closed-social
/
gitea

// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package s2k implements the various OpenPGP string-to-key transforms as
// specified in RFC 4800 section 3.7.1.
package s2k // import "github.com/keybase/go-crypto/openpgp/s2k"

import (	"crypto"	"hash"	"io"	"strconv"
	"github.com/keybase/go-crypto/openpgp/errors")
// Config collects configuration parameters for s2k key-stretching
// transformatioms. A nil *Config is valid and results in all default
// values. Currently, Config is used only by the Serialize function in
// this package.
type Config struct {	// Hash is the default hash function to be used. If
	// nil, SHA1 is used.
	Hash crypto.Hash	// S2KCount is only used for symmetric encryption. It
	// determines the strength of the passphrase stretching when
	// the said passphrase is hashed to produce a key. S2KCount
	// should be between 1024 and 65011712, inclusive. If Config
	// is nil or S2KCount is 0, the value 65536 used. Not all
	// values in the above range can be represented. S2KCount will
	// be rounded up to the next representable value if it cannot
	// be encoded exactly. When set, it is strongly encrouraged to
	// use a value that is at least 65536. See RFC 4880 Section
	// 3.7.1.3.
	S2KCount int}
func (c *Config) hash() crypto.Hash {	if c == nil || uint(c.Hash) == 0 {		// SHA1 is the historical default in this package.
		return crypto.SHA1	}
	return c.Hash}
func (c *Config) encodedCount() uint8 {	if c == nil || c.S2KCount == 0 {		return 96 // The common case. Correspoding to 65536
	}
	i := c.S2KCount	switch {	// Behave like GPG. Should we make 65536 the lowest value used?
	case i < 1024:		i = 1024	case i > 65011712:		i = 65011712	}
	return encodeCount(i)}
// encodeCount converts an iterative "count" in the range 1024 to
// 65011712, inclusive, to an encoded count. The return value is the
// octet that is actually stored in the GPG file. encodeCount panics
// if i is not in the above range (encodedCount above takes care to
// pass i in the correct range). See RFC 4880 Section 3.7.7.1.
func encodeCount(i int) uint8 {	if i < 1024 || i > 65011712 {		panic("count arg i outside the required range")	}
	for encoded := 0; encoded < 256; encoded++ {		count := decodeCount(uint8(encoded))		if count >= i {			return uint8(encoded)		}	}
	return 255}
// decodeCount returns the s2k mode 3 iterative "count" corresponding to
// the encoded octet c.
func decodeCount(c uint8) int {	return (16 + int(c&15)) << (uint32(c>>4) + 6)}
// Simple writes to out the result of computing the Simple S2K function (RFC
// 4880, section 3.7.1.1) using the given hash and input passphrase.
func Simple(out []byte, h hash.Hash, in []byte) {	Salted(out, h, in, nil)}
var zero [1]byte
// Salted writes to out the result of computing the Salted S2K function (RFC
// 4880, section 3.7.1.2) using the given hash, input passphrase and salt.
func Salted(out []byte, h hash.Hash, in []byte, salt []byte) {	done := 0	var digest []byte
	for i := 0; done < len(out); i++ {		h.Reset()		for j := 0; j < i; j++ {			h.Write(zero[:])		}		h.Write(salt)		h.Write(in)		digest = h.Sum(digest[:0])		n := copy(out[done:], digest)		done += n	}}
// Iterated writes to out the result of computing the Iterated and Salted S2K
// function (RFC 4880, section 3.7.1.3) using the given hash, input passphrase,
// salt and iteration count.
func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) {	combined := make([]byte, len(in)+len(salt))	copy(combined, salt)	copy(combined[len(salt):], in)
	if count < len(combined) {		count = len(combined)	}
	done := 0	var digest []byte	for i := 0; done < len(out); i++ {		h.Reset()		for j := 0; j < i; j++ {			h.Write(zero[:])		}		written := 0		for written < count {			if written+len(combined) > count {				todo := count - written				h.Write(combined[:todo])				written = count			} else {				h.Write(combined)				written += len(combined)			}		}		digest = h.Sum(digest[:0])		n := copy(out[done:], digest)		done += n	}}
func parseGNUExtensions(r io.Reader) (f func(out, in []byte), err error) {	var buf [9]byte
	// A three-byte string identifier
	_, err = io.ReadFull(r, buf[:3])	if err != nil {		return	}	gnuExt := string(buf[:3])
	if gnuExt != "GNU" {		return nil, errors.UnsupportedError("Malformed GNU extension: " + gnuExt)	}	_, err = io.ReadFull(r, buf[:1])	if err != nil {		return	}	gnuExtType := int(buf[0])	switch gnuExtType {	case 1:		return nil, nil	case 2:		// Read a serial number, which is prefixed by a 1-byte length.
