aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-05-27 07:43:02 -0400
committerJack Lloyd <[email protected]>2017-05-27 07:43:02 -0400
commit360769bc65057ac44013f93a25ff9a06d971acae (patch)
tree691dfd44c0462093280a8df45081b0b990eb3803
parenta293c21ba83fb9c4d59237f8fa0fd5d852c27992 (diff)
Add (back) OpenPGP-S2K
It was removed somewhere along the line in 1.11, with the logic that it is a funky PGP-specific scheme and (quoting the commit that removed it) "not really useful outside of a full PGP implementation". This assumed that the PGP implementation would be in Botan itself, but PGP is implemented in https://github.com/evpo/EncryptPad/ (which is a PGP implementation using 1.10), and RNP (https://github.com/riboseinc/rnp) would like to use it also. This work was sponsored by Ribose Inc (@riboseinc).
-rw-r--r--src/lib/pbkdf/pbkdf.cpp12
-rw-r--r--src/lib/pbkdf/pgp_s2k/info.txt7
-rw-r--r--src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp90
-rw-r--r--src/lib/pbkdf/pgp_s2k/pgp_s2k.h67
-rw-r--r--src/tests/data/pbkdf/pgp_s2k.vec67
-rw-r--r--src/tests/test_pbkdf.cpp4
6 files changed, 245 insertions, 2 deletions
diff --git a/src/lib/pbkdf/pbkdf.cpp b/src/lib/pbkdf/pbkdf.cpp
index a60c93d5c..40610998b 100644
--- a/src/lib/pbkdf/pbkdf.cpp
+++ b/src/lib/pbkdf/pbkdf.cpp
@@ -16,6 +16,10 @@
#include <botan/pbkdf2.h>
#endif
+#if defined(BOTAN_HAS_PGP_S2K)
+#include <botan/pgp_s2k.h>
+#endif
+
namespace Botan {
std::unique_ptr<PBKDF> PBKDF::create(const std::string& algo_spec,
@@ -50,6 +54,14 @@ std::unique_ptr<PBKDF> PBKDF::create(const std::string& algo_spec,
}
#endif
+#if defined(BOTAN_HAS_PGP_S2K)
+ if(req.algo_name() == "OpenPGP-S2K" && req.arg_count() == 1)
+ {
+ if(auto hash = HashFunction::create(req.arg(0)))
+ return std::unique_ptr<PBKDF>(new OpenPGP_S2K(hash.release()));
+ }
+#endif
+
BOTAN_UNUSED(req);
BOTAN_UNUSED(provider);
diff --git a/src/lib/pbkdf/pgp_s2k/info.txt b/src/lib/pbkdf/pgp_s2k/info.txt
new file mode 100644
index 000000000..5aabc0919
--- /dev/null
+++ b/src/lib/pbkdf/pgp_s2k/info.txt
@@ -0,0 +1,7 @@
+<defines>
+PGP_S2K -> 20170527
+</defines>
+
+<requires>
+hash
+</requires>
diff --git a/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp b/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp
new file mode 100644
index 000000000..d8b5d770e
--- /dev/null
+++ b/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp
@@ -0,0 +1,90 @@
+/*
+* OpenPGP S2K
+* (C) 1999-2007,2017 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/pgp_s2k.h>
+
+namespace Botan {
+
+//static
+uint8_t OpenPGP_S2K::encode_count(size_t desired_iterations)
+ {
+ /*
+ Only 256 different iterations are actually representable in OpenPGP format ...
