void CBC_CTS_Encryption::ProcessLastBlock(byte *outString, const byte *inString, size_t length)
{
if (length <= BlockSize())
{
if (!m_stolenIV)
throw InvalidArgument("CBC_Encryption: message is too short for ciphertext stealing");
// steal from IV
memcpy(outString, m_register, length);
outString = m_stolenIV;
}
else
{
// steal from next to last block
xorbuf(m_register, inString, BlockSize());
m_cipher->ProcessBlock(m_register);
inString += BlockSize();
length -= BlockSize();
memcpy(outString+BlockSize(), m_register, length);
}
// output last full ciphertext block
xorbuf(m_register, inString, length);
m_cipher->ProcessBlock(m_register);
memcpy(outString, m_register, BlockSize());
}
void CBC_CTS_Decryption::ProcessLastBlock(byte *outString, const byte *inString, size_t length)
{
const byte *pn, *pn1;
bool stealIV = length <= BlockSize();
if (stealIV)
{
pn = inString;
pn1 = m_register;
}
else
{
pn = inString + BlockSize();
pn1 = inString;
length -= BlockSize();
}
// decrypt last partial plaintext block
memcpy(m_temp, pn1, BlockSize());
m_cipher->ProcessBlock(m_temp);
xorbuf(m_temp, pn, length);
if (stealIV)
memcpy(outString, m_temp, length);
else
{
memcpy(outString+BlockSize(), m_temp, length);
// decrypt next to last plaintext block
memcpy(m_temp, pn, length);
m_cipher->ProcessBlock(m_temp);
xorbuf(outString, m_temp, m_register, BlockSize());
}
}
byte X917RNG::GenerateByte()
{
if (randbuf_counter==0)
{
// calculate new enciphered timestamp
if (m_deterministicTimeVector)
{
xorbuf(dtbuf, (byte *)&m_deterministicTimeVector, STDMIN((int)sizeof(m_deterministicTimeVector), S));
while (++m_deterministicTimeVector == 0) {} // skip 0
}
else
{
clock_t tstamp = clock();
xorbuf(dtbuf, (byte *)&tstamp, STDMIN((int)sizeof(tstamp), S));
}
cipher->ProcessBlock(dtbuf);
// combine enciphered timestamp with seed
xorbuf(randseed, dtbuf, S);
// generate a new block of random bytes
cipher->ProcessBlock(randseed, randbuf);
// compute new seed vector
for (int i=0; i<S; i++)
randseed[i] = randbuf[i] ^ dtbuf[i];
cipher->ProcessBlock(randseed);
randbuf_counter=S;
}
return(randbuf[--randbuf_counter]);
}
void AdditiveCipherTemplate<S>::ProcessData(byte *outString, const byte *inString, size_t length)
{
if (m_leftOver > 0)
{
size_t len = STDMIN(m_leftOver, length);
xorbuf(outString, inString, KeystreamBufferEnd()-m_leftOver, len);
length -= len;
m_leftOver -= len;
inString += len;
outString += len;
if (!length)
return;
}
CRYPTOPP_ASSERT(m_leftOver == 0);
PolicyInterface &policy = this->AccessPolicy();
unsigned int bytesPerIteration = policy.GetBytesPerIteration();
if (policy.CanOperateKeystream() && length >= bytesPerIteration)
{
size_t iterations = length / bytesPerIteration;
unsigned int alignment = policy.GetAlignment();
KeystreamOperation operation = KeystreamOperation((IsAlignedOn(inString, alignment) * 2) | (int)IsAlignedOn(outString, alignment));
policy.OperateKeystream(operation, outString, inString, iterations);
inString += iterations * bytesPerIteration;
outString += iterations * bytesPerIteration;
length -= iterations * bytesPerIteration;
if (!length)
return;
}
size_t bufferByteSize = m_buffer.size();
size_t bufferIterations = bufferByteSize / bytesPerIteration;
while (length >= bufferByteSize)
{
policy.WriteKeystream(m_buffer, bufferIterations);
xorbuf(outString, inString, KeystreamBufferBegin(), bufferByteSize);
length -= bufferByteSize;
inString += bufferByteSize;
