/src/botan/src/lib/pbkdf/bcrypt_pbkdf/bcrypt_pbkdf.cpp

Source (jump to first uncovered line)
/*
* (C) 2018,2019 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/bcrypt_pbkdf.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/blowfish.h>
#include <botan/hash.h>
#include <botan/internal/timer.h>

namespace Botan {

Bcrypt_PBKDF::Bcrypt_PBKDF(size_t iterations) :
   m_iterations(iterations)
   {
   BOTAN_ARG_CHECK(m_iterations > 0, "Invalid Bcrypt-PBKDF iterations");
   }

std::string Bcrypt_PBKDF::to_string() const
   {
   return "Bcrypt-PBKDF(" + std::to_string(m_iterations) + ")";
   }

std::string Bcrypt_PBKDF_Family::name() const
   {
   return "Bcrypt-PBKDF";
   }

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
                                                        std::chrono::milliseconds msec,
                                                        size_t /*max_memory*/) const
   {
   Timer timer("Bcrypt_PBKDF");
   const auto tune_time = BOTAN_PBKDF_TUNING_TIME;

   const size_t blocks = (output_length + 32 - 1) / 32;

   if(blocks == 0)
      return default_params();

   const size_t starting_iter = 2;

   auto pwhash = this->from_iterations(starting_iter);

   timer.run_until_elapsed(tune_time, [&]() {
      uint8_t output[32] = { 0 };
      pwhash->derive_key(output, sizeof(output),
                         "test", 4,
                         nullptr, 0);
      });

   if(timer.events() < blocks || timer.value() == 0)
      return default_params();

   const uint64_t measured_time = timer.value() / (timer.events() / blocks);

   const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);

   const uint64_t desired_increase = target_nsec / measured_time;

   if(desired_increase == 0)
      return this->from_iterations(starting_iter);

   return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
   }

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const
   {
   return this->from_iterations(32); // About 100 ms on fast machine
   }

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const
   {
   return std::make_unique<Bcrypt_PBKDF>(iter);
   }

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const
   {
   return this->from_iterations(iter);
   }

namespace {

void bcrypt_round(Blowfish& blowfish,
                  const secure_vector<uint8_t>& pass_hash,
                  const secure_vector<uint8_t>& salt_hash,
                  secure_vector<uint8_t>& out,
                  secure_vector<uint8_t>& tmp)
   {
   const size_t BCRYPT_PBKDF_OUTPUT = 32;

   // "OxychromaticBlowfishSwatDynamite"
   alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
      0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D,
      0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
      0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74,
      0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65
   };

   const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
   const size_t BCRYPT_PBKDF_ROUNDS = 64;

   blowfish.salted_set_key(pass_hash.data(), pass_hash.size(),
                           salt_hash.data(), salt_hash.size(),
                           BCRYPT_PBKDF_WORKFACTOR, true);

   copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
   for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)
      blowfish.encrypt(tmp);

   /*
   Bcrypt PBKDF loads the Blowfish output as big endian for no reason
   in particular. We can't just swap everything once at the end
   because the (big-endian) values are fed into SHA-512 to generate
   the salt for the next round
   */
   for(size_t i = 0; i != 32/4; ++i)
      {
      const uint32_t w = load_le<uint32_t>(tmp.data(), i);
      store_be(w, &tmp[sizeof(uint32_t)*i]);
      }

   xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
   }

}

void Bcrypt_PBKDF::derive_key(uint8_t output[], size_t output_len,
                              const char* password, size_t password_len,
                              const uint8_t salt[], size_t salt_len) const
   {
   // No output desired, so we are all done already...
   if(output_len == 0)
      return;

   BOTAN_ARG_CHECK(output_len <= 10*1024*1024, "Too much output for Bcrypt PBKDF");

   const size_t BCRYPT_BLOCK_SIZE = 32;
   const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;

   auto sha512 = HashFunction::create_or_throw("SHA-512");
   const auto pass_hash =
      sha512->process(reinterpret_cast<const uint8_t*>(password), password_len);

   secure_vector<uint8_t> salt_hash(sha512->output_length());

   Blowfish blowfish;
   secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
   secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);

   for(size_t block = 0; block != blocks; ++block)
      {
      clear_mem(out.data(), out.size());

      sha512->update(salt, salt_len);
      sha512->update_be(static_cast<uint32_t>(block + 1));
      sha512->final(salt_hash.data());

      bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);

      for(size_t r = 1; r < m_iterations; ++r)
         {
         // Next salt is H(prev_output)
         sha512->update(tmp);
         sha512->final(salt_hash.data());

         bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
         }

      for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i)
         {
         const size_t dest = i * blocks + block;
         if(dest < output_len)
            output[dest] = out[i];
         }
      }
   }

