Botan  2.8.0
Crypto and TLS for C++11
cryptobox.cpp
Go to the documentation of this file.
1 /*
2 * Cryptobox Message Routines
3 * (C) 2009 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/cryptobox.h>
9 #include <botan/cipher_mode.h>
10 #include <botan/mac.h>
11 #include <botan/rng.h>
12 #include <botan/pbkdf.h>
13 #include <botan/data_src.h>
14 #include <botan/pem.h>
15 #include <botan/loadstor.h>
16 #include <botan/mem_ops.h>
17 
18 namespace Botan {
19 
20 namespace CryptoBox {
21 
22 namespace {
23 
24 /*
25 First 24 bits of SHA-256("Botan Cryptobox"), followed by 8 0 bits
26 for later use as flags, etc if needed
27 */
28 const uint32_t CRYPTOBOX_VERSION_CODE = 0xEFC22400;
29 
30 const size_t VERSION_CODE_LEN = 4;
31 const size_t CIPHER_KEY_LEN = 32;
32 const size_t CIPHER_IV_LEN = 16;
33 const size_t MAC_KEY_LEN = 32;
34 const size_t MAC_OUTPUT_LEN = 20;
35 const size_t PBKDF_SALT_LEN = 10;
36 const size_t PBKDF_ITERATIONS = 8 * 1024;
37 
38 const size_t PBKDF_OUTPUT_LEN = CIPHER_KEY_LEN + MAC_KEY_LEN + CIPHER_IV_LEN;
39 const size_t CRYPTOBOX_HEADER_LEN = VERSION_CODE_LEN + PBKDF_SALT_LEN + MAC_OUTPUT_LEN;
40 
41 }
42 
43 std::string encrypt(const uint8_t input[], size_t input_len,
44  const std::string& passphrase,
46  {
47  /*
48  Output format is:
49  version # (4 bytes)
50  salt (10 bytes)
51  mac (20 bytes)
52  ciphertext
53  */
54  secure_vector<uint8_t> out_buf(CRYPTOBOX_HEADER_LEN + input_len);
55  for(size_t i = 0; i != VERSION_CODE_LEN; ++i)
56  out_buf[i] = get_byte(i, CRYPTOBOX_VERSION_CODE);
57  rng.randomize(&out_buf[VERSION_CODE_LEN], PBKDF_SALT_LEN);
58  // space left for MAC here
59  if(input_len > 0)
60  copy_mem(&out_buf[CRYPTOBOX_HEADER_LEN], input, input_len);
61 
62  // Generate the keys and IV
63 
64  std::unique_ptr<PBKDF> pbkdf(PBKDF::create_or_throw("PBKDF2(HMAC(SHA-512))"));
65 
66  OctetString master_key = pbkdf->derive_key(
67  CIPHER_KEY_LEN + MAC_KEY_LEN + CIPHER_IV_LEN,
68  passphrase,
69  &out_buf[VERSION_CODE_LEN],
70  PBKDF_SALT_LEN,
71  PBKDF_ITERATIONS);
72 
73  const uint8_t* mk = master_key.begin();
74  const uint8_t* cipher_key = mk;
75  const uint8_t* mac_key = mk + CIPHER_KEY_LEN;
76  const uint8_t* iv = mk + CIPHER_KEY_LEN + MAC_KEY_LEN;
77 
78  // Now encrypt and authenticate
79  std::unique_ptr<Cipher_Mode> ctr = Cipher_Mode::create_or_throw("Serpent/CTR-BE", ENCRYPTION);
80  ctr->set_key(cipher_key, CIPHER_KEY_LEN);
81  ctr->start(iv, CIPHER_IV_LEN);
82  ctr->finish(out_buf, CRYPTOBOX_HEADER_LEN);
83 
84  std::unique_ptr<MessageAuthenticationCode> hmac =
86  hmac->set_key(mac_key, MAC_KEY_LEN);
87  if(input_len > 0)
88  hmac->update(&out_buf[CRYPTOBOX_HEADER_LEN], input_len);
89 
90  // Can't write directly because of MAC truncation
91  secure_vector<uint8_t> mac = hmac->final();
92  copy_mem(&out_buf[VERSION_CODE_LEN + PBKDF_SALT_LEN], mac.data(), MAC_OUTPUT_LEN);
93 
94  return PEM_Code::encode(out_buf, "BOTAN CRYPTOBOX MESSAGE");
95  }
96 
98 decrypt_bin(const uint8_t input[], size_t input_len,
99  const std::string& passphrase)
100  {
101  DataSource_Memory input_src(input, input_len);
102  secure_vector<uint8_t> ciphertext =
104  "BOTAN CRYPTOBOX MESSAGE");
105 
106  if(ciphertext.size() < CRYPTOBOX_HEADER_LEN)
107  throw Decoding_Error("Invalid CryptoBox input");
108 
109  for(size_t i = 0; i != VERSION_CODE_LEN; ++i)
110  if(ciphertext[i] != get_byte(i, CRYPTOBOX_VERSION_CODE))
111  throw Decoding_Error("Bad CryptoBox version");
112 
113  const uint8_t* pbkdf_salt = &ciphertext[VERSION_CODE_LEN];
