PEM formats iteration count reporting

[solardiz]

Our pem and pem-opencl formats sometimes report double the actual PBKDF2 iteration count, considering (if I understand correctly) also the derived key length. I find this unexpected and confusing. Do we do this in any other formats? I don't recall seeing this before. If we don't, then this is also inconsistent. We might want to drop this adjustment of the reported iteration count, always reporting it as-is. (Incidentally, such adjustment would fit in with magnum's recently suggested addition of "overall cost" reporting - but we don't have that yet, and if/when we add that it'd be a separate figure.)

Introduced by @kholia in b749fab.

[magnumripper]

Well that depends on what you mean with iteration count. For two blocks of PBKDF2, the number of SHA1 operations obviously doubles.

This change would report all cost factors and add an "overall cost" (#4814) that is the same as the existing "iteration count":

diff --git a/src/opencl_pem_fmt_plug.c b/src/opencl_pem_fmt_plug.c
index 57387489e..21aa9da8a 100644
--- a/src/opencl_pem_fmt_plug.c
+++ b/src/opencl_pem_fmt_plug.c
@@ -348,7 +348,9 @@ struct fmt_main fmt_opencl_pem = {
 		MAX_KEYS_PER_CRYPT,
 		FMT_CASE | FMT_8_BIT | FMT_HUGE_INPUT,
 		{
+			"overall cost",
 			"iteration count",
+			"key length",
 			"cipher [1=3DES 2/3/4=AES-128/192/256]",
 		},
 		{ FORMAT_TAG },
@@ -363,7 +365,9 @@ struct fmt_main fmt_opencl_pem = {
 		fmt_default_binary,
 		pem_get_salt,
 		{
+			pem_overall_cost,
 			pem_iteration_count,
+			pem_key_length,
 			pem_cipher,
 		},
 		fmt_default_source,
diff --git a/src/pem_common.h b/src/pem_common.h
index 110038120..c98ec8c76 100644
--- a/src/pem_common.h
+++ b/src/pem_common.h
@@ -33,11 +33,13 @@ struct custom_salt {
 
 extern struct fmt_tests pem_tests[];
 
-int pem_valid(char *ciphertext, struct fmt_main *self);
+extern int pem_valid(char *ciphertext, struct fmt_main *self);
 
-void *pem_get_salt(char *ciphertext);
+extern void *pem_get_salt(char *ciphertext);
 
-int pem_decrypt(unsigned char *key, unsigned char *iv, unsigned char *data, struct custom_salt *cur_salt);
+extern int pem_decrypt(unsigned char *key, unsigned char *iv, unsigned char *data, struct custom_salt *cur_salt);
 
-unsigned int pem_iteration_count(void *salt);
-unsigned int pem_cipher(void *salt);
+extern unsigned int pem_overall_cost(void *salt);
+extern unsigned int pem_iteration_count(void *salt);
+extern unsigned int pem_key_length(void *salt);
+extern unsigned int pem_cipher(void *salt);
diff --git a/src/pem_common_plug.c b/src/pem_common_plug.c
index 782c204a6..17621e994 100644
--- a/src/pem_common_plug.c
+++ b/src/pem_common_plug.c
@@ -250,11 +250,25 @@ bad:
 	return -1;
 }
 
+unsigned int pem_overall_cost(void *salt)
+{
+	struct custom_salt *cs = salt;
+
+	return cs->iterations * ((cs->key_length + 19) / 20);
+}
+
 unsigned int pem_iteration_count(void *salt)
 {
 	struct custom_salt *cs = salt;
 
-	return cs->iterations * (cs->key_length > 20 ? 2 : 1);
+	return cs->iterations;
+}
+
+unsigned int pem_key_length(void *salt)
+{
+	struct custom_salt *cs = salt;
+
+	return cs->key_length;
 }
 
 unsigned int pem_cipher(void *salt)
diff --git a/src/pem_fmt_plug.c b/src/pem_fmt_plug.c
index 197a56e52..b9462409a 100644
--- a/src/pem_fmt_plug.c
+++ b/src/pem_fmt_plug.c
@@ -168,7 +168,9 @@ struct fmt_main fmt_pem = {
 		MAX_KEYS_PER_CRYPT,
 		FMT_CASE | FMT_8_BIT | FMT_OMP | FMT_HUGE_INPUT,
 		{
+			"overall cost",
 			"iteration count",
+			"key length",
 			"cipher [1=3DES 2/3/4=AES-128/192/256]",
 		},
 		{ FORMAT_TAG },
@@ -183,7 +185,9 @@ struct fmt_main fmt_pem = {
 		fmt_default_binary,
 		pem_get_salt,
 		{
+			pem_overall_cost,
 			pem_iteration_count,
+			pem_key_length,
 			pem_cipher,
 		},
 		fmt_default_source,

It might be overkill - but less confusing. Only the overall cost matters, and it didn't change. We could just as well rename the existing "iteration count" to "overall cost" and leave it by that.

For testing/debugging purposes, having all costs defined like this sometimes helps: If the format fails, you can -test -cost=(...) to single out if it's just a certain type that fails.