doxygen/pbkdf2_8cpp_source.html

/*

* PBKDF2

* (C) 1999-2007 Jack Lloyd

* (C) 2018 Ribose Inc

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/pbkdf2.h>


#include <botan/exceptn.h>

#include <botan/mem_ops.h>

#include <botan/internal/bit_ops.h>

#include <botan/internal/fmt.h>

#include <botan/internal/mem_utils.h>

#include <botan/internal/time_utils.h>


namespace Botan {


namespace {


void pbkdf2_set_key(MessageAuthenticationCode& prf, const char* password, size_t password_len) {

   try {

      prf.set_key(as_span_of_bytes(password, password_len));

   } catch(Invalid_Key_Length&) {

      throw Invalid_Argument("PBKDF2 cannot accept passphrase of the given size");

   }

}


size_t tune_pbkdf2(MessageAuthenticationCode& prf,

                   size_t output_length,

                   uint64_t desired_msec,

                   uint64_t tuning_msec = 10) {

   if(output_length == 0) {

      output_length = 1;

   }


   const size_t prf_sz = prf.output_length();

   BOTAN_ASSERT_NOMSG(prf_sz > 0);

   const secure_vector<uint8_t> U(prf_sz);


   const size_t trial_iterations = 2000;


   // Short output ensures we only need a single PBKDF2 block


   prf.set_key(nullptr, 0);


   const uint64_t duration_nsec = measure_cost(tuning_msec, [&]() {

      uint8_t out[12] = {0};

      uint8_t salt[12] = {0};

      pbkdf2(prf, out, sizeof(out), salt, sizeof(salt), trial_iterations);

   });


   const uint64_t desired_nsec = desired_msec * 1000000;


   if(duration_nsec > desired_nsec) {

      return trial_iterations;

   }


   const size_t blocks_needed = (output_length + prf_sz - 1) / prf_sz;


   const size_t multiplier = static_cast<size_t>(desired_nsec / duration_nsec / blocks_needed);


   if(multiplier == 0) {

      return trial_iterations;

   } else {

      return trial_iterations * multiplier;

   }

}


}  // namespace


size_t pbkdf2(MessageAuthenticationCode& prf,

              uint8_t out[],

              size_t out_len,

              std::string_view password,

              const uint8_t salt[],

              size_t salt_len,

              size_t iterations,

              std::chrono::milliseconds msec) {

   if(iterations == 0) {

      iterations = tune_pbkdf2(prf, out_len, msec.count());

   }


   const PBKDF2 pbkdf2(prf, iterations);


   pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);


   return iterations;

}


void pbkdf2(MessageAuthenticationCode& prf,

            uint8_t out[],

            size_t out_len,

            const uint8_t salt[],

            size_t salt_len,

            size_t iterations) {

   if(iterations == 0) {

      throw Invalid_Argument("PBKDF2: Invalid iteration count");

   }


   clear_mem(out, out_len);


   if(out_len == 0) {

      return;

   }


   const size_t prf_sz = prf.output_length();

   BOTAN_ASSERT_NOMSG(prf_sz > 0);


   // RFC 2898 Section 5.2: derived key length limited to (2^32 - 1) * hLen

   const auto blocks_required = ceil_division<uint64_t>(out_len, prf_sz);

   BOTAN_ARG_CHECK(blocks_required <= 0xFFFFFFFE, "PBKDF2 maximum output length exceeded");


   secure_vector<uint8_t> U(prf_sz);


   uint32_t counter = 1;

   while(out_len > 0) {

      const size_t prf_output = std::min<size_t>(prf_sz, out_len);


      prf.update(salt, salt_len);

      prf.update_be(counter++);

      prf.final(U.data());


      xor_buf(out, U.data(), prf_output);


      for(size_t i = 1; i != iterations; ++i) {

         prf.update(U);

         prf.final(U.data());

         xor_buf(out, U.data(), prf_output);

      }


      out_len -= prf_output;

      out += prf_output;

   }

}


// PBKDF interface


size_t PKCS5_PBKDF2::pbkdf(uint8_t key[],

                           size_t key_len,

                           std::string_view password,

                           const uint8_t salt[],

                           size_t salt_len,

                           size_t iterations,

                           std::chrono::milliseconds msec) const {

   if(iterations == 0) {

      iterations = tune_pbkdf2(*m_mac, key_len, msec.count());

   }


   const PBKDF2 pbkdf2(*m_mac, iterations);


   pbkdf2.derive_key(key, key_len, password.data(), password.size(), salt, salt_len);


   return iterations;

}


std::string PKCS5_PBKDF2::name() const {

   return fmt("PBKDF2({})", m_mac->name());

