1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
/*
* (C) 2018,2019 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/bcrypt_pbkdf.h>
#include <botan/blowfish.h>
#include <botan/hash.h>
#include <botan/internal/timer.h>
namespace Botan {
void Bcrypt_PBKDF::derive_key(uint8_t output[], size_t output_len,
const char* password, size_t password_len,
const uint8_t salt[], size_t salt_len) const
{
bcrypt_pbkdf(output, output_len,
password, password_len,
salt, salt_len,
m_iterations);
}
std::string Bcrypt_PBKDF::to_string() const
{
return "Bcrypt-PBKDF(" + std::to_string(m_iterations) + ")";
}
std::string Bcrypt_PBKDF_Family::name() const
{
return "Bcrypt-PBKDF";
}
std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
std::chrono::milliseconds msec,
size_t /*max_memory*/) const
{
Timer timer("Bcrypt_PBKDF");
const auto tune_time = BOTAN_PBKDF_TUNING_TIME;
const size_t blocks = (output_length + 32 - 1) / 32;
if(blocks == 0)
return default_params();
const size_t starting_iter = 2;
timer.run_until_elapsed(tune_time, [&]() {
uint8_t output[32] = { 0 };
bcrypt_pbkdf(output, sizeof(output), "test", 4, nullptr, 0, starting_iter);
});
if(timer.events() < blocks || timer.value() == 0)
return default_params();
const uint64_t measured_time = timer.value() / (timer.events() / blocks);
const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);
const size_t desired_increase = target_nsec / measured_time;
if(desired_increase == 0)
return this->from_iterations(starting_iter);
return this->from_iterations(desired_increase * starting_iter);
}
std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const
{
return this->from_iterations(32); // About 100 ms on fast machine
}
std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const
{
return std::unique_ptr<PasswordHash>(new Bcrypt_PBKDF(iter));
}
std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const
{
return this->from_iterations(iter);
}
namespace {
void bcrypt_round(Blowfish& blowfish,
const secure_vector<uint8_t>& pass_hash,
const secure_vector<uint8_t>& salt_hash,
secure_vector<uint8_t>& out,
secure_vector<uint8_t>& tmp)
{
const size_t BCRYPT_PBKDF_OUTPUT = 32;
// "OxychromaticBlowfishSwatDynamite"
static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D,
0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74,
0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65
};
const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
const size_t BCRYPT_PBKDF_ROUNDS = 64;
blowfish.salted_set_key(pass_hash.data(), pass_hash.size(),
salt_hash.data(), salt_hash.size(),
BCRYPT_PBKDF_WORKFACTOR, true);
copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)
blowfish.encrypt(tmp);
/*
Bcrypt PBKDF loads the Blowfish output as big endian for no reason
in particular. We can't just swap everything once at the end
because the (big-endian) values are fed into SHA-512 to generate
the salt for the next round
*/
for(size_t i = 0; i != 32/4; ++i)
{
const uint32_t w = load_le<uint32_t>(tmp.data(), i);
store_be(w, &tmp[sizeof(uint32_t)*i]);
}
xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
}
}
void bcrypt_pbkdf(uint8_t output[], size_t output_len,
const char* pass, size_t pass_len,
const uint8_t salt[], size_t salt_len,
size_t rounds)
{
BOTAN_ARG_CHECK(rounds >= 1, "Invalid rounds for Bcrypt PBKDF");
// No output desired, so we are all done already...
if(output_len == 0)
return;
BOTAN_ARG_CHECK(output_len <= 10*1024*1024, "Too much output for Bcrypt PBKDF");
const size_t BCRYPT_BLOCK_SIZE = 32;
const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;
std::unique_ptr<HashFunction> sha512 = HashFunction::create_or_throw("SHA-512");
const secure_vector<uint8_t> pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(pass), pass_len);
secure_vector<uint8_t> salt_hash(sha512->output_length());
Blowfish blowfish;
secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);
for(size_t block = 0; block != blocks; ++block)
{
clear_mem(out.data(), out.size());
sha512->update(salt, salt_len);
sha512->update_be(static_cast<uint32_t>(block + 1));
sha512->final(salt_hash.data());
bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
for(size_t r = 1; r != rounds; ++r)
{
// Next salt is H(prev_output)
sha512->update(tmp);
sha512->final(salt_hash.data());
bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
}
for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i)
{
const size_t dest = i * blocks + block;
if(dest < output_len)
output[dest] = out[i];
}
}
}
}
|