Botan  1.10.9
cryptobox.cpp
Go to the documentation of this file.
1 /*
2 * Cryptobox Message Routines
3 * (C) 2009 Jack Lloyd
4 *
5 * Distributed under the terms of the Botan license
6 */
7 
8 #include <botan/cryptobox.h>
9 #include <botan/filters.h>
10 #include <botan/pipe.h>
11 #include <botan/lookup.h>
12 #include <botan/sha2_64.h>
13 #include <botan/hmac.h>
14 #include <botan/pbkdf2.h>
15 #include <botan/pem.h>
16 #include <botan/get_byte.h>
17 #include <botan/mem_ops.h>
18 
19 namespace Botan {
20 
21 namespace CryptoBox {
22 
23 namespace {
24 
25 /*
26 First 24 bits of SHA-256("Botan Cryptobox"), followed by 8 0 bits
27 for later use as flags, etc if needed
28 */
29 const u32bit CRYPTOBOX_VERSION_CODE = 0xEFC22400;
30 
31 const size_t VERSION_CODE_LEN = 4;
32 const size_t CIPHER_KEY_LEN = 32;
33 const size_t CIPHER_IV_LEN = 16;
34 const size_t MAC_KEY_LEN = 32;
35 const size_t MAC_OUTPUT_LEN = 20;
36 const size_t PBKDF_SALT_LEN = 10;
37 const size_t PBKDF_ITERATIONS = 8 * 1024;
38 
39 const size_t PBKDF_OUTPUT_LEN = CIPHER_KEY_LEN + CIPHER_IV_LEN + MAC_KEY_LEN;
40 
41 }
42 
43 std::string encrypt(const byte input[], size_t input_len,
44  const std::string& passphrase,
46  {
47  SecureVector<byte> pbkdf_salt(PBKDF_SALT_LEN);
48  rng.randomize(&pbkdf_salt[0], pbkdf_salt.size());
49 
50  PKCS5_PBKDF2 pbkdf(new HMAC(new SHA_512));
51 
52  OctetString master_key = pbkdf.derive_key(
53  PBKDF_OUTPUT_LEN,
54  passphrase,
55  &pbkdf_salt[0],
56  pbkdf_salt.size(),
57  PBKDF_ITERATIONS);
58 
59  const byte* mk = master_key.begin();
60 
61  SymmetricKey cipher_key(&mk[0], CIPHER_KEY_LEN);
62  SymmetricKey mac_key(&mk[CIPHER_KEY_LEN], MAC_KEY_LEN);
63  InitializationVector iv(&mk[CIPHER_KEY_LEN + MAC_KEY_LEN], CIPHER_IV_LEN);
64 
65  Pipe pipe(get_cipher("Serpent/CTR-BE", cipher_key, iv, ENCRYPTION),
66  new Fork(
67  0,
68  new MAC_Filter(new HMAC(new SHA_512),
69  mac_key, MAC_OUTPUT_LEN)));
70 
71  pipe.process_msg(input, input_len);
72 
73  /*
74  Output format is:
75  version # (4 bytes)
76  salt (10 bytes)
77  mac (20 bytes)
78  ciphertext
79  */
80  const size_t ciphertext_len = pipe.remaining(0);
81 
82  SecureVector<byte> out_buf(VERSION_CODE_LEN +
83  PBKDF_SALT_LEN +
84  MAC_OUTPUT_LEN +
85  ciphertext_len);
86 
87  for(size_t i = 0; i != VERSION_CODE_LEN; ++i)
88  out_buf[i] = get_byte(i, CRYPTOBOX_VERSION_CODE);
89 
90  copy_mem(&out_buf[VERSION_CODE_LEN], &pbkdf_salt[0], PBKDF_SALT_LEN);
91 
92  pipe.read(&out_buf[VERSION_CODE_LEN + PBKDF_SALT_LEN], MAC_OUTPUT_LEN, 1);
93  pipe.read(&out_buf[VERSION_CODE_LEN + PBKDF_SALT_LEN + MAC_OUTPUT_LEN],
94  ciphertext_len, 0);
95 
96  return PEM_Code::encode(out_buf, "BOTAN CRYPTOBOX MESSAGE");
97  }
98 
99 std::string decrypt(const byte input[], size_t input_len,
100  const std::string& passphrase)
101  {
102  DataSource_Memory input_src(input, input_len);
103  SecureVector<byte> ciphertext =
105  "BOTAN CRYPTOBOX MESSAGE");
106 
107  if(ciphertext.size() < (VERSION_CODE_LEN + PBKDF_SALT_LEN + MAC_OUTPUT_LEN))
108  throw Decoding_Error("Invalid CryptoBox input");
109 
110  for(size_t i = 0; i != VERSION_CODE_LEN; ++i)
111  if(ciphertext[i] != get_byte(i, CRYPTOBOX_VERSION_CODE))
112  throw Decoding_Error("Bad CryptoBox version");
113 
114  const byte* pbkdf_salt = &ciphertext[VERSION_CODE_LEN];
115 
116  PKCS5_PBKDF2 pbkdf(new HMAC(new SHA_512));
117 
118  OctetString master_key = pbkdf.derive_key(
119  PBKDF_OUTPUT_LEN,
120  passphrase,
121  pbkdf_salt,
122  PBKDF_SALT_LEN,
123  PBKDF_ITERATIONS);
124 
125  const byte* mk = master_key.begin();
126 
127  SymmetricKey cipher_key(&mk[0], CIPHER_KEY_LEN);
128  SymmetricKey mac_key(&mk[CIPHER_KEY_LEN], MAC_KEY_LEN);
129  InitializationVector iv(&mk[CIPHER_KEY_LEN + MAC_KEY_LEN], CIPHER_IV_LEN);
130 
131  Pipe pipe(new Fork(
132  get_cipher("Serpent/CTR-BE", cipher_key, iv, DECRYPTION),
133  new MAC_Filter(new HMAC(new SHA_512),
134  mac_key, MAC_OUTPUT_LEN)));
135 
136  const size_t ciphertext_offset =
137  VERSION_CODE_LEN + PBKDF_SALT_LEN + MAC_OUTPUT_LEN;
138 
139  pipe.process_msg(&ciphertext[ciphertext_offset],
140  ciphertext.size() - ciphertext_offset);
141 
142  byte computed_mac[MAC_OUTPUT_LEN];
143  pipe.read(computed_mac, MAC_OUTPUT_LEN, 1);
144 
145  if(!same_mem(computed_mac,
146  &ciphertext[VERSION_CODE_LEN + PBKDF_SALT_LEN],
147  MAC_OUTPUT_LEN))
148  throw Decoding_Error("CryptoBox integrity failure");
149 
150  return pipe.read_all_as_string(0);
151  }
152 
153 std::string decrypt(const std::string& input,
154  const std::string& passphrase)
155  {
156  return decrypt(reinterpret_cast<const byte*>(&input[0]),
157  input.size(),
158  passphrase);
159  }
160 
161 }
162 
163 }
virtual void randomize(byte output[], size_t length)=0
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:57
size_t read(byte output[], size_t length)
Definition: pipe_rw.cpp:89
std::string read_all_as_string(message_id=DEFAULT_MESSAGE)
Definition: pipe_rw.cpp:117
OctetString derive_key(size_t output_len, const std::string &passphrase, const byte salt[], size_t salt_len, size_t iterations) const
Definition: pbkdf2.cpp:17
byte get_byte(size_t byte_num, T input)
Definition: get_byte.h:21
std::string decrypt(const byte input[], size_t input_len, const std::string &passphrase)
Definition: cryptobox.cpp:99
size_t remaining(message_id msg=DEFAULT_MESSAGE) const
Definition: pipe_rw.cpp:138
unsigned char byte
Definition: types.h:22
RandomNumberGenerator * rng
Definition: global_rng.cpp:165
const byte * begin() const
Definition: symkey.h:35
size_t size() const
Definition: secmem.h:29
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:22
std::string encrypt(const byte input[], size_t input_len, const std::string &passphrase, RandomNumberGenerator &rng)
Definition: cryptobox.cpp:43
std::string encode(const byte der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:19
Keyed_Filter * get_cipher(const std::string &algo_spec, Cipher_Dir direction)
Definition: lookup.cpp:124
SecureVector< byte > decode_check_label(DataSource &source, const std::string &label_want)
Definition: pem.cpp:42
void process_msg(const byte in[], size_t length)
Definition: pipe.cpp:116
unsigned int u32bit
Definition: types.h:32