}


std::unique_ptr<PBKDF> PKCS5_PBKDF2::new_object() const {

   return std::make_unique<PKCS5_PBKDF2>(m_mac->new_object());

}


// PasswordHash interface


PBKDF2::PBKDF2(const MessageAuthenticationCode& prf, size_t olen, std::chrono::milliseconds msec) :

      m_prf(prf.new_object()), m_iterations(tune_pbkdf2(*m_prf, olen, msec.count())) {}


std::string PBKDF2::to_string() const {

   return fmt("PBKDF2({},{})", m_prf->name(), m_iterations);

}


void PBKDF2::derive_key(uint8_t out[],

                        size_t out_len,

                        const char* password,

                        const size_t password_len,

                        const uint8_t salt[],

                        size_t salt_len) const {

   pbkdf2_set_key(*m_prf, password, password_len);

   pbkdf2(*m_prf, out, out_len, salt, salt_len, m_iterations);

}


std::string PBKDF2_Family::name() const {

   return fmt("PBKDF2({})", m_prf->name());

}


std::unique_ptr<PasswordHash> PBKDF2_Family::tune_params(size_t output_len,

                                                         uint64_t desired_runtime_msec,

                                                         std::optional<size_t> /*max_memory*/,

                                                         uint64_t tune_msec) const {

   auto iterations = tune_pbkdf2(*m_prf, output_len, desired_runtime_msec, tune_msec);

   return std::make_unique<PBKDF2>(*m_prf, iterations);

}


std::unique_ptr<PasswordHash> PBKDF2_Family::default_params() const {

   return std::make_unique<PBKDF2>(*m_prf, 150000);

}


std::unique_ptr<PasswordHash> PBKDF2_Family::from_params(size_t iter, size_t /*i2*/, size_t /*i3*/) const {

   return std::make_unique<PBKDF2>(*m_prf, iter);

}


std::unique_ptr<PasswordHash> PBKDF2_Family::from_iterations(size_t iter) const {

   return std::make_unique<PBKDF2>(*m_prf, iter);

}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33

Botan::Buffered_Computation::update
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:34

Botan::Buffered_Computation::output_length
virtual size_t output_length() const =0

Botan::Buffered_Computation::update_be
void update_be(uint16_t val)
Definition buf_comp.cpp:18

Botan::Buffered_Computation::final
void final(uint8_t out[])
Definition buf_comp.h:69

Botan::Invalid_Argument
Definition exceptn.h:132

Botan::Invalid_Key_Length
Definition exceptn.h:154

Botan::MessageAuthenticationCode
Definition mac.h:23

Botan::PBKDF2_Family::tune_params
std::unique_ptr< PasswordHash > tune_params(size_t output_len, uint64_t desired_runtime_msec, std::optional< size_t > max_memory, uint64_t tune_msec) const override
Definition pbkdf2.cpp:188

Botan::PBKDF2_Family::name
std::string name() const override
Definition pbkdf2.cpp:184

Botan::PBKDF2_Family::default_params
std::unique_ptr< PasswordHash > default_params() const override
Definition pbkdf2.cpp:196

Botan::PBKDF2_Family::from_iterations
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
Definition pbkdf2.cpp:204

Botan::PBKDF2_Family::from_params
std::unique_ptr< PasswordHash > from_params(size_t iter, size_t, size_t) const override
Definition pbkdf2.cpp:200

Botan::PBKDF2
Definition pbkdf2.h:45

Botan::PBKDF2::PBKDF2
PBKDF2(const MessageAuthenticationCode &prf, size_t iter)
Definition pbkdf2.h:47

Botan::PBKDF2::derive_key
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Definition pbkdf2.cpp:174

Botan::PBKDF2::to_string
std::string to_string() const override
Definition pbkdf2.cpp:170

Botan::PKCS5_PBKDF2::pbkdf
size_t pbkdf(uint8_t output_buf[], size_t output_len, std::string_view passphrase, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) const override
Definition pbkdf2.cpp:139

Botan::PKCS5_PBKDF2::name
std::string name() const override
Definition pbkdf2.cpp:157

Botan::PKCS5_PBKDF2::new_object
std::unique_ptr< PBKDF > new_object() const override
Definition pbkdf2.cpp:161

Botan
Definition alg_id.cpp:13

Botan::as_span_of_bytes
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:59

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::ceil_division
BOTAN_FORCE_INLINE constexpr T ceil_division(T a, T b)
Definition bit_ops.h:167

Botan::xor_buf
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:341

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68

Botan::pbkdf2
size_t pbkdf2(MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
Definition pbkdf2.cpp:73

Botan::measure_cost
uint64_t measure_cost(uint64_t trial_msec, F func)
Definition time_utils.h:19

Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:118