+ */
+ for(size_t c = 0; c < 256; ++c)
+ {
+ size_t decoded_iter = OpenPGP_S2K::decode_count(c);
+ if(decoded_iter >= desired_iterations)
+ return c;
+ }
+ }
+
+//static
+size_t OpenPGP_S2K::decode_count(uint8_t iter)
+ {
+ // See RFC 4880 section 3.7.1.3
+ return (16 + (iter & 0x0F)) << ((iter >> 4) + 6);
+ }
+
+size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len,
+ const std::string& passphrase,
+ const uint8_t salt[], size_t salt_len,
+ size_t iterations,
+ std::chrono::milliseconds msec) const
+ {
+ if(iterations == 0 && msec.count() > 0) // FIXME
+ throw Not_Implemented("OpenPGP_S2K does not implemented timed KDF");
+
+ secure_vector<uint8_t> input_buf(salt_len + passphrase.size());
+ if(salt_len > 0)
+ {
+ copy_mem(&input_buf[0], salt, salt_len);
+ }
+ if(passphrase.empty() == false)
+ {
+ copy_mem(&input_buf[salt_len],
+ reinterpret_cast<const uint8_t*>(passphrase.data()),
+ passphrase.size());
+ }
+
+ /*
+ The input is always fully processed even if iterations is very small
+ */
+ const size_t to_hash = std::max(iterations, input_buf.size());
+
+ secure_vector<uint8_t> hash_buf(m_hash->output_length());
+
+ size_t pass = 0;
+ size_t generated = 0;
+
+ while(generated != output_len)
+ {
+ const size_t output_this_pass =
+ std::min(hash_buf.size(), output_len - generated);
+
+ // Preload some number of zero bytes (empty first iteration)
+ std::vector<uint8_t> zero_padding(pass);
+ m_hash->update(zero_padding);
+
+ size_t left = to_hash;
+ while(left > 0)
+ {
+ const size_t input_to_take = std::min(left, input_buf.size());
+ m_hash->update(input_buf.data(), input_to_take);
+ left -= input_to_take;
+ }
+
+ m_hash->final(hash_buf.data());
+ copy_mem(output_buf + generated, hash_buf.data(), output_this_pass);
+ generated += output_this_pass;
+ ++pass;
+ }
+
+ return iterations;
+ }
+
+}
diff --git a/src/lib/pbkdf/pgp_s2k/pgp_s2k.h b/src/lib/pbkdf/pgp_s2k/pgp_s2k.h
new file mode 100644
index 000000000..3d85ba306
--- /dev/null
+++ b/src/lib/pbkdf/pgp_s2k/pgp_s2k.h
@@ -0,0 +1,67 @@
+/*
+* OpenPGP PBKDF
+* (C) 1999-2007,2017 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_OPENPGP_S2K_H__
+#define BOTAN_OPENPGP_S2K_H__
+
+#include <botan/pbkdf.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+/**
+* OpenPGP's S2K
+*
+* See RFC 4880 sections 3.7.1.1, 3.7.1.2, and 3.7.1.3
+* If the salt is empty and iterations == 1, "simple" S2K is used
+* If the salt is non-empty and iterations == 1, "salted" S2K is used
+* If the salt is non-empty and iterations > 1, "iterated" S2K is used
+*
+* If iterations == 0 and msec.count() > 0, "iterated" S2K is assumed,
+* and the number of iterations performed is returned.
+*
+* Note that unlike PBKDF2, OpenPGP S2K's "iterations" are defined as
+* the number of bytes hashed.
+*/
+class BOTAN_DLL OpenPGP_S2K final : public PBKDF
+ {
+ public:
+ /**
+ * @param hash_in the hash function to use
+ */
+ explicit OpenPGP_S2K(HashFunction* hash) : m_hash(hash) {}
+
+ std::string name() const override
+ {
+ return "OpenPGP-S2K(" + m_hash->name() + ")";
+ }
+
+ PBKDF* clone() const
+ {
+ return new OpenPGP_S2K(m_hash->clone());
+ }
+
+ size_t pbkdf(uint8_t output_buf[], size_t output_len,
+ const std::string& passphrase,
+ const uint8_t salt[], size_t salt_len,
+ size_t iterations,
+ std::chrono::milliseconds msec) const override;
+
+ /**
+ * RFC 4880 encodes the iteration count to a single-byte value
+ */
+ static uint8_t encode_count(size_t iterations);
+
