Botan 3.8.1
Crypto and TLS for C&
pbkdf2.cpp
Go to the documentation of this file.
1/*
2* PBKDF2
3* (C) 1999-2007 Jack Lloyd
4* (C) 2018 Ribose Inc
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/pbkdf2.h>
10
11#include <botan/exceptn.h>
12#include <botan/mem_ops.h>
13#include <botan/internal/fmt.h>
14#include <botan/internal/time_utils.h>
15
16namespace Botan {
17
18namespace {
19
20void pbkdf2_set_key(MessageAuthenticationCode& prf, const char* password, size_t password_len) {
21 try {
22 prf.set_key(cast_char_ptr_to_uint8(password), password_len);
23 } catch(Invalid_Key_Length&) {
24 throw Invalid_Argument("PBKDF2 cannot accept passphrase of the given size");
25 }
26}
27
28size_t tune_pbkdf2(MessageAuthenticationCode& prf,
29 size_t output_length,
30 std::chrono::milliseconds msec,
31 std::chrono::milliseconds tune_time = std::chrono::milliseconds(10)) {
32 if(output_length == 0) {
33 output_length = 1;
34 }
35
36 const size_t prf_sz = prf.output_length();
37 BOTAN_ASSERT_NOMSG(prf_sz > 0);
38 secure_vector<uint8_t> U(prf_sz);
39
40 const size_t trial_iterations = 2000;
41
42 // Short output ensures we only need a single PBKDF2 block
43
44 prf.set_key(nullptr, 0);
45
46 const uint64_t duration_nsec = measure_cost(tune_time, [&]() {
47 uint8_t out[12] = {0};
48 uint8_t salt[12] = {0};
49 pbkdf2(prf, out, sizeof(out), salt, sizeof(salt), trial_iterations);
50 });
51
52 const uint64_t desired_nsec = static_cast<uint64_t>(msec.count()) * 1000000;
53
54 if(duration_nsec > desired_nsec) {
55 return trial_iterations;
56 }
57
58 const size_t blocks_needed = (output_length + prf_sz - 1) / prf_sz;
59
60 const size_t multiplier = static_cast<size_t>(desired_nsec / duration_nsec / blocks_needed);
61
62 if(multiplier == 0) {
63 return trial_iterations;
64 } else {
65 return trial_iterations * multiplier;
66 }
67}
68
69} // namespace
70
72 uint8_t out[],
73 size_t out_len,
74 std::string_view password,
75 const uint8_t salt[],
76 size_t salt_len,
77 size_t iterations,
78 std::chrono::milliseconds msec) {
79 if(iterations == 0) {
80 iterations = tune_pbkdf2(prf, out_len, msec);
81 }
82
83 PBKDF2 pbkdf2(prf, iterations);
84
85 pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);
86
87 return iterations;
88}
89
91 uint8_t out[],
92 size_t out_len,
93 const uint8_t salt[],
94 size_t salt_len,
95 size_t iterations) {
96 if(iterations == 0) {
97 throw Invalid_Argument("PBKDF2: Invalid iteration count");
98 }
99
100 clear_mem(out, out_len);
101
102 if(out_len == 0) {
103 return;
104 }
105
106 const size_t prf_sz = prf.output_length();
107 BOTAN_ASSERT_NOMSG(prf_sz > 0);
108
109 secure_vector<uint8_t> U(prf_sz);
110
111 uint32_t counter = 1;
112 while(out_len) {
113 const size_t prf_output = std::min<size_t>(prf_sz, out_len);
114
115 prf.update(salt, salt_len);
116 prf.update_be(counter++);
117 prf.final(U.data());
118
119 xor_buf(out, U.data(), prf_output);
120
121 for(size_t i = 1; i != iterations; ++i) {
122 prf.update(U);
123 prf.final(U.data());
124 xor_buf(out, U.data(), prf_output);
125 }
126
127 out_len -= prf_output;
128 out += prf_output;
129 }
130}
131
132// PBKDF interface
133size_t PKCS5_PBKDF2::pbkdf(uint8_t key[],
134 size_t key_len,
135 std::string_view password,
136 const uint8_t salt[],
137 size_t salt_len,
138 size_t iterations,
139 std::chrono::milliseconds msec) const {
140 if(iterations == 0) {
141 iterations = tune_pbkdf2(*m_mac, key_len, msec);
142 }
143
144 PBKDF2 pbkdf2(*m_mac, iterations);
145
146 pbkdf2.derive_key(key, key_len, password.data(), password.size(), salt, salt_len);
