s2k_ossl.cpp - mozsearch

/*-

 * Copyright (c) 2021 Ribose Inc.

 * All rights reserved.

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED

 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS

 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

 * POSSIBILITY OF SUCH DAMAGE.

*/

#include <cstdint>

#include <vector>

#include <algorithm>

#include <openssl/evp.h>

#include "hash.hpp"

#include "s2k.h"

#include "mem.h"

#include "logging.h"

int

pgp_s2k_iterated(pgp_hash_alg_t alg,

                 uint8_t *      out,

                 size_t         output_len,

                 const char *   password,

                 const uint8_t *salt,

                 size_t         iterations)

    if ((iterations > 1) && !salt) {

        RNP_LOG("Iterated S2K mus be salted as well.");

        return 1;

    size_t hash_len = rnp::Hash::size(alg);

    if (!hash_len) {

        RNP_LOG("Unknown digest: %d", (int) alg);

        return 1;

    try {

        size_t pswd_len = strlen(password);

        size_t salt_len = salt ? PGP_SALT_SIZE : 0;

        rnp::secure_vector<uint8_t> data(salt_len + pswd_len);

        if (salt_len) {

            memcpy(data.data(), salt, PGP_SALT_SIZE);

        memcpy(data.data() + salt_len, password, pswd_len);

        size_t zeroes = 0;

        while (output_len) {

            /* create hash context */

            auto hash = rnp::Hash::create(alg);

            /* add leading zeroes */

            for (size_t z = 0; z < zeroes; z++) {

                uint8_t zero = 0;

                hash->add(&zero, 1);

            if (!data.empty()) {

                /* if iteration is 1 then still hash the whole data chunk */

                size_t left = std::max(data.size(), iterations);

                while (left) {

                    size_t to_hash = std::min(left, data.size());

                    hash->add(data.data(), to_hash);

                    left -= to_hash;

            rnp::secure_vector<uint8_t> dgst(hash_len);

            size_t                      out_cpy = std::min(dgst.size(), output_len);

            if (hash->finish(dgst.data()) != dgst.size()) {

                RNP_LOG("Unexpected digest size.");

                return 1;

            memcpy(out, dgst.data(), out_cpy);

            output_len -= out_cpy;

            out += out_cpy;

            zeroes++;

        return 0;

    } catch (const std::exception &e) {

        RNP_LOG("s2k failed: %s", e.what());

        return 1;