outString += bufferByteSize;
}
if (length > 0)
{
bufferByteSize = RoundUpToMultipleOf(length, bytesPerIteration);
bufferIterations = bufferByteSize / bytesPerIteration;
policy.WriteKeystream(KeystreamBufferEnd()-bufferByteSize, bufferIterations);
xorbuf(outString, inString, KeystreamBufferEnd()-bufferByteSize, length);
m_leftOver = bufferByteSize - length;
}
}
inline void AdditiveCipherTemplate<S>::ProcessData(byte *outString, const byte *inString, unsigned int length)
{
if (m_leftOver > 0)
{
unsigned int len = STDMIN(m_leftOver, length);
xorbuf(outString, inString, KeystreamBufferEnd()-m_leftOver, len);
length -= len;
m_leftOver -= len;
inString += len;
outString += len;
}
if (!length)
return;
assert(m_leftOver == 0);
PolicyInterface &policy = this->AccessPolicy();
unsigned int bytesPerIteration = policy.GetBytesPerIteration();
unsigned int alignment = policy.GetAlignment();
if (policy.CanOperateKeystream() && length >= bytesPerIteration && IsAlignedOn(outString, alignment))
{
if (IsAlignedOn(inString, alignment))
policy.OperateKeystream(XOR_KEYSTREAM, outString, inString, length / bytesPerIteration);
else
{
memcpy(outString, inString, length);
policy.OperateKeystream(XOR_KEYSTREAM_INPLACE, outString, outString, length / bytesPerIteration);
}
inString += length - length % bytesPerIteration;
outString += length - length % bytesPerIteration;
length %= bytesPerIteration;
if (!length)
return;
}
unsigned int bufferByteSize = GetBufferByteSize(policy);
unsigned int bufferIterations = policy.GetIterationsToBuffer();
while (length >= bufferByteSize)
{
policy.WriteKeystream(m_buffer, bufferIterations);
xorbuf(outString, inString, KeystreamBufferBegin(), bufferByteSize);
length -= bufferByteSize;
inString += bufferByteSize;
outString += bufferByteSize;
}
if (length > 0)
{
policy.WriteKeystream(m_buffer, bufferIterations);
xorbuf(outString, inString, KeystreamBufferBegin(), length);
m_leftOver = bytesPerIteration - length;
}
}
void SEAL::ProcessString(byte *outString, const byte *inString, unsigned int length)
{
while (length >= L/8-position)
{
xorbuf(outString, inString, buffer+position, L/8-position);
length -= L/8-position;
inString += L/8-position;
outString += L/8-position;
IncrementCounter();
}
xorbuf(outString, inString, buffer+position, length);
position += length;
}
void CBC_Encryption::ProcessBlocks(byte *outString, const byte *inString, size_t numberOfBlocks)
{
unsigned int blockSize = BlockSize();
xorbuf(m_register, inString, blockSize);
while (--numberOfBlocks)
{
m_cipher->ProcessBlock(m_register, outString);
inString += blockSize;
xorbuf(m_register, inString, outString, blockSize);
outString += blockSize;
}
m_cipher->ProcessBlock(m_register);
memcpy(outString, m_register, blockSize);
}
void SHA3::Update(const byte *input, size_t length)
{
size_t spaceLeft;
while (length >= (spaceLeft = r() - m_counter))
{
xorbuf(m_state.BytePtr() + m_counter, input, spaceLeft);
KeccakF1600(m_state);
input += spaceLeft;
length -= spaceLeft;
m_counter = 0;
}
xorbuf(m_state.BytePtr() + m_counter, input, length);
m_counter += (unsigned int)length;
}
void VDA_CBCNotPaddedDecryptor_3_2::NextPut(const byte *inString, unsigned int)
{
cipher.ProcessBlock(inString, buffer);
xorbuf(buffer, reg, S);
AttachedTransformation()->Put(buffer, S);
memcpy(reg, inString, S);
}
int PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
int sLen, int iterations, int kLen, int hashType)
{
word32 i = 1;
