Botan  2.11.0
Crypto and TLS for C++11
bcrypt_pbkdf.cpp
Go to the documentation of this file.
1 /*
2 * (C) 2018,2019 Jack Lloyd
3 *
4 * Botan is released under the Simplified BSD License (see license.txt)
5 */
6 
7 #include <botan/bcrypt_pbkdf.h>
8 #include <botan/blowfish.h>
9 #include <botan/hash.h>
10 #include <botan/internal/timer.h>
11 
12 namespace Botan {
13 
14 void Bcrypt_PBKDF::derive_key(uint8_t output[], size_t output_len,
15  const char* password, size_t password_len,
16  const uint8_t salt[], size_t salt_len) const
17  {
18  bcrypt_pbkdf(output, output_len,
19  password, password_len,
20  salt, salt_len,
21  m_iterations);
22  }
23 
24 std::string Bcrypt_PBKDF::to_string() const
25  {
26  return "Bcrypt-PBKDF(" + std::to_string(m_iterations) + ")";
27  }
28 
29 std::string Bcrypt_PBKDF_Family::name() const
30  {
31  return "Bcrypt-PBKDF";
32  }
33 
34 std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
35  std::chrono::milliseconds msec,
36  size_t /*max_memory*/) const
37  {
38  Timer timer("Bcrypt_PBKDF");
39  const auto tune_time = BOTAN_PBKDF_TUNING_TIME;
40 
41  const size_t blocks = (output_length + 32 - 1) / 32;
42 
43  if(blocks == 0)
44  return default_params();
45 
46  const size_t starting_iter = 2;
47 
48  timer.run_until_elapsed(tune_time, [&]() {
49  uint8_t output[32] = { 0 };
50  bcrypt_pbkdf(output, sizeof(output), "test", 4, nullptr, 0, starting_iter);
51  });
52 
53  if(timer.events() < blocks || timer.value() == 0)
54  return default_params();
55 
56  const uint64_t measured_time = timer.value() / (timer.events() / blocks);
57 
58  const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);
59 
60  const uint64_t desired_increase = target_nsec / measured_time;
61 
62  if(desired_increase == 0)
63  return this->from_iterations(starting_iter);
64 
65  return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
66  }
67 
68 std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const
69  {
70  return this->from_iterations(32); // About 100 ms on fast machine
71  }
72 
73 std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const
74  {
75  return std::unique_ptr<PasswordHash>(new Bcrypt_PBKDF(iter));
76  }
77 
78 std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const
79  {
80  return this->from_iterations(iter);
81  }
82 
83 namespace {
84 
85 void bcrypt_round(Blowfish& blowfish,
86  const secure_vector<uint8_t>& pass_hash,
87  const secure_vector<uint8_t>& salt_hash,
90  {
91  const size_t BCRYPT_PBKDF_OUTPUT = 32;
92 
93  // "OxychromaticBlowfishSwatDynamite"
94  static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
95  0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D,
96  0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
97  0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74,
98  0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65
99  };
100 
101  const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
102  const size_t BCRYPT_PBKDF_ROUNDS = 64;
103 
104  blowfish.salted_set_key(pass_hash.data(), pass_hash.size(),
105  salt_hash.data(), salt_hash.size(),
106  BCRYPT_PBKDF_WORKFACTOR, true);
107 
108  copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
109  for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)
110  blowfish.encrypt(tmp);
111 
112  /*
113  Bcrypt PBKDF loads the Blowfish output as big endian for no reason
114  in particular. We can't just swap everything once at the end
115  because the (big-endian) values are fed into SHA-512 to generate
116  the salt for the next round
117  */
118  for(size_t i = 0; i != 32/4; ++i)
119  {
120  const uint32_t w = load_le<uint32_t>(tmp.data(), i);
121  store_be(w, &tmp[sizeof(uint32_t)*i]);
122  }
123 
124  xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
125  }
126 
127 }
128 
129 void bcrypt_pbkdf(uint8_t output[], size_t output_len,
130  const char* pass, size_t pass_len,
131  const uint8_t salt[], size_t salt_len,
132  size_t rounds)
133  {
134  BOTAN_ARG_CHECK(rounds >= 1, "Invalid rounds for Bcrypt PBKDF");
135 
136  // No output desired, so we are all done already...
137  if(output_len == 0)
138  return;
139 
140  BOTAN_ARG_CHECK(output_len <= 10*1024*1024, "Too much output for Bcrypt PBKDF");
141 
142  const size_t BCRYPT_BLOCK_SIZE = 32;
143  const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;
144 
145  std::unique_ptr<HashFunction> sha512 = HashFunction::create_or_throw("SHA-512");
146  const secure_vector<uint8_t> pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(pass), pass_len);
147 
148  secure_vector<uint8_t> salt_hash(sha512->output_length());
149 
150  Blowfish blowfish;
151  secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
152  secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);
153 
154  for(size_t block = 0; block != blocks; ++block)
155  {
156  clear_mem(out.data(), out.size());
157 
158  sha512->update(salt, salt_len);
159  sha512->update_be(static_cast<uint32_t>(block + 1));
160  sha512->final(salt_hash.data());
161 
162  bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
163 
164  for(size_t r = 1; r != rounds; ++r)
165  {
166  // Next salt is H(prev_output)
167  sha512->update(tmp);
168  sha512->final(salt_hash.data());
169 
170  bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
171  }
172 
173  for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i)
174  {
175  const size_t dest = i * blocks + block;
176  if(dest < output_len)
177  output[dest] = out[i];
178  }
179  }
180  }
181 
182 }
uint64_t events() const
Definition: timer.h:119
std::string name() const override
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:359
void bcrypt_pbkdf(uint8_t output[], size_t output_len, const char *pass, size_t pass_len, const uint8_t salt[], size_t salt_len, size_t rounds)
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:436
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:111
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:196
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
std::unique_ptr< PasswordHash > tune(size_t output_length, std::chrono::milliseconds msec, size_t max_memory) const override
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:202
size_t salt_len
Definition: x509_obj.cpp:26
void salted_set_key(const uint8_t key[], size_t key_length, const uint8_t salt[], size_t salt_length, const size_t workfactor, bool salt_first=false)
Definition: blowfish.cpp:375
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:122
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
std::unique_ptr< PasswordHash > default_params() const override
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:82
std::string to_string() const override
uint64_t value() const
Definition: timer.h:90
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
std::unique_ptr< PasswordHash > from_params(size_t i, size_t, size_t) const override
void run_until_elapsed(std::chrono::milliseconds msec, F f)
Definition: timer.h:82