12130573488

Committed 03 Dec 2024 12:33AM UTC coverage: 91.264% (+0.006%) from 91.258%

Build # 12130573488

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #4456 from randombit/jack/split-timer

Split up Timer logic

Run Details

93394 of 102334 relevant lines covered (91.26%)

11563440.65 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

81.37

/src/lib/pbkdf/scrypt/scrypt.cpp

/**
* (C) 2018 Jack Lloyd
* (C) 2018 Ribose Inc
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/scrypt.h>

#include <botan/exceptn.h>
#include <botan/pbkdf2.h>
#include <botan/internal/bit_ops.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/salsa20.h>
#include <botan/internal/time_utils.h>

namespace Botan {

namespace {

size_t scrypt_memory_usage(size_t N, size_t r, size_t p) {
   return 128 * r * (N + p);
}

}  // namespace

std::string Scrypt_Family::name() const {
   return "Scrypt";
}

std::unique_ptr<PasswordHash> Scrypt_Family::default_params() const {
   return std::make_unique<Scrypt>(32768, 8, 1);
}

std::unique_ptr<PasswordHash> Scrypt_Family::tune(size_t output_length,
                                                  std::chrono::milliseconds msec,
                                                  size_t max_memory_usage_mb,
                                                  std::chrono::milliseconds tune_time) const {
   BOTAN_UNUSED(output_length);

   /*
   * Some rough relations between scrypt parameters and runtime.
   * Denote here by stime(N,r,p) the msec it takes to run scrypt.
   *
   * Emperically for smaller sizes:
   * stime(N,8*r,p) / stime(N,r,p) is ~ 6-7
   * stime(N,r,8*p) / stime(N,r,8*p) is ~ 7
   * stime(2*N,r,p) / stime(N,r,p) is ~ 2
   *
   * Compute stime(8192,1,1) as baseline and extrapolate
   */

   // This is zero if max_memory_usage_mb == 0 (unbounded)
   const size_t max_memory_usage = max_memory_usage_mb * 1024 * 1024;

   // Starting parameters
   size_t N = 8 * 1024;
   size_t r = 1;
   size_t p = 1;

   auto pwdhash = this->from_params(N, r, p);

   const uint64_t measured_time = measure_cost(tune_time, [&]() {
      uint8_t output[32] = {0};
      pwdhash->derive_key(output, sizeof(output), "test", 4, nullptr, 0);
   });

   const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);

   uint64_t est_nsec = measured_time;

   // In below code we invoke scrypt_memory_usage with p == 0 as p contributes
   // (very slightly) to memory consumption, but N is the driving factor.
   // Including p leads to using an N half as large as what the user would expect.

   // First increase r by 8x if possible
   if(max_memory_usage == 0 || scrypt_memory_usage(N, r * 8, 0) <= max_memory_usage) {
      if(target_nsec / est_nsec >= 5) {
         r *= 8;
         est_nsec *= 5;
      }
   }

   // Now double N as many times as we can
   while(max_memory_usage == 0 || scrypt_memory_usage(N * 2, r, 0) <= max_memory_usage) {
      if(target_nsec / est_nsec >= 2) {
         N *= 2;
         est_nsec *= 2;
      } else {
         break;
      }
   }

   // If we have extra runtime budget, increment p
   if(target_nsec / est_nsec >= 2) {
      p *= std::min<size_t>(1024, static_cast<size_t>(target_nsec / est_nsec));
   }

   return std::make_unique<Scrypt>(N, r, p);
}

std::unique_ptr<PasswordHash> Scrypt_Family::from_params(size_t N, size_t r, size_t p) const {
   return std::make_unique<Scrypt>(N, r, p);
}

std::unique_ptr<PasswordHash> Scrypt_Family::from_iterations(size_t iter) const {
   const size_t r = 8;
   const size_t p = 1;

   size_t N = 8192;

   if(iter > 50000) {
      N = 16384;
   }
   if(iter > 100000) {
      N = 32768;
   }
   if(iter > 150000) {
      N = 65536;
   }

   return std::make_unique<Scrypt>(N, r, p);
}

Scrypt::Scrypt(size_t N, size_t r, size_t p) : m_N(N), m_r(r), m_p(p) {
   if(!is_power_of_2(N)) {
      throw Invalid_Argument("Scrypt N parameter must be a power of 2");
   }