147
148 return iterations;
149}
150
151std::string PKCS5_PBKDF2::name() const {
152 return fmt("PBKDF2({})", m_mac->name());
153}
154
155std::unique_ptr<PBKDF> PKCS5_PBKDF2::new_object() const {
156 return std::make_unique<PKCS5_PBKDF2>(m_mac->new_object());
157}
158
159// PasswordHash interface
160
161PBKDF2::PBKDF2(const MessageAuthenticationCode& prf, size_t olen, std::chrono::milliseconds msec) :
162 m_prf(prf.new_object()), m_iterations(tune_pbkdf2(*m_prf, olen, msec)) {}
163
164std::string PBKDF2::to_string() const {
165 return fmt("PBKDF2({},{})", m_prf->name(), m_iterations);
166}
167
168void PBKDF2::derive_key(uint8_t out[],
169 size_t out_len,
170 const char* password,
171 const size_t password_len,
172 const uint8_t salt[],
173 size_t salt_len) const {
174 pbkdf2_set_key(*m_prf, password, password_len);
175 pbkdf2(*m_prf, out, out_len, salt, salt_len, m_iterations);
176}
177
178std::string PBKDF2_Family::name() const {
179 return fmt("PBKDF2({})", m_prf->name());
180}
181
182std::unique_ptr<PasswordHash> PBKDF2_Family::tune(size_t output_len,
183 std::chrono::milliseconds msec,
184 size_t /*max_memory_usage_mb*/,
185 std::chrono::milliseconds tune_time) const {
186 auto iterations = tune_pbkdf2(*m_prf, output_len, msec, tune_time);
187 return std::make_unique<PBKDF2>(*m_prf, iterations);
188}
189
190std::unique_ptr<PasswordHash> PBKDF2_Family::default_params() const {
191 return std::make_unique<PBKDF2>(*m_prf, 150000);
192}
193
194std::unique_ptr<PasswordHash> PBKDF2_Family::from_params(size_t iter, size_t /*i2*/, size_t /*i3*/) const {
195 return std::make_unique<PBKDF2>(*m_prf, iter);
196}
197
198std::unique_ptr<PasswordHash> PBKDF2_Family::from_iterations(size_t iter) const {
199 return std::make_unique<PBKDF2>(*m_prf, iter);
200}
201
202} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:61
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:34
virtual size_t output_length() const =0
void update_be(uint16_t val)
Definition buf_comp.cpp:17
void final(uint8_t out[])
Definition buf_comp.h:69
std::string name() const override
Definition pbkdf2.cpp:178
std::unique_ptr< PasswordHash > default_params() const override
Definition pbkdf2.cpp:190
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
Definition pbkdf2.cpp:198
std::unique_ptr< PasswordHash > tune(size_t output_len, std::chrono::milliseconds msec, size_t max_memory, std::chrono::milliseconds tune_msec) const override
Definition pbkdf2.cpp:182
std::unique_ptr< PasswordHash > from_params(size_t iter, size_t, size_t) const override
Definition pbkdf2.cpp:194
PBKDF2(const MessageAuthenticationCode &prf, size_t iter)
Definition pbkdf2.h:47
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Definition pbkdf2.cpp:168
std::string to_string() const override
Definition pbkdf2.cpp:164
size_t pbkdf(uint8_t output_buf[], size_t output_len, std::string_view passphrase, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) const override
Definition pbkdf2.cpp:133
std::string name() const override
Definition pbkdf2.cpp:151
std::unique_ptr< PBKDF > new_object() const override
Definition pbkdf2.cpp:155
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:344
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:65
uint64_t measure_cost(std::chrono::milliseconds trial_msec, F func)
Definition time_utils.h:21
size_t pbkdf2(MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
Definition pbkdf2.cpp:71
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:123
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:276