1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
/*
* PBKDF2
* (C) 1999-2007 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/internal/pbkdf_utils.h>
#include <botan/pbkdf2.h>
#include <botan/get_byte.h>
#include <botan/internal/xor_buf.h>
#include <botan/internal/rounding.h>
namespace Botan {
BOTAN_REGISTER_NAMED_T(PBKDF, "PBKDF2", PKCS5_PBKDF2, PKCS5_PBKDF2::make);
PKCS5_PBKDF2* PKCS5_PBKDF2::make(const Spec& spec)
{
if(auto mac = make_a<MessageAuthenticationCode>(spec.arg(0)))
return new PKCS5_PBKDF2(mac);
if(auto mac = make_a<MessageAuthenticationCode>("HMAC(" + spec.arg(0) + ")"))
return new PKCS5_PBKDF2(mac);
return nullptr;
}
size_t
pbkdf2(MessageAuthenticationCode& prf,
byte out[],
size_t out_len,
const std::string& passphrase,
const byte salt[], size_t salt_len,
size_t iterations,
std::chrono::milliseconds msec)
{
clear_mem(out, out_len);
if(out_len == 0)
return 0;
try
{
prf.set_key(reinterpret_cast<const byte*>(passphrase.data()), passphrase.size());
}
catch(Invalid_Key_Length)
{
throw std::runtime_error("PBKDF2 with " + prf.name() +
" cannot accept passphrases of length " +
std::to_string(passphrase.size()));
}
const size_t prf_sz = prf.output_length();
secure_vector<byte> U(prf_sz);
const size_t blocks_needed = round_up(out_len, prf_sz) / prf_sz;
std::chrono::microseconds usec_per_block =
std::chrono::duration_cast<std::chrono::microseconds>(msec) / blocks_needed;
u32bit counter = 1;
while(out_len)
{
const size_t prf_output = std::min<size_t>(prf_sz, out_len);
prf.update(salt, salt_len);
prf.update_be(counter++);
prf.final(&U[0]);
xor_buf(out, &U[0], prf_output);
if(iterations == 0)
{
/*
If no iterations set, run the first block to calibrate based
on how long hashing takes on whatever machine we're running on.
*/
const auto start = std::chrono::high_resolution_clock::now();
iterations = 1; // the first iteration we did above
while(true)
{
prf.update(U);
prf.final(&U[0]);
xor_buf(out, &U[0], prf_output);
iterations++;
/*
Only break on relatively 'even' iterations. For one it
avoids confusion, and likely some broken implementations
break on getting completely randomly distributed values
*/
if(iterations % 10000 == 0)
{
auto time_taken = std::chrono::high_resolution_clock::now() - start;
auto usec_taken = std::chrono::duration_cast<std::chrono::microseconds>(time_taken);
if(usec_taken > usec_per_block)
break;
}
}
}
else
{
for(size_t i = 1; i != iterations; ++i)
{
prf.update(U);
prf.final(&U[0]);
xor_buf(out, &U[0], prf_output);
}
}
out_len -= prf_output;
out += prf_output;
}
return iterations;
}
size_t
PKCS5_PBKDF2::pbkdf(byte key[], size_t key_len,
const std::string& passphrase,
const byte salt[], size_t salt_len,
size_t iterations,
std::chrono::milliseconds msec) const
{
return pbkdf2(*mac.get(), key, key_len, passphrase, salt, salt_len, iterations, msec);
}
}
|
