/src/botan/src/lib/pbkdf/pbkdf2/pbkdf2.cpp

Source (jump to first uncovered line)
/*
* PBKDF2
* (C) 1999-2007 Jack Lloyd
* (C) 2018 Ribose Inc
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/pbkdf2.h>

#include <botan/exceptn.h>
#include <botan/internal/fmt.h>
#include <botan/internal/timer.h>

namespace Botan {

namespace {

void pbkdf2_set_key(MessageAuthenticationCode& prf, const char* password, size_t password_len) {
   try {
      prf.set_key(cast_char_ptr_to_uint8(password), password_len);
   } catch(Invalid_Key_Length&) {
      throw Invalid_Argument("PBKDF2 cannot accept passphrase of the given size");
   }
}

size_t tune_pbkdf2(MessageAuthenticationCode& prf,
                   size_t output_length,
                   std::chrono::milliseconds msec,
                   std::chrono::milliseconds tune_time = std::chrono::milliseconds(10)) {
   if(output_length == 0) {
      output_length = 1;
   }

   const size_t prf_sz = prf.output_length();
   BOTAN_ASSERT_NOMSG(prf_sz > 0);
   secure_vector<uint8_t> U(prf_sz);

   const size_t trial_iterations = 2000;

   // Short output ensures we only need a single PBKDF2 block

   Timer timer("PBKDF2");

   prf.set_key(nullptr, 0);

   timer.run_until_elapsed(tune_time, [&]() {
      uint8_t out[12] = {0};
      uint8_t salt[12] = {0};
      pbkdf2(prf, out, sizeof(out), salt, sizeof(salt), trial_iterations);
   });

   if(timer.events() == 0) {
      return trial_iterations;
   }

   const uint64_t duration_nsec = timer.value() / timer.events();

   const uint64_t desired_nsec = static_cast<uint64_t>(msec.count()) * 1000000;

   if(duration_nsec > desired_nsec) {
      return trial_iterations;
   }

   const size_t blocks_needed = (output_length + prf_sz - 1) / prf_sz;

   const size_t multiplier = static_cast<size_t>(desired_nsec / duration_nsec / blocks_needed);

   if(multiplier == 0) {
      return trial_iterations;
   } else {
      return trial_iterations * multiplier;
   }
}

}  // namespace

size_t pbkdf2(MessageAuthenticationCode& prf,
              uint8_t out[],
              size_t out_len,
              std::string_view password,
              const uint8_t salt[],
              size_t salt_len,
              size_t iterations,
              std::chrono::milliseconds msec) {
   if(iterations == 0) {
      iterations = tune_pbkdf2(prf, out_len, msec);
   }

   PBKDF2 pbkdf2(prf, iterations);

   pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);

   return iterations;
}

void pbkdf2(MessageAuthenticationCode& prf,
            uint8_t out[],
            size_t out_len,
            const uint8_t salt[],
            size_t salt_len,
            size_t iterations) {
   if(iterations == 0) {
      throw Invalid_Argument("PBKDF2: Invalid iteration count");
   }

   clear_mem(out, out_len);

   if(out_len == 0) {
      return;
   }

   const size_t prf_sz = prf.output_length();
   BOTAN_ASSERT_NOMSG(prf_sz > 0);

   secure_vector<uint8_t> U(prf_sz);

   uint32_t counter = 1;
   while(out_len) {
      const size_t prf_output = std::min<size_t>(prf_sz, out_len);

      prf.update(salt, salt_len);
      prf.update_be(counter++);
      prf.final(U.data());

      xor_buf(out, U.data(), prf_output);

      for(size_t i = 1; i != iterations; ++i) {
         prf.update(U);
         prf.final(U.data());
         xor_buf(out, U.data(), prf_output);
      }

      out_len -= prf_output;
      out += prf_output;
   }
}

// PBKDF interface
size_t PKCS5_PBKDF2::pbkdf(uint8_t key[],
                           size_t key_len,
                           std::string_view password,
                           const uint8_t salt[],
                           size_t salt_len,
                           size_t iterations,
                           std::chrono::milliseconds msec) const {
   if(iterations == 0) {
      iterations = tune_pbkdf2(*m_mac, key_len, msec);
   }

   PBKDF2 pbkdf2(*m_mac, iterations);

   pbkdf2.derive_key(key, key_len, password.data(), password.size(), salt, salt_len);

   return iterations;
}

std::string PKCS5_PBKDF2::name() const {
   return fmt("PBKDF2({})", m_mac->name());
}

std::unique_ptr<PBKDF> PKCS5_PBKDF2::new_object() const {
   return std::make_unique<PKCS5_PBKDF2>(m_mac->new_object());
}

