Botan 3.9.0
Crypto and TLS for C&
pgp_s2k.cpp
Go to the documentation of this file.
1/*
2* OpenPGP S2K
3* (C) 1999-2007,2017 Jack Lloyd
4* (C) 2018 Ribose Inc
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/pgp_s2k.h>
10
11#include <botan/exceptn.h>
12#include <botan/mem_ops.h>
13#include <botan/internal/fmt.h>
14#include <botan/internal/mem_utils.h>
15#include <botan/internal/time_utils.h>
16#include <algorithm>
17
18namespace Botan {
19
20namespace {
21
22void pgp_s2k(HashFunction& hash,
23 uint8_t output_buf[],
24 size_t output_len,
25 const char* password,
26 const size_t password_size,
27 const uint8_t salt[],
28 size_t salt_len,
29 size_t iterations) {
30 if(iterations > 1 && salt_len == 0) {
31 throw Invalid_Argument("OpenPGP S2K requires a salt in iterated mode");
32 }
33
34 secure_vector<uint8_t> input_buf(salt_len + password_size);
35 if(salt_len > 0) {
36 copy_mem(input_buf.data(), salt, salt_len);
37 }
38 if(password_size > 0) {
39 copy_mem(std::span(input_buf).subspan(salt_len), as_span_of_bytes(password, password_size));
40 }
41
42 secure_vector<uint8_t> hash_buf(hash.output_length());
43
44 size_t pass = 0;
45 size_t generated = 0;
46
47 while(generated != output_len) {
48 const size_t output_this_pass = std::min(hash_buf.size(), output_len - generated);
49
50 // Preload some number of zero bytes (empty first iteration)
51 std::vector<uint8_t> zero_padding(pass);
52 hash.update(zero_padding);
53
54 // The input is always fully processed even if iterations is very small
55 if(!input_buf.empty()) {
56 size_t left = std::max(iterations, input_buf.size());
57 while(left > 0) {
58 const size_t input_to_take = std::min(left, input_buf.size());
59 hash.update(input_buf.data(), input_to_take);
60 left -= input_to_take;
61 }
62 }
63
64 hash.final(hash_buf.data());
65 copy_mem(output_buf + generated, hash_buf.data(), output_this_pass);
66 generated += output_this_pass;
67 ++pass;
68 }
69}
70
71} // namespace
72
73size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[],
74 size_t output_len,
75 std::string_view password,
76 const uint8_t salt[],
77 size_t salt_len,
78 size_t iterations,
79 std::chrono::milliseconds msec) const {
80 std::unique_ptr<PasswordHash> pwdhash;
81
82 if(iterations == 0) {
83 RFC4880_S2K_Family s2k_params(m_hash->new_object());
84 iterations = s2k_params.tune(output_len, msec, 0, std::chrono::milliseconds(10))->iterations();
85 }
86
87 pgp_s2k(*m_hash, output_buf, output_len, password.data(), password.size(), salt, salt_len, iterations);
88
89 return iterations;
90}
91
92std::string RFC4880_S2K_Family::name() const {
93 return fmt("OpenPGP-S2K({})", m_hash->name());
94}
95
96std::unique_ptr<PasswordHash> RFC4880_S2K_Family::tune(size_t output_len,
97 std::chrono::milliseconds msec,
98 size_t /*max_memory_usage_mb*/,
99 std::chrono::milliseconds tune_time) const {
100 constexpr size_t buf_size = 1024;
101 std::vector<uint8_t> buffer(buf_size);
102
103 const uint64_t measured_nsec = measure_cost(tune_time, [&]() { m_hash->update(buffer); });
104
105 const double hash_bytes_per_second = (buf_size * 1000000000.0) / measured_nsec;
106 const uint64_t desired_nsec = msec.count() * 1000000;
107
108 const size_t hash_size = m_hash->output_length();
109 const size_t blocks_required = (output_len <= hash_size ? 1 : (output_len + hash_size - 1) / hash_size);
110
111 const double bytes_to_be_hashed = (hash_bytes_per_second * (desired_nsec / 1000000000.0)) / blocks_required;
112 const size_t iterations = RFC4880_round_iterations(static_cast<size_t>(bytes_to_be_hashed));
113
114 return std::make_unique<RFC4880_S2K>(m_hash->new_object(), iterations);
115}
116
117std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_params(size_t iterations,
118 size_t /*unused*/,
119 size_t /*unused*/) const {
120 return std::make_unique<RFC4880_S2K>(m_hash->new_object(), iterations);
121}
122
123std::unique_ptr<PasswordHash> RFC4880_S2K_Family::default_params() const {
124 return std::make_unique<RFC4880_S2K>(m_hash->new_object(), 50331648);
125}
126
127std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_iterations(size_t iterations) const {
128 return std::make_unique<RFC4880_S2K>(m_hash->new_object(), iterations);
129}
130
131RFC4880_S2K::RFC4880_S2K(std::unique_ptr<HashFunction> hash, size_t iterations) :
132 m_hash(std::move(hash)), m_iterations(iterations) {}
133
134std::string RFC4880_S2K::to_string() const {
135 return fmt("OpenPGP-S2K({},{})", m_hash->name(), m_iterations);
136}
137
138void RFC4880_S2K::derive_key(uint8_t out[],
139 size_t out_len,
140 const char* password,
141 const size_t password_len,
142 const uint8_t salt[],
143 size_t salt_len) const {
144 pgp_s2k(*m_hash, out, out_len, password, password_len, salt, salt_len, m_iterations);
145}
146
147} // namespace Botan
size_t pbkdf(uint8_t output_buf[], size_t output_len, std::string_view passphrase, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) const override
Definition pgp_s2k.cpp:73
void hash(std::span< uint8_t > out, std::string_view password, std::span< const uint8_t > salt) const
Definition pwdhash.h:84
std::unique_ptr< PasswordHash > from_iterations(size_t iterations) const override
Definition pgp_s2k.cpp:127
std::unique_ptr< PasswordHash > default_params() const override
Definition pgp_s2k.cpp:123
std::unique_ptr< PasswordHash > from_params(size_t iterations, size_t, size_t) const override
Definition pgp_s2k.cpp:117
std::unique_ptr< PasswordHash > tune(size_t output_len, std::chrono::milliseconds msec, size_t max_mem, std::chrono::milliseconds tune_msec) const override
Definition pgp_s2k.cpp:96
std::string name() const override
Definition pgp_s2k.cpp:92
std::string to_string() const override
Definition pgp_s2k.cpp:134
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Definition pgp_s2k.cpp:138
size_t iterations() const override
Definition pgp_s2k.h:90
RFC4880_S2K(std::unique_ptr< HashFunction > hash, size_t iterations)
Definition pgp_s2k.cpp:131
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:28
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
uint64_t measure_cost(std::chrono::milliseconds trial_msec, F func)
Definition time_utils.h:21
size_t RFC4880_round_iterations(size_t iterations)
Definition rfc4880.h:32