Make it possible to use without nifs #13

Merged: 1 commit, Dec 28, 2023
14 changes: 14 additions & 0 deletions README.md
Expand Up @@ -217,6 +217,20 @@ and also that other defence mechanisms like IP blacklisting or traffic shaping,
It all boils down to the right PBKDF2 implementation, as done in [fast_pbkdf2][fast_pbkdf2], which is on average 10x faster on the machines I've tested it.
But while the erlang implementation consumes memory linearly to the iteration count, the NIF implementation does not allocate any more memory.

### Running without NIFs
Note that since OTP24.2, the `crypto` application exposes a native `pbkdf2_hmac` function. However, the NIF implementation from [fast_pbkdf2] is twice as fast, so that one is left as a default.

If for any particular reason you want to skip compiling and loading custom NIFs, you can override the dependency using `rebar3`'s overrides as below, this way the dependency will not be fetched and code will be compiled to use the `crypto` callback instead.

```erlang
{overrides,
[
{override, fast_scram, [{erl_opts, [{d, 'WITHOUT_NIFS'}]}, {deps, []}]},
]
}.

```

## Read more:
* SCRAM: [RFC5802](https://tools.ietf.org/html/rfc5802)
* SCRAM-SHA-256 update: [RFC7677](https://tools.ietf.org/html/rfc7677)
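
Review bot: The `rebar3` overrides example in the new "Running without NIFs" section has a trailing comma after the `{override, fast_scram, ...}` tuple, directly before the closing `]`, so the term will not parse when it is pasted into `rebar.config`. Drop that comma, and remove the blank line before the closing fence. The section also says `crypto:pbkdf2_hmac` exists only since OTP 24.2 but does not say that this becomes the minimum OTP version once `WITHOUT_NIFS` is defined; stating that explicitly would spare users a runtime `undef` on older releases.
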
1 change: 1 addition & 0 deletions src/fast_scram.app.src
Expand Up @@ -8,6 +8,7 @@
crypto,
fast_pbkdf2
]},
{optional_applications, [fast_pbkdf2]},
{env,[]},
{modules, []},
{licenses, ["Apache 2.0"]},
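
Review bot: `fast_pbkdf2` now appears in both `applications` and `optional_applications` with no explanation of why. Add a short comment above the new line saying the application is optional because a build with the `WITHOUT_NIFS` override does not fetch it, and that it has to stay in `applications` as well, so that a later edit of this list does not remove one of the two entries.
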
8 changes: 8 additions & 0 deletions src/fast_scram_definitions.erl
Expand Up @@ -31,10 +31,18 @@
%% ServerKey := HMAC(SaltedPassword, "Server Key")
%% ServerSignature := HMAC(ServerKey, AuthMessage)

-ifdef(WITHOUT_NIFS).
-spec salted_password(sha_type(), binary(), binary(), non_neg_integer()) -> binary().
salted_password(Sha, Password, Salt, IterationCount)
when ?is_valid_hash(Sha), is_binary(Password), is_binary(Salt), ?is_positive_integer(IterationCount) ->
#{size := KeyLength} = crypto:hash_info(Sha),
crypto:pbkdf2_hmac(Sha, Password, Salt, IterationCount, KeyLength).
-else.
-spec salted_password(sha_type(), binary(), binary(), non_neg_integer()) -> binary().
salted_password(Sha, Password, Salt, IterationCount)
when ?is_valid_hash(Sha), is_binary(Password), is_binary(Salt), ?is_positive_integer(IterationCount) ->
fast_pbkdf2:pbkdf2(Sha, Password, Salt, IterationCount).
-endif.

-spec client_key(sha_type(), binary()) -> binary().
client_key(Sha, SaltedPassword)
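
Review bot: The `-spec` on the new `WITHOUT_NIFS` clause repeats `non_neg_integer()` for the iteration count while the guard is `?is_positive_integer(IterationCount)`, so the spec admits a value the guard is named to reject; `pos_integer()` in both branches would match the guard. The two branches also duplicate the spec, the function head and the guards and differ only in the call they make, so consider keeping one spec and one guarded head and moving the backend call into a small private function selected by the `-ifdef`, which keeps the guards from drifting apart. A test that runs the `crypto:pbkdf2_hmac` branch against a known SCRAM vector would confirm that the `KeyLength` taken from `crypto:hash_info(Sha)` yields the same output as `fast_pbkdf2:pbkdf2/4`.
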