Botan 3.7.1
Crypto and TLS for C&
bcrypt_pbkdf.cpp
Go to the documentation of this file.
1/*
2* (C) 2018,2019 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/bcrypt_pbkdf.h>
8
9#include <botan/hash.h>
10#include <botan/internal/blowfish.h>
11#include <botan/internal/fmt.h>
12#include <botan/internal/loadstor.h>
13#include <botan/internal/time_utils.h>
14
15namespace Botan {
16
17Bcrypt_PBKDF::Bcrypt_PBKDF(size_t iterations) : m_iterations(iterations) {
18 BOTAN_ARG_CHECK(m_iterations > 0, "Invalid Bcrypt-PBKDF iterations");
19}
20
21std::string Bcrypt_PBKDF::to_string() const {
22 return fmt("Bcrypt-PBKDF({})", m_iterations);
23}
24
25std::string Bcrypt_PBKDF_Family::name() const {
26 return "Bcrypt-PBKDF";
27}
28
29std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
30 std::chrono::milliseconds msec,
31 size_t /*max_memory*/,
32 std::chrono::milliseconds tune_time) const {
33 const size_t blocks = (output_length + 32 - 1) / 32;
34
35 if(blocks == 0) {
36 return default_params();
37 }
38
39 const size_t starting_iter = 2;
40
41 auto pwhash = this->from_iterations(starting_iter);
42
43 auto tune_fn = [&]() {
44 uint8_t output[32] = {0};
45 pwhash->derive_key(output, sizeof(output), "test", 4, nullptr, 0);
46 };
47
48 const uint64_t measured_time = measure_cost(tune_time, tune_fn) / blocks;
49
50 const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);
51
52 const uint64_t desired_increase = target_nsec / measured_time;
53
54 if(desired_increase == 0) {
55 return this->from_iterations(starting_iter);
56 }
57
58 return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
59}
60
61std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const {
62 return this->from_iterations(32); // About 100 ms on fast machine
63}
64
65std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const {
66 return std::make_unique<Bcrypt_PBKDF>(iter);
67}
68
69std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const {
70 return this->from_iterations(iter);
71}
72
73namespace {
74
75void bcrypt_round(Blowfish& blowfish,
76 const secure_vector<uint8_t>& pass_hash,
77 const secure_vector<uint8_t>& salt_hash,
78 secure_vector<uint8_t>& out,
79 secure_vector<uint8_t>& tmp) {
80 const size_t BCRYPT_PBKDF_OUTPUT = 32;
81
82 // "OxychromaticBlowfishSwatDynamite"
83 alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
84 0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D, 0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
85 0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74, 0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65};
86
87 const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
88 const size_t BCRYPT_PBKDF_ROUNDS = 64;
89
90 blowfish.salted_set_key(
91 pass_hash.data(), pass_hash.size(), salt_hash.data(), salt_hash.size(), BCRYPT_PBKDF_WORKFACTOR, true);
92
93 copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
94 for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i) {
95 blowfish.encrypt(tmp);
96 }
97
98 /*
99 Bcrypt PBKDF loads the Blowfish output as big endian for no reason
100 in particular. We can't just swap everything once at the end
101 because the (big-endian) values are fed into SHA-512 to generate
102 the salt for the next round
103 */
104 for(size_t i = 0; i != 32 / 4; ++i) {
105 const uint32_t w = load_le<uint32_t>(tmp.data(), i);
106 store_be(w, &tmp[sizeof(uint32_t) * i]);
107 }
108
109 xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
110}
111
112} // namespace
113
114void Bcrypt_PBKDF::derive_key(uint8_t output[],
115 size_t output_len,
116 const char* password,
117 size_t password_len,
118 const uint8_t salt[],
119 size_t salt_len) const {
120 // No output desired, so we are all done already...
121 if(output_len == 0) {
122 return;
123 }
124
125 BOTAN_ARG_CHECK(output_len <= 10 * 1024 * 1024, "Too much output for Bcrypt PBKDF");
126
127 const size_t BCRYPT_BLOCK_SIZE = 32;
128 const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;
129
130 auto sha512 = HashFunction::create_or_throw("SHA-512");
131 const auto pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(password), password_len);
132
133 secure_vector<uint8_t> salt_hash(sha512->output_length());
134
135 Blowfish blowfish;
136 secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
137 secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);
138
139 for(size_t block = 0; block != blocks; ++block) {
140 clear_mem(out.data(), out.size());
141
142 sha512->update(salt, salt_len);
143 sha512->update_be(static_cast<uint32_t>(block + 1));
144 sha512->final(salt_hash.data());
145
146 bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
147
148 for(size_t r = 1; r < m_iterations; ++r) {
149 // Next salt is H(prev_output)
150 sha512->update(tmp);
151 sha512->final(salt_hash.data());
152
153 bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
154 }
155
156 for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i) {
157 const size_t dest = i * blocks + block;
158 if(dest < output_len) {
159 output[dest] = out[i];
160 }
161 }
162 }
163}
164
165} // namespace Botan
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
Botan::Bcrypt_PBKDF_Family::from_params
std::unique_ptr< PasswordHash > from_params(size_t i, size_t, size_t) const override
Definition bcrypt_pbkdf.cpp:69
Botan::Bcrypt_PBKDF_Family::default_params
std::unique_ptr< PasswordHash > default_params() const override
Definition bcrypt_pbkdf.cpp:61
Botan::Bcrypt_PBKDF_Family::tune
std::unique_ptr< PasswordHash > tune(size_t output_length, std::chrono::milliseconds msec, size_t max_memory, std::chrono::milliseconds tune_msec) const override
Definition bcrypt_pbkdf.cpp:29
Botan::Bcrypt_PBKDF_Family::name
std::string name() const override
Definition bcrypt_pbkdf.cpp:25
Botan::Bcrypt_PBKDF_Family::from_iterations
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
Definition bcrypt_pbkdf.cpp:65
Botan::Bcrypt_PBKDF::derive_key
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Definition bcrypt_pbkdf.cpp:114
Botan::Bcrypt_PBKDF::Bcrypt_PBKDF
Bcrypt_PBKDF(size_t iterations)
Definition bcrypt_pbkdf.cpp:17
Botan::Bcrypt_PBKDF::to_string
std::string to_string() const override
Definition bcrypt_pbkdf.cpp:21
Botan::BlockCipher::encrypt
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition block_cipher.h:75
Botan::Blowfish::salted_set_key
void salted_set_key(const uint8_t key[], size_t key_length, const uint8_t salt[], size_t salt_length, size_t workfactor, bool salt_first=false)
Definition blowfish.cpp:326
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:521
Botan::xor_buf
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:342
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::measure_cost
uint64_t measure_cost(std::chrono::milliseconds trial_msec, F func)
Definition time_utils.h:21
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:147
Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:773
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:121
Generated by doxygen 1.12.0