// PasswordHash interface

PBKDF2::PBKDF2(const MessageAuthenticationCode& prf, size_t olen, std::chrono::milliseconds msec) :
      m_prf(prf.new_object()), m_iterations(tune_pbkdf2(*m_prf, olen, msec)) {}

std::string PBKDF2::to_string() const {
   return fmt("PBKDF2({},{})", m_prf->name(), m_iterations);
}

void PBKDF2::derive_key(uint8_t out[],
                        size_t out_len,
                        const char* password,
                        const size_t password_len,
                        const uint8_t salt[],
                        size_t salt_len) const {
   pbkdf2_set_key(*m_prf, password, password_len);
   pbkdf2(*m_prf, out, out_len, salt, salt_len, m_iterations);
}

std::string PBKDF2_Family::name() const {
   return fmt("PBKDF2({})", m_prf->name());
}

std::unique_ptr<PasswordHash> PBKDF2_Family::tune(size_t output_len,
                                                  std::chrono::milliseconds msec,
                                                  size_t /*max_memory_usage_mb*/,
                                                  std::chrono::milliseconds tune_time) const {
   auto iterations = tune_pbkdf2(*m_prf, output_len, msec, tune_time);
   return std::make_unique<PBKDF2>(*m_prf, iterations);
}

std::unique_ptr<PasswordHash> PBKDF2_Family::default_params() const {
   return std::make_unique<PBKDF2>(*m_prf, 150000);
}

std::unique_ptr<PasswordHash> PBKDF2_Family::from_params(size_t iter, size_t /*i2*/, size_t /*i3*/) const {
   return std::make_unique<PBKDF2>(*m_prf, iter);
}

std::unique_ptr<PasswordHash> PBKDF2_Family::from_iterations(size_t iter) const {
   return std::make_unique<PBKDF2>(*m_prf, iter);
}

