Botan 3.0.0
Crypto and TLS for C&
bcrypt_pbkdf.cpp
Go to the documentation of this file.
1/*
2* (C) 2018,2019 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/bcrypt_pbkdf.h>
8#include <botan/internal/loadstor.h>
9#include <botan/internal/blowfish.h>
10#include <botan/internal/timer.h>
11#include <botan/internal/fmt.h>
12#include <botan/hash.h>
13
14namespace Botan {
15
16Bcrypt_PBKDF::Bcrypt_PBKDF(size_t iterations) :
17 m_iterations(iterations)
18 {
19 BOTAN_ARG_CHECK(m_iterations > 0, "Invalid Bcrypt-PBKDF iterations");
20 }
21
22std::string Bcrypt_PBKDF::to_string() const
23 {
24 return fmt("Bcrypt-PBKDF({})", m_iterations);
25 }
26
27std::string Bcrypt_PBKDF_Family::name() const
28 {
29 return "Bcrypt-PBKDF";
30 }
31
32std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
33 std::chrono::milliseconds msec,
34 size_t /*max_memory*/,
35 std::chrono::milliseconds tune_time) const
36 {
37 Timer timer("Bcrypt_PBKDF");
38
39 const size_t blocks = (output_length + 32 - 1) / 32;
40
41 if(blocks == 0)
42 return default_params();
43
44 const size_t starting_iter = 2;
45
46 auto pwhash = this->from_iterations(starting_iter);
47
48 timer.run_until_elapsed(tune_time, [&]() {
49 uint8_t output[32] = { 0 };
50 pwhash->derive_key(output, sizeof(output),
51 "test", 4,
52 nullptr, 0);
53 });
54
55 if(timer.events() < blocks || timer.value() == 0)
56 return default_params();
57
58 const uint64_t measured_time = timer.value() / (timer.events() / blocks);
59
60 const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);
61
62 const uint64_t desired_increase = target_nsec / measured_time;
63
64 if(desired_increase == 0)
65 return this->from_iterations(starting_iter);
66
67 return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
68 }
69
70std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const
71 {
72 return this->from_iterations(32); // About 100 ms on fast machine
73 }
74
75std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const
76 {
77 return std::make_unique<Bcrypt_PBKDF>(iter);
78 }
79
80std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const
81 {
82 return this->from_iterations(iter);
83 }
84
85namespace {
86
87void bcrypt_round(Blowfish& blowfish,
88 const secure_vector<uint8_t>& pass_hash,
89 const secure_vector<uint8_t>& salt_hash,
92 {
93 const size_t BCRYPT_PBKDF_OUTPUT = 32;
94
95 // "OxychromaticBlowfishSwatDynamite"
96 alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
97 0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D,
98 0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
99 0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74,
100 0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65
101 };
102
103 const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
104 const size_t BCRYPT_PBKDF_ROUNDS = 64;
105
106 blowfish.salted_set_key(pass_hash.data(), pass_hash.size(),
107 salt_hash.data(), salt_hash.size(),
108 BCRYPT_PBKDF_WORKFACTOR, true);
109
110 copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
111 for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)
112 blowfish.encrypt(tmp);
113
114 /*
115 Bcrypt PBKDF loads the Blowfish output as big endian for no reason
116 in particular. We can't just swap everything once at the end
117 because the (big-endian) values are fed into SHA-512 to generate
118 the salt for the next round
119 */
120 for(size_t i = 0; i != 32/4; ++i)
121 {
122 const uint32_t w = load_le<uint32_t>(tmp.data(), i);
123 store_be(w, &tmp[sizeof(uint32_t)*i]);
124 }
125
126 xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
127 }
128
129}
130
131void Bcrypt_PBKDF::derive_key(uint8_t output[], size_t output_len,
132 const char* password, size_t password_len,
133 const uint8_t salt[], size_t salt_len) const
134 {
135 // No output desired, so we are all done already...
136 if(output_len == 0)
137 return;
138
139 BOTAN_ARG_CHECK(output_len <= 10*1024*1024, "Too much output for Bcrypt PBKDF");
140
141 const size_t BCRYPT_BLOCK_SIZE = 32;
142 const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;
143
144 auto sha512 = HashFunction::create_or_throw("SHA-512");
145 const auto pass_hash =
146 sha512->process(reinterpret_cast<const uint8_t*>(password), password_len);
147
148 secure_vector<uint8_t> salt_hash(sha512->output_length());
149
150 Blowfish blowfish;
151 secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
152 secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);
153
154 for(size_t block = 0; block != blocks; ++block)
155 {
156 clear_mem(out.data(), out.size());
157
158 sha512->update(salt, salt_len);
159 sha512->update_be(static_cast<uint32_t>(block + 1));
160 sha512->final(salt_hash.data());
161
162 bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
163
164 for(size_t r = 1; r < m_iterations; ++r)
165 {
166 // Next salt is H(prev_output)
167 sha512->update(tmp);
168 sha512->final(salt_hash.data());
169
170 bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
171 }
172
173 for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i)
174 {
175 const size_t dest = i * blocks + block;
176 if(dest < output_len)
177 output[dest] = out[i];
178 }
179 }
180 }
181
182}
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:36
std::unique_ptr< PasswordHash > from_params(size_t i, size_t, size_t) const override
std::unique_ptr< PasswordHash > default_params() const override
std::unique_ptr< PasswordHash > tune(size_t output_length, std::chrono::milliseconds msec, size_t max_memory, std::chrono::milliseconds tune_msec) const override
std::string name() const override
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Bcrypt_PBKDF(size_t iterations)
std::string to_string() const override
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:83
void salted_set_key(const uint8_t key[], size_t key_length, const uint8_t salt[], size_t salt_length, const size_t workfactor, bool salt_first=false)
Definition: blowfish.cpp:384
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition: hash.cpp:320
uint64_t value() const
Definition: timer.h:84
uint64_t events() const
Definition: timer.h:113
void run_until_elapsed(std::chrono::milliseconds msec, F f)
Definition: timer.h:76
Definition: alg_id.cpp:12
constexpr uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:209
std::string fmt(std::string_view format, const T &... args)
Definition: fmt.h:60
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:126
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:255
constexpr void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:449
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:64
constexpr void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115