@@ -132,12 +132,10 @@ calc_s2k_iter_salted(PGP_S2K *s2k, PX_MD *md, const uint8 *key,
132
132
unsigned preload = 0 ;
133
133
unsigned remain ,
134
134
c ,
135
- cval ,
136
135
curcnt ,
137
136
count ;
138
137
139
- cval = s2k -> iter ;
140
- count = ((unsigned ) 16 + (cval & 15 )) << ((cval >> 4 ) + 6 );
138
+ count = s2k_decode_count (s2k -> iter );
141
139
142
140
md_rlen = px_md_result_size (md );
143
141
@@ -195,21 +193,34 @@ calc_s2k_iter_salted(PGP_S2K *s2k, PX_MD *md, const uint8 *key,
195
193
}
196
194
197
195
/*
198
- * Decide S2K_ISALTED iteration count
196
+ * Decide PGP_S2K_ISALTED iteration count (in OpenPGP one-byte representation)
199
197
*
200
198
* Too small: weak
201
199
* Too big: slow
202
200
* gpg defaults to 96 => 65536 iters
203
- * let it float a bit: 96 + 32 => 262144 iters
201
+ *
202
+ * For our default (count=-1) we let it float a bit: 96 + 32 => between 65536
203
+ * and 262144 iterations.
204
+ *
205
+ * Otherwise, find the smallest number which provides at least the specified
206
+ * iteration count.
204
207
*/
205
- static int
206
- decide_count (unsigned rand_byte )
208
+ static uint8
209
+ decide_s2k_iter (unsigned rand_byte , int count )
207
210
{
208
- return 96 + (rand_byte & 0x1F );
211
+ int iter ;
212
+
213
+ if (count == -1 )
214
+ return 96 + (rand_byte & 0x1F );
215
+ /* this is a bit brute-force, but should be quick enough */
216
+ for (iter = 0 ; iter <= 255 ; iter ++ )
217
+ if (s2k_decode_count (iter ) >= count )
218
+ return iter ;
219
+ return 255 ;
209
220
}
210
221
211
222
int
212
- pgp_s2k_fill (PGP_S2K * s2k , int mode , int digest_algo )
223
+ pgp_s2k_fill (PGP_S2K * s2k , int mode , int digest_algo , int count )
213
224
{
214
225
int res = 0 ;
215
226
uint8 tmp ;
@@ -219,19 +230,19 @@ pgp_s2k_fill(PGP_S2K *s2k, int mode, int digest_algo)
219
230
220
231
switch (s2k -> mode )
221
232
{
222
- case 0 :
233
+ case PGP_S2K_SIMPLE :
223
234
break ;
224
- case 1 :
235
+ case PGP_S2K_SALTED :
225
236
res = px_get_pseudo_random_bytes (s2k -> salt , PGP_S2K_SALT );
226
237
break ;
227
- case 3 :
238
+ case PGP_S2K_ISALTED :
228
239
res = px_get_pseudo_random_bytes (s2k -> salt , PGP_S2K_SALT );
229
240
if (res < 0 )
230
241
break ;
231
242
res = px_get_pseudo_random_bytes (& tmp , 1 );
232
243
if (res < 0 )
233
244
break ;
234
- s2k -> iter = decide_count (tmp );
245
+ s2k -> iter = decide_s2k_iter (tmp , count );
235
246
break ;
236
247
default :
237
248
res = PXE_PGP_BAD_S2K_MODE ;
0 commit comments