}  // namespace Botan

Coverage Report

Created: 2024-06-28 06:39

Line	Count	Source (jump to first uncovered line)
1		/*
2		* PBKDF2
3		* (C) 1999-2007 Jack Lloyd
4		* (C) 2018 Ribose Inc
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/pbkdf2.h>
10
11		#include <botan/exceptn.h>
12		#include <botan/internal/fmt.h>
13		#include <botan/internal/timer.h>
14
15		namespace Botan {
16
17		namespace {
18
19	1.20k	void pbkdf2_set_key(MessageAuthenticationCode& prf, const char* password, size_t password_len) {
20	1.20k	try {
21	1.20k	prf.set_key(cast_char_ptr_to_uint8(password), password_len);
22	1.20k	} catch(Invalid_Key_Length&) {
23	106	throw Invalid_Argument("PBKDF2 cannot accept passphrase of the given size");
24	106	}
25	1.20k	}
26
27		size_t tune_pbkdf2(MessageAuthenticationCode& prf,
28		size_t output_length,
29		std::chrono::milliseconds msec,
30	0	std::chrono::milliseconds tune_time = std::chrono::milliseconds(10)) {
31	0	if(output_length == 0) {
32	0	output_length = 1;
33	0	}
34
35	0	const size_t prf_sz = prf.output_length();
36	0	BOTAN_ASSERT_NOMSG(prf_sz > 0);
37	0	secure_vector<uint8_t> U(prf_sz);
38
39	0	const size_t trial_iterations = 2000;
40
41		// Short output ensures we only need a single PBKDF2 block
42
43	0	Timer timer("PBKDF2");
44
45	0	prf.set_key(nullptr, 0);
46
47	0	timer.run_until_elapsed(tune_time, [&]() {
48	0	uint8_t out[12] = {0};
49	0	uint8_t salt[12] = {0};
50	0	pbkdf2(prf, out, sizeof(out), salt, sizeof(salt), trial_iterations);
51	0	});
52
53	0	if(timer.events() == 0) {
54	0	return trial_iterations;
55	0	}
56
57	0	const uint64_t duration_nsec = timer.value() / timer.events();
58
59	0	const uint64_t desired_nsec = static_cast<uint64_t>(msec.count()) * 1000000;
60
61	0	if(duration_nsec > desired_nsec) {
62	0	return trial_iterations;
63	0	}
64
65	0	const size_t blocks_needed = (output_length + prf_sz - 1) / prf_sz;
66
67	0	const size_t multiplier = static_cast<size_t>(desired_nsec / duration_nsec / blocks_needed);
68
69	0	if(multiplier == 0) {
70	0	return trial_iterations;
71	0	} else {
72	0	return trial_iterations * multiplier;
73	0	}
74	0	}
75
76		} // namespace
77
78		size_t pbkdf2(MessageAuthenticationCode& prf,
79		uint8_t out[],
80		size_t out_len,
81		std::string_view password,
82		const uint8_t salt[],
83		size_t salt_len,
84		size_t iterations,
85	0	std::chrono::milliseconds msec) {
86	0	if(iterations == 0) {
87	0	iterations = tune_pbkdf2(prf, out_len, msec);
88	0	}
89
90	0	PBKDF2 pbkdf2(prf, iterations);
91
92	0	pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);
93
94	0	return iterations;
95	0	}
96
97		void pbkdf2(MessageAuthenticationCode& prf,
98		uint8_t out[],
99		size_t out_len,
100		const uint8_t salt[],
101		size_t salt_len,
102	2.01k	size_t iterations) {
103	2.01k	if(iterations == 0) {
104	218	throw Invalid_Argument("PBKDF2: Invalid iteration count");
105	218	}
106
107	1.79k	clear_mem(out, out_len);
108
109	1.79k	if(out_len == 0) {
110	192	return;
111	192	}
112
113	1.60k	const size_t prf_sz = prf.output_length();
114	1.60k	BOTAN_ASSERT_NOMSG(prf_sz > 0);
115
116	1.60k	secure_vector<uint8_t> U(prf_sz);
117
118	1.60k	uint32_t counter = 1;
119	41.0k	while(out_len) {
120	39.3k	const size_t prf_output = std::min<size_t>(prf_sz, out_len);
121
122	39.3k	prf.update(salt, salt_len);
123	39.3k	prf.update_be(counter++);
124	39.3k	prf.final(U.data());
125
126	39.3k	xor_buf(out, U.data(), prf_output);
127
128	58.4k	for(size_t i = 1; i != iterations; ++i) {
129	19.0k	prf.update(U);
130	19.0k	prf.final(U.data());
131	19.0k	xor_buf(out, U.data(), prf_output);
132	19.0k	}
133
134	39.3k	out_len -= prf_output;
135	39.3k	out += prf_output;
136	39.3k	}
137	1.60k	}
138
139		// PBKDF interface
140		size_t PKCS5_PBKDF2::pbkdf(uint8_t key[],
141		size_t key_len,
142		std::string_view password,
143		const uint8_t salt[],
144		size_t salt_len,
145		size_t iterations,
146	0	std::chrono::milliseconds msec) const {
147	0	if(iterations == 0) {
148	0	iterations = tune_pbkdf2(*m_mac, key_len, msec);
149	0	}
150
151	0	PBKDF2 pbkdf2(*m_mac, iterations);
152
153	0	pbkdf2.derive_key(key, key_len, password.data(), password.size(), salt, salt_len);
154
155	0	return iterations;
156	0	}
157
158	0	std::string PKCS5_PBKDF2::name() const {
159	0	return fmt("PBKDF2({})", m_mac->name());
160	0	}
161
162	0	std::unique_ptr<PBKDF> PKCS5_PBKDF2::new_object() const {
163	0	return std::make_unique<PKCS5_PBKDF2>(m_mac->new_object());
164	0	}
165
166		// PasswordHash interface
167
168		PBKDF2::PBKDF2(const MessageAuthenticationCode& prf, size_t olen, std::chrono::milliseconds msec) :
169	0	m_prf(prf.new_object()), m_iterations(tune_pbkdf2(*m_prf, olen, msec)) {}
170
171	0	std::string PBKDF2::to_string() const {
172	0	return fmt("PBKDF2({},{})", m_prf->name(), m_iterations);
173	0	}
174
175		void PBKDF2::derive_key(uint8_t out[],
176		size_t out_len,
177		const char* password,
178		const size_t password_len,
179		const uint8_t salt[],
180	1.20k	size_t salt_len) const {
181	1.20k	pbkdf2_set_key(*m_prf, password, password_len);
182	1.20k	pbkdf2(*m_prf, out, out_len, salt, salt_len, m_iterations);
183	1.20k	}
184
185	0	std::string PBKDF2_Family::name() const {
186	0	return fmt("PBKDF2({})", m_prf->name());
187	0	}
188
189		std::unique_ptr<PasswordHash> PBKDF2_Family::tune(size_t output_len,
190		std::chrono::milliseconds msec,
191		size_t /max_memory_usage_mb/,
192	0	std::chrono::milliseconds tune_time) const {
193	0	auto iterations = tune_pbkdf2(*m_prf, output_len, msec, tune_time);
194	0	return std::make_unique<PBKDF2>(*m_prf, iterations);
195	0	}
196
197	0	std::unique_ptr<PasswordHash> PBKDF2_Family::default_params() const {
198	0	return std::make_unique<PBKDF2>(*m_prf, 150000);
199	0	}
200
201	1.20k	std::unique_ptr<PasswordHash> PBKDF2_Family::from_params(size_t iter, size_t /i2/, size_t /i3/) const {
202	1.20k	return std::make_unique<PBKDF2>(*m_prf, iter);
203	1.20k	}
204
205	0	std::unique_ptr<PasswordHash> PBKDF2_Family::from_iterations(size_t iter) const {
206	0	return std::make_unique<PBKDF2>(*m_prf, iter);
207	0	}
208
209		} // namespace Botan