Rename S2K to PBKDF, because that is by far the most common name - S2K

really is only used by OpenPGP, and largely it was named S2K here
because the OpenPGP S2K was implemented years before the ones in PKCS
#5. We have a typedef of PBKDF to S2K, and an inlined get_s2k that
calls get_pbkdf for source compatability.

There doesn't seem to be any reason to have a forward for the renamed
s2k.h header - to actually use a PBKDF, you'd have to either include
lookup.h and call get_s2k / get_pbkdf, or else include an
algorithm-specific header and use it directly. In either case,
including s2k.h is neither necessary nor sufficient.

11 files changed, 406 insertions, 0 deletions

diff --git a/src/pbkdf/info.txt b/src/pbkdf/info.txt
new file mode 100644
index 000000000..861b6f760
--- /dev/null
+++ b/src/pbkdf/info.txt
@@ -0,0 +1,3 @@
+<requires>
+sym_algo
+</requires>
diff --git a/src/pbkdf/pbkdf.h b/src/pbkdf/pbkdf.h
new file mode 100644
index 000000000..eaad1fca9
--- /dev/null
+++ b/src/pbkdf/pbkdf.h
@@ -0,0 +1,68 @@
+/*
+* PBKDF
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_PBKDF_H__
+#define BOTAN_PBKDF_H__
+
+#include <botan/symkey.h>
+
+namespace Botan {
+
+/**
+* Base class for PBKDF (password based key derivation function)
+* implementations. Converts a password into a key using a salt
+* and iterated hashing to make brute force attacks harder.
+*/
+class BOTAN_DLL PBKDF
+   {
+   public:
+
+      /**
+      * @return new instance of this same algorithm
+      */
+      virtual PBKDF* clone() const = 0;
+
+      /**
+      * Get the algorithm name.
+      * @return name of this PBKDF algorithm
+      */
+      virtual std::string name() const = 0;
+
+      /**
+      * Clear this objects internal values.
+      */
+      virtual void clear() {}
+
+      /**
+      * Derive a key from a passphrase with this PBKDF object. It will use
+      * the salt value and number of iterations configured in this object.
+      * @param output_len the desired length of the key to produce
+      * @param passphrase the password to derive the key from
+      * @param salt the randomly chosen salt
+      * @param salt_len length of salt in bytes
+      * @param iterations the number of iterations to use (use 10K or more)
+      */
+      virtual OctetString derive_key(u32bit output_len,
+                                     const std::string& passphrase,
+                                     const byte salt[], u32bit salt_len,
+                                     u32bit iterations) const = 0;
+
+      PBKDF() {}
+      virtual ~PBKDF() {}
+   private:
+      PBKDF(const PBKDF&) {}
+      PBKDF& operator=(const PBKDF&) { return (*this); }
+   };
+
+/**
+* For compatability with 1.8
+*/
+typedef PBKDF S2K;
+
+}
+
+#endif
diff --git a/src/pbkdf/pbkdf1/info.txt b/src/pbkdf/pbkdf1/info.txt
new file mode 100644
index 000000000..e51b44886
--- /dev/null
+++ b/src/pbkdf/pbkdf1/info.txt
@@ -0,0 +1,5 @@
+define PBKDF1
+
+<requires>
+hash
+</requires>
diff --git a/src/pbkdf/pbkdf1/pbkdf1.cpp b/src/pbkdf/pbkdf1/pbkdf1.cpp
new file mode 100644
index 000000000..02d2c6cc0
--- /dev/null
+++ b/src/pbkdf/pbkdf1/pbkdf1.cpp
@@ -0,0 +1,40 @@
+/*
+* PBKDF1
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/pbkdf1.h>
+#include <botan/exceptn.h>
+
+namespace Botan {
+
+/*
+* Return a PKCS#5 PBKDF1 derived key
+*/
+OctetString PKCS5_PBKDF1::derive_key(u32bit key_len,
+                                     const std::string& passphrase,
+                                     const byte salt[], u32bit salt_size,
+                                     u32bit iterations) const
+   {
+   if(iterations == 0)
+      throw Invalid_Argument("PKCS5_PBKDF1: Invalid iteration count");
+
+   if(key_len > hash->OUTPUT_LENGTH)
+      throw Invalid_Argument("PKCS5_PBKDF1: Requested output length too long");
+
+   hash->update(passphrase);
+   hash->update(salt, salt_size);
+   SecureVector<byte> key = hash->final();
+
+   for(u32bit j = 1; j != iterations; ++j)
+      {
+      hash->update(key);
+      hash->final(key);
+      }
+
+   return OctetString(key, std::min(key_len, key.size()));
+   }
+
+}
diff --git a/src/pbkdf/pbkdf1/pbkdf1.h b/src/pbkdf/pbkdf1/pbkdf1.h
new file mode 100644
index 000000000..d10536f7e
--- /dev/null
+++ b/src/pbkdf/pbkdf1/pbkdf1.h
@@ -0,0 +1,59 @@
+/*
+* PBKDF1
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_PBKDF1_H__
+#define BOTAN_PBKDF1_H__
+
+#include <botan/pbkdf.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+/**
+* PKCS #5 v1 PBKDF, aka PBKDF1
+* Can only generate a key up to the size of the hash output.