}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* (C) 2018,2019 Jack Lloyd
3		*
4		* Botan is released under the Simplified BSD License (see license.txt)
5		*/
6
7		#include <botan/bcrypt_pbkdf.h>
8		#include <botan/internal/loadstor.h>
9		#include <botan/internal/blowfish.h>
10		#include <botan/hash.h>
11		#include <botan/internal/timer.h>
12
13		namespace Botan {
14
15		Bcrypt_PBKDF::Bcrypt_PBKDF(size_t iterations) :
16		m_iterations(iterations)
17	0	{
18	0	BOTAN_ARG_CHECK(m_iterations > 0, "Invalid Bcrypt-PBKDF iterations");
19	0	}
20
21		std::string Bcrypt_PBKDF::to_string() const
22	0	{
23	0	return "Bcrypt-PBKDF(" + std::to_string(m_iterations) + ")";
24	0	}
25
26		std::string Bcrypt_PBKDF_Family::name() const
27	0	{
28	0	return "Bcrypt-PBKDF";
29	0	}
30
31		std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
32		std::chrono::milliseconds msec,
33		size_t /max_memory/) const
34	0	{
35	0	Timer timer("Bcrypt_PBKDF");
36	0	const auto tune_time = BOTAN_PBKDF_TUNING_TIME;
37
38	0	const size_t blocks = (output_length + 32 - 1) / 32;
39
40	0	if(blocks == 0)
41	0	return default_params();
42
43	0	const size_t starting_iter = 2;
44
45	0	auto pwhash = this->from_iterations(starting_iter);
46
47	0	timer.run_until_elapsed(tune_time, [&]() {
48	0	uint8_t output[32] = { 0 };
49	0	pwhash->derive_key(output, sizeof(output),
50	0	"test", 4,
51	0	nullptr, 0);
52	0	});
53
54	0	if(timer.events() < blocks \|\| timer.value() == 0)
55	0	return default_params();
56
57	0	const uint64_t measured_time = timer.value() / (timer.events() / blocks);
58
59	0	const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);
60
61	0	const uint64_t desired_increase = target_nsec / measured_time;
62
63	0	if(desired_increase == 0)
64	0	return this->from_iterations(starting_iter);
65
66	0	return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
67	0	}
68
69		std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const
70	0	{
71	0	return this->from_iterations(32); // About 100 ms on fast machine
72	0	}
73
74		std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const
75	0	{
76	0	return std::make_unique<Bcrypt_PBKDF>(iter);
77	0	}
78
79		std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /t/, size_t /p/) const
80	0	{
81	0	return this->from_iterations(iter);
82	0	}
83
84		namespace {
85
86		void bcrypt_round(Blowfish& blowfish,
87		const secure_vector<uint8_t>& pass_hash,
88		const secure_vector<uint8_t>& salt_hash,
89		secure_vector<uint8_t>& out,
90		secure_vector<uint8_t>& tmp)
91	0	{
92	0	const size_t BCRYPT_PBKDF_OUTPUT = 32;
93
94		// "OxychromaticBlowfishSwatDynamite"
95	0	alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
96	0	0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D,
97	0	0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
98	0	0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74,
99	0	0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65
100	0	};
101
102	0	const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
103	0	const size_t BCRYPT_PBKDF_ROUNDS = 64;
104
105	0	blowfish.salted_set_key(pass_hash.data(), pass_hash.size(),
106	0	salt_hash.data(), salt_hash.size(),
107	0	BCRYPT_PBKDF_WORKFACTOR, true);
108
109	0	copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
110	0	for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)
111	0	blowfish.encrypt(tmp);
112
113		/*
114		Bcrypt PBKDF loads the Blowfish output as big endian for no reason
115		in particular. We can't just swap everything once at the end
116		because the (big-endian) values are fed into SHA-512 to generate
117		the salt for the next round
118		*/
119	0	for(size_t i = 0; i != 32/4; ++i)
120	0	{
121	0	const uint32_t w = load_le<uint32_t>(tmp.data(), i);
122	0	store_be(w, &tmp[sizeof(uint32_t)*i]);
123	0	}
124
125	0	xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
126	0	}
127
128		}
129
130		void Bcrypt_PBKDF::derive_key(uint8_t output[], size_t output_len,
131		const char* password, size_t password_len,
132		const uint8_t salt[], size_t salt_len) const
133	0	{
134		// No output desired, so we are all done already...
135	0	if(output_len == 0)
136	0	return;
137
138	0	BOTAN_ARG_CHECK(output_len <= 1010241024, "Too much output for Bcrypt PBKDF");
139
140	0	const size_t BCRYPT_BLOCK_SIZE = 32;
141	0	const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;
142
143	0	auto sha512 = HashFunction::create_or_throw("SHA-512");
144	0	const auto pass_hash =
145	0	sha512->process(reinterpret_cast<const uint8_t*>(password), password_len);
146
147	0	secure_vector<uint8_t> salt_hash(sha512->output_length());
148
149	0	Blowfish blowfish;
150	0	secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
151	0	secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);
152
153	0	for(size_t block = 0; block != blocks; ++block)
154	0	{
155	0	clear_mem(out.data(), out.size());
156
157	0	sha512->update(salt, salt_len);
158	0	sha512->update_be(static_cast<uint32_t>(block + 1));
159	0	sha512->final(salt_hash.data());
160
161	0	bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
162
163	0	for(size_t r = 1; r < m_iterations; ++r)
164	0	{
165		// Next salt is H(prev_output)
166	0	sha512->update(tmp);
167	0	sha512->final(salt_hash.data());
168
169	0	bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
170	0	}
171
172	0	for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i)
173	0	{
174	0	const size_t dest = i * blocks + block;
175	0	if(dest < output_len)
176	0	output[dest] = out[i];
177	0	}
178	0	}
179	0	}
180
181		}

Coverage Report

Created: 2021-11-25 09:31