20695955577

Committed 04 Jan 2026 04:39PM UTC coverage: 90.421% (-0.004%) from 90.425%

Build # 20695955577

Build Type

Pull #5124

github

Committed by

web-flow

Commit Message

Merge bb7705222 into f283c5d29

Pull Request Pull Request #5124: Cooperative Cancellation in PasswordHash

Run Details

101705 of 112480 relevant lines covered (90.42%)

12785278.28 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

94.37

/src/lib/pbkdf/bcrypt_pbkdf/bcrypt_pbkdf.cpp

/*
* (C) 2018,2019 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/bcrypt_pbkdf.h>

#include <botan/hash.h>
#include <botan/internal/blowfish.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/mem_utils.h>
#include <botan/internal/time_utils.h>

namespace Botan {

Bcrypt_PBKDF::Bcrypt_PBKDF(size_t iterations) : m_iterations(iterations) {
   BOTAN_ARG_CHECK(m_iterations > 0, "Invalid Bcrypt-PBKDF iterations");
}

std::string Bcrypt_PBKDF::to_string() const {
   return fmt("Bcrypt-PBKDF({})", m_iterations);
}

std::string Bcrypt_PBKDF_Family::name() const {
   return "Bcrypt-PBKDF";
}

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,
                                                        std::chrono::milliseconds msec,
                                                        size_t /*max_memory*/,
                                                        std::chrono::milliseconds tune_time) const {
   const size_t blocks = (output_length + 32 - 1) / 32;

   if(blocks == 0) {
      return default_params();
   }

   const size_t starting_iter = 2;

   auto pwhash = this->from_iterations(starting_iter);

   auto tune_fn = [&]() {
      uint8_t output[32] = {0};
      pwhash->derive_key(output, sizeof(output), "test", 4, nullptr, 0);
   };

   const uint64_t measured_time = measure_cost(tune_time, tune_fn) / blocks;

   const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);

   const uint64_t desired_increase = target_nsec / measured_time;

   if(desired_increase == 0) {
      return this->from_iterations(starting_iter);
   }

   return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));
}

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const {
   return this->from_iterations(32);  // About 100 ms on fast machine
}

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iterations) const {
   return std::make_unique<Bcrypt_PBKDF>(iterations);
}

std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iterations, size_t /*t*/, size_t /*p*/) const {
   return this->from_iterations(iterations);
}

namespace {

void bcrypt_round(Blowfish& blowfish,
                  const secure_vector<uint8_t>& pass_hash,
                  const secure_vector<uint8_t>& salt_hash,
                  secure_vector<uint8_t>& out,
                  secure_vector<uint8_t>& tmp,
                  const std::optional<std::stop_token>& stop_token) {
   const size_t BCRYPT_PBKDF_OUTPUT = 32;

   // "OxychromaticBlowfishSwatDynamite"
   alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {
      0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D, 0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
      0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74, 0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65};

   const size_t BCRYPT_PBKDF_WORKFACTOR = 6;
   const size_t BCRYPT_PBKDF_ROUNDS = 64;

   blowfish.salted_set_key(pass_hash.data(),
                           pass_hash.size(),
                           salt_hash.data(),
                           salt_hash.size(),
                           BCRYPT_PBKDF_WORKFACTOR,
                           true,
                           stop_token);

   copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);
   for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i) {
      blowfish.encrypt(tmp);
   }

   /*
   Bcrypt PBKDF loads the Blowfish output as big endian for no reason
   in particular. We can't just swap everything once at the end
   because the (big-endian) values are fed into SHA-512 to generate
   the salt for the next round
   */
   for(size_t i = 0; i != 32 / 4; ++i) {
      const uint32_t w = load_le<uint32_t>(tmp.data(), i);
      store_be(w, &tmp[sizeof(uint32_t) * i]);
   }

   xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);
}

}  // namespace

void Bcrypt_PBKDF::derive_key(uint8_t output[],
                              size_t output_len,
                              const char* password,
                              size_t password_len,
                              const uint8_t salt[],
                              size_t salt_len,
                              const std::optional<std::stop_token>& stop_token) const {
   // No output desired, so we are all done already...
   if(output_len == 0) {
      return;
   }

