/src/botan/src/lib/pbkdf/bcrypt_pbkdf/bcrypt_pbkdf.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * (C) 2018,2019 Jack Lloyd |
3 | | * |
4 | | * Botan is released under the Simplified BSD License (see license.txt) |
5 | | */ |
6 | | |
7 | | #include <botan/bcrypt_pbkdf.h> |
8 | | #include <botan/internal/loadstor.h> |
9 | | #include <botan/internal/blowfish.h> |
10 | | #include <botan/hash.h> |
11 | | #include <botan/internal/timer.h> |
12 | | |
13 | | namespace Botan { |
14 | | |
15 | | void Bcrypt_PBKDF::derive_key(uint8_t output[], size_t output_len, |
16 | | const char* password, size_t password_len, |
17 | | const uint8_t salt[], size_t salt_len) const |
18 | 0 | { |
19 | 0 | bcrypt_pbkdf(output, output_len, |
20 | 0 | password, password_len, |
21 | 0 | salt, salt_len, |
22 | 0 | m_iterations); |
23 | 0 | } |
24 | | |
25 | | std::string Bcrypt_PBKDF::to_string() const |
26 | 0 | { |
27 | 0 | return "Bcrypt-PBKDF(" + std::to_string(m_iterations) + ")"; |
28 | 0 | } |
29 | | |
30 | | std::string Bcrypt_PBKDF_Family::name() const |
31 | 0 | { |
32 | 0 | return "Bcrypt-PBKDF"; |
33 | 0 | } |
34 | | |
35 | | std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length, |
36 | | std::chrono::milliseconds msec, |
37 | | size_t /*max_memory*/) const |
38 | 0 | { |
39 | 0 | Timer timer("Bcrypt_PBKDF"); |
40 | 0 | const auto tune_time = BOTAN_PBKDF_TUNING_TIME; |
41 | |
|
42 | 0 | const size_t blocks = (output_length + 32 - 1) / 32; |
43 | |
|
44 | 0 | if(blocks == 0) |
45 | 0 | return default_params(); |
46 | | |
47 | 0 | const size_t starting_iter = 2; |
48 | |
|
49 | 0 | timer.run_until_elapsed(tune_time, [&]() { |
50 | 0 | uint8_t output[32] = { 0 }; |
51 | 0 | bcrypt_pbkdf(output, sizeof(output), "test", 4, nullptr, 0, starting_iter); |
52 | 0 | }); |
53 | |
|
54 | 0 | if(timer.events() < blocks || timer.value() == 0) |
55 | 0 | return default_params(); |
56 | | |
57 | 0 | const uint64_t measured_time = timer.value() / (timer.events() / blocks); |
58 | |
|
59 | 0 | const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000); |
60 | |
|
61 | 0 | const uint64_t desired_increase = target_nsec / measured_time; |
62 | |
|
63 | 0 | if(desired_increase == 0) |
64 | 0 | return this->from_iterations(starting_iter); |
65 | | |
66 | 0 | return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter)); |
67 | 0 | } |
68 | | |
69 | | std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const |
70 | 0 | { |
71 | 0 | return this->from_iterations(32); // About 100 ms on fast machine |
72 | 0 | } |
73 | | |
74 | | std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const |
75 | 0 | { |
76 | 0 | return std::unique_ptr<PasswordHash>(new Bcrypt_PBKDF(iter)); |
77 | 0 | } |
78 | | |
79 | | std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const |
80 | 0 | { |
81 | 0 | return this->from_iterations(iter); |
82 | 0 | } |
83 | | |
84 | | namespace { |
85 | | |
86 | | void bcrypt_round(Blowfish& blowfish, |
87 | | const secure_vector<uint8_t>& pass_hash, |
88 | | const secure_vector<uint8_t>& salt_hash, |
89 | | secure_vector<uint8_t>& out, |
90 | | secure_vector<uint8_t>& tmp) |
91 | 0 | { |
92 | 0 | const size_t BCRYPT_PBKDF_OUTPUT = 32; |
93 | | |
94 | | // "OxychromaticBlowfishSwatDynamite" |
95 | 0 | alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = { |
96 | 0 | 0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D, |