114  const uint8_t* box_mac = &ciphertext[VERSION_CODE_LEN + PBKDF_SALT_LEN];
115 
116  std::unique_ptr<PBKDF> pbkdf(PBKDF::create_or_throw("PBKDF2(HMAC(SHA-512))"));
117 
118  OctetString master_key = pbkdf->derive_key(
119  PBKDF_OUTPUT_LEN,
120  passphrase,
121  pbkdf_salt,
122  PBKDF_SALT_LEN,
123  PBKDF_ITERATIONS);
124 
125  const uint8_t* mk = master_key.begin();
126  const uint8_t* cipher_key = mk;
127  const uint8_t* mac_key = mk + CIPHER_KEY_LEN;
128  const uint8_t* iv = mk + CIPHER_KEY_LEN + MAC_KEY_LEN;
129 
130  // Now authenticate and decrypt
131  std::unique_ptr<MessageAuthenticationCode> hmac =
133  hmac->set_key(mac_key, MAC_KEY_LEN);
134 
135  if(ciphertext.size() > CRYPTOBOX_HEADER_LEN)
136  {
137  hmac->update(&ciphertext[CRYPTOBOX_HEADER_LEN],
138  ciphertext.size() - CRYPTOBOX_HEADER_LEN);
139  }
140  secure_vector<uint8_t> computed_mac = hmac->final();
141 
142  if(!constant_time_compare(computed_mac.data(), box_mac, MAC_OUTPUT_LEN))
143  throw Decoding_Error("CryptoBox integrity failure");
144 
145  std::unique_ptr<Cipher_Mode> ctr(Cipher_Mode::create_or_throw("Serpent/CTR-BE", DECRYPTION));
146  ctr->set_key(cipher_key, CIPHER_KEY_LEN);
147  ctr->start(iv, CIPHER_IV_LEN);
148  ctr->finish(ciphertext, CRYPTOBOX_HEADER_LEN);
149 
150  ciphertext.erase(ciphertext.begin(), ciphertext.begin() + CRYPTOBOX_HEADER_LEN);
151  return ciphertext;
152  }
153 
154 secure_vector<uint8_t> decrypt_bin(const std::string& input,
155  const std::string& passphrase)
156  {
157  return decrypt_bin(cast_char_ptr_to_uint8(input.data()),
158  input.size(),
159  passphrase);
160  }
161 
162 std::string decrypt(const uint8_t input[], size_t input_len,
163  const std::string& passphrase)
164  {
165  const secure_vector<uint8_t> bin = decrypt_bin(input, input_len, passphrase);
166 
167  return std::string(cast_uint8_ptr_to_char(&bin[0]),
168  bin.size());
169  }
170 
171 std::string decrypt(const std::string& input,
172  const std::string& passphrase)
173  {
174  return decrypt(cast_char_ptr_to_uint8(input.data()),
175  input.size(), passphrase);
176  }
177 
178 }
179 
180 }
virtual void randomize(uint8_t output[], size_t length)=0
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:131
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.cpp:51
secure_vector< uint8_t > decrypt_bin(const uint8_t input[], size_t input_len, const std::string &passphrase)
Definition: cryptobox.cpp:98
secure_vector< uint8_t > decode_check_label(DataSource &source, const std::string &label_want)
Definition: pem.cpp:54
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
std::string decrypt(const uint8_t input[], size_t input_len, const std::string &passphrase)
Definition: cryptobox.cpp:162
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:108
Definition: alg_id.cpp:13
static std::unique_ptr< PBKDF > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: pbkdf.cpp:74
const uint8_t * begin() const
Definition: symkey.h:36
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition: mem_ops.h:136
static std::unique_ptr< Cipher_Mode > create_or_throw(const std::string &algo, Cipher_Dir direction, const std::string &provider="")
Definition: cipher_mode.cpp:44
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: mac.cpp:141
uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:39
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
std::string encrypt(const uint8_t input[], size_t input_len, const std::string &passphrase, RandomNumberGenerator &rng)
Definition: cryptobox.cpp:43