authorJack Lloyd <[email protected]>2017-02-26 15:48:35 -0500
committerJack Lloyd <[email protected]>2017-02-26 15:48:35 -0500
commit8bbec86f8984b52b5d0cce8cd1309563d2b294cc (patch)
tree3c7b7c6aa275b66d3f3ae7c67e24ba64222591a4 /src/lib/ffi
parent70d9d062d095242bcfe8df25fc57fb88eadec3a9 (diff)
Add ability to specify iterations when encrypting a private key
GH #896
Diffstat (limited to 'src/lib/ffi')
-rw-r--r--src/lib/ffi/ffi.cpp82
-rw-r--r--src/lib/ffi/ffi.h27
2 files changed, 105 insertions, 4 deletions
diff --git a/src/lib/ffi/ffi.cpp b/src/lib/ffi/ffi.cpp
index 80d7ec611..07c20ce3b 100644
--- a/src/lib/ffi/ffi.cpp
+++ b/src/lib/ffi/ffi.cpp
@@ -983,19 +983,93 @@ int botan_privkey_export_encrypted(botan_privkey_t key,
uint8_t out[], size_t* out_len,
botan_rng_t rng_obj,
const char* pass,
- const char* pbe,
+ const char* /*ignored - pbe*/,
uint32_t flags)
{
+ return botan_privkey_export_encrypted_pbkdf_iter(key, out, out_len, rng_obj, pass, 100000, nullptr, nullptr, flags);
+ }
+
+int botan_privkey_export_encrypted_pbkdf_msec(botan_privkey_t key,
+ uint8_t out[], size_t* out_len,
+ botan_rng_t rng_obj,
+ const char* pass,
+ uint32_t pbkdf_msec,
+ size_t* pbkdf_iters_out,
+ const char* maybe_cipher,
+ const char* maybe_pbkdf_hash,
+ uint32_t flags)
+ {
+ return BOTAN_FFI_DO(Botan::Private_Key, key, k, {
+ const std::chrono::milliseconds pbkdf_time(pbkdf_msec);
+ Botan::RandomNumberGenerator& rng = safe_get(rng_obj);
+
+ std::string cipher;
+ if(maybe_cipher)
+ {
+ cipher = maybe_cipher;
+ }
+
+ std::string pbkdf_hash;
+ if(maybe_pbkdf_hash)
+ {
+ pbkdf_hash = maybe_pbkdf_hash;
+ }
+
+ if(flags == BOTAN_PRIVKEY_EXPORT_FLAG_DER)
+ {
+ return write_vec_output(out, out_len,
+ Botan::PKCS8::BER_encode_encrypted_pbkdf_msec(k, rng, pass, pbkdf_time, pbkdf_iters_out, cipher, pbkdf_hash));
+ }
+ else if(flags == BOTAN_PRIVKEY_EXPORT_FLAG_PEM)
+ {
+ return write_str_output(out, out_len,
+ Botan::PKCS8::PEM_encode_encrypted_pbkdf_msec(k, rng, pass, pbkdf_time, pbkdf_iters_out, cipher, pbkdf_hash));
+ }
+ else
+ {
+ return -2;
+ }
+ });
+ }
+
+int botan_privkey_export_encrypted_pbkdf_iter(botan_privkey_t key,
+ uint8_t out[], size_t* out_len,
+ botan_rng_t rng_obj,
+ const char* pass,
+ size_t pbkdf_iter,
+ const char* maybe_cipher,
+ const char* maybe_pbkdf_hash,
+ uint32_t flags)
+ {
return BOTAN_FFI_DO(Botan::Private_Key, key, k, {
- auto pbkdf_time = std::chrono::milliseconds(300);
Botan::RandomNumberGenerator& rng = safe_get(rng_obj);
+ std::string cipher;
+ if(maybe_cipher)
+ {
+ cipher = maybe_cipher;
+ }
+
+ std::string pbkdf_hash;
+ if(maybe_pbkdf_hash)
+ {
+ pbkdf_hash = maybe_pbkdf_hash;
+ }
+
if(flags == BOTAN_PRIVKEY_EXPORT_FLAG_DER)
- return write_vec_output(out, out_len, Botan::PKCS8::BER_encode(k, rng, pass, pbkdf_time, pbe));
+ {
+ return write_vec_output(out, out_len,
+ Botan::PKCS8::BER_encode_encrypted_pbkdf_iter(k, rng, pass, pbkdf_iter, cipher, pbkdf_hash));
+ }
else if(flags == BOTAN_PRIVKEY_EXPORT_FLAG_PEM)
- return write_str_output(out, out_len, Botan::PKCS8::PEM_encode(k, rng, pass, pbkdf_time, pbe));
+ {
+ return write_str_output(out, out_len,
+ Botan::PKCS8::PEM_encode_encrypted_pbkdf_iter(k, rng, pass, pbkdf_iter, cipher, pbkdf_hash));
+ }
else
+ {
return -2;
+ }
});
}
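Review bot: botan_privkey_export_encrypted_pbkdf_iter hands pbkdf_iter to BER/PEM_encode_encrypted_pbkdf_iter with no lower bound, and the msec variant does the same with pbkdf_msec, so a caller passing 0 gets either an exception swallowed inside BOTAN_FFI_DO or a key stretched by a trivially small count — nothing at this boundary bounds or documents the minimum, even though the iteration count is the only thing standing between an exported blob and a passphrase brute-force. Rejecting the degenerate value up front, before BOTAN_FFI_DO, keeps the failure explicit: `if(pbkdf_iter == 0) return -1;` (and `if(pbkdf_msec == 0) return -1;` in the msec variant), using whatever code this file reserves for a bad argument — only the -2 for unknown flags is visible here. Both new functions null-check maybe_cipher and maybe_pbkdf_hash but pass `pass` straight through; if the PKCS8 overloads take the passphrase as a std::string, a NULL pass is undefined behaviour rather than a clean error, so a matching `if(pass == nullptr) return -1;` would make the argument handling consistent. The deprecated wrapper at the top now hardcodes 100000 iterations and silently drops the old pbe argument, which deserves a one-line comment such as `// pbe named a whole PBE scheme, not a cipher, so it cannot be forwarded as maybe_cipher; callers wanting control must use the _pbkdf_iter/_msec variants`.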
diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h
index 264c3d24d..98792d4bd 100644
--- a/src/lib/ffi/ffi.h
+++ b/src/lib/ffi/ffi.h
@@ -506,6 +506,7 @@ BOTAN_DLL int botan_privkey_export(botan_privkey_t key,
/*
* Set encryption_algo to NULL or "" to have the library choose a default (recommended)
*/
+BOTAN_DEPRECATED("Use botan_privkey_export_encrypted_pbkdf_{msec,iter}")
BOTAN_DLL int botan_privkey_export_encrypted(botan_privkey_t key,
uint8_t out[], size_t* out_len,
botan_rng_t rng,
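Review bot: The comment above this declaration still tells callers that a non-NULL encryption_algo selects the algorithm, but the .cpp side of this commit replaces that parameter with `/*ignored - pbe*/` and always exports with the library default and 100000 iterations, so an existing caller who deliberately chose a PBE string now gets a different algorithm with no error and no warning at runtime. The deprecation attribute alone does not convey that; the comment should say it outright, e.g. `* Deprecated: encryption_algo is ignored and a fixed PBKDF iteration count is used. Use botan_privkey_export_encrypted_pbkdf_{msec,iter} to control the cipher, KDF hash and work factor.` The declaration continues past the end of this hunk.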
@@ -513,6 +514,32 @@ BOTAN_DLL int botan_privkey_export_encrypted(botan_privkey_t key,
const char* encryption_algo,
uint32_t flags);
+/*
+* Export a private key, running PBKDF for specified amount of time
+* @param key the private key to export
+*/
+BOTAN_DLL int botan_privkey_export_encrypted_pbkdf_msec(botan_privkey_t key,
+ uint8_t out[], size_t* out_len,
+ botan_rng_t rng,
+ const char* passphrase,
+ uint32_t pbkdf_msec_runtime,
+ size_t* pbkdf_iterations_out,
+ const char* cipher_algo,
+ const char* pbkdf_algo,
+ uint32_t flags);
+
+/*
+* Export a private key using the specified number of iterations.
+*/
+BOTAN_DLL int botan_privkey_export_encrypted_pbkdf_iter(botan_privkey_t key,
+ uint8_t out[], size_t* out_len,
+ botan_rng_t rng,
+ const char* passphrase,
+ size_t pbkdf_iterations,
+ const char* cipher_algo,
+ const char* pbkdf_algo,
+ uint32_t flags);
+
typedef struct botan_pubkey_struct* botan_pubkey_t;
BOTAN_DLL int botan_pubkey_load(botan_pubkey_t* key, const uint8_t bits[], size_t len);
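Review bot: The doc block for botan_privkey_export_encrypted_pbkdf_msec documents only @param key, and botan_privkey_export_encrypted_pbkdf_iter gets a single line, leaving the security-relevant parameters of a raw C API undescribed. For both functions, state that cipher_algo and pbkdf_algo may be NULL to take the library default (the implementation maps NULL to an empty string), that pbkdf_iterations_out, when non-NULL, presumably receives the iteration count the timed run settled on (the .cpp only forwards the pointer, so confirm against the PKCS8 layer), and that flags must be exactly BOTAN_PRIVKEY_EXPORT_FLAG_DER or BOTAN_PRIVKEY_EXPORT_FLAG_PEM, any other value failing. The iter variant should also carry a sentence that pbkdf_iterations bounds the brute-force cost of the passphrase and that the deprecated wrapper uses 100000, so callers have a reference point rather than picking a small number by accident.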