doxygen/pgp__s2k_8cpp_source.html

/*

* OpenPGP S2K

* (C) 1999-2007,2017 Jack Lloyd

* (C) 2018 Ribose Inc

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/pgp_s2k.h>


#include <botan/exceptn.h>

#include <botan/mem_ops.h>

#include <botan/internal/fmt.h>

#include <botan/internal/mem_utils.h>

#include <botan/internal/time_utils.h>

#include <algorithm>


namespace Botan {


namespace {


void pgp_s2k(HashFunction& hash,

             uint8_t output_buf[],

             size_t output_len,

             const char* password,

             const size_t password_size,

             const uint8_t salt[],

             size_t salt_len,

             size_t iterations) {

   if(iterations > 1 && salt_len == 0) {

      throw Invalid_Argument("OpenPGP S2K requires a salt in iterated mode");

   }


   secure_vector<uint8_t> input_buf(salt_len + password_size);

   if(salt_len > 0) {

      copy_mem(input_buf.data(), salt, salt_len);

   }

   if(password_size > 0) {

      copy_mem(std::span(input_buf).subspan(salt_len), as_span_of_bytes(password, password_size));

   }


   secure_vector<uint8_t> hash_buf(hash.output_length());


   size_t pass = 0;

   size_t generated = 0;


   while(generated != output_len) {

      const size_t output_this_pass = std::min(hash_buf.size(), output_len - generated);


      // Preload some number of zero bytes (empty first iteration)

      std::vector<uint8_t> zero_padding(pass);

      hash.update(zero_padding);


      // The input is always fully processed even if iterations is very small

      if(!input_buf.empty()) {

         size_t left = std::max(iterations, input_buf.size());

         while(left > 0) {

            const size_t input_to_take = std::min(left, input_buf.size());

            hash.update(input_buf.data(), input_to_take);

            left -= input_to_take;

         }

      }


      hash.final(hash_buf.data());

      copy_mem(output_buf + generated, hash_buf.data(), output_this_pass);

      generated += output_this_pass;

      ++pass;

   }

}


}  // namespace


size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[],

                          size_t output_len,

                          std::string_view password,

                          const uint8_t salt[],

                          size_t salt_len,

                          size_t iterations,

                          std::chrono::milliseconds msec) const {

   std::unique_ptr<PasswordHash> pwdhash;


   if(iterations == 0) {

      RFC4880_S2K_Family s2k_params(m_hash->new_object());

      iterations = s2k_params.tune(output_len, msec, 0, std::chrono::milliseconds(10))->iterations();

   }


   pgp_s2k(*m_hash, output_buf, output_len, password.data(), password.size(), salt, salt_len, iterations);


   return iterations;

}


std::string RFC4880_S2K_Family::name() const {

   return fmt("OpenPGP-S2K({})", m_hash->name());

}


std::unique_ptr<PasswordHash> RFC4880_S2K_Family::tune(size_t output_len,

                                                       std::chrono::milliseconds msec,

                                                       size_t /*max_memory_usage_mb*/,

                                                       std::chrono::milliseconds tune_time) const {

   constexpr size_t buf_size = 1024;

   std::vector<uint8_t> buffer(buf_size);


   const uint64_t measured_nsec = measure_cost(tune_time, [&]() { m_hash->update(buffer); });


   const double hash_bytes_per_second = (buf_size * 1000000000.0) / measured_nsec;

   const uint64_t desired_nsec = msec.count() * 1000000;


   const size_t hash_size = m_hash->output_length();

   const size_t blocks_required = (output_len <= hash_size ? 1 : (output_len + hash_size - 1) / hash_size);


   const double bytes_to_be_hashed = (hash_bytes_per_second * (desired_nsec / 1000000000.0)) / blocks_required;

   const size_t iterations = RFC4880_round_iterations(static_cast<size_t>(bytes_to_be_hashed));


   return std::make_unique<RFC4880_S2K>(m_hash->new_object(), iterations);

}


std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_params(size_t iterations,

                                                              size_t /*unused*/,

                                                              size_t /*unused*/) const {

   return std::make_unique<RFC4880_S2K>(m_hash->new_object(), iterations);

}


std::unique_ptr<PasswordHash> RFC4880_S2K_Family::default_params() const {

   return std::make_unique<RFC4880_S2K>(m_hash->new_object(), 50331648);

}


std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_iterations(size_t iterations) const {

   return std::make_unique<RFC4880_S2K>(m_hash->new_object(), iterations);

}


RFC4880_S2K::RFC4880_S2K(std::unique_ptr<HashFunction> hash, size_t iterations) :

      m_hash(std::move(hash)), m_iterations(iterations) {}


std::string RFC4880_S2K::to_string() const {

   return fmt("OpenPGP-S2K({},{})", m_hash->name(), m_iterations);

}


void RFC4880_S2K::derive_key(uint8_t out[],

                             size_t out_len,

                             const char* password,

                             const size_t password_len,

                             const uint8_t salt[],

                             size_t salt_len) const {

   pgp_s2k(*m_hash, out, out_len, password, password_len, salt, salt_len, m_iterations);

}


}  // namespace Botan

Botan::HashFunction
Definition hash.h:21

Botan::Invalid_Argument
Definition exceptn.h:131

Botan::OpenPGP_S2K::pbkdf
size_t pbkdf(uint8_t output_buf[], size_t output_len, std::string_view passphrase, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) const override
Definition pgp_s2k.cpp:73

Botan::PasswordHash::hash
void hash(std::span< uint8_t > out, std::string_view password, std::span< const uint8_t > salt) const
Definition pwdhash.h:84

Botan::RFC4880_S2K_Family
Definition pgp_s2k.h:104

Botan::RFC4880_S2K_Family::from_iterations
std::unique_ptr< PasswordHash > from_iterations(size_t iterations) const override
Definition pgp_s2k.cpp:127

Botan::RFC4880_S2K_Family::default_params
std::unique_ptr< PasswordHash > default_params() const override
Definition pgp_s2k.cpp:123

Botan::RFC4880_S2K_Family::from_params
std::unique_ptr< PasswordHash > from_params(size_t iterations, size_t, size_t) const override
Definition pgp_s2k.cpp:117

Botan::RFC4880_S2K_Family::tune
std::unique_ptr< PasswordHash > tune(size_t output_len, std::chrono::milliseconds msec, size_t max_mem, std::chrono::milliseconds tune_msec) const override
Definition pgp_s2k.cpp:96

Botan::RFC4880_S2K_Family::name
std::string name() const override
Definition pgp_s2k.cpp:92

Botan::RFC4880_S2K::to_string
std::string to_string() const override
Definition pgp_s2k.cpp:134

Botan::RFC4880_S2K::derive_key
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Definition pgp_s2k.cpp:138

Botan::RFC4880_S2K::iterations
size_t iterations() const override
Definition pgp_s2k.h:90

Botan::RFC4880_S2K::RFC4880_S2K
RFC4880_S2K(std::unique_ptr< HashFunction > hash, size_t iterations)
Definition pgp_s2k.cpp:131

Botan
Definition alg_id.cpp:13

Botan::as_span_of_bytes
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:28

Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69

Botan::measure_cost
uint64_t measure_cost(std::chrono::milliseconds trial_msec, F func)
Definition time_utils.h:21

Botan::RFC4880_round_iterations
size_t RFC4880_round_iterations(size_t iterations)
Definition rfc4880.h:32