Botan  2.7.0
Crypto and TLS for C++11
pgp_s2k.cpp
Go to the documentation of this file.
1 /*
2 * OpenPGP S2K
3 * (C) 1999-2007,2017 Jack Lloyd
4 *
5 * Distributed under the terms of the Botan license
6 */
7 
8 #include <botan/pgp_s2k.h>
9 #include <botan/exceptn.h>
10 
11 namespace Botan {
12 
13 /*
14 PGP stores the iteration count as a single byte
15 Thus it can only actually take on one of 256 values, based on the
16 formula in RFC 4880 section 3.6.1.3
17 */
18 static const uint32_t OPENPGP_S2K_ITERS[256] = {
19  1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600,
20  1664, 1728, 1792, 1856, 1920, 1984, 2048, 2176, 2304, 2432,
21  2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712,
22  3840, 3968, 4096, 4352, 4608, 4864, 5120, 5376, 5632, 5888,
23  6144, 6400, 6656, 6912, 7168, 7424, 7680, 7936, 8192, 8704,
24  9216, 9728, 10240, 10752, 11264, 11776, 12288, 12800, 13312,
25  13824, 14336, 14848, 15360, 15872, 16384, 17408, 18432, 19456,
26  20480, 21504, 22528, 23552, 24576, 25600, 26624, 27648, 28672,
27  29696, 30720, 31744, 32768, 34816, 36864, 38912, 40960, 43008,
28  45056, 47104, 49152, 51200, 53248, 55296, 57344, 59392, 61440,
29  63488, 65536, 69632, 73728, 77824, 81920, 86016, 90112, 94208,
30  98304, 102400, 106496, 110592, 114688, 118784, 122880, 126976,
31  131072, 139264, 147456, 155648, 163840, 172032, 180224, 188416,
32  196608, 204800, 212992, 221184, 229376, 237568, 245760, 253952,
33  262144, 278528, 294912, 311296, 327680, 344064, 360448, 376832,
34  393216, 409600, 425984, 442368, 458752, 475136, 491520, 507904,
35  524288, 557056, 589824, 622592, 655360, 688128, 720896, 753664,
36  786432, 819200, 851968, 884736, 917504, 950272, 983040, 1015808,
37  1048576, 1114112, 1179648, 1245184, 1310720, 1376256, 1441792,
38  1507328, 1572864, 1638400, 1703936, 1769472, 1835008, 1900544,
39  1966080, 2031616, 2097152, 2228224, 2359296, 2490368, 2621440,
40  2752512, 2883584, 3014656, 3145728, 3276800, 3407872, 3538944,
41  3670016, 3801088, 3932160, 4063232, 4194304, 4456448, 4718592,
42  4980736, 5242880, 5505024, 5767168, 6029312, 6291456, 6553600,
43  6815744, 7077888, 7340032, 7602176, 7864320, 8126464, 8388608,
44  8912896, 9437184, 9961472, 10485760, 11010048, 11534336,
45  12058624, 12582912, 13107200, 13631488, 14155776, 14680064,
46  15204352, 15728640, 16252928, 16777216, 17825792, 18874368,
47  19922944, 20971520, 22020096, 23068672, 24117248, 25165824,
48  26214400, 27262976, 28311552, 29360128, 30408704, 31457280,
49  32505856, 33554432, 35651584, 37748736, 39845888, 41943040,
50  44040192, 46137344, 48234496, 50331648, 52428800, 54525952,
51  56623104, 58720256, 60817408, 62914560, 65011712 };
52 
53 //static
54 uint8_t OpenPGP_S2K::encode_count(size_t desired_iterations)
55  {
56  /*
57  Only 256 different iterations are actually representable in OpenPGP format ...
58  */
59  for(size_t c = 0; c < 256; ++c)
60  {
61  const uint32_t decoded_iter = OPENPGP_S2K_ITERS[c];
62  if(decoded_iter >= desired_iterations)
63  return static_cast<uint8_t>(c);
64  }
65 
66  return 255;
67  }
68 
69 //static
70 size_t OpenPGP_S2K::decode_count(uint8_t iter)
71  {
72  return OPENPGP_S2K_ITERS[iter];
73  }
74 
75 size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len,
76  const std::string& passphrase,
77  const uint8_t salt[], size_t salt_len,
78  size_t iterations,
79  std::chrono::milliseconds msec) const
80  {
81  if(iterations == 0 && msec.count() > 0) // FIXME
82  throw Not_Implemented("OpenPGP_S2K does not implemented timed KDF");
83 
84  if(iterations > 1 && salt_len == 0)
85  throw Invalid_Argument("OpenPGP_S2K requires a salt in iterated mode");
86 
87  secure_vector<uint8_t> input_buf(salt_len + passphrase.size());
88  if(salt_len > 0)
89  {
90  copy_mem(&input_buf[0], salt, salt_len);
91  }
92  if(passphrase.empty() == false)
93  {
94  copy_mem(&input_buf[salt_len],
95  cast_char_ptr_to_uint8(passphrase.data()),
96  passphrase.size());
97  }
98 
99  secure_vector<uint8_t> hash_buf(m_hash->output_length());
100 
101  size_t pass = 0;
102  size_t generated = 0;
103 
104  while(generated != output_len)
105  {
106  const size_t output_this_pass =
107  std::min(hash_buf.size(), output_len - generated);
108 
109  // Preload some number of zero bytes (empty first iteration)
110  std::vector<uint8_t> zero_padding(pass);
111  m_hash->update(zero_padding);
112 
113  // The input is always fully processed even if iterations is very small
114  if(input_buf.empty() == false)
115  {
116  size_t left = std::max(iterations, input_buf.size());
117  while(left > 0)
118  {
119  const size_t input_to_take = std::min(left, input_buf.size());
120  m_hash->update(input_buf.data(), input_to_take);
121  left -= input_to_take;
122  }
123  }
124 
125  m_hash->final(hash_buf.data());
126  copy_mem(output_buf + generated, hash_buf.data(), output_this_pass);
127  generated += output_this_pass;
128  ++pass;
129  }
130 
131  return iterations;
132  }
133 
134 }
static size_t decode_count(uint8_t encoded_iter)
Definition: pgp_s2k.cpp:70
static uint8_t encode_count(size_t iterations)
Definition: pgp_s2k.cpp:54
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:131
size_t salt_len
Definition: x509_obj.cpp:26
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:108
Definition: alg_id.cpp:13
size_t pbkdf(uint8_t output_buf[], size_t output_len, const std::string &passphrase, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) const override
Definition: pgp_s2k.cpp:75
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88