   if(p == 0 || p > 1024) {
      throw Invalid_Argument("Invalid or unsupported scrypt p");
   }
   if(r == 0 || r > 256) {
      throw Invalid_Argument("Invalid or unsupported scrypt r");
   }
   if(N < 1 || N > 4194304) {
      throw Invalid_Argument("Invalid or unsupported scrypt N");
   }
}

std::string Scrypt::to_string() const {
   return fmt("Scrypt({},{},{})", m_N, m_r, m_p);
}

size_t Scrypt::total_memory_usage() const {
   const size_t N = memory_param();
   const size_t p = parallelism();
   const size_t r = iterations();

   return scrypt_memory_usage(N, r, p);
}

namespace {

void scryptBlockMix(size_t r, uint8_t* B, uint8_t* Y) {
   uint32_t B32[16];
   secure_vector<uint8_t> X(64);
   copy_mem(X.data(), &B[(2 * r - 1) * 64], 64);

   for(size_t i = 0; i != 2 * r; i++) {
      xor_buf(X.data(), &B[64 * i], 64);
      load_le<uint32_t>(B32, X.data(), 16);
      Salsa20::salsa_core(X.data(), B32, 8);
      copy_mem(&Y[64 * i], X.data(), 64);
   }

   for(size_t i = 0; i < r; ++i) {
      copy_mem(&B[i * 64], &Y[(i * 2) * 64], 64);
   }

   for(size_t i = 0; i < r; ++i) {
      copy_mem(&B[(i + r) * 64], &Y[(i * 2 + 1) * 64], 64);
   }
}

void scryptROMmix(size_t r, size_t N, uint8_t* B, secure_vector<uint8_t>& V) {
   const size_t S = 128 * r;

   for(size_t i = 0; i != N; ++i) {
      copy_mem(&V[S * i], B, S);
      scryptBlockMix(r, B, &V[N * S]);
   }

   for(size_t i = 0; i != N; ++i) {
      // compiler doesn't know here that N is power of 2
      const size_t j = load_le<uint32_t>(&B[(2 * r - 1) * 64], 0) & (N - 1);
      xor_buf(B, &V[j * S], S);
      scryptBlockMix(r, B, &V[N * S]);
   }
}

}  // namespace

void Scrypt::derive_key(uint8_t output[],
                        size_t output_len,
                        const char* password,
                        size_t password_len,
                        const uint8_t salt[],
                        size_t salt_len) const {
   const size_t N = memory_param();
   const size_t p = parallelism();
   const size_t r = iterations();

   const size_t S = 128 * r;
   secure_vector<uint8_t> B(p * S);
   // temp space
   secure_vector<uint8_t> V((N + 1) * S);

   auto hmac_sha256 = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)");

   try {
      hmac_sha256->set_key(cast_char_ptr_to_uint8(password), password_len);
   } catch(Invalid_Key_Length&) {
      throw Invalid_Argument("Scrypt cannot accept passphrases of the provided length");
   }

   pbkdf2(*hmac_sha256, B.data(), B.size(), salt, salt_len, 1);

   // these can be parallel
   for(size_t i = 0; i != p; ++i) {
      scryptROMmix(r, N, &B[128 * r * i], V);
   }

