3 * OpenPGP string2key functions.
5 * Copyright (c) 2005 Marko Kreen
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * contrib/pgcrypto/pgp-s2k.c
38 calc_s2k_simple(PGP_S2K
*s2k
, PX_MD
*md
, const uint8
*key
,
42 uint8 buf
[PGP_MAX_DIGEST
];
45 uint8
*dst
= s2k
->key
;
47 md_rlen
= px_md_result_size(md
);
49 remain
= s2k
->key_len
;
57 memset(buf
, 0, preload
);
58 px_md_update(md
, buf
, preload
);
62 px_md_update(md
, key
, key_len
);
63 px_md_finish(md
, buf
);
67 memcpy(dst
, buf
, md_rlen
);
73 memcpy(dst
, buf
, remain
);
77 px_memset(buf
, 0, sizeof(buf
));
82 calc_s2k_salted(PGP_S2K
*s2k
, PX_MD
*md
, const uint8
*key
, unsigned key_len
)
85 uint8 buf
[PGP_MAX_DIGEST
];
90 md_rlen
= px_md_result_size(md
);
93 remain
= s2k
->key_len
;
100 memset(buf
, 0, preload
);
101 px_md_update(md
, buf
, preload
);
105 px_md_update(md
, s2k
->salt
, PGP_S2K_SALT
);
106 px_md_update(md
, key
, key_len
);
107 px_md_finish(md
, buf
);
109 if (remain
> md_rlen
)
111 memcpy(dst
, buf
, md_rlen
);
117 memcpy(dst
, buf
, remain
);
121 px_memset(buf
, 0, sizeof(buf
));
126 calc_s2k_iter_salted(PGP_S2K
*s2k
, PX_MD
*md
, const uint8
*key
,
130 uint8 buf
[PGP_MAX_DIGEST
];
132 unsigned preload
= 0;
138 count
= s2k_decode_count(s2k
->iter
);
140 md_rlen
= px_md_result_size(md
);
142 remain
= s2k
->key_len
;
150 memset(buf
, 0, preload
);
151 px_md_update(md
, buf
, preload
);
155 px_md_update(md
, s2k
->salt
, PGP_S2K_SALT
);
156 px_md_update(md
, key
, key_len
);
157 curcnt
= PGP_S2K_SALT
+ key_len
;
159 while (curcnt
< count
)
161 if (curcnt
+ PGP_S2K_SALT
< count
)
165 px_md_update(md
, s2k
->salt
, c
);
168 if (curcnt
+ key_len
< count
)
170 else if (curcnt
< count
)
174 px_md_update(md
, key
, c
);
177 px_md_finish(md
, buf
);
179 if (remain
> md_rlen
)
181 memcpy(dst
, buf
, md_rlen
);
187 memcpy(dst
, buf
, remain
);
191 px_memset(buf
, 0, sizeof(buf
));
196 * Decide PGP_S2K_ISALTED iteration count (in OpenPGP one-byte representation)
200 * gpg defaults to 96 => 65536 iters
202 * For our default (count=-1) we let it float a bit: 96 + 32 => between 65536
203 * and 262144 iterations.
205 * Otherwise, find the smallest number which provides at least the specified
209 decide_s2k_iter(unsigned rand_byte
, int count
)
214 return 96 + (rand_byte
& 0x1F);
215 /* this is a bit brute-force, but should be quick enough */
216 for (iter
= 0; iter
<= 255; iter
++)
217 if (s2k_decode_count(iter
) >= count
)
223 pgp_s2k_fill(PGP_S2K
*s2k
, int mode
, int digest_algo
, int count
)
229 s2k
->digest_algo
= digest_algo
;
236 if (!pg_strong_random(s2k
->salt
, PGP_S2K_SALT
))
237 return PXE_NO_RANDOM
;
239 case PGP_S2K_ISALTED
:
240 if (!pg_strong_random(s2k
->salt
, PGP_S2K_SALT
))
241 return PXE_NO_RANDOM
;
242 if (!pg_strong_random(&tmp
, 1))
243 return PXE_NO_RANDOM
;
244 s2k
->iter
= decide_s2k_iter(tmp
, count
);
247 res
= PXE_PGP_BAD_S2K_MODE
;
253 pgp_s2k_read(PullFilter
*src
, PGP_S2K
*s2k
)
257 GETBYTE(src
, s2k
->mode
);
258 GETBYTE(src
, s2k
->digest_algo
);
264 res
= pullf_read_fixed(src
, 8, s2k
->salt
);
267 res
= pullf_read_fixed(src
, 8, s2k
->salt
);
270 GETBYTE(src
, s2k
->iter
);
273 res
= PXE_PGP_BAD_S2K_MODE
;
279 pgp_s2k_process(PGP_S2K
*s2k
, int cipher
, const uint8
*key
, int key_len
)
284 s2k
->key_len
= pgp_get_cipher_key_size(cipher
);
285 if (s2k
->key_len
<= 0)
286 return PXE_PGP_UNSUPPORTED_CIPHER
;
288 res
= pgp_load_digest(s2k
->digest_algo
, &md
);
295 res
= calc_s2k_simple(s2k
, md
, key
, key_len
);
298 res
= calc_s2k_salted(s2k
, md
, key
, key_len
);
301 res
= calc_s2k_iter_salted(s2k
, md
, key
, key_len
);
304 res
= PXE_PGP_BAD_S2K_MODE
;