   BOTAN_ARG_CHECK(output_len <= 10 * 1024 * 1024, "Too much output for Bcrypt PBKDF");

   const size_t BCRYPT_BLOCK_SIZE = 32;
   const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;

   auto sha512 = HashFunction::create_or_throw("SHA-512");
   const auto pass_hash = sha512->process(as_span_of_bytes(password, password_len));

   secure_vector<uint8_t> salt_hash(sha512->output_length());

   Blowfish blowfish;
   secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
   secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);

   for(size_t block = 0; block != blocks; ++block) {
      clear_mem(out.data(), out.size());

      sha512->update(salt, salt_len);
      sha512->update_be(static_cast<uint32_t>(block + 1));
      sha512->final(salt_hash.data());

      bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp, stop_token);

      for(size_t r = 1; r < m_iterations; ++r) {
         // Next salt is H(prev_output)
         sha512->update(tmp);
         sha512->final(salt_hash.data());

         bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp, stop_token);
      }

      for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i) {
         const size_t dest = i * blocks + block;
         if(dest < output_len) {
            output[dest] = out[i];
         }
      }
   }
}

}  // namespace Botan

1	/*
2	* (C) 2018,2019 Jack Lloyd
3	*
4	* Botan is released under the Simplified BSD License (see license.txt)
5	*/
6
7	#include <botan/bcrypt_pbkdf.h>
8
9	#include <botan/hash.h>
10	#include <botan/internal/blowfish.h>
11	#include <botan/internal/fmt.h>
12	#include <botan/internal/loadstor.h>
13	#include <botan/internal/mem_utils.h>
14	#include <botan/internal/time_utils.h>
15
16	namespace Botan {
17
18	Bcrypt_PBKDF::Bcrypt_PBKDF(size_t iterations) : m_iterations(iterations) {	42✔
19	BOTAN_ARG_CHECK(m_iterations > 0, "Invalid Bcrypt-PBKDF iterations");	42✔
20	}	42✔
21
22	std::string Bcrypt_PBKDF::to_string() const {	×
23	return fmt("Bcrypt-PBKDF({})", m_iterations);	×
24	}
25
26	std::string Bcrypt_PBKDF_Family::name() const {	2✔
27	return "Bcrypt-PBKDF";	2✔
28	}
29
30	std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::tune(size_t output_length,	2✔
31	std::chrono::milliseconds msec,
32	size_t /max_memory/,
33	std::chrono::milliseconds tune_time) const {
34	const size_t blocks = (output_length + 32 - 1) / 32;	2✔
35
36	if(blocks == 0) {	2✔
37	return default_params();	×
38	}
39
40	const size_t starting_iter = 2;	2✔
41
42	auto pwhash = this->from_iterations(starting_iter);	2✔
43
44	auto tune_fn = [&]() {	12✔
45	uint8_t output[32] = {0};	10✔
46	pwhash->derive_key(output, sizeof(output), "test", 4, nullptr, 0);	10✔
47	};	10✔
48
49	const uint64_t measured_time = measure_cost(tune_time, tune_fn) / blocks;	2✔
50
51	const uint64_t target_nsec = msec.count() * static_cast<uint64_t>(1000000);	2✔
52
53	const uint64_t desired_increase = target_nsec / measured_time;	2✔
54
55	if(desired_increase == 0) {	2✔
56	return this->from_iterations(starting_iter);	1✔
57	}
58
59	return this->from_iterations(static_cast<size_t>(desired_increase * starting_iter));	1✔
60	}	2✔
61
62	std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::default_params() const {	1✔
63	return this->from_iterations(32); // About 100 ms on fast machine	1✔
64	}
65
66	std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_iterations(size_t iterations) const {	42✔
67	return std::make_unique<Bcrypt_PBKDF>(iterations);	42✔
68	}
69
70	std::unique_ptr<PasswordHash> Bcrypt_PBKDF_Family::from_params(size_t iterations, size_t /t/, size_t /p/) const {	1✔
