Botan  2.4.0
Crypto and TLS for C++11
pgp_s2k.cpp
Go to the documentation of this file.
1 /*
2 * OpenPGP S2K
3 * (C) 1999-2007,2017 Jack Lloyd
4 *
5 * Distributed under the terms of the Botan license
6 */
7 
8 #include <botan/pgp_s2k.h>
9 
10 namespace Botan {
11 
12 /*
13 PGP stores the iteration count as a single byte
14 Thus it can only actually take on one of 256 values, based on the
15 formula in RFC 4880 section 3.6.1.3
16 */
17 static const uint32_t OPENPGP_S2K_ITERS[256] = {
18  1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600,
19  1664, 1728, 1792, 1856, 1920, 1984, 2048, 2176, 2304, 2432,
20  2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712,
21  3840, 3968, 4096, 4352, 4608, 4864, 5120, 5376, 5632, 5888,
22  6144, 6400, 6656, 6912, 7168, 7424, 7680, 7936, 8192, 8704,
23  9216, 9728, 10240, 10752, 11264, 11776, 12288, 12800, 13312,
24  13824, 14336, 14848, 15360, 15872, 16384, 17408, 18432, 19456,
25  20480, 21504, 22528, 23552, 24576, 25600, 26624, 27648, 28672,
26  29696, 30720, 31744, 32768, 34816, 36864, 38912, 40960, 43008,
27  45056, 47104, 49152, 51200, 53248, 55296, 57344, 59392, 61440,
28  63488, 65536, 69632, 73728, 77824, 81920, 86016, 90112, 94208,
29  98304, 102400, 106496, 110592, 114688, 118784, 122880, 126976,
30  131072, 139264, 147456, 155648, 163840, 172032, 180224, 188416,
31  196608, 204800, 212992, 221184, 229376, 237568, 245760, 253952,
32  262144, 278528, 294912, 311296, 327680, 344064, 360448, 376832,
33  393216, 409600, 425984, 442368, 458752, 475136, 491520, 507904,
34  524288, 557056, 589824, 622592, 655360, 688128, 720896, 753664,
35  786432, 819200, 851968, 884736, 917504, 950272, 983040, 1015808,
36  1048576, 1114112, 1179648, 1245184, 1310720, 1376256, 1441792,
37  1507328, 1572864, 1638400, 1703936, 1769472, 1835008, 1900544,
38  1966080, 2031616, 2097152, 2228224, 2359296, 2490368, 2621440,
39  2752512, 2883584, 3014656, 3145728, 3276800, 3407872, 3538944,
40  3670016, 3801088, 3932160, 4063232, 4194304, 4456448, 4718592,
41  4980736, 5242880, 5505024, 5767168, 6029312, 6291456, 6553600,
42  6815744, 7077888, 7340032, 7602176, 7864320, 8126464, 8388608,
43  8912896, 9437184, 9961472, 10485760, 11010048, 11534336,
44  12058624, 12582912, 13107200, 13631488, 14155776, 14680064,
45  15204352, 15728640, 16252928, 16777216, 17825792, 18874368,
46  19922944, 20971520, 22020096, 23068672, 24117248, 25165824,
47  26214400, 27262976, 28311552, 29360128, 30408704, 31457280,
48  32505856, 33554432, 35651584, 37748736, 39845888, 41943040,
49  44040192, 46137344, 48234496, 50331648, 52428800, 54525952,
50  56623104, 58720256, 60817408, 62914560, 65011712 };
51 
52 //static
53 uint8_t OpenPGP_S2K::encode_count(size_t desired_iterations)
54  {
55  /*
56  Only 256 different iterations are actually representable in OpenPGP format ...
57  */
58  for(size_t c = 0; c < 256; ++c)
59  {
60  const uint32_t decoded_iter = OPENPGP_S2K_ITERS[c];
61  if(decoded_iter >= desired_iterations)
62  return static_cast<uint8_t>(c);
63  }
64 
65  return 255;
66  }
67 
68 //static
69 size_t OpenPGP_S2K::decode_count(uint8_t iter)
70  {
71  return OPENPGP_S2K_ITERS[iter];
72  }
73 
74 size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len,
75  const std::string& passphrase,
76  const uint8_t salt[], size_t salt_len,
77  size_t iterations,
78  std::chrono::milliseconds msec) const
79  {
80  if(iterations == 0 && msec.count() > 0) // FIXME
81  throw Not_Implemented("OpenPGP_S2K does not implemented timed KDF");
82 
83  if(iterations > 1 && salt_len == 0)
84  throw Invalid_Argument("OpenPGP_S2K requires a salt in iterated mode");
85 
86  secure_vector<uint8_t> input_buf(salt_len + passphrase.size());
87  if(salt_len > 0)
88  {
89  copy_mem(&input_buf[0], salt, salt_len);
90  }
91  if(passphrase.empty() == false)
92  {
93  copy_mem(&input_buf[salt_len],
94  cast_char_ptr_to_uint8(passphrase.data()),
95  passphrase.size());
96  }
97 
98  secure_vector<uint8_t> hash_buf(m_hash->output_length());
99 
100  size_t pass = 0;
101  size_t generated = 0;
102 
103  while(generated != output_len)
104  {
105  const size_t output_this_pass =
106  std::min(hash_buf.size(), output_len - generated);
107 
108  // Preload some number of zero bytes (empty first iteration)
109  std::vector<uint8_t> zero_padding(pass);
110  m_hash->update(zero_padding);
111 
112  // The input is always fully processed even if iterations is very small
113  if(input_buf.empty() == false)
114  {
115  size_t left = std::max(iterations, input_buf.size());
116  while(left > 0)
117  {
118  const size_t input_to_take = std::min(left, input_buf.size());
119  m_hash->update(input_buf.data(), input_to_take);
120  left -= input_to_take;
121  }
122  }
123 
124  m_hash->final(hash_buf.data());
125  copy_mem(output_buf + generated, hash_buf.data(), output_this_pass);
126  generated += output_this_pass;
127  ++pass;
128  }
129 
130  return iterations;
131  }
132 
133 }
static size_t decode_count(uint8_t encoded_iter)
Definition: pgp_s2k.cpp:69
static uint8_t encode_count(size_t iterations)
Definition: pgp_s2k.cpp:53
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:120
size_t salt_len
Definition: x509_obj.cpp:25
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:97
Definition: alg_id.cpp:13
size_t pbkdf(uint8_t output_buf[], size_t output_len, const std::string &passphrase, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) const override
Definition: pgp_s2k.cpp:74
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88