blob: da926a76ed28a3c1b5dc9ee1c2e35cfa34d87249 [file] [log] [blame] [edit]
// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package s2k implements the various OpenPGP string-to-key transforms as
// specified in RFC 4800 section 3.7.1.
package s2k
import (
// Simple writes to out the result of computing the Simple S2K function (RFC
// 4880, section using the given hash and input passphrase.
func Simple(out []byte, h hash.Hash, in []byte) {
Salted(out, h, in, nil)
var zero [1]byte
// Salted writes to out the result of computing the Salted S2K function (RFC
// 4880, section using the given hash, input passphrase and salt.
func Salted(out []byte, h hash.Hash, in []byte, salt []byte) {
done := 0
for i := 0; done < len(out); i++ {
for j := 0; j < i; j++ {
n := copy(out[done:], h.Sum())
done += n
// Iterated writes to out the result of computing the Iterated and Salted S2K
// function (RFC 4880, section using the given hash, input passphrase,
// salt and iteration count.
func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) {
combined := make([]byte, len(in)+len(salt))
copy(combined, salt)
copy(combined[len(salt):], in)
if count < len(combined) {
count = len(combined)
done := 0
for i := 0; done < len(out); i++ {
for j := 0; j < i; j++ {
written := 0
for written < count {
if written+len(combined) > count {
todo := count - written
written = count
} else {
written += len(combined)
n := copy(out[done:], h.Sum())
done += n
// Parse reads a binary specification for a string-to-key transformation from r
// and returns a function which performs that transform.
func Parse(r io.Reader) (f func(out, in []byte), err os.Error) {
var buf [9]byte
_, err = io.ReadFull(r, buf[:2])
if err != nil {
hash, ok := HashIdToHash(buf[1])
if !ok {
return nil, error.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(buf[1])))
h := hash.New()
if h == nil {
return nil, error.UnsupportedError("hash not available: " + strconv.Itoa(int(hash)))
switch buf[0] {
case 1:
f := func(out, in []byte) {
Simple(out, h, in)
return f, nil
case 2:
_, err := io.ReadFull(r, buf[:8])
if err != nil {
f := func(out, in []byte) {
Salted(out, h, in, buf[:8])
return f, nil
case 3:
_, err := io.ReadFull(r, buf[:9])
if err != nil {
count := (16 + int(buf[8]&15)) << (uint32(buf[8]>>4) + 6)
f := func(out, in []byte) {
Iterated(out, h, in, buf[:8], count)
return f, nil
return nil, error.UnsupportedError("S2K function")
// Serialize salts and stretches the given passphrase and writes the resulting
// key into key. It also serializes an S2K descriptor to w.
func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte) os.Error {
var buf [11]byte
buf[0] = 3 /* iterated and salted */
buf[1], _ = HashToHashId(crypto.SHA1)
salt := buf[2:10]
if _, err := io.ReadFull(rand, salt); err != nil {
return err
const count = 65536 // this is the default in gpg
buf[10] = 96 // 65536 iterations
if _, err := w.Write(buf[:]); err != nil {
return err
Iterated(key, crypto.SHA1.New(), passphrase, salt, count)
return nil
// hashToHashIdMapping contains pairs relating OpenPGP's hash identifier with
// Go's crypto.Hash type. See RFC 4880, section 9.4.
var hashToHashIdMapping = []struct {
id byte
hash crypto.Hash
{1, crypto.MD5},
{2, crypto.SHA1},
{3, crypto.RIPEMD160},
{8, crypto.SHA256},
{9, crypto.SHA384},
{10, crypto.SHA512},
{11, crypto.SHA224},
// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
// hash id.
func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
for _, m := range hashToHashIdMapping {
if == id {
return m.hash, true
return 0, false
// HashIdToHash returns an OpenPGP hash id which corresponds the given Hash.
func HashToHashId(h crypto.Hash) (id byte, ok bool) {
for _, m := range hashToHashIdMapping {
if m.hash == h {
return, true
return 0, false