   pbkdf2(*hmac_sha256, output, output_len, B.data(), B.size(), 1);
}

}  // namespace Botan

1	/**
2	* (C) 2018 Jack Lloyd
3	* (C) 2018 Ribose Inc
4	*
5	* Botan is released under the Simplified BSD License (see license.txt)
6	*/
7
8	#include <botan/scrypt.h>
9
10	#include <botan/exceptn.h>
11	#include <botan/pbkdf2.h>
12	#include <botan/internal/bit_ops.h>
13	#include <botan/internal/fmt.h>
14	#include <botan/internal/loadstor.h>
15	#include <botan/internal/salsa20.h>
16	#include <botan/internal/time_utils.h>
17
18	namespace Botan {
19
20	namespace {
21
22	size_t scrypt_memory_usage(size_t N, size_t r, size_t p) {	24✔
23	return 128 * r * (N + p);	24✔
24	}
25
26	} // namespace
27
28	std::string Scrypt_Family::name() const {	1✔
29	return "Scrypt";	1✔
30	}
31
32	std::unique_ptr<PasswordHash> Scrypt_Family::default_params() const {	2✔
33	return std::make_unique<Scrypt>(32768, 8, 1);	2✔
34	}
35
36	std::unique_ptr<PasswordHash> Scrypt_Family::tune(size_t output_length,	241✔
37	std::chrono::milliseconds msec,
38	size_t max_memory_usage_mb,
39	std::chrono::milliseconds tune_time) const {
40	BOTAN_UNUSED(output_length);	241✔
41
42	/*
43	* Some rough relations between scrypt parameters and runtime.
44	* Denote here by stime(N,r,p) the msec it takes to run scrypt.
45	*
46	* Emperically for smaller sizes:
47	* stime(N,8*r,p) / stime(N,r,p) is ~ 6-7
48	* stime(N,r,8p) / stime(N,r,8p) is ~ 7
49	* stime(2*N,r,p) / stime(N,r,p) is ~ 2
50	*
51	* Compute stime(8192,1,1) as baseline and extrapolate
52	*/
53
54	// This is zero if max_memory_usage_mb == 0 (unbounded)
55	const size_t max_memory_usage = max_memory_usage_mb * 1024 * 1024;	241✔
56
57	// Starting parameters
58	size_t N = 8 * 1024;	241✔
59	size_t r = 1;	241✔
60	size_t p = 1;	241✔
61
62	auto pwdhash = this->from_params(N, r, p);	241✔
63
64	const uint64_t measured_time = measure_cost(tune_time, [&]() {	241✔
65	uint8_t output[32] = {0};	241✔
66	pwdhash->derive_key(output, sizeof(output), "test", 4, nullptr, 0);	241✔
67	});
68
69	const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);	241✔
70
71	uint64_t est_nsec = measured_time;	241✔
72
73	// In below code we invoke scrypt_memory_usage with p == 0 as p contributes
74	// (very slightly) to memory consumption, but N is the driving factor.
75	// Including p leads to using an N half as large as what the user would expect.
76
77	// First increase r by 8x if possible
78	if(max_memory_usage == 0 \|\| scrypt_memory_usage(N, r * 8, 0) <= max_memory_usage) {	241✔
79	if(target_nsec / est_nsec >= 5) {	241✔
80	r *= 8;	6✔
81	est_nsec *= 5;	6✔
82	}
83	}
84
85	// Now double N as many times as we can
86	while(max_memory_usage == 0 \|\| scrypt_memory_usage(N * 2, r, 0) <= max_memory_usage) {	245✔
87	if(target_nsec / est_nsec >= 2) {	245✔
88	N *= 2;	4✔
89	est_nsec *= 2;	4✔
90	} else {
91	break;
92	}
93	}
94
95	// If we have extra runtime budget, increment p
96	if(target_nsec / est_nsec >= 2) {	241✔
97	p *= std::min<size_t>(1024, static_cast<size_t>(target_nsec / est_nsec));	×
98	}
99
100	return std::make_unique<Scrypt>(N, r, p);	241✔
101	}	241✔
102
103	std::unique_ptr<PasswordHash> Scrypt_Family::from_params(size_t N, size_t r, size_t p) const {	509✔
104	return std::make_unique<Scrypt>(N, r, p);	509✔
105	}
106
107	std::unique_ptr<PasswordHash> Scrypt_Family::from_iterations(size_t iter) const {	×
108	const size_t r = 8;	×
109	const size_t p = 1;	×
110
111	size_t N = 8192;	×
112
113	if(iter > 50000) {	×
114	N = 16384;	×
115	}
116	if(iter > 100000) {	×
117	N = 32768;	×
118	}
119	if(iter > 150000) {	×
