/src/botan/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * OpenPGP S2K |
3 | | * (C) 1999-2007,2017 Jack Lloyd |
4 | | * (C) 2018 Ribose Inc |
5 | | * |
6 | | * Distributed under the terms of the Botan license |
7 | | */ |
8 | | |
9 | | #include <botan/pgp_s2k.h> |
10 | | #include <botan/exceptn.h> |
11 | | #include <botan/internal/timer.h> |
12 | | #include <algorithm> |
13 | | |
14 | | namespace Botan { |
15 | | |
16 | | /* |
17 | | PGP stores the iteration count as a single byte |
18 | | Thus it can only actually take on one of 256 values, based on the |
19 | | formula in RFC 4880 section 3.6.1.3 |
20 | | */ |
21 | | static const uint32_t OPENPGP_S2K_ITERS[256] = { |
22 | | 1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, |
23 | | 1664, 1728, 1792, 1856, 1920, 1984, 2048, 2176, 2304, 2432, |
24 | | 2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712, |
25 | | 3840, 3968, 4096, 4352, 4608, 4864, 5120, 5376, 5632, 5888, |
26 | | 6144, 6400, 6656, 6912, 7168, 7424, 7680, 7936, 8192, 8704, |
27 | | 9216, 9728, 10240, 10752, 11264, 11776, 12288, 12800, 13312, |
28 | | 13824, 14336, 14848, 15360, 15872, 16384, 17408, 18432, 19456, |
29 | | 20480, 21504, 22528, 23552, 24576, 25600, 26624, 27648, 28672, |
30 | | 29696, 30720, 31744, 32768, 34816, 36864, 38912, 40960, 43008, |
31 | | 45056, 47104, 49152, 51200, 53248, 55296, 57344, 59392, 61440, |
32 | | 63488, 65536, 69632, 73728, 77824, 81920, 86016, 90112, 94208, |
33 | | 98304, 102400, 106496, 110592, 114688, 118784, 122880, 126976, |
34 | | 131072, 139264, 147456, 155648, 163840, 172032, 180224, 188416, |
35 | | 196608, 204800, 212992, 221184, 229376, 237568, 245760, 253952, |
36 | | 262144, 278528, 294912, 311296, 327680, 344064, 360448, 376832, |
37 | | 393216, 409600, 425984, 442368, 458752, 475136, 491520, 507904, |
38 | | 524288, 557056, 589824, 622592, 655360, 688128, 720896, 753664, |
39 | | 786432, 819200, 851968, 884736, 917504, 950272, 983040, 1015808, |
40 | | 1048576, 1114112, 1179648, 1245184, 1310720, 1376256, 1441792, |
41 | | 1507328, 1572864, 1638400, 1703936, 1769472, 1835008, 1900544, |
42 | | 1966080, 2031616, 2097152, 2228224, 2359296, 2490368, 2621440, |
43 | | 2752512, 2883584, 3014656, 3145728, 3276800, 3407872, 3538944, |
44 | | 3670016, 3801088, 3932160, 4063232, 4194304, 4456448, 4718592, |
45 | | 4980736, 5242880, 5505024, 5767168, 6029312, 6291456, 6553600, |
46 | | 6815744, 7077888, 7340032, 7602176, 7864320, 8126464, 8388608, |
47 | | 8912896, 9437184, 9961472, 10485760, 11010048, 11534336, |
48 | | 12058624, 12582912, 13107200, 13631488, 14155776, 14680064, |
49 | | 15204352, 15728640, 16252928, 16777216, 17825792, 18874368, |
50 | | 19922944, 20971520, 22020096, 23068672, 24117248, 25165824, |
51 | | 26214400, 27262976, 28311552, 29360128, 30408704, 31457280, |
52 | | 32505856, 33554432, 35651584, 37748736, 39845888, 41943040, |
53 | | 44040192, 46137344, 48234496, 50331648, 52428800, 54525952, |
54 | | 56623104, 58720256, 60817408, 62914560, 65011712 }; |
