Coverage Report

Created: 2021-02-21 07:20

/src/botan/src/lib/pbkdf/bcrypt_pbkdf/bcrypt_pbkdf.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* (C) 2018,2019 Jack Lloyd
3
*
4
* Botan is released under the Simplified BSD License (see license.txt)
5
*/
6
7
#include <botan/bcrypt_pbkdf.h>
8
#include <botan/internal/loadstor.h>
9
#include <botan/internal/blowfish.h>
10
#include <botan/hash.h>
11
#include <botan/internal/timer.h>
12
13
namespace Botan {
14
15
void Bcrypt_PBKDF::derive_key(uint8_t output[], size_t output_len,
16
                              const char* password, size_t password_len,
17
                              const uint8_t salt[], size_t salt_len) const
18
0
   {
19
0
   bcrypt_pbkdf(output, output_len,
20
0
                password, password_len,
21
0
                salt, salt_len,
22
0
                m_iterations);
23
0
   }
24
25
std::string Bcrypt_PBKDF::to_string() const
26
0
   {
27
0
   return "Bcrypt-PBKDF(" + std::to_string(m_iterations) + ")";
28
0
   }
29
30
std::string Bcrypt_PBKDF_Family::name() const
31
0
   {
32
0
   return "Bcrypt-PBKDF";
33
0
   }
34
35
std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
36
                                                        std::chrono::milliseconds msec,
37
                                                        size_t /*max_memory*/) const
38
0
   {
39
0
   Timer timer("Bcrypt_PBKDF");
40
0
   const auto tune_time = BOTAN_PBKDF_TUNING_TIME;
41
42
0
   const size_t blocks = (output_length + 32 - 1) / 32;
43
44
0
   if(blocks == 0)
45
0
      return default_params();
46
47
0
   const size_t starting_iter = 2;
48
49
0
   timer.run_until_elapsed(tune_time, [&]() {
50
0
      uint8_t output[32] = { 0 };
51
0
      bcrypt_pbkdf(output, sizeof(output), "test", 4, nullptr, 0, starting_iter);
52
0
      });
53
54
0
   if(timer.events() < blocks || timer.value() == 0)
55
0
      return default_params();
56
57
0
   const uint64_t measured_time = timer.value() / (timer.events() / blocks);
58
59
0
   const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);
60
61
0
   const uint64_t desired_increase = target_nsec / measured_time;
62
63
0
   if(desired_increase == 0)
64
0
      return this->from_iterations(starting_iter);
65
66
0
   return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
67
0
   }
68
69
std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const
70
0
   {
71
0
   return this->from_iterations(32); // About 100 ms on fast machine
72
0
   }
73
74
std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const
75
0
   {
76
0
   return std::unique_ptr<PasswordHash>(new Bcrypt_PBKDF(iter));
77
0
   }
78
79
std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const
80
0
   {
81
0
   return this->from_iterations(iter);
82
0
   }
83
84
namespace {
85
86
void bcrypt_round(Blowfish& blowfish,
87
                  const secure_vector<uint8_t>& pass_hash,
88
                  const secure_vector<uint8_t>& salt_hash,
89
                  secure_vector<uint8_t>& out,
90
                  secure_vector<uint8_t>& tmp)
91
0
   {
92
0
   const size_t BCRYPT_PBKDF_OUTPUT = 32;
93
94
   // "OxychromaticBlowfishSwatDynamite"
95
0
   alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
96
0
      0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D,
97
0
      0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
98
0
      0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74,
99
0
      0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65
100
0
   };
101
102
0
   const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
103
0
   const size_t BCRYPT_PBKDF_ROUNDS = 64;
104
105
0
   blowfish.salted_set_key(pass_hash.data(), pass_hash.size(),
106
0
                           salt_hash.data(), salt_hash.size(),
107
0
                           BCRYPT_PBKDF_WORKFACTOR, true);
108
109
0
   copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
110
0
   for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)
111
0
      blowfish.encrypt(tmp);
112
113
   /*
114
   Bcrypt PBKDF loads the Blowfish output as big endian for no reason
115
   in particular. We can't just swap everything once at the end
116
   because the (big-endian) values are fed into SHA-512 to generate
117
   the salt for the next round
118
   */
119
0
   for(size_t i = 0; i != 32/4; ++i)
120
0
      {
121
0
      const uint32_t w = load_le<uint32_t>(tmp.data(), i);
122
0
      store_be(w, &tmp[sizeof(uint32_t)*i]);
123
0
      }
124
125
0
   xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
126
0
   }
127
128
}
129
130
void bcrypt_pbkdf(uint8_t output[], size_t output_len,
131
                  const char* pass, size_t pass_len,
132
                  const uint8_t salt[], size_t salt_len,
133
                  size_t rounds)
134
0
   {
135
0
   BOTAN_ARG_CHECK(rounds >= 1, "Invalid rounds for Bcrypt PBKDF");
136
137
   // No output desired, so we are all done already...
138
0
   if(output_len == 0)
139
0
      return;
140
141
0
   BOTAN_ARG_CHECK(output_len <= 10*1024*1024, "Too much output for Bcrypt PBKDF");
142
143
0
   const size_t BCRYPT_BLOCK_SIZE = 32;
144
0
   const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;
145
146
0
   std::unique_ptr<HashFunction> sha512 = HashFunction::create_or_throw("SHA-512");
147
0
   const secure_vector<uint8_t> pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(pass), pass_len);
148
149
0
   secure_vector<uint8_t> salt_hash(sha512->output_length());
150
151
0
   Blowfish blowfish;
152
0
   secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
153
0
   secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);
154
155
0
   for(size_t block = 0; block != blocks; ++block)
156
0
      {
157
0
      clear_mem(out.data(), out.size());
158
159
0
      sha512->update(salt, salt_len);
160
0
      sha512->update_be(static_cast<uint32_t>(block + 1));
161
0
      sha512->final(salt_hash.data());
162
163
0
      bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
164
165
0
      for(size_t r = 1; r != rounds; ++r)
166
0
         {
167
         // Next salt is H(prev_output)
168
0
         sha512->update(tmp);
169
0
         sha512->final(salt_hash.data());
170
171
0
         bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
172
0
         }
173
174
0
      for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i)
175
0
         {
176
0
         const size_t dest = i * blocks + block;
177
0
         if(dest < output_len)
178
0
            output[dest] = out[i];
179
0
         }
180
0
      }
181
0
   }
182
183
}