Botan 3.3.0
Crypto and TLS for C&
pbkdf2.cpp
Go to the documentation of this file.
1/*
2* PBKDF2
3* (C) 1999-2007 Jack Lloyd
4* (C) 2018 Ribose Inc
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/pbkdf2.h>
10
11#include <botan/exceptn.h>
12#include <botan/internal/fmt.h>
13#include <botan/internal/timer.h>
14
15namespace Botan {
16
17namespace {
18
19void pbkdf2_set_key(MessageAuthenticationCode& prf, const char* password, size_t password_len) {
20 try {
21 prf.set_key(cast_char_ptr_to_uint8(password), password_len);
22 } catch(Invalid_Key_Length&) {
23 throw Invalid_Argument("PBKDF2 cannot accept passphrase of the given size");
24 }
25}
26
27size_t tune_pbkdf2(MessageAuthenticationCode& prf,
28 size_t output_length,
29 std::chrono::milliseconds msec,
30 std::chrono::milliseconds tune_time = std::chrono::milliseconds(10)) {
31 if(output_length == 0) {
32 output_length = 1;
33 }
34
35 const size_t prf_sz = prf.output_length();
36 BOTAN_ASSERT_NOMSG(prf_sz > 0);
37 secure_vector<uint8_t> U(prf_sz);
38
39 const size_t trial_iterations = 2000;
40
41 // Short output ensures we only need a single PBKDF2 block
42
43 Timer timer("PBKDF2");
44
45 prf.set_key(nullptr, 0);
46
47 timer.run_until_elapsed(tune_time, [&]() {
48 uint8_t out[12] = {0};
49 uint8_t salt[12] = {0};
50 pbkdf2(prf, out, sizeof(out), salt, sizeof(salt), trial_iterations);
51 });
52
53 if(timer.events() == 0) {
54 return trial_iterations;
55 }
56
57 const uint64_t duration_nsec = timer.value() / timer.events();
58
59 const uint64_t desired_nsec = static_cast<uint64_t>(msec.count()) * 1000000;
60
61 if(duration_nsec > desired_nsec) {
62 return trial_iterations;
63 }
64
65 const size_t blocks_needed = (output_length + prf_sz - 1) / prf_sz;
66
67 const size_t multiplier = static_cast<size_t>(desired_nsec / duration_nsec / blocks_needed);
68
69 if(multiplier == 0) {
70 return trial_iterations;
71 } else {
72 return trial_iterations * multiplier;
73 }
74}
75
76} // namespace
77
79 uint8_t out[],
80 size_t out_len,
81 std::string_view password,
82 const uint8_t salt[],
83 size_t salt_len,
84 size_t iterations,
85 std::chrono::milliseconds msec) {
86 if(iterations == 0) {
87 iterations = tune_pbkdf2(prf, out_len, msec);
88 }
89
90 PBKDF2 pbkdf2(prf, iterations);
91
92 pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);
93
94 return iterations;
95}
96
98 uint8_t out[],
99 size_t out_len,
100 const uint8_t salt[],
101 size_t salt_len,
102 size_t iterations) {
103 if(iterations == 0) {
104 throw Invalid_Argument("PBKDF2: Invalid iteration count");
105 }
106
107 clear_mem(out, out_len);
108
109 if(out_len == 0) {
110 return;
111 }
112
113 const size_t prf_sz = prf.output_length();
114 BOTAN_ASSERT_NOMSG(prf_sz > 0);
115
116 secure_vector<uint8_t> U(prf_sz);
117
118 uint32_t counter = 1;
119 while(out_len) {
120 const size_t prf_output = std::min<size_t>(prf_sz, out_len);
121
122 prf.update(salt, salt_len);
123 prf.update_be(counter++);
124 prf.final(U.data());
125
126 xor_buf(out, U.data(), prf_output);
127
128 for(size_t i = 1; i != iterations; ++i) {
129 prf.update(U);
130 prf.final(U.data());
131 xor_buf(out, U.data(), prf_output);
132 }
133
134 out_len -= prf_output;
135 out += prf_output;
136 }
137}
138
139// PBKDF interface
140size_t PKCS5_PBKDF2::pbkdf(uint8_t key[],
141 size_t key_len,
142 std::string_view password,
143 const uint8_t salt[],
144 size_t salt_len,
145 size_t iterations,
146 std::chrono::milliseconds msec) const {
147 if(iterations == 0) {