+* Unless needed for backwards compatability, use PKCS5_PBKDF2
+*/
+class BOTAN_DLL PKCS5_PBKDF1 : public PBKDF
+   {
+   public:
+      /**
+      * Create a PKCS #5 instance using the specified hash function.
+      * @param hash_in pointer to a hash function object to use
+      */
+      PKCS5_PBKDF1(HashFunction* hash_in) : hash(hash_in) {}
+
+      /**
+      * Copy constructor
+      * @param other the object to copy
+      */
+      PKCS5_PBKDF1(const PKCS5_PBKDF1& other) :
+         PBKDF(), hash(other.hash->clone()) {}
+
+      ~PKCS5_PBKDF1() { delete hash; }
+
+      std::string name() const
+         {
+         return "PBKDF1(" + hash->name() + ")";
+         }
+
+      PBKDF* clone() const
+         {
+         return new PKCS5_PBKDF1(hash->clone());
+         }
+
+      OctetString derive_key(u32bit output_len,
+                             const std::string& passphrase,
+                             const byte salt[], u32bit salt_len,
+                             u32bit iterations) const;
+   private:
+      HashFunction* hash;
+   };
+
+}
+
+#endif
diff --git a/src/pbkdf/pbkdf2/info.txt b/src/pbkdf/pbkdf2/info.txt
new file mode 100644
index 000000000..5462b2e1b
--- /dev/null
+++ b/src/pbkdf/pbkdf2/info.txt
@@ -0,0 +1,5 @@
+define PBKDF2
+
+<requires>
+mac
+</requires>
diff --git a/src/pbkdf/pbkdf2/pbkdf2.cpp b/src/pbkdf/pbkdf2/pbkdf2.cpp
new file mode 100644
index 000000000..e88a5749a
--- /dev/null
+++ b/src/pbkdf/pbkdf2/pbkdf2.cpp
@@ -0,0 +1,62 @@
+/*
+* PBKDF2
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/pbkdf2.h>
+#include <botan/get_byte.h>
+#include <botan/internal/xor_buf.h>
+
+namespace Botan {
+
+/*
+* Return a PKCS #5 PBKDF2 derived key
+*/
+OctetString PKCS5_PBKDF2::derive_key(u32bit key_len,
+                                     const std::string& passphrase,
+                                     const byte salt[], u32bit salt_size,
+                                     u32bit iterations) const
+   {
+   if(iterations == 0)
+      throw Invalid_Argument("PKCS#5 PBKDF2: Invalid iteration count");
+
+   if(passphrase.length() == 0)
+      throw Invalid_Argument("PKCS#5 PBKDF2: Empty passphrase is invalid");
+
+   mac->set_key(reinterpret_cast<const byte*>(passphrase.data()),
+                passphrase.length());
+
+   SecureVector<byte> key(key_len);
+
+   byte* T = key.begin();
+
+   u32bit counter = 1;
+   while(key_len)
+      {
+      u32bit T_size = std::min(mac->OUTPUT_LENGTH, key_len);
+      SecureVector<byte> U(mac->OUTPUT_LENGTH);
+
+      mac->update(salt, salt_size);
+      for(u32bit j = 0; j != 4; ++j)
+         mac->update(get_byte(j, counter));
+      mac->final(U);
+      xor_buf(T, U, T_size);
+
+      for(u32bit j = 1; j != iterations; ++j)
+         {
+         mac->update(U);
+         mac->final(U);
+         xor_buf(T, U, T_size);
+         }
+
+      key_len -= T_size;
+      T += T_size;
+      ++counter;
+      }
+
+   return key;
+   }
+
+}
diff --git a/src/pbkdf/pbkdf2/pbkdf2.h b/src/pbkdf/pbkdf2/pbkdf2.h
new file mode 100644
index 000000000..2b25a7b1d
--- /dev/null
+++ b/src/pbkdf/pbkdf2/pbkdf2.h
@@ -0,0 +1,53 @@
+/*
+* PBKDF2
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_PBKDF2_H__
+#define BOTAN_PBKDF2_H__
+
+#include <botan/pbkdf.h>
+#include <botan/mac.h>
+
+namespace Botan {
+
+/**
+* PKCS #5 PBKDF2
+*/
+class BOTAN_DLL PKCS5_PBKDF2 : public PBKDF
+   {
+   public:
+      std::string name() const
+         {
+         return "PBKDF2(" + mac->name() + ")";
+         }
+
+      PBKDF* clone() const
+         {
+         return new PKCS5_PBKDF2(mac->clone());