55 | | |
56 | | uint8_t RFC4880_encode_count(size_t desired_iterations) |
57 | 0 | { |
58 | 0 | if(desired_iterations <= OPENPGP_S2K_ITERS[0]) |
59 | 0 | return 0; |
60 | 0 | |
61 | 0 | if(desired_iterations >= OPENPGP_S2K_ITERS[255]) |
62 | 0 | return 255; |
63 | 0 | |
64 | 0 | auto i = std::lower_bound(OPENPGP_S2K_ITERS, OPENPGP_S2K_ITERS + 256, desired_iterations); |
65 | 0 |
|
66 | 0 | return static_cast<uint8_t>(i - OPENPGP_S2K_ITERS); |
67 | 0 | } |
68 | | |
69 | | size_t RFC4880_decode_count(uint8_t iter) |
70 | 0 | { |
71 | 0 | return OPENPGP_S2K_ITERS[iter]; |
72 | 0 | } |
73 | | |
74 | | namespace { |
75 | | |
76 | | void pgp_s2k(HashFunction& hash, |
77 | | uint8_t output_buf[], size_t output_len, |
78 | | const char* password, const size_t password_size, |
79 | | const uint8_t salt[], size_t salt_len, |
80 | | size_t iterations) |
81 | 0 | { |
82 | 0 | if(iterations > 1 && salt_len == 0) |
83 | 0 | throw Invalid_Argument("OpenPGP S2K requires a salt in iterated mode"); |
84 | 0 | |
85 | 0 | secure_vector<uint8_t> input_buf(salt_len + password_size); |
86 | 0 | if(salt_len > 0) |
87 | 0 | { |
88 | 0 | copy_mem(&input_buf[0], salt, salt_len); |
89 | 0 | } |
90 | 0 | if(password_size > 0) |
91 | 0 | { |
92 | 0 | copy_mem(&input_buf[salt_len], |
93 | 0 | cast_char_ptr_to_uint8(password), |
94 | 0 | password_size); |
95 | 0 | } |
96 | 0 |
|
97 | 0 | secure_vector<uint8_t> hash_buf(hash.output_length()); |
98 | 0 |
|
99 | 0 | size_t pass = 0; |
100 | 0 | size_t generated = 0; |
101 | 0 |
|
102 | 0 | while(generated != output_len) |
103 | 0 | { |
104 | 0 | const size_t output_this_pass = |
105 | 0 | std::min(hash_buf.size(), output_len - generated); |
106 | 0 |
|
107 | | // Preload some number of zero bytes (empty first iteration) |
108 | 0 | std::vector<uint8_t> zero_padding(pass); |
109 | 0 | hash.update(zero_padding); |
110 | 0 |
|
111 | | // The input is always fully processed even if iterations is very small |
112 | 0 | if(input_buf.empty() == false) |
113 | 0 | { |
114 | 0 | size_t left = std::max(iterations, input_buf.size()); |
115 | 0 | while(left > 0) |
116 | 0 | { |
117 | 0 | const size_t input_to_take = std::min(left, input_buf.size()); |
118 | 0 | hash.update(input_buf.data(), input_to_take); |
119 | 0 | left -= input_to_take; |
120 | 0 | } |
121 | 0 | } |
122 | 0 |
|
123 | 0 | hash.final(hash_buf.data()); |
124 | 0 | copy_mem(output_buf + generated, hash_buf.data(), output_this_pass); |
125 | 0 | generated += output_this_pass; |
126 | 0 | ++pass; |
127 | 0 | } |
128 | 0 | } |
129 | | |
130 | | } |
131 | | |
132 | | size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len, |
133 | | const std::string& password, |
134 | | const uint8_t salt[], size_t salt_len, |
135 | | size_t iterations, |
136 | | std::chrono::milliseconds msec) const |
137 | 0 | { |
138 | 0 | std::unique_ptr<PasswordHash> pwdhash; |
139 | 0 |
|
140 | 0 | if(iterations == 0) |
141 | 0 | { |
142 | 0 | RFC4880_S2K_Family s2k_params(m_hash->clone()); |
