diff options
author | Jack Lloyd <[email protected]> | 2017-05-27 08:46:15 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-05-27 08:46:15 -0400 |
commit | ce5253938fd5df031db1ee1cb7443c685fd8746e (patch) | |
tree | 8a2ffdb067d589d30678e931c101f461c085431c /src | |
parent | 360769bc65057ac44013f93a25ff9a06d971acae (diff) |
Document that timed calibration is not available for PGP-S2K
Made a try at implementing it but its a huge pain due to the
combination of the iteration count being the byte count and that
we have to end on exactly an encodable iteration count.
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp | 55 | ||||
-rw-r--r-- | src/lib/pbkdf/pgp_s2k/pgp_s2k.h | 7 |
2 files changed, 51 insertions, 11 deletions
diff --git a/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp b/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp index d8b5d770e..7677c4e96 100644 --- a/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp +++ b/src/lib/pbkdf/pgp_s2k/pgp_s2k.cpp @@ -9,6 +9,46 @@ namespace Botan { +/* +PGP stores the iteration count as a single byte +Thus it can only actually take on one of 256 values, based on the +formula in RFC 4880 section 3.6.1.3 +*/ +static const uint32_t OPENPGP_S2K_ITERS[256] = { + 1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, + 1664, 1728, 1792, 1856, 1920, 1984, 2048, 2176, 2304, 2432, + 2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712, + 3840, 3968, 4096, 4352, 4608, 4864, 5120, 5376, 5632, 5888, + 6144, 6400, 6656, 6912, 7168, 7424, 7680, 7936, 8192, 8704, + 9216, 9728, 10240, 10752, 11264, 11776, 12288, 12800, 13312, + 13824, 14336, 14848, 15360, 15872, 16384, 17408, 18432, 19456, + 20480, 21504, 22528, 23552, 24576, 25600, 26624, 27648, 28672, + 29696, 30720, 31744, 32768, 34816, 36864, 38912, 40960, 43008, + 45056, 47104, 49152, 51200, 53248, 55296, 57344, 59392, 61440, + 63488, 65536, 69632, 73728, 77824, 81920, 86016, 90112, 94208, + 98304, 102400, 106496, 110592, 114688, 118784, 122880, 126976, + 131072, 139264, 147456, 155648, 163840, 172032, 180224, 188416, + 196608, 204800, 212992, 221184, 229376, 237568, 245760, 253952, + 262144, 278528, 294912, 311296, 327680, 344064, 360448, 376832, + 393216, 409600, 425984, 442368, 458752, 475136, 491520, 507904, + 524288, 557056, 589824, 622592, 655360, 688128, 720896, 753664, + 786432, 819200, 851968, 884736, 917504, 950272, 983040, 1015808, + 1048576, 1114112, 1179648, 1245184, 1310720, 1376256, 1441792, + 1507328, 1572864, 1638400, 1703936, 1769472, 1835008, 1900544, + 1966080, 2031616, 2097152, 2228224, 2359296, 2490368, 2621440, + 2752512, 2883584, 3014656, 3145728, 3276800, 3407872, 3538944, + 3670016, 3801088, 3932160, 4063232, 4194304, 4456448, 4718592, + 4980736, 5242880, 5505024, 5767168, 6029312, 6291456, 6553600, + 6815744, 7077888, 7340032, 7602176, 7864320, 8126464, 8388608, + 8912896, 9437184, 9961472, 10485760, 11010048, 11534336, + 12058624, 12582912, 13107200, 13631488, 14155776, 14680064, + 15204352, 15728640, 16252928, 16777216, 17825792, 18874368, + 19922944, 20971520, 22020096, 23068672, 24117248, 25165824, + 26214400, 27262976, 28311552, 29360128, 30408704, 31457280, + 32505856, 33554432, 35651584, 37748736, 39845888, 41943040, + 44040192, 46137344, 48234496, 50331648, 52428800, 54525952, + 56623104, 58720256, 60817408, 62914560, 65011712 }; + //static uint8_t OpenPGP_S2K::encode_count(size_t desired_iterations) { @@ -17,17 +57,18 @@ uint8_t OpenPGP_S2K::encode_count(size_t desired_iterations) */ for(size_t c = 0; c < 256; ++c) { - size_t decoded_iter = OpenPGP_S2K::decode_count(c); + size_t decoded_iter = OPENPGP_S2K_ITERS[c]; if(decoded_iter >= desired_iterations) return c; } + + return 255; } //static size_t OpenPGP_S2K::decode_count(uint8_t iter) { - // See RFC 4880 section 3.7.1.3 - return (16 + (iter & 0x0F)) << ((iter >> 4) + 6); + return OPENPGP_S2K_ITERS[iter]; } size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len, @@ -51,11 +92,6 @@ size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len, passphrase.size()); } - /* - The input is always fully processed even if iterations is very small - */ - const size_t to_hash = std::max(iterations, input_buf.size()); - secure_vector<uint8_t> hash_buf(m_hash->output_length()); size_t pass = 0; @@ -70,7 +106,8 @@ size_t OpenPGP_S2K::pbkdf(uint8_t output_buf[], size_t output_len, std::vector<uint8_t> zero_padding(pass); m_hash->update(zero_padding); - size_t left = to_hash; + // The input is always fully processed even if iterations is very small + size_t left = std::max(iterations, input_buf.size()); while(left > 0) { const size_t input_to_take = std::min(left, input_buf.size()); diff --git a/src/lib/pbkdf/pgp_s2k/pgp_s2k.h b/src/lib/pbkdf/pgp_s2k/pgp_s2k.h index 3d85ba306..7d8e60a82 100644 --- a/src/lib/pbkdf/pgp_s2k/pgp_s2k.h +++ b/src/lib/pbkdf/pgp_s2k/pgp_s2k.h @@ -21,8 +21,11 @@ namespace Botan { * If the salt is non-empty and iterations == 1, "salted" S2K is used * If the salt is non-empty and iterations > 1, "iterated" S2K is used * -* If iterations == 0 and msec.count() > 0, "iterated" S2K is assumed, -* and the number of iterations performed is returned. +* Due to complexities of the PGP S2K algorithm, time-based derivation +* is not supported. So if iterations == 0 and msec.count() > 0, an +* exception is thrown. In the future this may be supported, in which +* case "iterated" S2K will be used and the number of iterations +* performed is returned. * * Note that unlike PBKDF2, OpenPGP S2K's "iterations" are defined as * the number of bytes hashed. |