
I am going to use PKCS5_PBKDF2_HMAC to derive keys. Password argument is const char*. Does it mean it must consist of printable characters only? Can I use binary password instead? OpenSSL Documentation says nothing about it. The only clue is using char instead of unsigned char, but nothing more:

    int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
                          const unsigned char *salt, int saltlen, int iter,
                          const EVP_MD *digest,
                          int keylen, unsigned char *out);

RFC mentions P shortcut for password, an octet string. Does it mean I can use a binary password being encoded as a hex string?

jww
olegst
  • I don't know about `PKCS5_PBKDF2_HMAC()`, but apparently, you can use a binary password in the form `"10110010101"`; you should be okay, as long as you supply a `const char *`. – Sourav Ghosh May 26 '15 at 06:53
  • You should be able to use any sequence of `passlen` octets you feel like using. The algorithm doesn't care. It is just going to combine it with the salt and send it spinning through the work-function abyss regardless. – WhozCraig May 26 '15 at 07:34

1 Answer

Does it mean it must consist of printable characters only?

NO.

If it's a binary password, then that means you have to specify its length in passlen. You can't set passlen to -1 because strlen won't work as expected.


Can I use binary password instead?

YES.

Be sure to specify the length in passlen.


Does it mean I can use a binary password being encoded as a hex string?

YES.

There's no difference between raw octets, Hex encoding, Base32 encoding or Base64 encoding. They are presentation formats, and they all have the same entropy. The entropy will be extracted by the derivation functions.

The different encodings will result in different derived keys, but all the derived keys will have the same amount of entropy.


Related, see What does OpenSSL's PKCS5_PBKDF2_HMAC_SHA1 return value mean? for an analysis on the function. It was provided before OpenSSL provided the documentation on the function.

Also see other related questions, like How to use PKCS5_PBKDF2_HMAC_SHA1().

Community
jww
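Added example (not from the question or the answer above): the points in the answer, checked in code. It uses Python's `hashlib.pbkdf2_hmac`, which in CPython is backed by OpenSSL's `PKCS5_PBKDF2_HMAC`, so the behaviour is the same function the question asks about. It shows three things: a textbook PBKDF2 built only from HMAC reproduces the library result, which is why the password is just an octet string and never interpreted as text; the raw bytes, their hex encoding and their Base64 encoding all derive keys of the requested length but different keys; and a binary password containing a NUL byte, truncated the way `passlen == -1` (i.e. `strlen`) would truncate it, derives a different key from the full password. The salt, iteration count and sample password bytes are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample parameters (not from the original post).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITER = 10_000
KEYLEN = 32
HASH = "sha256"


def pbkdf2_reference(password: bytes, salt: bytes, iterations: int,
                     dklen: int, hash_name: str = HASH) -> bytes:
    """Textbook PBKDF2 (RFC 8018, section 5.2) built from HMAC alone.

    The password P is only ever used as the HMAC key, so any octet string
    works; no character-set rule exists at this level.
    """
    hlen = hashlib.new(hash_name).digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    out = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); T_i = U_1 xor U_2 xor ... xor U_c
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def derive(password: bytes) -> bytes:
    """Library PBKDF2-HMAC with the length of `password` passed explicitly
    (the equivalent of giving a real passlen instead of -1)."""
    return hashlib.pbkdf2_hmac(HASH, password, SALT, ITER, KEYLEN)


def c_strlen(buf: bytes) -> int:
    """What passlen == -1 amounts to: strlen(pass), i.e. length up to the
    first NUL byte. For a binary password this silently drops everything
    from that NUL onward."""
    nul = buf.find(b"\x00")
    return len(buf) if nul < 0 else nul


def compare_encodings(raw: bytes) -> dict:
    """Derive a key from the same secret in three presentation formats.
    Same entropy in every case, but three different passwords as far as
    PBKDF2 is concerned, so three different keys."""
    return {
        "raw": derive(raw),
        "hex": derive(raw.hex().encode("ascii")),
        "base64": derive(base64.b64encode(raw)),
    }


def strlen_pitfall(raw_with_nul: bytes) -> tuple:
    """Key from the full binary password vs. key from the strlen-truncated
    prefix that passlen == -1 would have used."""
    full = derive(raw_with_nul)
    truncated = derive(raw_with_nul[:c_strlen(raw_with_nul)])
    return full, truncated


if __name__ == "__main__":
    # Constructed binary password with a NUL at offset 1.
    secret = bytes.fromhex("8f00133a7bc2e4d9ff0a55aa6d1e2f40")
    for name, key in compare_encodings(secret).items():
        print(f"{name:7s} {key.hex()}")
    full, trunc = strlen_pitfall(secret)
    print("full     ", full.hex())
    print("strlen'd ", trunc.hex(), "(only", c_strlen(secret), "byte(s) used)")
    print("reference matches library:",
          pbkdf2_reference(secret, SALT, ITER, KEYLEN) == full)
```

One caveat the HMAC construction adds: a key shorter than the hash block size is zero-padded, so a password that differs from another only by trailing NUL bytes derives the same key. Put differently, passing the correct `passlen` matters for NULs in the middle of a binary password (they would otherwise truncate it), while NULs at the very end are invisible to PBKDF2 either way.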