148 iterations = tune_pbkdf2(*m_mac, key_len, msec);
149 }
150
151 PBKDF2 pbkdf2(*m_mac, iterations);
152
153 pbkdf2.derive_key(key, key_len, password.data(), password.size(), salt, salt_len);
154
155 return iterations;
156}
157
158std::string PKCS5_PBKDF2::name() const {
159 return fmt("PBKDF2({})", m_mac->name());
160}
161
162std::unique_ptr<PBKDF> PKCS5_PBKDF2::new_object() const {
163 return std::make_unique<PKCS5_PBKDF2>(m_mac->new_object());
164}
165
166// PasswordHash interface
167
168PBKDF2::PBKDF2(const MessageAuthenticationCode& prf, size_t olen, std::chrono::milliseconds msec) :
169 m_prf(prf.new_object()), m_iterations(tune_pbkdf2(*m_prf, olen, msec)) {}
170
171std::string PBKDF2::to_string() const {
172 return fmt("PBKDF2({},{})", m_prf->name(), m_iterations);
173}
174
175void PBKDF2::derive_key(uint8_t out[],
176 size_t out_len,
177 const char* password,
178 const size_t password_len,
179 const uint8_t salt[],
180 size_t salt_len) const {
181 pbkdf2_set_key(*m_prf, password, password_len);
182 pbkdf2(*m_prf, out, out_len, salt, salt_len, m_iterations);
183}
184
185std::string PBKDF2_Family::name() const {
186 return fmt("PBKDF2({})", m_prf->name());
187}
188
189std::unique_ptr<PasswordHash> PBKDF2_Family::tune(size_t output_len,
190 std::chrono::milliseconds msec,
191 size_t /*max_memory_usage_mb*/,
192 std::chrono::milliseconds tune_time) const {
193 auto iterations = tune_pbkdf2(*m_prf, output_len, msec, tune_time);
194 return std::make_unique<PBKDF2>(*m_prf, iterations);
195}
196
197std::unique_ptr<PasswordHash> PBKDF2_Family::default_params() const {
198 return std::make_unique<PBKDF2>(*m_prf, 150000);
199}
200
201std::unique_ptr<PasswordHash> PBKDF2_Family::from_params(size_t iter, size_t /*i2*/, size_t /*i3*/) const {
202 return std::make_unique<PBKDF2>(*m_prf, iter);
203}
204
205std::unique_ptr<PasswordHash> PBKDF2_Family::from_iterations(size_t iter) const {
206 return std::make_unique<PBKDF2>(*m_prf, iter);
207}
208
209} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:35
virtual size_t output_length() const =0
void update_be(uint16_t val)
Definition buf_comp.cpp:13
void final(uint8_t out[])
Definition buf_comp.h:70
std::string name() const override
Definition pbkdf2.cpp:185
std::unique_ptr< PasswordHash > default_params() const override
Definition pbkdf2.cpp:197
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
Definition pbkdf2.cpp:205
std::unique_ptr< PasswordHash > tune(size_t output_len, std::chrono::milliseconds msec, size_t max_memory, std::chrono::milliseconds tune_msec) const override
Definition pbkdf2.cpp:189
std::unique_ptr< PasswordHash > from_params(size_t iter, size_t, size_t) const override
Definition pbkdf2.cpp:201
PBKDF2(const MessageAuthenticationCode &prf, size_t iter)
Definition pbkdf2.h:47
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Definition pbkdf2.cpp:175
std::string to_string() const override
Definition pbkdf2.cpp:171
size_t pbkdf(uint8_t output_buf[], size_t output_len, std::string_view passphrase, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) const override
Definition pbkdf2.cpp:140
std::string name() const override
Definition pbkdf2.cpp:158
std::unique_ptr< PBKDF > new_object() const override
Definition pbkdf2.cpp:162
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:340
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
size_t pbkdf2(MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
Definition pbkdf2.cpp:78
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:272