_PBES1_OUTPUT_LENGTH];
+    int ivl, kl;
+    PBEPARAM *pbe = NULL;
     int saltlen, iter;
     unsigned char *salt;
-    int mdsize;
     int rv = 0;
+    EVP_KDF *kdf;
+    EVP_KDF_CTX *kctx = NULL;
+    OSSL_PARAM params[5], *p = params;
+    const char *mdname = EVP_MD_name(md);
 
     /* Extract useful info from parameter */
     if (param == NULL || param->type != V_ASN1_SEQUENCE ||
@@ -49,16 +55,14 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
     }
 
     ivl = EVP_CIPHER_iv_length(cipher);
-    if (ivl < 0 || ivl > 16) {
+    if (ivl != PKCS5_PBES1_KEY_IV_LENGTH) {
         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
-        PBEPARAM_free(pbe);
-        return 0;
+        goto err;
     }
     kl = EVP_CIPHER_key_length(cipher);
-    if (kl < 0 || kl > (int)sizeof(md_tmp)) {
+    if (kl != PKCS5_PBES1_KEY_IV_LENGTH) {
         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-        PBEPARAM_free(pbe);
-        return 0;
+        goto err;
     }
 
     if (pbe->iter == NULL)
@@ -73,43 +77,29 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
     else if (passlen == -1)
         passlen = strlen(pass);
 
-    ctx = EVP_MD_CTX_new();
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    if (!EVP_DigestInit_ex(ctx, md, NULL))
-        goto err;
-    if (!EVP_DigestUpdate(ctx, pass, passlen))
+    kdf = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF1, NULL);
+    kctx = EVP_KDF_CTX_new(kdf);
+    EVP_KDF_free(kdf);
+    if (kctx == NULL)
         goto err;
-    if (!EVP_DigestUpdate(ctx, salt, saltlen))
-        goto err;
-    PBEPARAM_free(pbe);
-    pbe = NULL;
-    if (!EVP_DigestFinal_ex(ctx, md_tmp, NULL))
+    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
+                                             (char *)pass, (size_t)passlen);
+    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
+                                             salt, saltlen);
+    *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_ITER, &iter);
+    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+                                            (char *)mdname, 0);
+    *p = OSSL_PARAM_construct_end();
+    if (EVP_KDF_derive(kctx, out, PKCS5_PBES1_OUTPUT_LENGTH, params) != 1)
         goto err;
-    mdsize = EVP_MD_size(md);
-    if (mdsize < 0)
-        goto err;
-    for (i = 1; i < iter; i++) {
-        if (!EVP_DigestInit_ex(ctx, md, NULL))
-            goto err;
-        if (!EVP_DigestUpdate(ctx, md_tmp, mdsize))
-            goto err;
-        if (!EVP_DigestFinal_ex(ctx, md_tmp, NULL))
-            goto err;
-    }
-    memcpy(key, md_tmp, kl);
-    memcpy(iv, md_tmp + (16 - ivl), ivl);
-    if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
+
+    if (!EVP_CipherInit_ex(cctx, cipher, NULL, out,
+                           out + PKCS5_PBES1_KEY_IV_LENGTH, en_de))
         goto err;
-    OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
-    OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
-    OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
+    OPENSSL_cleanse(out, PKCS5_PBES1_OUTPUT_LENGTH);
     rv = 1;
  err:
+    EVP_KDF_CTX_free(kctx);
     PBEPARAM_free(pbe);
-    EVP_MD_CTX_free(ctx);
     return rv;
 }

doc/man3/PKCS5_PBE_keyivgen.pod

@@ -158,6 +158,9 @@ PKCS5_v2_PBE_keyivgen_ex(), EVP_PBE_scrypt_ex(), PKCS5_v2_scrypt_keyivgen_ex(),
 PKCS5_pbe_set0_algor_ex(), PKCS5_pbe_set_ex(), PKCS5_pbe2_set_iv_ex() and
 PKCS5_pbkdf2_set_ex() were added in OpenSSL 3.0.
 
+From OpenSSL 3.0 the PBKDF1 algorithm used in PKCS5_PBE_keyivgen() and
+PKCS5_PBE_keyivgen_ex() has been moved to the legacy provider as an EVP_KDF.
+
 =head1 COPYRIGHT
 
 Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.

doc/man7/OSSL_PROVIDER-legacy.pod

@@ -79,6 +79,14 @@ Disabled by default. Use I<enable-rc5> config option to enable.
 
 =back
 
+=head2 Key Derivation Function (KDF)
+
+=over 4
+
+=item PBKDF1
+
+=back
+
 =begin comment
 
 When algorithms for other operations start appearing, the

include/openssl/core_names.h

@@ -220,6 +220,7 @@ extern "C" {
 
 /* Known KDF names */
 #define OSSL_KDF_NAME_HKDF           "HKDF"
+#define OSSL_KDF_NAME_PBKDF1         "PBKDF1"
 #define OSSL_KDF_NAME_PBKDF2         "PBKDF2"
 #define OSSL_KDF_NAME_SCRYPT         "SCRYPT"
 #define OSSL_KDF_NAME_SSHKDF         "SSHKDF"

providers/common/build.info

@@ -4,4 +4,7 @@ SOURCE[../libcommon.a]=provider_err.c provider_ctx.c
 $FIPSCOMMON=provider_util.c capabilities.c bio_prov.c digest_to_nid.c\
             securitycheck.c provider_seeding.c
 SOURCE[../libdefault.a]=$FIPSCOMMON securitycheck_default.c
+IF[{- !$disabled{module} && !$disabled{shared} -}]
+  SOURCE[../liblegacy.a]=provider_util.c
+ENDIF
 SOURCE[../libfips.a]=$FIPSCOMMON securitycheck_fips.c

providers/implementations/include/prov/implementations.h

@@ -249,6 +249,7 @@ extern const OSSL_DISPATCH ossl_siphash_functions[];
 extern const OSSL_DISPATCH ossl_poly1305_functions[];
 
 /* KDFs / PRFs */
+extern const OSSL_DISPATCH ossl_kdf_pbkdf1_functions[];
 extern const OSSL_DISPATCH ossl_kdf_pbkdf2_functions[];
 extern const OSSL_DISPATCH ossl_kdf_pkcs12_functions[];
 #ifndef OPENSSL_NO_SCRYPT

providers/implementations/kdfs/build.info

@@ -5,6 +5,7 @@ $TLS1_PRF_GOAL=../../libdefault.a ../../libfips.a
 $HKDF_GOAL=../../libdefault.a ../../libfips.a
 $KBKDF_GOAL=../../libdefault.a ../../libfips.a
 $KRB5KDF_GOAL=../../libdefault.a
+$PBKDF1_GOAL=../../liblegacy.a
 $PBKDF2_GOAL=../../libdefault.a ../../libfips.a
 $PKCS12KDF_GOAL=../../libdefault.a
 $SSKDF_GOAL=../../libdefault.a ../../libfips.a
@@ -20,6 +21,8 @@ SOURCE[$KBKDF_GOAL]=kbkdf.c
 
 SOURCE[$KRB5KDF_GOAL]=krb5kdf.c
 
+SOURCE[$PBKDF1_GOAL]=pbkdf1.c
+
 SOURCE[$PBKDF2_GOAL]=pbkdf2.c
 # Extra code to satisfy the FIPS and non-FIPS separation.
 # When the PBKDF2 moves to legacy, this can be removed.