int hLen;
int j, ret;
Hmac hmac;
byte buffer[MAX_DIGEST_SIZE];
if (hashType == MD5) {
hLen = MD5_DIGEST_SIZE;
}
else if (hashType == SHA) {
hLen = SHA_DIGEST_SIZE;
}
#ifndef NO_SHA256
else if (hashType == SHA256) {
hLen = SHA256_DIGEST_SIZE;
}
#endif
#ifdef CYASSL_SHA512
else if (hashType == SHA512) {
hLen = SHA512_DIGEST_SIZE;
}
#endif
else
return BAD_FUNC_ARG;
ret = HmacSetKey(&hmac, hashType, passwd, pLen);
if (ret != 0)
return ret;
while (kLen) {
int currentLen;
HmacUpdate(&hmac, salt, sLen);
/* encode i */
for (j = 0; j < 4; j++) {
byte b = (byte)(i >> ((3-j) * 8));
HmacUpdate(&hmac, &b, 1);
}
HmacFinal(&hmac, buffer);
currentLen = min(kLen, hLen);
XMEMCPY(output, buffer, currentLen);
for (j = 1; j < iterations; j++) {
HmacUpdate(&hmac, buffer, hLen);
HmacFinal(&hmac, buffer);
xorbuf(output, buffer, currentLen);
}
output += currentLen;
kLen -= currentLen;
i++;
}
return 0;
}
void CBCPaddedDecryptor::ProcessBuf()
{
cipher.ProcessBlock(buffer, temp);
xorbuf(temp, reg, S);
outQueue->Put(temp, S);
reg.swap(buffer);
counter = 0;
}
void OldRandomPool::IncorporateEntropy(const byte *input, size_t length)
{
size_t t;
while (length > (t = pool.size() - addPos))
{
xorbuf(pool+addPos, input, t);
input += t;
length -= t;
Stir();
}
if (length)
{
xorbuf(pool+addPos, input, length);
addPos += length;
getPos = pool.size(); // Force stir on get
}
}
void EAX_Base::AuthenticateLastFooterBlock(byte *tag, size_t macSize)
{
CRYPTOPP_ASSERT(m_bufferedDataLength == 0);
MessageAuthenticationCode &mac = AccessMAC();
unsigned int blockSize = mac.TagSize();
mac.TruncatedFinal(m_buffer, macSize);
xorbuf(tag, m_buffer, m_buffer+blockSize, macSize);
}
void CBCPaddedDecryptor::InputFinished()
{
// unpad last block
cipher.ProcessBlock(buffer);
xorbuf(buffer, reg, S);
if (buffer[S-1] > S)
buffer[S-1] = 0; // something's wrong with the padding
outQueue->Put(buffer, S-buffer[S-1]);
}
void CMAC_Base::Update(const byte *input, size_t length)
{
assert((input && length) || !(input || length));
if (!length)
return;
BlockCipher &cipher = AccessCipher();
unsigned int blockSize = cipher.BlockSize();
if (m_counter > 0)
{
const unsigned int len = UnsignedMin(blockSize - m_counter, length);
if (len)
{
xorbuf(m_reg+m_counter, input, len);
length -= len;
input += len;
m_counter += len;
}
if (m_counter == blockSize && length > 0)
{
cipher.ProcessBlock(m_reg);
m_counter = 0;
}
}
if (length > blockSize)
{
assert(m_counter == 0);
size_t leftOver = 1 + cipher.AdvancedProcessBlocks(m_reg, input, m_reg, length-1, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
input += (length - leftOver);
length = leftOver;
}
if (length > 0)
{
assert(m_counter + length <= blockSize);
xorbuf(m_reg+m_counter, input, length);
m_counter += (unsigned int)length;
}
assert(m_counter > 0);
}
void RandomPool::Put(const byte *inString, unsigned int length)
{
unsigned t;
while (length > (t = pool.size - addPos))
{
xorbuf(pool+addPos, inString, t);
inString += t;
length -= t;
Stir();
}
if (length)
{
xorbuf(pool+addPos, inString, length);
addPos += length;
getPos = pool.size; // Force stir on get
}
}
bool DSA::GeneratePrimes(const byte *seedIn, unsigned int g, int &counter,
Integer &p, unsigned int L, Integer &q, bool useInputCounterValue)
{
assert(g%8 == 0);
SHA sha;
SecByteBlock seed(seedIn, g/8);
SecByteBlock U(SHA::DIGESTSIZE);
SecByteBlock temp(SHA::DIGESTSIZE);
SecByteBlock W(((L-1)/160+1) * SHA::DIGESTSIZE);