143 | 0 | iterations = s2k_params.tune(output_len, msec, 0)->iterations(); |
144 | 0 | } |
145 | 0 |
|
146 | 0 | pgp_s2k(*m_hash, output_buf, output_len, |
147 | 0 | password.c_str(), password.size(), |
148 | 0 | salt, salt_len, |
149 | 0 | iterations); |
150 | 0 |
|
151 | 0 | return iterations; |
152 | 0 | } |
153 | | |
154 | | std::string RFC4880_S2K_Family::name() const |
155 | 0 | { |
156 | 0 | return "OpenPGP-S2K(" + m_hash->name() + ")"; |
157 | 0 | } |
158 | | |
159 | | std::unique_ptr<PasswordHash> RFC4880_S2K_Family::tune(size_t output_len, std::chrono::milliseconds msec, size_t) const |
160 | 0 | { |
161 | 0 | const auto tune_time = BOTAN_PBKDF_TUNING_TIME; |
162 | 0 |
|
163 | 0 | const size_t buf_size = 1024; |
164 | 0 | std::vector<uint8_t> buffer(buf_size); |
165 | 0 |
|
166 | 0 | Timer timer("RFC4880_S2K", buf_size); |
167 | 0 | timer.run_until_elapsed(tune_time, [&]() { |
168 | 0 | m_hash->update(buffer); |
169 | 0 | }); |
170 | 0 |
|
171 | 0 | const double hash_bytes_per_second = timer.bytes_per_second(); |
172 | 0 | const uint64_t desired_nsec = msec.count() * 1000000; |
173 | 0 |
|
174 | 0 | const size_t hash_size = m_hash->output_length(); |
175 | 0 | const size_t blocks_required = (output_len <= hash_size ? 1 : (output_len + hash_size - 1) / hash_size); |
176 | 0 |
|
177 | 0 | const double bytes_to_be_hashed = (hash_bytes_per_second * (desired_nsec / 1000000000.0)) / blocks_required; |
178 | 0 | const size_t iterations = RFC4880_round_iterations(static_cast<size_t>(bytes_to_be_hashed)); |
179 | 0 |
|
180 | 0 | return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iterations)); |
181 | 0 | } |
182 | | |
183 | | std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_params(size_t iter, size_t, size_t) const |
184 | 0 | { |
185 | 0 | return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iter)); |
186 | 0 | } |
187 | | |
188 | | std::unique_ptr<PasswordHash> RFC4880_S2K_Family::default_params() const |
189 | 0 | { |
190 | 0 | return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), 50331648)); |
191 | 0 | } |
192 | | |
193 | | std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_iterations(size_t iter) const |
194 | 0 | { |
195 | 0 | return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iter)); |
196 | 0 | } |
197 | | |
198 | | RFC4880_S2K::RFC4880_S2K(HashFunction* hash, size_t iterations) : |
199 | | m_hash(hash), |
200 | | m_iterations(iterations) |
201 | 0 | { |
202 | 0 | } |
203 | | |
204 | | std::string RFC4880_S2K::to_string() const |
205 | 0 | { |
206 | 0 | return "OpenPGP-S2K(" + m_hash->name() + "," + std::to_string(m_iterations) + ")"; |
207 | 0 | } |
208 | | |
209 | | void RFC4880_S2K::derive_key(uint8_t out[], size_t out_len, |
210 | | const char* password, const size_t password_len, |
211 | | const uint8_t salt[], size_t salt_len) const |
212 | 0 | { |
213 | 0 | pgp_s2k(*m_hash, out, out_len, |
214 | 0 | password, password_len, |
215 | 0 | salt, salt_len, |
216 | 0 | m_iterations); |
217 | 0 | } |
218 | | |
219 | | } |