How to generate the initialization vector (IV) for the key derivation algorithm PBKDF2?

[ankitbhalla14]

I use the openssl command to encrypt and use the password based approach to generate the key/IV:

Command:
openssl enc -aes-256-cbc -in input1 -out output1 -pass pass:password -nosalt -pbkdf2 -p

Output of command:
key=E11244295150E6713CD76E9A5112347093BDB6ACBF0C8021ABAE29881130B210
iv =6B7F0C406297F0D90E3BD65AD1FB94BA

How to generate the same IV (matching with openssl command) through openssl code?

Note: I am able to generate the key exactly same but not able to generate the IV as same.
I used below call to generate the key from PBKDF2 algorithm:
PKCS5_PBKDF2_HMAC(reinterpret_cast<const char*>(password.c_str()), -1, nullptr, 0, 10000, EVP_sha256(), keyLength, key);
I am using openssl v 1.1.1

[kulkarniamit]

When openssl enc is used with -pbkdf2 option, the IV is derived as part of key derivation process. It can be obtained in the out buffer by passing a larger buffer (enough to hold key and IV) to PKCS5_PBKDF2_HMAC() and extracting IV from it. Can you try allocating a buffer to hold both the key and IV, and try iterating over the returned buffer?

Here's a sample working program in C:

Program

#include <stdio.h>
#include <openssl/evp.h>

#define PBKDF2_ITER_DEFAULT 10000

int main() {
    unsigned int i = 0;
    int iter = PBKDF2_ITER_DEFAULT;
    const EVP_MD *digest = EVP_sha256();
    const EVP_CIPHER *cipher = EVP_aes_256_cbc();
    unsigned char keyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH];
    int key_len = EVP_CIPHER_key_length(cipher);
    int iv_len = EVP_CIPHER_iv_length(cipher);
    if (PKCS5_PBKDF2_HMAC("password", -1, NULL, 0, iter, digest, key_len + iv_len, keyiv)) {
        fprintf(stdout, "Key: ");
        while (i < key_len) {
            fprintf(stdout, "%02X", keyiv[i++]);
        }
        fprintf(stdout, "\nIV: ");
        while (i < key_len + iv_len) {
            fprintf(stdout, "%02X", keyiv[i++]);
        }
        fprintf(stdout, "\n");
    }
    return 0;
}

Output

$ ~/installers/openssl-1.1.1u/bin/openssl enc -aes-256-cbc -in input-file -out output-file \
-pass pass:password -nosalt -pbkdf2 -p
key=E11244295150E6713CD76E9A5112347093BDB6ACBF0C8021ABAE29881130B210
iv =6B7F0C406297F0D90E3BD65AD1FB94BA

$ gcc -L /home/alice/installers/openssl-1.1.1u/lib/ -I /home/alice/installers/openssl-1.1.1u/include/ \
-o program main.c -lcrypto -ldl -lpthread

$ ./program
Key: E11244295150E6713CD76E9A5112347093BDB6ACBF0C8021ABAE29881130B210
IV: 6B7F0C406297F0D90E3BD65AD1FB94BA