const int n = (L-1) / 160;
const int b = (L-1) % 160;
Integer X;
sha.CalculateDigest(U, seed, g/8);
for (int i=g/8-1, carry=true; i>=0 && carry; i--)
carry=!++seed[i];
sha.CalculateDigest(temp, seed, g/8);
xorbuf(U, temp, SHA::DIGESTSIZE);
U[0] |= 0x80;
U[SHA::DIGESTSIZE-1] |= 1;
q.Decode(U, SHA::DIGESTSIZE);
if (!IsPrime(q))
return false;
int counterEnd = useInputCounterValue ? counter+1 : 4096;
for (int c = 0; c < counterEnd; c++)
{
for (int k=0; k<=n; k++)
{
for (int i=g/8-1, carry=true; i>=0 && carry; i--)
carry=!++seed[i];
if (!useInputCounterValue || c == counter)
sha.CalculateDigest(W+(n-k)*SHA::DIGESTSIZE, seed, g/8);
}
if (!useInputCounterValue || c == counter)
{
W[SHA::DIGESTSIZE - 1 - b/8] |= 0x80;
X.Decode(W + SHA::DIGESTSIZE - 1 - b/8, L/8);
p = X-((X % (2*q))-1);
if (p.GetBit(L-1) && IsPrime(p))
{
counter = c;
return true;
}
}
}
return false;
}
void SHA3::Update(const byte *input, size_t length)
{
CRYPTOPP_ASSERT((input && length) || !(input || length));
if (!length) { return; }
size_t spaceLeft;
while (length >= (spaceLeft = r() - m_counter))
{
if (spaceLeft)
xorbuf(m_state.BytePtr() + m_counter, input, spaceLeft);
KeccakF1600(m_state);
input += spaceLeft;
length -= spaceLeft;
m_counter = 0;
}
if (length)
xorbuf(m_state.BytePtr() + m_counter, input, length);
m_counter += (unsigned int)length;
}
unsigned int RandomPool::Put2(const byte *inString, unsigned int length, int messageEnd, bool blocking)
{
unsigned t;
while (length > (t = pool.size() - addPos))
{
xorbuf(pool+addPos, inString, t);
inString += t;
length -= t;
Stir();
}
if (length)
{
xorbuf(pool+addPos, inString, length);
addPos += length;
getPos = pool.size(); // Force stir on get
}
return 0;
}
// CBC Encrypt
inline void Mode_BASE::CBC_Encrypt(byte* out, const byte* in, word32 sz)
{
word32 blocks = sz / blockSz_;
while (blocks--) {
xorbuf(reg_, in, blockSz_);
ProcessAndXorBlock(reg_, 0, reg_);
memcpy(out, reg_, blockSz_);
out += blockSz_;
in += blockSz_;
}
}
void EAX_Base::AuthenticateLastHeaderBlock()
{
CRYPTOPP_ASSERT(m_bufferedDataLength == 0);
MessageAuthenticationCode &mac = AccessMAC();
unsigned int blockSize = mac.TagSize();
mac.Final(m_buffer);
xorbuf(m_buffer+blockSize, m_buffer, blockSize);
memset(m_buffer, 0, blockSize);
m_buffer[blockSize-1] = 2;
mac.Update(m_buffer, blockSize);
}
void Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
{
word32 blocks = sz / DES_BLOCK_SIZE;
while (blocks--) {
xorbuf((byte*)des->reg, in, DES_BLOCK_SIZE);
Des3ProcessBlock(des, (byte*)des->reg, (byte*)des->reg);
XMEMCPY(out, des->reg, DES_BLOCK_SIZE);
out += DES_BLOCK_SIZE;
in += DES_BLOCK_SIZE;
}
}
void PSSR_MEM_Base::ComputeMessageRepresentative(RandomNumberGenerator &rng,
const byte *recoverableMessage, size_t recoverableMessageLength,
HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty,
byte *representative, size_t representativeBitLength) const
{
assert(representativeBitLength >= MinRepresentativeBitLength(hashIdentifier.second, hash.DigestSize()));
const size_t u = hashIdentifier.second + 1;
const size_t representativeByteLength = BitsToBytes(representativeBitLength);
const size_t digestSize = hash.DigestSize();
const size_t saltSize = SaltLen(digestSize);
byte *const h = representative + representativeByteLength - u - digestSize;
SecByteBlock digest(digestSize), salt(saltSize);
hash.Final(digest);
rng.GenerateBlock(salt, saltSize);
// compute H = hash of M'
byte c[8];
