/src/botan/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp

Source (jump to first uncovered line)
/*
* OpenPGP S2K
* (C) 1999-2007,2017 Jack Lloyd
* (C) 2018 Ribose Inc
*
* Distributed under the terms of the Botan license
*/

#include <botan/pgp_s2k.h>
#include <botan/exceptn.h>
#include <botan/internal/timer.h>
#include <algorithm>

namespace Botan {

/*
PGP stores the iteration count as a single byte
Thus it can only actually take on one of 256 values, based on the
formula in RFC 4880 section 3.6.1.3
*/
static const uint32_t OPENPGP_S2K_ITERS[256] = {
   1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600,
   1664, 1728, 1792, 1856, 1920, 1984, 2048, 2176, 2304, 2432,
   2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712,
   3840, 3968, 4096, 4352, 4608, 4864, 5120, 5376, 5632, 5888,
   6144, 6400, 6656, 6912, 7168, 7424, 7680, 7936, 8192, 8704,
   9216, 9728, 10240, 10752, 11264, 11776, 12288, 12800, 13312,
   13824, 14336, 14848, 15360, 15872, 16384, 17408, 18432, 19456,
   20480, 21504, 22528, 23552, 24576, 25600, 26624, 27648, 28672,
   29696, 30720, 31744, 32768, 34816, 36864, 38912, 40960, 43008,
   45056, 47104, 49152, 51200, 53248, 55296, 57344, 59392, 61440,
   63488, 65536, 69632, 73728, 77824, 81920, 86016, 90112, 94208,
   98304, 102400, 106496, 110592, 114688, 118784, 122880, 126976,
   131072, 139264, 147456, 155648, 163840, 172032, 180224, 188416,
   196608, 204800, 212992, 221184, 229376, 237568, 245760, 253952,
   262144, 278528, 294912, 311296, 327680, 344064, 360448, 376832,
   393216, 409600, 425984, 442368, 458752, 475136, 491520, 507904,
   524288, 557056, 589824, 622592, 655360, 688128, 720896, 753664,
   786432, 819200, 851968, 884736, 917504, 950272, 983040, 1015808,
   1048576, 1114112, 1179648, 1245184, 1310720, 1376256, 1441792,
   1507328, 1572864, 1638400, 1703936, 1769472, 1835008, 1900544,
   1966080, 2031616, 2097152, 2228224, 2359296, 2490368, 2621440,
   2752512, 2883584, 3014656, 3145728, 3276800, 3407872, 3538944,
   3670016, 3801088, 3932160, 4063232, 4194304, 4456448, 4718592,
   4980736, 5242880, 5505024, 5767168, 6029312, 6291456, 6553600,
   6815744, 7077888, 7340032, 7602176, 7864320, 8126464, 8388608,
   8912896, 9437184, 9961472, 10485760, 11010048, 11534336,
   12058624, 12582912, 13107200, 13631488, 14155776, 14680064,
   15204352, 15728640, 16252928, 16777216, 17825792, 18874368,
   19922944, 20971520, 22020096, 23068672, 24117248, 25165824,
   26214400, 27262976, 28311552, 29360128, 30408704, 31457280,
   32505856, 33554432, 35651584, 37748736, 39845888, 41943040,
   44040192, 46137344, 48234496, 50331648, 52428800, 54525952,
   56623104, 58720256, 60817408, 62914560, 65011712 };

uint8_t RFC4880_encode_count(size_t desired_iterations)
   {
   if(desired_iterations <= OPENPGP_S2K_ITERS[0])
      return 0;

   if(desired_iterations >= OPENPGP_S2K_ITERS[255])
      return 255;

   auto i = std::lower_bound(OPENPGP_S2K_ITERS, OPENPGP_S2K_ITERS + 256, desired_iterations);

   return static_cast<uint8_t>(i - OPENPGP_S2K_ITERS);
   }

size_t RFC4880_decode_count(uint8_t iter)
   {
   return OPENPGP_S2K_ITERS[iter];
   }

namespace {

void pgp_s2k(HashFunction& hash,
             uint8_t output_buf[], size_t output_len,
             const char* password, const size_t password_size,
             const uint8_t salt[], size_t salt_len,
             size_t iterations)
   {
   if(iterations > 1 && salt_len == 0)
      throw Invalid_Argument("OpenPGP S2K requires a salt in iterated mode");

   secure_vector<uint8_t> input_buf(salt_len + password_size);
   if(salt_len > 0)
      {
      copy_mem(&input_buf[0], salt, salt_len);
      }
   if(password_size > 0)
      {
      copy_mem(&input_buf[salt_len],
               cast_char_ptr_to_uint8(password),
               password_size);
      }

   secure_vector<uint8_t> hash_buf(hash.output_length());

   size_t pass = 0;
   size_t generated = 0;

   while(generated != output_len)
      {
      const size_t output_this_pass =
         std::min(hash_buf.size(), output_len - generated);

