Replace all crypto libraries with Botan #6209
Conversation
I've been using this for a few days with KDBX4+AES-256+AES-KDF, no issues yet. SSH Agent can also handle unencrypted Ed25519 and RSA keys correctly in daily use, and my personal test database that decrypts and loads a bunch of different keys seems to work as well. All non-GUI tests have passed on both x86_64 and AArch64 without any issues.
This also works for ChaCha20+Argon2id and encrypted Ed25519 SSH keys. Fabulous work! Looks like Botan is not installed on CI machines yet?
Monster PR, but nice net code reduction.
Does this affect key derivation time? My understanding is that Botan currently does not provide SIMD (SSE, AVX/2/512) acceleration for Argon2, while libargon2 does.
As best I can tell, SSE2/AVX2 does not actually help Argon2 performance that much, probably because most of the cost is in memory access. Comparing at 64M:
- libargon2: 163 ms
- Botan: 134 ms

This is on an i7-6700K running Linux. Possibly I'm comparing the wrong libargon2? These numbers are with https://github.com/P-H-C/phc-winner-argon2
This was the previous implementation of Argon2 that we were using and that Botan has replaced in this PR. At the end of the day I would hope that Argon2 cannot be optimized, otherwise it would be a terrible time-hard KDF. The whole point of Argon2 is to be slow everywhere and incur cost in CPU and memory.
I guess the point is that you want your own Argon2 implementation to be as fast as possible so as to be able to perform as many rounds as possible, because an attacker most certainly will use the most optimised version out there. I really wouldn't use KeePass2's C# implementation for exactly that reason, which is orders of magnitude slower than what we have. Though I doubt that the difference between Botan and libargon2 is really significant, but I didn't benchmark it.
Right, I meant hardware optimization in my comment above.
It will be possible to some extent, but it shouldn't give you a 10x boost.
@phoerious ready for re-review. Left some comments unresolved for your acceptance.
I guess this is good to go once CI is green, but you didn't unindent the namespaces?
I can't unindent them, at least not locally; every time I hit format they re-indent. Do we need to update our format file?
We are now a Botan family!
Selected the [Botan crypto library](https://github.com/randombit/botan) due to feature list, maintainer support, availability across all deployment platforms, and ease of use. Also evaluated Crypto++ as a viable candidate, but the additional features of Botan (PKCS#11, TPM, etc.) won out.
The random number generator received a backend upgrade. Botan prefers hardware-based RNGs and will provide one if available. This is transparent to KeePassXC and a significant improvement over gcrypt.
Replaced Argon2 library with built-in Botan implementation that supports i, d, and id. This requires Botan 2.11.0 or higher. Also simplified the parameter test across KDFs.
Aligned SymmetricCipher parameters with available modes. All encrypt and decrypt operations are done in-place instead of returning new objects. This allows use of secure vectors in the future with no additional overhead.
Took this opportunity to decouple KeeShare from SSH Agent. Removed leftover code from OpenSSHKey and consolidated the SSH Agent code into the same directory. Removed bcrypt and blowfish inserts since they are provided by Botan.
Additionally simplified KeeShare settings interface by removing raw certificate byte data from the user interface. KeeShare will be further refactored in a future PR.
NOTE: This PR breaks backwards compatibility with KeeShare certificates due to different RSA key storage with Botan. As a result, new "own" certificates will need to be generated and trust re-established.
Removed YKChallengeResponseKeyCLI in favor of just using the original implementation with signal/slots.
Removed TestRandom stub since it was just faking random numbers and not actually using the backend. TestRandomGenerator now uses the actual RNG.
Greatly simplified Secret Service plugin's use of crypto functions with Botan.
This refactor directly supports the move to MSVC on Windows. It also supports the inclusion of PKCS#11 hardware tokens for database credentials and use of TPM for in-memory encryption.
Special thanks to @randombit for his work on Botan!
Testing strategy
Tested on all platforms. Xenial and Bionic require use of PPA to bring Botan 2.11 or higher. This version requirement is mainly driven by the Argon2 support.
Type of change