+         }
+
+      OctetString derive_key(u32bit output_len,
+                             const std::string& passphrase,
+                             const byte salt[], u32bit salt_len,
+                             u32bit iterations) const;
+
+      /**
+      * Create a PKCS #5 instance using the specified message auth code
+      * @param mac the MAC to use
+      */
+      PKCS5_PBKDF2(MessageAuthenticationCode* m) : mac(m) {}
+
+      /**
+      * Destructor
+      */
+      ~PKCS5_PBKDF2() { delete mac; }
+   private:
+      MessageAuthenticationCode* mac;
+   };
+
+}
+
+#endif
diff --git a/src/pbkdf/pgps2k/info.txt b/src/pbkdf/pgps2k/info.txt
new file mode 100644
index 000000000..8be9c79f8
--- /dev/null
+++ b/src/pbkdf/pgps2k/info.txt
@@ -0,0 +1,5 @@
+define PGPS2K
+
+<requires>
+hash
+</requires>
diff --git a/src/pbkdf/pgps2k/pgp_s2k.cpp b/src/pbkdf/pgps2k/pgp_s2k.cpp
new file mode 100644
index 000000000..db18adaf1
--- /dev/null
+++ b/src/pbkdf/pgps2k/pgp_s2k.cpp
@@ -0,0 +1,57 @@
+/*
+* OpenPGP S2K
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/pgp_s2k.h>
+
+namespace Botan {
+
+/*
+* Derive a key using the OpenPGP S2K algorithm
+*/
+OctetString OpenPGP_S2K::derive_key(u32bit key_len,
+                                    const std::string& passphrase,
+                                    const byte salt_buf[], u32bit salt_size,
+                                    u32bit iterations) const
+   {
+   SecureVector<byte> key(key_len), hash_buf;
+
+   u32bit pass = 0, generated = 0,
+          total_size = passphrase.size() + salt_size;
+   u32bit to_hash = std::max(iterations, total_size);
+
+   hash->clear();
+   while(key_len > generated)
+      {
+      for(u32bit j = 0; j != pass; ++j)
+         hash->update(0);
+
+      u32bit left = to_hash;
+      while(left >= total_size)
+         {
+         hash->update(salt_buf, salt_size);
+         hash->update(passphrase);
+         left -= total_size;
+         }
+      if(left <= salt_size)
+         hash->update(salt_buf, left);
+      else
+         {
+         hash->update(salt_buf, salt_size);
+         left -= salt_size;
+         hash->update(reinterpret_cast<const byte*>(passphrase.data()), left);
+         }
+
+      hash_buf = hash->final();
+      key.copy(generated, hash_buf, hash->OUTPUT_LENGTH);
+      generated += hash->OUTPUT_LENGTH;
+      ++pass;
+      }
+
+   return key;
+   }
+
+}
diff --git a/src/pbkdf/pgps2k/pgp_s2k.h b/src/pbkdf/pgps2k/pgp_s2k.h
new file mode 100644
index 000000000..9fb09af5a
--- /dev/null
+++ b/src/pbkdf/pgps2k/pgp_s2k.h
@@ -0,0 +1,49 @@
+/*
+* OpenPGP PBKDF
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_OPENPGP_S2K_H__
+#define BOTAN_OPENPGP_S2K_H__
+
+#include <botan/pbkdf.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+/**
+* OpenPGP's S2K
+*/
+class BOTAN_DLL OpenPGP_S2K : public PBKDF
+   {
+   public:
+      /**
+      * @param hash_in the hash function to use
+      */
+      OpenPGP_S2K(HashFunction* hash_in) : hash(hash_in) {}
+
+      ~OpenPGP_S2K() { delete hash; }
+
+      std::string name() const
+         {
+         return "OpenPGP-S2K(" + hash->name() + ")";
+         }
+
+      PBKDF* clone() const
+         {
+         return new OpenPGP_S2K(hash->clone());
+         }
+
+      OctetString derive_key(u32bit output_len,
+                             const std::string& passphrase,
+                             const byte salt[], u32bit salt_len,
+                             u32bit iterations) const;
+   private:
+      HashFunction* hash;
+   };
+
+}
+
+#endif