      // Preload some number of zero bytes (empty first iteration)
      std::vector<uint8_t> zero_padding(pass);
      hash.update(zero_padding);

      // The input is always fully processed even if iterations is very small
      if(input_buf.empty() == false)
         {
         size_t left = std::max(iterations, input_buf.size());
         while(left > 0)
            {
            const size_t input_to_take = std::min(left, input_buf.size());
            hash.update(input_buf.data(), input_to_take);
            left -= input_to_take;
            }
         }

      hash.final(hash_buf.data());
      copy_mem(output_buf + generated, hash_buf.data(), output_this_pass);
      generated += output_this_pass;
      ++pass;
      }
   }

}

size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len,
                          const std::string& password,
                          const uint8_t salt[], size_t salt_len,
                          size_t iterations,
                          std::chrono::milliseconds msec) const
   {
   std::unique_ptr<PasswordHash> pwdhash;

   if(iterations == 0)
      {
      RFC4880_S2K_Family s2k_params(m_hash->clone());
      iterations = s2k_params.tune(output_len, msec, 0)->iterations();
      }

   pgp_s2k(*m_hash, output_buf, output_len,
           password.c_str(), password.size(),
           salt, salt_len,
           iterations);

   return iterations;
   }

std::string RFC4880_S2K_Family::name() const
   {
   return "OpenPGP-S2K(" + m_hash->name() + ")";
   }

std::unique_ptr<PasswordHash> RFC4880_S2K_Family::tune(size_t output_len, std::chrono::milliseconds msec, size_t) const
   {
   const auto tune_time = BOTAN_PBKDF_TUNING_TIME;

   const size_t buf_size = 1024;
   std::vector<uint8_t> buffer(buf_size);

   Timer timer("RFC4880_S2K", buf_size);
   timer.run_until_elapsed(tune_time, [&]() {
      m_hash->update(buffer);
      });

   const double hash_bytes_per_second = timer.bytes_per_second();
   const uint64_t desired_nsec = msec.count() * 1000000;

   const size_t hash_size = m_hash->output_length();
   const size_t blocks_required = (output_len <= hash_size ? 1 : (output_len + hash_size - 1) / hash_size);

   const double bytes_to_be_hashed = (hash_bytes_per_second * (desired_nsec / 1000000000.0)) / blocks_required;
   const size_t iterations = RFC4880_round_iterations(static_cast<size_t>(bytes_to_be_hashed));

   return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iterations));
   }

std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_params(size_t iter, size_t, size_t) const
   {
   return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iter));
   }

std::unique_ptr<PasswordHash> RFC4880_S2K_Family::default_params() const
   {
   return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), 50331648));
   }

std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_iterations(size_t iter) const
   {
   return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iter));
   }

RFC4880_S2K::RFC4880_S2K(HashFunction* hash, size_t iterations) :
   m_hash(hash),
   m_iterations(iterations)
   {
   }

std::string RFC4880_S2K::to_string() const
   {
   return "OpenPGP-S2K(" + m_hash->name() + "," + std::to_string(m_iterations) + ")";
   }

void RFC4880_S2K::derive_key(uint8_t out[], size_t out_len,
                             const char* password, const size_t password_len,
                             const uint8_t salt[], size_t salt_len) const
   {
   pgp_s2k(*m_hash, out, out_len,
           password, password_len,
           salt, salt_len,
           m_iterations);
   }

