Botan  2.8.0
Crypto and TLS for C++11
pgp_s2k.cpp
Go to the documentation of this file.
1 /*
2 * OpenPGP S2K
3 * (C) 1999-2007,2017 Jack Lloyd
4 * (C) 2018 Ribose Inc
5 *
6 * Distributed under the terms of the Botan license
7 */
8 
9 #include <botan/pgp_s2k.h>
10 #include <botan/exceptn.h>
11 #include <botan/internal/timer.h>
12 
13 namespace Botan {
14 
15 uint8_t RFC4880_encode_count(size_t desired_iterations)
16  {
17  /*
18  Only 256 different iterations are actually representable in OpenPGP format ...
19  */
20  for(size_t c = 0; c < 256; ++c)
21  {
22  // TODO could binary search
23  const size_t decoded_iter = RFC4880_decode_count(static_cast<uint8_t>(c));
24  if(decoded_iter >= desired_iterations)
25  return static_cast<uint8_t>(c);
26  }
27 
28  return 255;
29  }
30 
31 size_t RFC4880_decode_count(uint8_t iter)
32  {
33  /*
34  PGP stores the iteration count as a single byte
35  Thus it can only actually take on one of 256 values, based on the
36  formula in RFC 4880 section 3.6.1.3
37  */
38  static const uint32_t OPENPGP_S2K_ITERS[256] = {
39  1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600,
40  1664, 1728, 1792, 1856, 1920, 1984, 2048, 2176, 2304, 2432,
41  2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712,
42  3840, 3968, 4096, 4352, 4608, 4864, 5120, 5376, 5632, 5888,
43  6144, 6400, 6656, 6912, 7168, 7424, 7680, 7936, 8192, 8704,
44  9216, 9728, 10240, 10752, 11264, 11776, 12288, 12800, 13312,
45  13824, 14336, 14848, 15360, 15872, 16384, 17408, 18432, 19456,
46  20480, 21504, 22528, 23552, 24576, 25600, 26624, 27648, 28672,
47  29696, 30720, 31744, 32768, 34816, 36864, 38912, 40960, 43008,
48  45056, 47104, 49152, 51200, 53248, 55296, 57344, 59392, 61440,
49  63488, 65536, 69632, 73728, 77824, 81920, 86016, 90112, 94208,
50  98304, 102400, 106496, 110592, 114688, 118784, 122880, 126976,
51  131072, 139264, 147456, 155648, 163840, 172032, 180224, 188416,
52  196608, 204800, 212992, 221184, 229376, 237568, 245760, 253952,
53  262144, 278528, 294912, 311296, 327680, 344064, 360448, 376832,
54  393216, 409600, 425984, 442368, 458752, 475136, 491520, 507904,
55  524288, 557056, 589824, 622592, 655360, 688128, 720896, 753664,
56  786432, 819200, 851968, 884736, 917504, 950272, 983040, 1015808,
57  1048576, 1114112, 1179648, 1245184, 1310720, 1376256, 1441792,
58  1507328, 1572864, 1638400, 1703936, 1769472, 1835008, 1900544,
59  1966080, 2031616, 2097152, 2228224, 2359296, 2490368, 2621440,
60  2752512, 2883584, 3014656, 3145728, 3276800, 3407872, 3538944,
61  3670016, 3801088, 3932160, 4063232, 4194304, 4456448, 4718592,
62  4980736, 5242880, 5505024, 5767168, 6029312, 6291456, 6553600,
63  6815744, 7077888, 7340032, 7602176, 7864320, 8126464, 8388608,
64  8912896, 9437184, 9961472, 10485760, 11010048, 11534336,
65  12058624, 12582912, 13107200, 13631488, 14155776, 14680064,
66  15204352, 15728640, 16252928, 16777216, 17825792, 18874368,
67  19922944, 20971520, 22020096, 23068672, 24117248, 25165824,
68  26214400, 27262976, 28311552, 29360128, 30408704, 31457280,
69  32505856, 33554432, 35651584, 37748736, 39845888, 41943040,
70  44040192, 46137344, 48234496, 50331648, 52428800, 54525952,
71  56623104, 58720256, 60817408, 62914560, 65011712 };
72 
73  return OPENPGP_S2K_ITERS[iter];
74  }
75 
76 namespace {
77 
78 void pgp_s2k(HashFunction& hash,
79  uint8_t output_buf[], size_t output_len,
80  const char* password, const size_t password_size,
81  const uint8_t salt[], size_t salt_len,
82  size_t iterations)
83  {
84  if(iterations > 1 && salt_len == 0)
85  throw Invalid_Argument("OpenPGP S2K requires a salt in iterated mode");
86 
87  secure_vector<uint8_t> input_buf(salt_len + password_size);
88  if(salt_len > 0)
89  {
90  copy_mem(&input_buf[0], salt, salt_len);
91  }
92  if(password_size > 0)
93  {
94  copy_mem(&input_buf[salt_len],
95  cast_char_ptr_to_uint8(password),
96  password_size);
97  }
98 
99  secure_vector<uint8_t> hash_buf(hash.output_length());
100 
101  size_t pass = 0;
102  size_t generated = 0;
103 
104  while(generated != output_len)
105  {
106  const size_t output_this_pass =
107  std::min(hash_buf.size(), output_len - generated);
108 
109  // Preload some number of zero bytes (empty first iteration)
110  std::vector<uint8_t> zero_padding(pass);
111  hash.update(zero_padding);
112 
113  // The input is always fully processed even if iterations is very small
114  if(input_buf.empty() == false)
115  {
116  size_t left = std::max(iterations, input_buf.size());
117  while(left > 0)
118  {
119  const size_t input_to_take = std::min(left, input_buf.size());
120  hash.update(input_buf.data(), input_to_take);
121  left -= input_to_take;
122  }
