Botan  2.12.1
Crypto and TLS for C++11
bcrypt_pbkdf.cpp
Go to the documentation of this file.
1 /*
2 * (C) 2018,2019 Jack Lloyd
3 *
4 * Botan is released under the Simplified BSD License (see license.txt)
5 */
6 
7 #include <botan/bcrypt_pbkdf.h>
8 #include <botan/loadstor.h>
9 #include <botan/blowfish.h>
10 #include <botan/hash.h>
11 #include <botan/internal/timer.h>
12 
13 namespace Botan {
14 
15 void Bcrypt_PBKDF::derive_key(uint8_t output[], size_t output_len,
16  const char* password, size_t password_len,
17  const uint8_t salt[], size_t salt_len) const
18  {
19  bcrypt_pbkdf(output, output_len,
20  password, password_len,
21  salt, salt_len,
22  m_iterations);
23  }
24 
25 std::string Bcrypt_PBKDF::to_string() const
26  {
27  return "Bcrypt-PBKDF(" + std::to_string(m_iterations) + ")";
28  }
29 
30 std::string Bcrypt_PBKDF_Family::name() const
31  {
32  return "Bcrypt-PBKDF";
33  }
34 
35 std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
36  std::chrono::milliseconds msec,
37  size_t /*max_memory*/) const
38  {
39  Timer timer("Bcrypt_PBKDF");
40  const auto tune_time = BOTAN_PBKDF_TUNING_TIME;
41 
42  const size_t blocks = (output_length + 32 - 1) / 32;
43 
44  if(blocks == 0)
45  return default_params();
46 
47  const size_t starting_iter = 2;
48 
49  timer.run_until_elapsed(tune_time, [&]() {
50  uint8_t output[32] = { 0 };
51  bcrypt_pbkdf(output, sizeof(output), "test", 4, nullptr, 0, starting_iter);
52  });
53 
54  if(timer.events() < blocks || timer.value() == 0)
55  return default_params();
56 
57  const uint64_t measured_time = timer.value() / (timer.events() / blocks);
58 
59  const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);
60 
61  const uint64_t desired_increase = target_nsec / measured_time;
62 
63  if(desired_increase == 0)
64  return this->from_iterations(starting_iter);
65 
66  return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
67  }
68 
69 std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const
70  {
71  return this->from_iterations(32); // About 100 ms on fast machine
72  }
73 
74 std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const
75  {
76  return std::unique_ptr<PasswordHash>(new Bcrypt_PBKDF(iter));
77  }
78 
79 std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const
80  {
81  return this->from_iterations(iter);
82  }
83 
84 namespace {
85 
86 void bcrypt_round(Blowfish& blowfish,
87  const secure_vector<uint8_t>& pass_hash,
88  const secure_vector<uint8_t>& salt_hash,
91  {
92  const size_t BCRYPT_PBKDF_OUTPUT = 32;
93 
94  // "OxychromaticBlowfishSwatDynamite"
95  static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
96  0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D,
97  0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
98  0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74,
99  0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65
100  };
101 
102  const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
103  const size_t BCRYPT_PBKDF_ROUNDS = 64;
104 
105  blowfish.salted_set_key(pass_hash.data(), pass_hash.size(),
106  salt_hash.data(), salt_hash.size(),
107  BCRYPT_PBKDF_WORKFACTOR, true);
108 
109  copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
110  for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)
111  blowfish.encrypt(tmp);
112 
113  /*
114  Bcrypt PBKDF loads the Blowfish output as big endian for no reason
115  in particular. We can't just swap everything once at the end
116  because the (big-endian) values are fed into SHA-512 to generate
117  the salt for the next round
118  */
119  for(size_t i = 0; i != 32/4; ++i)
120  {
121  const uint32_t w = load_le<uint32_t>(tmp.data(), i);
122  store_be(w, &tmp[sizeof(uint32_t)*i]);
123  }
124 
125  xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
126  }
127 
128 }
129 
130 void bcrypt_pbkdf(uint8_t output[], size_t output_len,
131  const char* pass, size_t pass_len,
132  const uint8_t salt[], size_t salt_len,
133  size_t rounds)
134  {
135  BOTAN_ARG_CHECK(rounds >= 1, "Invalid rounds for Bcrypt PBKDF");
136 
137  // No output desired, so we are all done already...
138  if(output_len == 0)
139  return;
140 
141  BOTAN_ARG_CHECK(output_len <= 10*1024*1024, "Too much output for Bcrypt PBKDF");
142 
143  const size_t BCRYPT_BLOCK_SIZE = 32;
144  const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;
145 
146  std::unique_ptr<HashFunction> sha512 = HashFunction::create_or_throw("SHA-512");
147  const secure_vector<uint8_t> pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(pass), pass_len);
148 
149  secure_vector<uint8_t> salt_hash(sha512->output_length());
150 
151  Blowfish blowfish;
152  secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
153  secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);
154 
155  for(size_t block = 0; block != blocks; ++block)
156  {
157  clear_mem(out.data(), out.size());
158 
159  sha512->update(salt, salt_len);
160  sha512->update_be(static_cast<uint32_t>(block + 1));
161  sha512->final(salt_hash.data());
162 
163  bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
164 
165  for(size_t r = 1; r != rounds; ++r)
166  {
167  // Next salt is H(prev_output)
168  sha512->update(tmp);
169  sha512->final(salt_hash.data());
170 
171  bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
172  }
173 
174  for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i)
175  {
176  const size_t dest = i * blocks + block;
177  if(dest < output_len)
178  output[dest] = out[i];
179  }
180  }
181  }
182 
183 }
uint64_t events() const
Definition: timer.h:119
std::string name() const override
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:344
void bcrypt_pbkdf(uint8_t output[], size_t output_len, const char *pass, size_t pass_len, const uint8_t salt[], size_t salt_len, size_t rounds)
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:438
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:111
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:198
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
std::unique_ptr< PasswordHash > tune(size_t output_length, std::chrono::milliseconds msec, size_t max_memory) const override
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:207
size_t salt_len
Definition: x509_obj.cpp:25
void salted_set_key(const uint8_t key[], size_t key_length, const uint8_t salt[], size_t salt_length, const size_t workfactor, bool salt_first=false)
Definition: blowfish.cpp:375
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:122
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
std::unique_ptr< PasswordHash > default_params() const override
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:82
std::string to_string() const override
uint64_t value() const
Definition: timer.h:90
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
std::unique_ptr< PasswordHash > from_params(size_t i, size_t, size_t) const override
void run_until_elapsed(std::chrono::milliseconds msec, F f)
Definition: timer.h:82