}

Coverage Report

Created: 2020-09-16 07:52

Line	Count	Source (jump to first uncovered line)
1		/*
2		* OpenPGP S2K
3		* (C) 1999-2007,2017 Jack Lloyd
4		* (C) 2018 Ribose Inc
5		*
6		* Distributed under the terms of the Botan license
7		*/
8
9		#include <botan/pgp_s2k.h>
10		#include <botan/exceptn.h>
11		#include <botan/internal/timer.h>
12		#include <algorithm>
13
14		namespace Botan {
15
16		/*
17		PGP stores the iteration count as a single byte
18		Thus it can only actually take on one of 256 values, based on the
19		formula in RFC 4880 section 3.6.1.3
20		*/
21		static const uint32_t OPENPGP_S2K_ITERS[256] = {
22		1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600,
23		1664, 1728, 1792, 1856, 1920, 1984, 2048, 2176, 2304, 2432,
24		2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712,
25		3840, 3968, 4096, 4352, 4608, 4864, 5120, 5376, 5632, 5888,
26		6144, 6400, 6656, 6912, 7168, 7424, 7680, 7936, 8192, 8704,
27		9216, 9728, 10240, 10752, 11264, 11776, 12288, 12800, 13312,
28		13824, 14336, 14848, 15360, 15872, 16384, 17408, 18432, 19456,
29		20480, 21504, 22528, 23552, 24576, 25600, 26624, 27648, 28672,
30		29696, 30720, 31744, 32768, 34816, 36864, 38912, 40960, 43008,
31		45056, 47104, 49152, 51200, 53248, 55296, 57344, 59392, 61440,
32		63488, 65536, 69632, 73728, 77824, 81920, 86016, 90112, 94208,
33		98304, 102400, 106496, 110592, 114688, 118784, 122880, 126976,
34		131072, 139264, 147456, 155648, 163840, 172032, 180224, 188416,
35		196608, 204800, 212992, 221184, 229376, 237568, 245760, 253952,
36		262144, 278528, 294912, 311296, 327680, 344064, 360448, 376832,
37		393216, 409600, 425984, 442368, 458752, 475136, 491520, 507904,
38		524288, 557056, 589824, 622592, 655360, 688128, 720896, 753664,
39		786432, 819200, 851968, 884736, 917504, 950272, 983040, 1015808,
40		1048576, 1114112, 1179648, 1245184, 1310720, 1376256, 1441792,
41		1507328, 1572864, 1638400, 1703936, 1769472, 1835008, 1900544,
42		1966080, 2031616, 2097152, 2228224, 2359296, 2490368, 2621440,
43		2752512, 2883584, 3014656, 3145728, 3276800, 3407872, 3538944,
44		3670016, 3801088, 3932160, 4063232, 4194304, 4456448, 4718592,
45		4980736, 5242880, 5505024, 5767168, 6029312, 6291456, 6553600,
46		6815744, 7077888, 7340032, 7602176, 7864320, 8126464, 8388608,
47		8912896, 9437184, 9961472, 10485760, 11010048, 11534336,
48		12058624, 12582912, 13107200, 13631488, 14155776, 14680064,
49		15204352, 15728640, 16252928, 16777216, 17825792, 18874368,
50		19922944, 20971520, 22020096, 23068672, 24117248, 25165824,
51		26214400, 27262976, 28311552, 29360128, 30408704, 31457280,
52		32505856, 33554432, 35651584, 37748736, 39845888, 41943040,
53		44040192, 46137344, 48234496, 50331648, 52428800, 54525952,
54		56623104, 58720256, 60817408, 62914560, 65011712 };
55
56		uint8_t RFC4880_encode_count(size_t desired_iterations)
57	0	{
58	0	if(desired_iterations <= OPENPGP_S2K_ITERS[0])
59	0	return 0;
60	0
61	0	if(desired_iterations >= OPENPGP_S2K_ITERS[255])
62	0	return 255;
63	0
64	0	auto i = std::lower_bound(OPENPGP_S2K_ITERS, OPENPGP_S2K_ITERS + 256, desired_iterations);
65	0
66	0	return static_cast<uint8_t>(i - OPENPGP_S2K_ITERS);
67	0	}
68
69		size_t RFC4880_decode_count(uint8_t iter)
70	0	{
71	0	return OPENPGP_S2K_ITERS[iter];
72	0	}
73
74		namespace {
75
76		void pgp_s2k(HashFunction& hash,
77		uint8_t output_buf[], size_t output_len,
78		const char* password, const size_t password_size,
79		const uint8_t salt[], size_t salt_len,
80		size_t iterations)
81	0	{
82	0	if(iterations > 1 && salt_len == 0)
83	0	throw Invalid_Argument("OpenPGP S2K requires a salt in iterated mode");
84	0
85	0	secure_vector<uint8_t> input_buf(salt_len + password_size);
86	0	if(salt_len > 0)
87	0	{
88	0	copy_mem(&input_buf[0], salt, salt_len);
89	0	}
90	0	if(password_size > 0)
91	0	{
92	0	copy_mem(&input_buf[salt_len],
93	0	cast_char_ptr_to_uint8(password),
94	0	password_size);
95	0	}
96	0