123  }
124 
125  hash.final(hash_buf.data());
126  copy_mem(output_buf + generated, hash_buf.data(), output_this_pass);
127  generated += output_this_pass;
128  ++pass;
129  }
130  }
131 
132 }
133 
134 size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len,
135  const std::string& password,
136  const uint8_t salt[], size_t salt_len,
137  size_t iterations,
138  std::chrono::milliseconds msec) const
139  {
140  std::unique_ptr<PasswordHash> pwdhash;
141 
142  if(iterations == 0)
143  {
144  RFC4880_S2K_Family s2k_params(m_hash->clone());
145  iterations = s2k_params.tune(output_len, msec, 0)->iterations();
146  }
147 
148  pgp_s2k(*m_hash, output_buf, output_len,
149  password.c_str(), password.size(),
150  salt, salt_len,
151  iterations);
152 
153  return iterations;
154  }
155 
156 std::string RFC4880_S2K_Family::name() const
157  {
158  return "OpenPGP-S2K(" + m_hash->name() + ")";
159  }
160 
161 std::unique_ptr<PasswordHash> RFC4880_S2K_Family::tune(size_t output_len, std::chrono::milliseconds msec, size_t) const
162  {
163  const std::chrono::milliseconds tune_time = std::chrono::milliseconds(30);
164 
165  const size_t buf_size = 1024;
166  Botan::secure_vector<uint8_t> buffer(buf_size);
167 
168  Timer timer("RFC4880_S2K", buf_size);
169  timer.run_until_elapsed(tune_time, [&]() {
170  m_hash->update(buffer);
171  });
172 
173  // bug in Timer::bytes_per_second?
174  const double hash_bytes_per_second = buf_size * timer.bytes_per_second();
175  const uint64_t desired_nsec = msec.count() * 1000000;
176 
177  const size_t hash_size = m_hash->output_length();
178  const size_t blocks_required = (output_len <= hash_size ? 1 : (output_len + hash_size - 1) / hash_size);
179 
180  const double bytes_to_be_hashed = (hash_bytes_per_second * (desired_nsec / 1000000000.0)) / blocks_required;
181  const size_t iterations = RFC4880_round_iterations(static_cast<size_t>(bytes_to_be_hashed));
182 
183  return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iterations));
184  }
185 
186 std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_params(size_t iter, size_t, size_t) const
187  {
188  return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iter));
189  }
190 
191 std::unique_ptr<PasswordHash> RFC4880_S2K_Family::default_params() const
192  {
193  return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), 50331648));
194  }
195 
196 std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_iterations(size_t iter) const
197  {
198  return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iter));
199  }
200 
202  m_hash(hash),
203  m_iterations(iterations)
204  {
205  }
206 
207 std::string RFC4880_S2K::to_string() const
208  {
209  return "OpenPGP-S2K(" + m_hash->name() + "," + std::to_string(m_iterations) + ")";
210  }
211 
212 void RFC4880_S2K::derive_key(uint8_t out[], size_t out_len,
213  const char* password, const size_t password_len,
214  const uint8_t salt[], size_t salt_len) const
215  {
216  pgp_s2k(*m_hash, out, out_len,
217  password, password_len,
218  salt, salt_len,
219  m_iterations);
220  }
221 
222 }
std::unique_ptr< PasswordHash > default_params() const override
Definition: pgp_s2k.cpp:191
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
Definition: pgp_s2k.cpp:196
std::unique_ptr< PasswordHash > tune(size_t output_len, std::chrono::milliseconds msec, size_t max_mem) const override
Definition: pgp_s2k.cpp:161
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:131
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
size_t RFC4880_decode_count(uint8_t iter)
Definition: pgp_s2k.cpp:31
double bytes_per_second() const
Definition: timer.h:150
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Definition: pgp_s2k.cpp:212
size_t salt_len
Definition: x509_obj.cpp:26
RFC4880_S2K(HashFunction *hash, size_t iterations)
Definition: pgp_s2k.cpp:201
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:108
Definition: alg_id.cpp:13
size_t RFC4880_round_iterations(size_t iterations)
Definition: pgp_s2k.h:32
size_t pbkdf(uint8_t output_buf[], size_t output_len, const std::string &passphrase, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) const override
Definition: pgp_s2k.cpp:134
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
std::string name() const override
Definition: pgp_s2k.cpp:156
std::unique_ptr< PasswordHash > from_params(size_t iter, size_t, size_t) const override
Definition: pgp_s2k.cpp:186
MechanismType hash
std::string to_string() const override
Definition: pgp_s2k.cpp:207
void run_until_elapsed(std::chrono::milliseconds msec, F f)
Definition: timer.h:93
uint8_t RFC4880_encode_count(size_t desired_iterations)
Definition: pgp_s2k.cpp:15