GnuPG S2K Iterated+Salted Discrepancy

Keith Ray aphex at
Sat Jan 20 20:12:25 CET 2001

I was reading through the S2K code and I seem to have found a discrepancy with 
regard to the OpenPGP standard.  When creating an iterated+salted key, if the 
size of the pw+salt is larger than the number of octets needed on the last 
iteration, the entire pw+salt should be used even though it exceeds the octets 
needed.  Both commercial PGP v7 and GnuPG 1.0.4 only use the exact amount of 
the pw+salt needed.

Am I reading this wrong or are they indeed different?

OpenPGP - Iterated and Salted S2K
   Initially, one or more hash contexts are set up as with the other S2K
   algorithms, depending on how many octets of key data are needed.
   Then the salt, followed by the passphrase data is repeatedly hashed
   until the number of octets specified by the octet count has been
   hashed.  The one exception is that if the octet count is less than
   the size of the salt plus passphrase, the full salt plus passphrase
   will be hashed even though that is greater than the octet count.

        int pwlen = strlen(pw);
        int len2 = pwlen + 8;
        count = (16ul + (s2k->count & 15)) << ((s2k->count >> 4) + 6);
        while( count > len2 ) { /* maybe iterated+salted */
        md_write( md, s2k->salt, 8 );
        md_write( md, pw, pwlen );
        count -= len2;
        if( count < 8 )
        md_write( md, s2k->salt, count );
        else {
        md_write( md, s2k->salt, 8 );
        count -= 8;
                md_write( md, pw, count );
Keith Ray                                          aphex at
PGP - 0xAE1B3529 - 8227 60E5 BAA5 9461 CAB3 A6F2 4DFE F573 AE1B 3529

More information about the Gnupg-devel mailing list