97	0	secure_vector<uint8_t> hash_buf(hash.output_length());
98	0
99	0	size_t pass = 0;
100	0	size_t generated = 0;
101	0
102	0	while(generated != output_len)
103	0	{
104	0	const size_t output_this_pass =
105	0	std::min(hash_buf.size(), output_len - generated);
106	0
107		// Preload some number of zero bytes (empty first iteration)
108	0	std::vector<uint8_t> zero_padding(pass);
109	0	hash.update(zero_padding);
110	0
111		// The input is always fully processed even if iterations is very small
112	0	if(input_buf.empty() == false)
113	0	{
114	0	size_t left = std::max(iterations, input_buf.size());
115	0	while(left > 0)
116	0	{
117	0	const size_t input_to_take = std::min(left, input_buf.size());
118	0	hash.update(input_buf.data(), input_to_take);
119	0	left -= input_to_take;
120	0	}
121	0	}
122	0
123	0	hash.final(hash_buf.data());
124	0	copy_mem(output_buf + generated, hash_buf.data(), output_this_pass);
125	0	generated += output_this_pass;
126	0	++pass;
127	0	}
128	0	}
129
130		}
131
132		size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len,
133		const std::string& password,
134		const uint8_t salt[], size_t salt_len,
135		size_t iterations,
136		std::chrono::milliseconds msec) const
137	0	{
138	0	std::unique_ptr<PasswordHash> pwdhash;
139	0
140	0	if(iterations == 0)
141	0	{
142	0	RFC4880_S2K_Family s2k_params(m_hash->clone());
143	0	iterations = s2k_params.tune(output_len, msec, 0)->iterations();
144	0	}
145	0
146	0	pgp_s2k(*m_hash, output_buf, output_len,
147	0	password.c_str(), password.size(),
148	0	salt, salt_len,
149	0	iterations);
150	0
151	0	return iterations;
152	0	}
153
154		std::string RFC4880_S2K_Family::name() const
155	0	{
156	0	return "OpenPGP-S2K(" + m_hash->name() + ")";
157	0	}
158
159		std::unique_ptr<PasswordHash> RFC4880_S2K_Family::tune(size_t output_len, std::chrono::milliseconds msec, size_t) const
160	0	{
161	0	const auto tune_time = BOTAN_PBKDF_TUNING_TIME;
162	0
163	0	const size_t buf_size = 1024;
164	0	std::vector<uint8_t> buffer(buf_size);
165	0
166	0	Timer timer("RFC4880_S2K", buf_size);
167	0	timer.run_until_elapsed(tune_time, [&]() {
168	0	m_hash->update(buffer);
169	0	});
170	0
171	0	const double hash_bytes_per_second = timer.bytes_per_second();
172	0	const uint64_t desired_nsec = msec.count() * 1000000;
173	0
174	0	const size_t hash_size = m_hash->output_length();
175	0	const size_t blocks_required = (output_len <= hash_size ? 1 : (output_len + hash_size - 1) / hash_size);
176	0
177	0	const double bytes_to_be_hashed = (hash_bytes_per_second * (desired_nsec / 1000000000.0)) / blocks_required;
178	0	const size_t iterations = RFC4880_round_iterations(static_cast<size_t>(bytes_to_be_hashed));
179	0
180	0	return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iterations));
181	0	}
182
183		std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_params(size_t iter, size_t, size_t) const
184	0	{
185	0	return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iter));
186	0	}
187
188		std::unique_ptr<PasswordHash> RFC4880_S2K_Family::default_params() const
189	0	{
190	0	return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), 50331648));
191	0	}
192
193		std::unique_ptr<PasswordHash> RFC4880_S2K_Family::from_iterations(size_t iter) const
194	0	{
195	0	return std::unique_ptr<PasswordHash>(new RFC4880_S2K(m_hash->clone(), iter));
196	0	}
197
198		RFC4880_S2K::RFC4880_S2K(HashFunction* hash, size_t iterations) :
199		m_hash(hash),
200		m_iterations(iterations)
201	0	{
202	0	}
203
204		std::string RFC4880_S2K::to_string() const
205	0	{
206	0	return "OpenPGP-S2K(" + m_hash->name() + "," + std::to_string(m_iterations) + ")";
207	0	}
208
209		void RFC4880_S2K::derive_key(uint8_t out[], size_t out_len,
210		const char* password, const size_t password_len,
211		const uint8_t salt[], size_t salt_len) const
212	0	{
213	0	pgp_s2k(*m_hash, out, out_len,
214	0	password, password_len,
215	0	salt, salt_len,
216	0	m_iterations);
217	0	}
218
219		}