+ static size_t decode_count(uint8_t encoded_iter);
+
+ private:
+ std::unique_ptr<HashFunction> m_hash;
+ };
+
+}
+
+#endif
diff --git a/src/tests/data/pbkdf/pgp_s2k.vec b/src/tests/data/pbkdf/pgp_s2k.vec
new file mode 100644
index 000000000..21bac5343
--- /dev/null
+++ b/src/tests/data/pbkdf/pgp_s2k.vec
@@ -0,0 +1,67 @@
+[OpenPGP-S2K(SHA-160)]
+# Generated using Golang x/crypto/openpgp/s2k
+
+Salt =
+Iterations = 1
+Passphrase = hello
+Output = AAF4C61D
+
+Salt = 01020304
+Iterations = 1
+Passphrase = hello
+Output = 10295AC1
+
+Salt = 01020304
+Iterations = 1
+Passphrase = bar
+Output = BD8AAC6B9EA9CAE04EAE6A91C6133B58B5D9A61C14F355516ED9370456
+
+Salt = 04030201
+Iterations = 31
+Passphrase = bar
+Output = 2AF5A99B54F093789FD657F19BD245AF7604D0F6AE06F66602A46A08AE
+
+Salt = 2AE6E5831A717917
+Iterations = 65536
+Passphrase = ilikepie
+Output = A32F874A4CF95DFAD8359302B395455C
+
+Salt = 0102030405060708
+Iterations = 1
+Passphrase = passphrase
+Output = eec8929a31187dd3a9a7ce5a97d96a67706382bbef70fe3b2a3aeeaf176bce252c117970a51fd8b770a69f8ecb199505395bd7b0c0760d6a38ac82900b23fe3b
+
+Salt = 0102030405060708
+Iterations = 65536
+Passphrase = passphrase
+Output = 24ce08a4a31de2208acdc15347def7a63492d38a0c08f80533a746279d91cb25e1b6b740b09e20a4884ca1944d506eb200753761066e8d4b24957c2593388457
+
+Salt = 0102030405060708
+Iterations = 10000000
+Passphrase = passphrase
+Output = 09efbd3599e2453c6cf1749a7ed169514a12d1a721549468c6d0ef6737fa3e27ab6d100f9839694fc70c484a42b00ef87463d07e2aafb92033843a4bd5f37971
+
+[OpenPGP-S2K(SHA-384)]
+# Generated using Golang x/crypto/openpgp/s2k
+
+Salt = 0102030405060708
+Iterations = 1
+Passphrase = passphrase
+Output = ea024c2de8af9a3edfbac9422f7b17e17c3165147b43f4edd58b55af9a412d07e0631f431a7e0028fbb145d9d5e059a888f1a7526cd338b1b6082a8681b446fa
+
+Salt = 0102030405060708
+Iterations = 18
+Passphrase = passphrase
+Output = ea024c2de8af9a3edfbac9422f7b17e17c3165147b43f4edd58b55af9a412d07e0631f431a7e0028fbb145d9d5e059a888f1a7526cd338b1b6082a8681b446fa
+
+Salt = 0102030405060708
+Iterations = 19
+Passphrase = passphrase
+Output = 491aa377a1a9526d53b118587a03f85f5dc64568f3aabaad66aafc923397fb74d7017a6a4812bff2d9beddcbc6a0dbd3b96a3f9a69b637d68670acd48d4dfa4e
+
+Salt = 0102030405060708
+Iterations = 1000000
+Passphrase = passphrase
+Output = af4986488f4e53ac4f7991a0bb8de15441ba1070481fe63b126ff3de2e1072f568dd3d6c5887d008925d27649494ae6f4860e141d5eeabe4f93745ca9cb8e08c
+
+
diff --git a/src/tests/test_pbkdf.cpp b/src/tests/test_pbkdf.cpp
index bd2fd8f89..32144bd9b 100644
--- a/src/tests/test_pbkdf.cpp
+++ b/src/tests/test_pbkdf.cpp
@@ -18,15 +18,15 @@ namespace {
class PBKDF_KAT_Tests : public Text_Based_Test
{
public:
- PBKDF_KAT_Tests() : Text_Based_Test("pbkdf", "OutputLen,Iterations,Salt,Passphrase,Output") {}
+ PBKDF_KAT_Tests() : Text_Based_Test("pbkdf", "Iterations,Salt,Passphrase,Output", "OutputLen") {}
Test::Result run_one_test(const std::string& pbkdf_name, const VarMap& vars) override
{
- const size_t outlen = get_req_sz(vars, "OutputLen");
const size_t iterations = get_req_sz(vars, "Iterations");
const std::vector<uint8_t> salt = get_req_bin(vars, "Salt");
const std::string passphrase = get_req_str(vars, "Passphrase");
const std::vector<uint8_t> expected = get_req_bin(vars, "Output");
+ const size_t outlen = get_opt_sz(vars, "OutputLen", expected.size());
Test::Result result(pbkdf_name);
std::unique_ptr<Botan::PBKDF> pbkdf(Botan::PBKDF::create(pbkdf_name));