71	return this->from_iterations(iterations);	1✔
72	}
73
74	namespace {
75
76	void bcrypt_round(Blowfish& blowfish,	546✔
77	const secure_vector<uint8_t>& pass_hash,
78	const secure_vector<uint8_t>& salt_hash,
79	secure_vector<uint8_t>& out,
80	secure_vector<uint8_t>& tmp,
81	const std::optional<std::stop_token>& stop_token) {
82	const size_t BCRYPT_PBKDF_OUTPUT = 32;	546✔
83
84	// "OxychromaticBlowfishSwatDynamite"
85	alignas(64) static const uint8_t BCRYPT_PBKDF_MAGIC[BCRYPT_PBKDF_OUTPUT] = {	546✔
86	0x4F, 0x78, 0x79, 0x63, 0x68, 0x72, 0x6F, 0x6D, 0x61, 0x74, 0x69, 0x63, 0x42, 0x6C, 0x6F, 0x77,
87	0x66, 0x69, 0x73, 0x68, 0x53, 0x77, 0x61, 0x74, 0x44, 0x79, 0x6E, 0x61, 0x6D, 0x69, 0x74, 0x65};
88
89	const size_t BCRYPT_PBKDF_WORKFACTOR = 6;	546✔
90	const size_t BCRYPT_PBKDF_ROUNDS = 64;	546✔
91
92	blowfish.salted_set_key(pass_hash.data(),	546✔
93	pass_hash.size(),
94	salt_hash.data(),
95	salt_hash.size(),
96	BCRYPT_PBKDF_WORKFACTOR,
97	true,
98	stop_token);
99
100	copy_mem(tmp.data(), BCRYPT_PBKDF_MAGIC, BCRYPT_PBKDF_OUTPUT);	545✔
101	for(size_t i = 0; i != BCRYPT_PBKDF_ROUNDS; ++i) {	35,425✔
102	blowfish.encrypt(tmp);	69,760✔
103	}
104
105	/*
106	Bcrypt PBKDF loads the Blowfish output as big endian for no reason
107	in particular. We can't just swap everything once at the end
108	because the (big-endian) values are fed into SHA-512 to generate
109	the salt for the next round
110	*/
111	for(size_t i = 0; i != 32 / 4; ++i) {	4,905✔
112	const uint32_t w = load_le<uint32_t>(tmp.data(), i);	4,360✔
113	store_be(w, &tmp[sizeof(uint32_t) * i]);	4,360✔
114	}
115
116	xor_buf(out.data(), tmp.data(), BCRYPT_PBKDF_OUTPUT);	545✔
117	}	545✔
118
119	} // namespace
120
121	void Bcrypt_PBKDF::derive_key(uint8_t output[],	50✔
122	size_t output_len,
123	const char* password,
124	size_t password_len,
125	const uint8_t salt[],
126	size_t salt_len,
127	const std::optional<std::stop_token>& stop_token) const {
128	// No output desired, so we are all done already...
129	if(output_len == 0) {	50✔
130	return;	×
131	}
132
133	BOTAN_ARG_CHECK(output_len <= 10 * 1024 * 1024, "Too much output for Bcrypt PBKDF");	50✔
134
135	const size_t BCRYPT_BLOCK_SIZE = 32;	50✔
136	const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;	50✔
137
138	auto sha512 = HashFunction::create_or_throw("SHA-512");	50✔
139	const auto pass_hash = sha512->process(as_span_of_bytes(password, password_len));	50✔
140
141	secure_vector<uint8_t> salt_hash(sha512->output_length());	51✔
142
143	Blowfish blowfish;	50✔
144	secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);	50✔
145	secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);	51✔
146
147	for(size_t block = 0; block != blocks; ++block) {	116✔
148	clear_mem(out.data(), out.size());	67✔
149
150	sha512->update(salt, salt_len);	67✔
151	sha512->update_be(static_cast<uint32_t>(block + 1));	67✔
152	sha512->final(salt_hash.data());	67✔
153
154	bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp, stop_token);	67✔
155
156	for(size_t r = 1; r < m_iterations; ++r) {	545✔
157	// Next salt is H(prev_output)
158	sha512->update(tmp);	479✔
159	sha512->final(salt_hash.data());	479✔
160
161	bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp, stop_token);	479✔
162	}
163
164	for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i) {	2,178✔
165	const size_t dest = i * blocks + block;	2,112✔
166	if(dest < output_len) {	2,112✔
167	output[dest] = out[i];	1,834✔
168	}
169	}
170	}
171	}	249✔
172
173	} // namespace Botan

randombit / botan / 20695955577

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous