Sodium::Pwhash create keys based on time cost.
Add #craete_key and #craete_kdf.
This commit is contained in:
		
							parent
							
								
									5196ee992e
								
							
						
					
					
						commit
						c3a9fe178a
					
				
					 2 changed files with 124 additions and 17 deletions
				
			
		|  | @ -98,6 +98,23 @@ describe Sodium::Pwhash do | |||
|     kdf = pwhash.derive_kdf salt, "foo", 32 | ||||
|   end | ||||
| 
 | ||||
|   it "creates a key and sets parameters by time" do | ||||
|     pwhash = pw_min | ||||
|     tcost = 0.2 | ||||
|     pwhash.tcost = tcost | ||||
|     salt = pwhash.random_salt | ||||
|     key, pwcreate = pwhash.create_key salt, "foo", 32 | ||||
| 
 | ||||
|     pwcreate.memlimit.should be > pwhash.memlimit | ||||
|     pwcreate.opslimit.should be > pwhash.opslimit | ||||
| 
 | ||||
|     ts = Time.measure do | ||||
|       key.should eq pwcreate.derive_key(salt, "foo", 32) | ||||
|     end | ||||
|     # ts should be within +|- 10%.  allow up to 20% | ||||
|     (ts.to_f - tcost).abs.should be < (tcost * 0.2) | ||||
|   end | ||||
| 
 | ||||
|   it "PyNaCl key vectors" do | ||||
|     test_vectors "modular_crypt_argon2i_hashes.json", Sodium::Pwhash::Mode::Argon2i13 | ||||
|     test_vectors "modular_crypt_argon2id_hashes.json", Sodium::Pwhash::Mode::Argon2id13 | ||||
|  |  | |||
|  | @ -31,7 +31,7 @@ module Sodium | |||
|       Argon2id13 = 2 | ||||
| 
 | ||||
|       # The currently recommended algorithm, which can change from one version of libsodium to another. | ||||
|       def default | ||||
|       def self.default | ||||
|         Mode.new LibSodium.crypto_pwhash_alg_default | ||||
|       end | ||||
|     end | ||||
|  | @ -40,10 +40,21 @@ module Sodium | |||
|     # Specified in bytes. | ||||
|     property memlimit = MEMLIMIT_INTERACTIVE | ||||
| 
 | ||||
|     # Only used by create_key. | ||||
|     # Specified in seconds. | ||||
|     property tcost = 0.1 | ||||
|     # Only used by create_key. | ||||
|     property memlimit_min = MEMLIMIT_MIN | ||||
|     # Only used by create_key. | ||||
|     # Specified in bytes. | ||||
|     # defaults to 256M. | ||||
|     # TODO: defaults to 1/4 RAM (not swap). | ||||
|     property memlimit_max : UInt64 = 256_u64 * 1024 * 1024 | ||||
| 
 | ||||
|     # Used by and must be set before calling #derive_key | ||||
|     property mode : Mode? | ||||
| 
 | ||||
|     # Apply the most recent password hashing algorithm agains a password. | ||||
|     # Apply the most recent password hashing algorithm against a password. | ||||
|     # Returns a opaque String which includes: | ||||
|     # * the result of a memory-hard, CPU-intensive hash function applied to the password | ||||
|     # * the automatically generated salt used for the previous computation | ||||
|  | @ -69,6 +80,7 @@ module Sodium | |||
|       self | ||||
|     end | ||||
| 
 | ||||
|     # Check if a password verification string str matches the parameters opslimit and memlimit, and the current default algorithm. | ||||
|     def needs_rehash?(str) : Bool | ||||
|       # BUG: verify str length | ||||
|       case LibSodium.crypto_pwhash_str_needs_rehash(str, @opslimit, @memlimit) | ||||
|  | @ -81,30 +93,108 @@ module Sodium | |||
|       end | ||||
|     end | ||||
| 
 | ||||
|     # Returns a consistent key based on [salt, pass, key_bytes, mode, ops_limit, mem_limit] in a SecureBuffer | ||||
|     # | ||||
|     # Must set a mode before calling. | ||||
|     #    def set_params(secs, *, min_mem = MEMLIMIT_MIN, max_mem = 256*1024*1024) | ||||
|     #    end | ||||
| 
 | ||||
|     def derive_key(salt, pass, key_bytes) | ||||
|       derive_key salt.to_slice, pass.to_slice, key_bytes | ||||
|     end | ||||
| 
 | ||||
|     def derive_key(salt : Bytes, pass : Bytes, key_bytes) : SecureBuffer | ||||
|     # Returns a consistent key based on [salt, pass, key_bytes, mode, ops_limit, mem_limit] in a SecureBuffer | ||||
|     # | ||||
|     # Must set a mode before calling. | ||||
|     def derive_key(salt : Bytes | String, pass : Bytes | String, key_bytes) : SecureBuffer | ||||
|       raise "salt expected #{SALT_SIZE} bytes, got #{salt.bytesize} " if salt.bytesize != SALT_SIZE | ||||
|       m = mode || raise ArgumentError.new("mode not set") | ||||
| 
 | ||||
|       if m = mode | ||||
|         key = SecureBuffer.new key_bytes | ||||
|         if LibSodium.crypto_pwhash(key.to_slice, key.bytesize, pass, pass.bytesize, salt, @opslimit, @memlimit, m) != 0 | ||||
|           raise Sodium::Error.new("crypto_pwhash_str") | ||||
|         end | ||||
|         key | ||||
|       else | ||||
|         raise ArgumentError.new("mode not set") | ||||
|       key = SecureBuffer.new key_bytes | ||||
|       derive_key key, m, salt, pass | ||||
|       key.readonly | ||||
|     end | ||||
| 
 | ||||
|     private def derive_key(key : SecureBuffer, m : Mode, salt : Bytes | String, pass : Bytes | String) : Nil | ||||
|       if LibSodium.crypto_pwhash(key.to_slice, key.bytesize, pass.to_slice, pass.bytesize, salt.to_slice, @opslimit, @memlimit, m) != 0 | ||||
|         raise Sodium::Error.new("crypto_pwhash") | ||||
|       end | ||||
|     end | ||||
| 
 | ||||
|     # Derives a key using derive_key and returns KDF.new(key) | ||||
|     def derive_kdf(salt, pass, key_bytes) : Kdf | ||||
|       key = derive_key salt, pass, key_bytes | ||||
|     private def time_derive_key(key, m, salt, pass) | ||||
|       # TODO: switch to CPU time | ||||
|       ts = Time.measure do | ||||
|         derive_key key, m, salt, pass | ||||
|       end | ||||
|       ts | ||||
|     end | ||||
| 
 | ||||
|     # Returns a consistent key based on [salt, pass, key_bytes, mode] in a SecureBuffer **and** a new `Pwhash` with new params. | ||||
|     # Params on the new `Pwhash` are set to run in approximately `tcost` seconds. | ||||
|     # Make sure you store `mode`, `opslimit` and `memlimit` for later use with #derive_key. | ||||
|     # `Mode` has #to_s and #from_s for use with configuration files or databases. | ||||
|     def create_key(salt : Bytes | String, pass : Bytes | String, key_bytes) : {SecureBuffer, self} | ||||
|       pw = dup | ||||
|       key = pw.create_key! salt, pass, key_bytes | ||||
|       {key, pw} | ||||
|     end | ||||
| 
 | ||||
|     # :nodoc: | ||||
|     def create_key!(salt : Bytes | String, pass : Bytes | String, key_bytes) : SecureBuffer | ||||
|       m = self.mode ||= Mode.default | ||||
| 
 | ||||
|       @opslimit = OPSLIMIT_MIN | ||||
|       @memlimit = MEMLIMIT_MIN | ||||
| 
 | ||||
|       key = SecureBuffer.new key_bytes | ||||
| 
 | ||||
|       nsamples = 10 | ||||
|       samples = nsamples.times.map do | ||||
|         ts = time_derive_key key, m, salt, pass | ||||
|       end.to_a | ||||
|       mean = samples.sum / nsamples | ||||
|       return key.readonly if mean.to_f >= @tcost | ||||
| 
 | ||||
|       # initial sample to avoid overshooting on busy systems | ||||
|       # round to nearest pow2 / 3 | ||||
|       mult = Math.pw2ceil ((@tcost / 3.0 / mean.to_f).ceil.to_i) | ||||
|       @memlimit = (@memlimit * mult).clamp(@memlimit_min, @memlimit_max) | ||||
| 
 | ||||
|       last_memlimit = @memlimit | ||||
|       while @memlimit != @memlimit_max | ||||
|         ts = time_derive_key key, m, salt, pass | ||||
|         # tcost exceeded by memlimit_min | ||||
|         return key.readonly if ts.to_f >= @tcost * 0.9 | ||||
|         # / 3 to keep rounds > 1 mitigating attacks against argon with a low number of rounds | ||||
|         break if ts.to_f >= (@tcost / 3.0) * 0.9 | ||||
|         last_memlimit = @memlimit | ||||
|         # increments of 1K for compatibility with other libraries. | ||||
|         @memlimit = (((@memlimit / 1024).to_f * Math.max(1.1, (@tcost / ts.to_f / 3.0))).ceil.to_u64 * 1024).clamp(@memlimit_min, @memlimit_max) | ||||
|         # stopped making progress | ||||
|         break if @memlimit == last_memlimit | ||||
|       end | ||||
| 
 | ||||
|       last_opslimit = @opslimit | ||||
|       loop do | ||||
|         ts = time_derive_key key, m, salt, pass | ||||
|         # 90% is close enough | ||||
|         break if ts.to_f >= @tcost * 0.90 | ||||
|         last_opslimit = @opslimit | ||||
|         @opslimit = (@opslimit.to_f * Math.max(1.1, (@tcost / ts.to_f))).ceil.to_u64 | ||||
|         # stopped making progress | ||||
|         break if @opslimit == last_opslimit | ||||
|       end | ||||
| 
 | ||||
|       key.readonly | ||||
|     end | ||||
| 
 | ||||
|     # Creates a key using create_key and returns `{ KDF.new(key), Pwhash }` | ||||
|     # See #create_key for more details. | ||||
|     def create_kdf(salt, pass, key_bytes) : {Kdf, self} | ||||
|       key, pwhash = create_key salt.to_slice, pass.to_slice, key_bytes | ||||
|       {Kdf.new(key), pwhash} | ||||
|     end | ||||
| 
 | ||||
|     # Derives a key using derive_key and returns `KDF.new(key)` | ||||
|     def derive_kdf(salt, pass, key_bytes) | ||||
|       key = derive_key salt.to_slice, pass.to_slice, key_bytes | ||||
|       Kdf.new key | ||||
|     end | ||||
| 
 | ||||
|  |  | |||
		Loading…
	
	Add table
		
		Reference in a new issue
	
	 Didactic Drunk
						Didactic Drunk