GnuPG S2K Iterated+Salted Discrepancy
Keith Ray
aphex at nullify.org
Sat Jan 20 20:12:25 CET 2001
I was reading through the S2K code and I seem to have found a discrepancy with
regard to the OpenPGP standard. When creating an iterated+salted key, if the
size of the pw+salt is larger than the number of octets needed on the last
iteration, the entire pw+salt should be used even though it exceeds the octets
needed. Both commercial PGP v7 and GnuPG 1.0.4 only use the exact amount of
the pw+salt needed.
Am I reading this wrong or are they indeed different?
OpenPGP - 3.6.1.3. Iterated and Salted S2K
Initially, one or more hash contexts are set up as with the other S2K
algorithms, depending on how many octets of key data are needed.
Then the salt, followed by the passphrase data is repeatedly hashed
until the number of octets specified by the octet count has been
hashed. The one exception is that if the octet count is less than
the size of the salt plus passphrase, the full salt plus passphrase
will be hashed even though that is greater than the octet count.
gnupg-1.0.4/g10/passphrase.c
int pwlen = strlen(pw);
---
int len2 = pwlen + 8;
---
count = (16ul + (s2k->count & 15)) << ((s2k->count >> 4) + 6);
---
while( count > len2 ) { /* maybe iterated+salted */
md_write( md, s2k->salt, 8 );
md_write( md, pw, pwlen );
count -= len2;
}
if( count < 8 )
md_write( md, s2k->salt, count );
else {
md_write( md, s2k->salt, 8 );
count -= 8;
md_write( md, pw, count );
}
--------------------------------------------------------------------
Keith Ray aphex at nullify.org
http://www.nullify.org
PGP - 0xAE1B3529 - 8227 60E5 BAA5 9461 CAB3 A6F2 4DFE F573 AE1B 3529
More information about the Gnupg-devel
mailing list