97 | 0 | 0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77, |
98 | 0 | 0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74, |
99 | 0 | 0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65 |
100 | 0 | }; |
101 | |
|
102 | 0 | const size_t BCRYPT_PBKDF_WORKFACTOR = 6; |
103 | 0 | const size_t BCRYPT_PBKDF_ROUNDS = 64; |
104 | |
|
105 | 0 | blowfish.salted_set_key(pass_hash.data(), pass_hash.size(), |
106 | 0 | salt_hash.data(), salt_hash.size(), |
107 | 0 | BCRYPT_PBKDF_WORKFACTOR, true); |
108 | |
|
109 | 0 | copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT); |
110 | 0 | for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i) |
111 | 0 | blowfish.encrypt(tmp); |
112 | | |
113 | | /* |
114 | | Bcrypt PBKDF loads the Blowfish output as big endian for no reason |
115 | | in particular. We can't just swap everything once at the end |
116 | | because the (big-endian) values are fed into SHA-512 to generate |
117 | | the salt for the next round |
118 | | */ |
119 | 0 | for(size_t i = 0; i != 32/4; ++i) |
120 | 0 | { |
121 | 0 | const uint32_t w = load_le<uint32_t>(tmp.data(), i); |
122 | 0 | store_be(w, &tmp[sizeof(uint32_t)*i]); |
123 | 0 | } |
124 | |
|
125 | 0 | xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT); |
126 | 0 | } |
127 | | |
128 | | } |
129 | | |
130 | | void bcrypt_pbkdf(uint8_t output[], size_t output_len, |
131 | | const char* pass, size_t pass_len, |
132 | | const uint8_t salt[], size_t salt_len, |
133 | | size_t rounds) |
134 | 0 | { |
135 | 0 | BOTAN_ARG_CHECK(rounds >= 1, "Invalid rounds for Bcrypt PBKDF"); |
136 | | |
137 | | // No output desired, so we are all done already... |
138 | 0 | if(output_len == 0) |
139 | 0 | return; |
140 | | |
141 | 0 | BOTAN_ARG_CHECK(output_len <= 10*1024*1024, "Too much output for Bcrypt PBKDF"); |
142 | |
|
143 | 0 | const size_t BCRYPT_BLOCK_SIZE = 32; |
144 | 0 | const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE; |
145 | |
|
146 | 0 | std::unique_ptr<HashFunction> sha512 = HashFunction::create_or_throw("SHA-512"); |
147 | 0 | const secure_vector<uint8_t> pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(pass), pass_len); |
148 | |
|
149 | 0 | secure_vector<uint8_t> salt_hash(sha512->output_length()); |
150 | |
|
151 | 0 | Blowfish blowfish; |
152 | 0 | secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE); |
153 | 0 | secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE); |
154 | |
|
155 | 0 | for(size_t block = 0; block != blocks; ++block) |
156 | 0 | { |
157 | 0 | clear_mem(out.data(), out.size()); |
158 | |
|
159 | 0 | sha512->update(salt, salt_len); |
160 | 0 | sha512->update_be(static_cast<uint32_t>(block + 1)); |
161 | 0 | sha512->final(salt_hash.data()); |
162 | |
|
163 | 0 | bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp); |
164 | |
|
165 | 0 | for(size_t r = 1; r != rounds; ++r) |
166 | 0 | { |
167 | | // Next salt is H(prev_output) |
168 | 0 | sha512->update(tmp); |
169 | 0 | sha512->final(salt_hash.data()); |
170 | |
|
171 | 0 | bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp); |
172 | 0 | } |
173 | |
|
174 | 0 | for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i) |
175 | 0 | { |
176 | 0 | const size_t dest = i * blocks + block; |
177 | 0 | if(dest < output_len) |
178 | 0 | output[dest] = out[i]; |
179 | 0 | } |
180 | 0 | } |
181 | 0 | } |
182 | | |
183 | | } |