120	N = 65536;	×
121	}
122
123	return std::make_unique<Scrypt>(N, r, p);	×
124	}
125
126	Scrypt::Scrypt(size_t N, size_t r, size_t p) : m_N(N), m_r(r), m_p(p) {	752✔
127	if(!is_power_of_2(N)) {	752✔
128	throw Invalid_Argument("Scrypt N parameter must be a power of 2");	×
129	}
130
131	if(p == 0 \|\| p > 1024) {	752✔
132	throw Invalid_Argument("Invalid or unsupported scrypt p");	×
133	}
134	if(r == 0 \|\| r > 256) {	752✔
135	throw Invalid_Argument("Invalid or unsupported scrypt r");	×
136	}
137	if(N < 1 \|\| N > 4194304) {	752✔
138	throw Invalid_Argument("Invalid or unsupported scrypt N");	×
139	}
140	}	752✔
141
142	std::string Scrypt::to_string() const {	4✔
143	return fmt("Scrypt({},{},{})", m_N, m_r, m_p);	4✔
144	}
145
146	size_t Scrypt::total_memory_usage() const {	20✔
147	const size_t N = memory_param();	20✔
148	const size_t p = parallelism();	20✔
149	const size_t r = iterations();	20✔
150
151	return scrypt_memory_usage(N, r, p);	20✔
152	}
153
154	namespace {
155
156	void scryptBlockMix(size_t r, uint8_t* B, uint8_t* Y) {	17,171,928✔
157	uint32_t B32[16];	17,171,928✔
158	secure_vector<uint8_t> X(64);	17,171,928✔
159	copy_mem(X.data(), &B[(2 * r - 1) * 64], 64);	17,171,928✔
160
161	for(size_t i = 0; i != 2 * r; i++) {	128,652,968✔
162	xor_buf(X.data(), &B[64 * i], 64);	111,481,040✔
163	load_le<uint32_t>(B32, X.data(), 16);	111,481,040✔
164	Salsa20::salsa_core(X.data(), B32, 8);	111,481,040✔
165	copy_mem(&Y[64 * i], X.data(), 64);	111,481,040✔
166	}
167
168	for(size_t i = 0; i < r; ++i) {	72,912,448✔
169	copy_mem(&B[i * 64], &Y[(i * 2) * 64], 64);	55,740,520✔
170	}
171
172	for(size_t i = 0; i < r; ++i) {	72,912,448✔
173	copy_mem(&B[(i + r) * 64], &Y[(i * 2 + 1) * 64], 64);	55,740,520✔
174	}
175	}	17,171,928✔
176
177	void scryptROMmix(size_t r, size_t N, uint8_t* B, secure_vector<uint8_t>& V) {	1,115✔
178	const size_t S = 128 * r;	1,115✔
179
180	for(size_t i = 0; i != N; ++i) {	8,587,079✔
181	copy_mem(&V[S * i], B, S);	8,585,964✔
182	scryptBlockMix(r, B, &V[N * S]);	8,585,964✔
183	}
184
185	for(size_t i = 0; i != N; ++i) {	8,587,079✔
186	// compiler doesn't know here that N is power of 2
187	const size_t j = load_le<uint32_t>(&B[(2 * r - 1) * 64], 0) & (N - 1);	8,585,964✔
188	xor_buf(B, &V[j * S], S);	8,585,964✔
189	scryptBlockMix(r, B, &V[N * S]);	8,585,964✔
190	}
191	}	1,115✔
192
193	} // namespace
194
195	void Scrypt::derive_key(uint8_t output[],	752✔
196	size_t output_len,
197	const char* password,
198	size_t password_len,
199	const uint8_t salt[],
200	size_t salt_len) const {
201	const size_t N = memory_param();	752✔
202	const size_t p = parallelism();	752✔
203	const size_t r = iterations();	752✔
204
205	const size_t S = 128 * r;	752✔
206	secure_vector<uint8_t> B(p * S);	752✔
207	// temp space
208	secure_vector<uint8_t> V((N + 1) * S);	752✔
209
210	auto hmac_sha256 = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)");	752✔
211
212	try {	752✔
213	hmac_sha256->set_key(cast_char_ptr_to_uint8(password), password_len);	752✔
214	} catch(Invalid_Key_Length&) {	×
215	throw Invalid_Argument("Scrypt cannot accept passphrases of the provided length");	×
216	}	×
217
218	pbkdf2(*hmac_sha256, B.data(), B.size(), salt, salt_len, 1);	752✔
219
220	// these can be parallel
221	for(size_t i = 0; i != p; ++i) {	1,867✔
222	scryptROMmix(r, N, &B[128 * r * i], V);	1,115✔
223	}
224
225	pbkdf2(*hmac_sha256, output, output_len, B.data(), B.size(), 1);	752✔
226	}	2,256✔
227
228	} // namespace Botan

randombit / botan / 12130573488

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous