5079590438

Committed 25 May 2023 12:28PM UTC coverage: 92.228% (+0.5%) from 91.723%

Build # 5079590438

Build Type

Pull #3502

github

Pull Request Pull Request #3502: Apply clang-format to the codebase

Run Details

75589 of 81959 relevant lines covered (92.23%)

12139530.51 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

92.96

/src/lib/pbkdf/bcrypt_pbkdf/bcrypt_pbkdf.cpp

/*
* (C) 2018,2019 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/bcrypt_pbkdf.h>

#include <botan/hash.h>
#include <botan/internal/blowfish.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/timer.h>

namespace Botan {

Bcrypt_PBKDF::Bcrypt_PBKDF(size_t iterations) : m_iterations(iterations) {
   BOTAN_ARG_CHECK(m_iterations > 0, "Invalid Bcrypt-PBKDF iterations");
}

std::string Bcrypt_PBKDF::to_string() const { return fmt("Bcrypt-PBKDF({})", m_iterations); }

std::string Bcrypt_PBKDF_Family::name() const { return "Bcrypt-PBKDF"; }

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
                                                        std::chrono::milliseconds msec,
                                                        size_t /*max_memory*/,
                                                        std::chrono::milliseconds tune_time) const {
   Timer timer("Bcrypt_PBKDF");

   const size_t blocks = (output_length + 32 - 1) / 32;

   if(blocks == 0)
      return default_params();

   const size_t starting_iter = 2;

   auto pwhash = this->from_iterations(starting_iter);

   timer.run_until_elapsed(tune_time, [&]() {
      uint8_t output[32] = {0};
      pwhash->derive_key(output, sizeof(output), "test", 4, nullptr, 0);
   });

   if(timer.events() < blocks || timer.value() == 0)
      return default_params();

   const uint64_t measured_time = timer.value() / (timer.events() / blocks);

   const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);

   const uint64_t desired_increase = target_nsec / measured_time;

   if(desired_increase == 0)
      return this->from_iterations(starting_iter);

   return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
}

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const {
   return this->from_iterations(32);  // About 100 ms on fast machine
}

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const {
   return std::make_unique<Bcrypt_PBKDF>(iter);
}

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /*t*/, size_t /*p*/) const {
   return this->from_iterations(iter);
}

namespace {

void bcrypt_round(Blowfish& blowfish,
                  const secure_vector<uint8_t>& pass_hash,
                  const secure_vector<uint8_t>& salt_hash,
                  secure_vector<uint8_t>& out,
                  secure_vector<uint8_t>& tmp) {
   const size_t BCRYPT_PBKDF_OUTPUT = 32;

   // "OxychromaticBlowfishSwatDynamite"
   alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
      0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D, 0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
      0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74, 0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65};

   const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
   const size_t BCRYPT_PBKDF_ROUNDS = 64;

   blowfish.salted_set_key(
      pass_hash.data(), pass_hash.size(), salt_hash.data(), salt_hash.size(), BCRYPT_PBKDF_WORKFACTOR, true);

   copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
   for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)
      blowfish.encrypt(tmp);

   /*
   Bcrypt PBKDF loads the Blowfish output as big endian for no reason
   in particular. We can't just swap everything once at the end
   because the (big-endian) values are fed into SHA-512 to generate
   the salt for the next round
   */
   for(size_t i = 0; i != 32 / 4; ++i) {
      const uint32_t w = load_le<uint32_t>(tmp.data(), i);
      store_be(w, &tmp[sizeof(uint32_t) * i]);
   }

   xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
}

}

void Bcrypt_PBKDF::derive_key(uint8_t output[],
                              size_t output_len,
                              const char* password,
                              size_t password_len,
                              const uint8_t salt[],
                              size_t salt_len) const {
   // No output desired, so we are all done already...
   if(output_len == 0)
      return;

   BOTAN_ARG_CHECK(output_len <= 10 * 1024 * 1024, "Too much output for Bcrypt PBKDF");

   const size_t BCRYPT_BLOCK_SIZE = 32;
   const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;

   auto sha512 = HashFunction::create_or_throw("SHA-512");
   const auto pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(password), password_len);

   secure_vector<uint8_t> salt_hash(sha512->output_length());

   Blowfish blowfish;
   secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
   secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);

   for(size_t block = 0; block != blocks; ++block) {
      clear_mem(out.data(), out.size());

      sha512->update(salt, salt_len);
      sha512->update_be(static_cast<uint32_t>(block + 1));
      sha512->final(salt_hash.data());

      bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);

      for(size_t r = 1; r < m_iterations; ++r) {
         // Next salt is H(prev_output)
         sha512->update(tmp);
         sha512->final(salt_hash.data());

         bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
      }

      for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i) {
         const size_t dest = i * blocks + block;
         if(dest < output_len)
            output[dest] = out[i];
      }
   }
}

}

1	/*
2	* (C) 2018,2019 Jack Lloyd
3	*
4	* Botan is released under the Simplified BSD License (see license.txt)
5	*/
6
7	#include <botan/bcrypt_pbkdf.h>
8
9	#include <botan/hash.h>
10	#include <botan/internal/blowfish.h>
11	#include <botan/internal/fmt.h>
12	#include <botan/internal/loadstor.h>
13	#include <botan/internal/timer.h>
14
15	namespace Botan {
16
17	Bcrypt_PBKDF::Bcrypt_PBKDF(size_t iterations) : m_iterations(iterations) {	40✔
18	BOTAN_ARG_CHECK(m_iterations > 0, "Invalid Bcrypt-PBKDF iterations");	40✔
19	}	40✔
20
21	std::string Bcrypt_PBKDF::to_string() const { return fmt("Bcrypt-PBKDF({})", m_iterations); }	×
22
23	std::string Bcrypt_PBKDF_Family::name() const { return "Bcrypt-PBKDF"; }	2✔
24
25	std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,	1✔
26	std::chrono::milliseconds msec,
27	size_t /max_memory/,
28	std::chrono::milliseconds tune_time) const {
29	Timer timer("Bcrypt_PBKDF");	1✔
30
31	const size_t blocks = (output_length + 32 - 1) / 32;	1✔
32
33	if(blocks == 0)	1✔
34	return default_params();	×
35
36	const size_t starting_iter = 2;	1✔
37
38	auto pwhash = this->from_iterations(starting_iter);	1✔
39
40	timer.run_until_elapsed(tune_time, [&]() {	1✔
41	uint8_t output[32] = {0};	1✔
42	pwhash->derive_key(output, sizeof(output), "test", 4, nullptr, 0);	1✔
43	});
44
45	if(timer.events() < blocks \|\| timer.value() == 0)	1✔
46	return default_params();	×
47
48	const uint64_t measured_time = timer.value() / (timer.events() / blocks);	1✔
49
50	const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);	1✔
51
52	const uint64_t desired_increase = target_nsec / measured_time;	1✔
53
54	if(desired_increase == 0)	1✔
55	return this->from_iterations(starting_iter);	1✔
56
57	return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));	×
58	}	1✔
59
60	std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const {	1✔
61	return this->from_iterations(32); // About 100 ms on fast machine	1✔
62	}
63
64	std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iter) const {	40✔
65	return std::make_unique<Bcrypt_PBKDF>(iter);	40✔
66	}
67
68	std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iter, size_t /t/, size_t /p/) const {	1✔
69	return this->from_iterations(iter);	1✔
70	}
71
72	namespace {
73
74	void bcrypt_round(Blowfish& blowfish,	443✔
75	const secure_vector<uint8_t>& pass_hash,
76	const secure_vector<uint8_t>& salt_hash,
77	secure_vector<uint8_t>& out,
78	secure_vector<uint8_t>& tmp) {
79	const size_t BCRYPT_PBKDF_OUTPUT = 32;	443✔
80
81	// "OxychromaticBlowfishSwatDynamite"
82	alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {	443✔
83	0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D, 0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
84	0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74, 0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65};
85
86	const size_t BCRYPT_PBKDF_WORKFACTOR = 6;	443✔
87	const size_t BCRYPT_PBKDF_ROUNDS = 64;	443✔
88
89	blowfish.salted_set_key(	443✔
90	pass_hash.data(), pass_hash.size(), salt_hash.data(), salt_hash.size(), BCRYPT_PBKDF_WORKFACTOR, true);
91
92	copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);	443✔
93	for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i)	28,795✔
94	blowfish.encrypt(tmp);	56,704✔
95
96	/*
97	Bcrypt PBKDF loads the Blowfish output as big endian for no reason
98	in particular. We can't just swap everything once at the end
99	because the (big-endian) values are fed into SHA-512 to generate
100	the salt for the next round
101	*/
102	for(size_t i = 0; i != 32 / 4; ++i) {	3,987✔
103	const uint32_t w = load_le<uint32_t>(tmp.data(), i);	3,544✔
104	store_be(w, &tmp[sizeof(uint32_t) * i]);	3,544✔
105	}
106
107	xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);	443✔
108	}	443✔
109
110	}
111
112	void Bcrypt_PBKDF::derive_key(uint8_t output[],	40✔
113	size_t output_len,
114	const char* password,
115	size_t password_len,
116	const uint8_t salt[],
117	size_t salt_len) const {
118	// No output desired, so we are all done already...
119	if(output_len == 0)	40✔
120	return;	×
121
122	BOTAN_ARG_CHECK(output_len <= 10 * 1024 * 1024, "Too much output for Bcrypt PBKDF");	40✔
123
124	const size_t BCRYPT_BLOCK_SIZE = 32;	40✔
125	const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;	40✔
126
127	auto sha512 = HashFunction::create_or_throw("SHA-512");	40✔
128	const auto pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(password), password_len);	40✔
129
130	secure_vector<uint8_t> salt_hash(sha512->output_length());	40✔
131
132	Blowfish blowfish;	40✔
133	secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);	40✔
134	secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);	40✔
135
136	for(size_t block = 0; block != blocks; ++block) {	97✔
137	clear_mem(out.data(), out.size());	57✔
138
139	sha512->update(salt, salt_len);	57✔
140	sha512->update_be(static_cast<uint32_t>(block + 1));	57✔
141	sha512->final(salt_hash.data());	57✔
142
143	bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);	57✔
144
145	for(size_t r = 1; r < m_iterations; ++r) {	443✔
146	// Next salt is H(prev_output)
147	sha512->update(tmp);	386✔
148	sha512->final(salt_hash.data());	386✔
149
150	bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);	386✔
151	}
152
153	for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i) {	1,881✔
154	const size_t dest = i * blocks + block;	1,824✔
155	if(dest < output_len)	1,824✔
156	output[dest] = out[i];	1,546✔
157	}
158	}
159	}	200✔
160
161	}

randombit / botan / 5079590438

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous