ext-cryptopp/pssr.cpp

// pssr.cpp - written and placed in the public domain by Wei Dai

#include "pch.h"
#include "pssr.h"
#include "trap.h"

#include <functional>

NAMESPACE_BEGIN(CryptoPP)

// more in dll.cpp
template<> const byte EMSA2HashId<RIPEMD160>::id = 0x31;
template<> const byte EMSA2HashId<RIPEMD128>::id = 0x32;
template<> const byte EMSA2HashId<Whirlpool>::id = 0x37;

#ifndef CRYPTOPP_IMPORTS

size_t PSSR_MEM_Base::MinRepresentativeBitLength(size_t hashIdentifierLength, size_t digestLength) const
{
	size_t saltLen = SaltLen(digestLength);
	size_t minPadLen = MinPadLen(digestLength);
	return 9 + 8*(minPadLen + saltLen + digestLength + hashIdentifierLength);
}

size_t PSSR_MEM_Base::MaxRecoverableLength(size_t representativeBitLength, size_t hashIdentifierLength, size_t digestLength) const
{
	if (AllowRecovery())
		return SaturatingSubtract(representativeBitLength, MinRepresentativeBitLength(hashIdentifierLength, digestLength)) / 8;
	return 0;
}

bool PSSR_MEM_Base::IsProbabilistic() const 
{
	return SaltLen(1) > 0;
}

bool PSSR_MEM_Base::AllowNonrecoverablePart() const
{
	return true;
}

bool PSSR_MEM_Base::RecoverablePartFirst() const
{
	return false;
}

void PSSR_MEM_Base::ComputeMessageRepresentative(RandomNumberGenerator &rng, 
	const byte *recoverableMessage, size_t recoverableMessageLength,
	HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty,
	byte *representative, size_t representativeBitLength) const
{
	CRYPTOPP_ASSERT(representativeBitLength >= MinRepresentativeBitLength(hashIdentifier.second, hash.DigestSize()));

	const size_t u = hashIdentifier.second + 1;
	const size_t representativeByteLength = BitsToBytes(representativeBitLength);
	const size_t digestSize = hash.DigestSize();
	const size_t saltSize = SaltLen(digestSize);
	byte *const h = representative + representativeByteLength - u - digestSize;

	SecByteBlock digest(digestSize), salt(saltSize);
	hash.Final(digest);
	rng.GenerateBlock(salt, saltSize);

	// compute H = hash of M'
	byte c[8];
	PutWord(false, BIG_ENDIAN_ORDER, c, (word32)SafeRightShift<29>(recoverableMessageLength));
	PutWord(false, BIG_ENDIAN_ORDER, c+4, word32(recoverableMessageLength << 3));
	hash.Update(c, 8);
	hash.Update(recoverableMessage, recoverableMessageLength);
	hash.Update(digest, digestSize);
	hash.Update(salt, saltSize);
	hash.Final(h);

	// compute representative
	GetMGF().GenerateAndMask(hash, representative, representativeByteLength - u - digestSize, h, digestSize, false);
	byte *xorStart = representative + representativeByteLength - u - digestSize - salt.size() - recoverableMessageLength - 1;
	xorStart[0] ^= 1;
	xorbuf(xorStart + 1, recoverableMessage, recoverableMessageLength);
	xorbuf(xorStart + 1 + recoverableMessageLength, salt, salt.size());

	if (representative && hashIdentifier.first)
		memcpy(representative + representativeByteLength - u, hashIdentifier.first, hashIdentifier.second);
    representative[representativeByteLength - 1] = hashIdentifier.second ? 0xcc : 0xbc;

	if (representativeBitLength % 8 != 0)
		representative[0] = (byte)Crop(representative[0], representativeBitLength % 8);
}

DecodingResult PSSR_MEM_Base::RecoverMessageFromRepresentative(
	HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty,
	byte *representative, size_t representativeBitLength,
	byte *recoverableMessage) const
{
	CRYPTOPP_ASSERT(representativeBitLength >= MinRepresentativeBitLength(hashIdentifier.second, hash.DigestSize()));

	const size_t u = hashIdentifier.second + 1;
	const size_t representativeByteLength = BitsToBytes(representativeBitLength);
	const size_t digestSize = hash.DigestSize();
	const size_t saltSize = SaltLen(digestSize);
	const byte *const h = representative + representativeByteLength - u - digestSize;

	SecByteBlock digest(digestSize);
	hash.Final(digest);

	DecodingResult result(0);
	bool &valid = result.isValidCoding;
	size_t &recoverableMessageLength = result.messageLength;

	valid = (representative[representativeByteLength - 1] == (hashIdentifier.second ? 0xcc : 0xbc)) && valid;
	valid = VerifyBufsEqual(representative + representativeByteLength - u, hashIdentifier.first, hashIdentifier.second) && valid;

	GetMGF().GenerateAndMask(hash, representative, representativeByteLength - u - digestSize, h, digestSize);
	if (representativeBitLength % 8 != 0)
		representative[0] = (byte)Crop(representative[0], representativeBitLength % 8);

	// extract salt and recoverableMessage from DB = 00 ... || 01 || M || salt
	byte *salt = representative + representativeByteLength - u - digestSize - saltSize;
	byte *M = std::find_if (representative, salt-1, std::bind2nd(std::not_equal_to<byte>(), byte(0)));
	recoverableMessageLength = salt-M-1;
	if (*M == 0x01 
		&& (size_t)(M - representative - (representativeBitLength % 8 != 0)) >= MinPadLen(digestSize)
		&& recoverableMessageLength <= MaxRecoverableLength(representativeBitLength, hashIdentifier.second, digestSize))
	{
		if (recoverableMessage && M && recoverableMessageLength)
			memcpy(recoverableMessage, M+1, recoverableMessageLength);
	}
	else
	{
		recoverableMessageLength = 0;
		valid = false;
	}

	// verify H = hash of M'
	byte c[8];
	PutWord(false, BIG_ENDIAN_ORDER, c, (word32)SafeRightShift<29>(recoverableMessageLength));
	PutWord(false, BIG_ENDIAN_ORDER, c+4, word32(recoverableMessageLength << 3));
	hash.Update(c, 8);
	hash.Update(recoverableMessage, recoverableMessageLength);
	hash.Update(digest, digestSize);
	hash.Update(salt, saltSize);
	valid = hash.Verify(h) && valid;

	if (!AllowRecovery() && valid && recoverableMessageLength != 0)
		{throw NotImplemented("PSSR_MEM: message recovery disabled");}
	
	return result;
}

#endif

NAMESPACE_END
various changes for 5.1 2003-03-20 01:24:12 +00:00			`// pssr.cpp - written and placed in the public domain by Wei Dai`

			`#include "pch.h"`
			`#include "pssr.h"`
Added "trap.h" include for header and source files that assert 2015-07-26 19:51:16 +00:00			`#include "trap.h"`

add missing #include 2006-06-09 06:27:44 +00:00			`#include <functional>`
various changes for 5.1 2003-03-20 01:24:12 +00:00
			`NAMESPACE_BEGIN(CryptoPP)`

changes related to the next FIPS validation 2004-09-03 10:57:31 +00:00			`// more in dll.cpp`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`template<> const byte EMSA2HashId<RIPEMD160>::id = 0x31;`
minor changes 2003-08-25 21:41:09 +00:00			`template<> const byte EMSA2HashId<RIPEMD128>::id = 0x32;`
			`template<> const byte EMSA2HashId<Whirlpool>::id = 0x37;`
various changes for 5.1 2003-03-20 01:24:12 +00:00
changes related to the next FIPS validation 2004-09-03 10:57:31 +00:00			`#ifndef CRYPTOPP_IMPORTS`

port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`size_t PSSR_MEM_Base::MinRepresentativeBitLength(size_t hashIdentifierLength, size_t digestLength) const`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00			`{`
port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`size_t saltLen = SaltLen(digestLength);`
			`size_t minPadLen = MinPadLen(digestLength);`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00			`return 9 + 8*(minPadLen + saltLen + digestLength + hashIdentifierLength);`
			`}`

port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`size_t PSSR_MEM_Base::MaxRecoverableLength(size_t representativeBitLength, size_t hashIdentifierLength, size_t digestLength) const`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`{`
			`if (AllowRecovery())`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00			`return SaturatingSubtract(representativeBitLength, MinRepresentativeBitLength(hashIdentifierLength, digestLength)) / 8;`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`return 0;`
			`}`

			`bool PSSR_MEM_Base::IsProbabilistic() const`
			`{`
			`return SaltLen(1) > 0;`
			`}`

			`bool PSSR_MEM_Base::AllowNonrecoverablePart() const`
			`{`
			`return true;`
			`}`

			`bool PSSR_MEM_Base::RecoverablePartFirst() const`
			`{`
			`return false;`
			`}`

			`void PSSR_MEM_Base::ComputeMessageRepresentative(RandomNumberGenerator &rng,`
port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`const byte *recoverableMessage, size_t recoverableMessageLength,`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty,`
port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`byte *representative, size_t representativeBitLength) const`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`{`
Cut-in CRYPTOPP_ASSERT in all remaining header and source files 2015-07-26 20:03:14 +00:00			`CRYPTOPP_ASSERT(representativeBitLength >= MinRepresentativeBitLength(hashIdentifier.second, hash.DigestSize()));`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00
port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`const size_t u = hashIdentifier.second + 1;`
			`const size_t representativeByteLength = BitsToBytes(representativeBitLength);`
			`const size_t digestSize = hash.DigestSize();`
			`const size_t saltSize = SaltLen(digestSize);`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`byte *const h = representative + representativeByteLength - u - digestSize;`

			`SecByteBlock digest(digestSize), salt(saltSize);`
			`hash.Final(digest);`
			`rng.GenerateBlock(salt, saltSize);`

			`// compute H = hash of M'`
			`byte c[8];`
removed UnalignedPutWord 2007-04-16 00:20:57 +00:00			`PutWord(false, BIG_ENDIAN_ORDER, c, (word32)SafeRightShift<29>(recoverableMessageLength));`
			`PutWord(false, BIG_ENDIAN_ORDER, c+4, word32(recoverableMessageLength << 3));`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`hash.Update(c, 8);`
			`hash.Update(recoverableMessage, recoverableMessageLength);`
			`hash.Update(digest, digestSize);`
			`hash.Update(salt, saltSize);`
			`hash.Final(h);`

			`// compute representative`
			`GetMGF().GenerateAndMask(hash, representative, representativeByteLength - u - digestSize, h, digestSize, false);`
			`byte *xorStart = representative + representativeByteLength - u - digestSize - salt.size() - recoverableMessageLength - 1;`
			`xorStart[0] ^= 1;`
			`xorbuf(xorStart + 1, recoverableMessage, recoverableMessageLength);`
			`xorbuf(xorStart + 1 + recoverableMessageLength, salt, salt.size());`
Cleared UBsan error using non-null pointer 2015-07-18 01:36:13 +00:00
Whitespace checkin 2015-07-30 17:07:33 +00:00			`if (representative && hashIdentifier.first)`
Cleared UBsan error using non-null pointer 2015-07-18 01:36:13 +00:00			`memcpy(representative + representativeByteLength - u, hashIdentifier.first, hashIdentifier.second);`
Changed guard on memcpy use to make it less intrusive. More closely resembles original code 2015-07-18 01:44:53 +00:00			`representative[representativeByteLength - 1] = hashIdentifier.second ? 0xcc : 0xbc;`
Cleared UBsan error using non-null pointer 2015-07-18 01:36:13 +00:00
various changes for 5.1 2003-03-20 01:24:12 +00:00			`if (representativeBitLength % 8 != 0)`
fix warnings for VC7 and GCC 2003-03-20 20:39:59 +00:00			`representative[0] = (byte)Crop(representative[0], representativeBitLength % 8);`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`}`

			`DecodingResult PSSR_MEM_Base::RecoverMessageFromRepresentative(`
			`HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty,`
port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`byte *representative, size_t representativeBitLength,`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`byte *recoverableMessage) const`
			`{`
Cut-in CRYPTOPP_ASSERT in all remaining header and source files 2015-07-26 20:03:14 +00:00			`CRYPTOPP_ASSERT(representativeBitLength >= MinRepresentativeBitLength(hashIdentifier.second, hash.DigestSize()));`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00
port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`const size_t u = hashIdentifier.second + 1;`
			`const size_t representativeByteLength = BitsToBytes(representativeBitLength);`
			`const size_t digestSize = hash.DigestSize();`
			`const size_t saltSize = SaltLen(digestSize);`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`const byte *const h = representative + representativeByteLength - u - digestSize;`

			`SecByteBlock digest(digestSize);`
			`hash.Final(digest);`

			`DecodingResult result(0);`
			`bool &valid = result.isValidCoding;`
port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`size_t &recoverableMessageLength = result.messageLength;`
various changes for 5.1 2003-03-20 01:24:12 +00:00
			`valid = (representative[representativeByteLength - 1] == (hashIdentifier.second ? 0xcc : 0xbc)) && valid;`
changes for 5.6: - added AuthenticatedSymmetricCipher interface class and Filter wrappers - added CCM, GCM (with SSE2 assembly), CMAC, and SEED - improved AES speed on x86 and x64 - removed WORD64_AVAILABLE; compiler 64-bit int support is now required 2009-03-02 02:39:17 +00:00			`valid = VerifyBufsEqual(representative + representativeByteLength - u, hashIdentifier.first, hashIdentifier.second) && valid;`
various changes for 5.1 2003-03-20 01:24:12 +00:00
			`GetMGF().GenerateAndMask(hash, representative, representativeByteLength - u - digestSize, h, digestSize);`
			`if (representativeBitLength % 8 != 0)`
fix warnings for VC7 and GCC 2003-03-20 20:39:59 +00:00			`representative[0] = (byte)Crop(representative[0], representativeBitLength % 8);`
various changes for 5.1 2003-03-20 01:24:12 +00:00
			`// extract salt and recoverableMessage from DB = 00 ... \|\| 01 \|\| M \|\| salt`
			`byte *salt = representative + representativeByteLength - u - digestSize - saltSize;`
Whitespace checkin 2015-07-30 17:07:33 +00:00			`byte *M = std::find_if (representative, salt-1, std::bind2nd(std::not_equal_to<byte>(), byte(0)));`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00			`recoverableMessageLength = salt-M-1;`
			`if (*M == 0x01`
port to MSVC .NET 2005 beta 2 2005-07-12 04:23:32 +00:00			`&& (size_t)(M - representative - (representativeBitLength % 8 != 0)) >= MinPadLen(digestSize)`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00			`&& recoverableMessageLength <= MaxRecoverableLength(representativeBitLength, hashIdentifier.second, digestSize))`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`{`
Whitespace checkin 2015-07-30 17:07:33 +00:00			`if (recoverableMessage && M && recoverableMessageLength)`
Cleared UBsan error using non-null pointer 2015-07-18 01:36:13 +00:00			`memcpy(recoverableMessage, M+1, recoverableMessageLength);`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`}`
			`else`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00			`{`
			`recoverableMessageLength = 0;`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`valid = false;`
changes done for FIPS-140 lab code drop 2005-01-20 04:19:35 +00:00			`}`
various changes for 5.1 2003-03-20 01:24:12 +00:00
			`// verify H = hash of M'`
			`byte c[8];`
removed UnalignedPutWord 2007-04-16 00:20:57 +00:00			`PutWord(false, BIG_ENDIAN_ORDER, c, (word32)SafeRightShift<29>(recoverableMessageLength));`
			`PutWord(false, BIG_ENDIAN_ORDER, c+4, word32(recoverableMessageLength << 3));`
various changes for 5.1 2003-03-20 01:24:12 +00:00			`hash.Update(c, 8);`
			`hash.Update(recoverableMessage, recoverableMessageLength);`
			`hash.Update(digest, digestSize);`
			`hash.Update(salt, saltSize);`
			`valid = hash.Verify(h) && valid;`

			`if (!AllowRecovery() && valid && recoverableMessageLength != 0)`
			`{throw NotImplemented("PSSR_MEM: message recovery disabled");}`

			`return result;`
			`}`

changes related to the next FIPS validation 2004-09-03 10:57:31 +00:00			`#endif`

various changes for 5.1 2003-03-20 01:24:12 +00:00			`NAMESPACE_END`