Configurable PBKDF2 iteration count

KDF makes computations slow but fuzzing requires a lot of encryption and decryption. Let's make the default iteration count to be configurable at compile time and use a lower number for fuzzer builds. This drastically increases efficiency of AFL search. This feature is intended to be used mostly for debugging, and maybe to provide custom builds on demand, so it's not documented anywhere except for the code.
cossacklabs · Mar 5, 2020 · 66fca22 · 66fca22
1 parent 90e710f
commit 66fca22
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -148,6 +148,7 @@ jobs:
       - image: cossacklabs/build:ubuntu-bionic
     environment:
       FUZZ_TIMEOUT: 30s
+      THEMIS_DEFAULT_PBKDF2_ITERATIONS: 10
       WITH_FATAL_WARNINGS: yes
       WITH_FATAL_SANITIZERS: yes
     steps:

diff --git a/src/themis/secure_cell_alg.h b/src/themis/secure_cell_alg.h
@@ -19,14 +19,18 @@
 
 #include <soter/soter_sym.h>
 
+#ifndef THEMIS_DEFAULT_PBKDF2_ITERATIONS
+#define THEMIS_DEFAULT_PBKDF2_ITERATIONS 200000
+#endif
+
 #ifdef THEMIS_AUTH_SYM_ALG_AES_256_GCM
 #define THEMIS_AUTH_SYM_KEY_LENGTH SOTER_SYM_256_KEY_LENGTH
 #define THEMIS_AUTH_SYM_ALG (SOTER_SYM_AES_GCM | THEMIS_AUTH_SYM_KEY_LENGTH)
 #define THEMIS_AUTH_SYM_IV_LENGTH 12
 #define THEMIS_AUTH_SYM_AUTH_TAG_LENGTH 16
 #define THEMIS_AUTH_SYM_PASSPHRASE_ALG (THEMIS_AUTH_SYM_ALG | SOTER_SYM_PBKDF2)
 #define THEMIS_AUTH_SYM_PBKDF2_SALT_LENGTH 16
-#define THEMIS_AUTH_SYM_PBKDF2_ITERATIONS 200000
+#define THEMIS_AUTH_SYM_PBKDF2_ITERATIONS (THEMIS_DEFAULT_PBKDF2_ITERATIONS)
 #endif
 
 #ifdef THEMIS_AUTH_SYM_ALG_AES_128_GCM
@@ -36,7 +40,7 @@
 #define THEMIS_AUTH_SYM_AUTH_TAG_LENGTH 16
 #define THEMIS_AUTH_SYM_PASSPHRASE_ALG (THEMIS_AUTH_SYM_ALG | SOTER_SYM_PBKDF2)
 #define THEMIS_AUTH_SYM_PBKDF2_SALT_LENGTH 16
-#define THEMIS_AUTH_SYM_PBKDF2_ITERATIONS 200000
+#define THEMIS_AUTH_SYM_PBKDF2_ITERATIONS (THEMIS_DEFAULT_PBKDF2_ITERATIONS)
 #endif
 
 #ifdef THEMIS_AUTH_SYM_ALG_AES_192_GCM
@@ -46,7 +50,7 @@
 #define THEMIS_AUTH_SYM_AUTH_TAG_LENGTH 16
 #define THEMIS_AUTH_SYM_PASSPHRASE_ALG (THEMIS_AUTH_SYM_ALG | SOTER_SYM_PBKDF2)
 #define THEMIS_AUTH_SYM_PBKDF2_SALT_LENGTH 16
-#define THEMIS_AUTH_SYM_PBKDF2_ITERATIONS 200000
+#define THEMIS_AUTH_SYM_PBKDF2_ITERATIONS (THEMIS_DEFAULT_PBKDF2_ITERATIONS)
 #endif
 
 /*default values*/
@@ -57,7 +61,7 @@
 #define THEMIS_AUTH_SYM_AUTH_TAG_LENGTH 16
 #define THEMIS_AUTH_SYM_PASSPHRASE_ALG (THEMIS_AUTH_SYM_ALG | SOTER_SYM_PBKDF2)
 #define THEMIS_AUTH_SYM_PBKDF2_SALT_LENGTH 16
-#define THEMIS_AUTH_SYM_PBKDF2_ITERATIONS 200000
+#define THEMIS_AUTH_SYM_PBKDF2_ITERATIONS (THEMIS_DEFAULT_PBKDF2_ITERATIONS)
 #endif
 
 #define THEMIS_AUTH_SYM_MAX_KEY_LENGTH SOTER_SYM_256_KEY_LENGTH

diff --git a/src/themis/themis.mk b/src/themis/themis.mk
@@ -50,6 +50,10 @@ THEMIS_STATIC = $(BIN_PATH)/$(LIBTHEMIS_A) $(SOTER_STATIC)
 
 $(THEMIS_OBJ): CFLAGS += -DTHEMIS_EXPORT
 
+ifneq ($(THEMIS_DEFAULT_PBKDF2_ITERATIONS),)
+$(THEMIS_OBJ): CFLAGS += -DTHEMIS_DEFAULT_PBKDF2_ITERATIONS=$(THEMIS_DEFAULT_PBKDF2_ITERATIONS)
+endif
+
 $(BIN_PATH)/$(LIBTHEMIS_A): CMD = $(AR) rcs $@ $(filter %.o, $^)
 
 $(BIN_PATH)/$(LIBTHEMIS_A): $(THEMIS_OBJ)