		// The maximum length is 16.
		var lenBuf [1]byte		_, err = io.ReadFull(r, lenBuf[:])		if err != nil {			return		}
		maxLen := 16		ivLen := int(lenBuf[0])		if ivLen > maxLen {			ivLen = maxLen		}		ivBuf := make([]byte, ivLen)		// For now we simply discard the IV
		_, err = io.ReadFull(r, ivBuf)		if err != nil {			return		}		return nil, nil	default:		return nil, errors.UnsupportedError("unknown S2K GNU protection mode: " + strconv.Itoa(int(gnuExtType)))	}}
// Parse reads a binary specification for a string-to-key transformation from r
// and returns a function which performs that transform.
func Parse(r io.Reader) (f func(out, in []byte), err error) {	var buf [9]byte
	_, err = io.ReadFull(r, buf[:2])	if err != nil {		return	}
	// GNU Extensions; handle them before we try to look for a hash, which won't
	// be needed in most cases anyway.
	if buf[0] == 101 {		return parseGNUExtensions(r)	}
	hash, ok := HashIdToHash(buf[1])	if !ok {		return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(buf[1])))	}	if !hash.Available() {		return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hash)))	}	h := hash.New()
	switch buf[0] {	case 0:		f := func(out, in []byte) {			Simple(out, h, in)		}		return f, nil	case 1:		_, err = io.ReadFull(r, buf[:8])		if err != nil {			return		}		f := func(out, in []byte) {			Salted(out, h, in, buf[:8])		}		return f, nil	case 3:		_, err = io.ReadFull(r, buf[:9])		if err != nil {			return		}		count := decodeCount(buf[8])		f := func(out, in []byte) {			Iterated(out, h, in, buf[:8], count)		}		return f, nil	}
	return nil, errors.UnsupportedError("S2K function")}
// Serialize salts and stretches the given passphrase and writes the
// resulting key into key. It also serializes an S2K descriptor to
// w. The key stretching can be configured with c, which may be
// nil. In that case, sensible defaults will be used.
func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte, c *Config) error {	var buf [11]byte	buf[0] = 3 /* iterated and salted */	buf[1], _ = HashToHashId(c.hash())	salt := buf[2:10]	if _, err := io.ReadFull(rand, salt); err != nil {		return err	}	encodedCount := c.encodedCount()	count := decodeCount(encodedCount)	buf[10] = encodedCount	if _, err := w.Write(buf[:]); err != nil {		return err	}
	Iterated(key, c.hash().New(), passphrase, salt, count)	return nil}
// hashToHashIdMapping contains pairs relating OpenPGP's hash identifier with
// Go's crypto.Hash type. See RFC 4880, section 9.4.
var hashToHashIdMapping = []struct {	id   byte	hash crypto.Hash	name string}{	{1, crypto.MD5, "MD5"},	{2, crypto.SHA1, "SHA1"},	{3, crypto.RIPEMD160, "RIPEMD160"},	{8, crypto.SHA256, "SHA256"},	{9, crypto.SHA384, "SHA384"},	{10, crypto.SHA512, "SHA512"},	{11, crypto.SHA224, "SHA224"},}
// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
// hash id.
func HashIdToHash(id byte) (h crypto.Hash, ok bool) {	for _, m := range hashToHashIdMapping {		if m.id == id {			return m.hash, true		}	}	return 0, false}
// HashIdToString returns the name of the hash function corresponding to the
// given OpenPGP hash id, or panics if id is unknown.
func HashIdToString(id byte) (name string, ok bool) {	for _, m := range hashToHashIdMapping {		if m.id == id {			return m.name, true		}	}
	return "", false}
// HashIdToHash returns an OpenPGP hash id which corresponds the given Hash.
func HashToHashId(h crypto.Hash) (id byte, ok bool) {	for _, m := range hashToHashIdMapping {		if m.hash == h {			return m.id, true		}	}	return 0, false}