PutWord(false, BIG_ENDIAN_ORDER, c, (word32)SafeRightShift<29>(recoverableMessageLength));
PutWord(false, BIG_ENDIAN_ORDER, c+4, word32(recoverableMessageLength << 3));
hash.Update(c, 8);
hash.Update(recoverableMessage, recoverableMessageLength);
hash.Update(digest, digestSize);
hash.Update(salt, saltSize);
hash.Final(h);
// compute representative
GetMGF().GenerateAndMask(hash, representative, representativeByteLength - u - digestSize, h, digestSize, false);
byte *xorStart = representative + representativeByteLength - u - digestSize - salt.size() - recoverableMessageLength - 1;
xorStart[0] ^= 1;
xorbuf(xorStart + 1, recoverableMessage, recoverableMessageLength);
xorbuf(xorStart + 1 + recoverableMessageLength, salt, salt.size());
memcpy(representative + representativeByteLength - u, hashIdentifier.first, hashIdentifier.second);
representative[representativeByteLength - 1] = hashIdentifier.second ? 0xcc : 0xbc;
if (representativeBitLength % 8 != 0)
representative[0] = (byte)Crop(representative[0], representativeBitLength % 8);
}
/* see bearssl_block.h */
uint32_t
br_aes_small_ctr_run(const br_aes_small_ctr_keys *ctx,
const void *iv, uint32_t cc, void *data, size_t len)
{
unsigned char *buf;
buf = data;
while (len > 0) {
unsigned char tmp[16];
memcpy(tmp, iv, 12);
br_enc32be(tmp + 12, cc ++);
br_aes_small_encrypt(ctx->num_rounds, ctx->skey, tmp);
if (len <= 16) {
xorbuf(buf, tmp, len);
break;
}
xorbuf(buf, tmp, 16);
buf += 16;
len -= 16;
}
return cc;
}
size_t BlockTransformation::AdvancedProcessBlocks(const byte *inBlocks, const byte *xorBlocks, byte *outBlocks, size_t length, word32 flags) const
{
CRYPTOPP_ASSERT(inBlocks);
CRYPTOPP_ASSERT(outBlocks);
CRYPTOPP_ASSERT(length);
size_t blockSize = BlockSize();
size_t inIncrement = (flags & (BT_InBlockIsCounter|BT_DontIncrementInOutPointers)) ? 0 : blockSize;
size_t xorIncrement = xorBlocks ? blockSize : 0;
size_t outIncrement = (flags & BT_DontIncrementInOutPointers) ? 0 : blockSize;
if (flags & BT_ReverseDirection)
{
CRYPTOPP_ASSERT(length % blockSize == 0);
inBlocks += length - blockSize;
xorBlocks += length - blockSize;
outBlocks += length - blockSize;
inIncrement = 0-inIncrement;
xorIncrement = 0-xorIncrement;
outIncrement = 0-outIncrement;
}
while (length >= blockSize)
{
if (flags & BT_XorInput)
{
// Coverity finding. However, xorBlocks is never NULL if BT_XorInput.
CRYPTOPP_ASSERT(xorBlocks);
#if defined(__COVERITY__)
if (xorBlocks)
#endif
xorbuf(outBlocks, xorBlocks, inBlocks, blockSize);
ProcessBlock(outBlocks);
}
else
{
// xorBlocks can be NULL. See, for example, ECB_OneWay::ProcessData.
ProcessAndXorBlock(inBlocks, xorBlocks, outBlocks);
}
if (flags & BT_InBlockIsCounter)
const_cast<byte *>(inBlocks)[blockSize-1]++;
inBlocks += inIncrement;
outBlocks += outIncrement;
xorBlocks += xorIncrement;
length -= blockSize;
}
return length;
}
size_t ArrayXorSink::Put2(const byte *begin, size_t length, int messageEnd, bool blocking)
{
CRYPTOPP_UNUSED(messageEnd); CRYPTOPP_UNUSED(blocking);
// Avoid passing NULL pointer to xorbuf
size_t copied = 0;
if (m_buf && begin)
{
copied = STDMIN(length, SaturatingSubtract(m_size, m_total));
xorbuf(m_buf+m_total, begin, copied);
}
m_total += copied;
return length - copied;
}
/* see bearssl_block.h */
void
br_aes_big_ctrcbc_mac(const br_aes_big_ctrcbc_keys *ctx,
void *cbcmac, const void *data, size_t len)
{
const unsigned char *buf;
buf = data;
while (len > 0) {
xorbuf(cbcmac, buf, 16);
br_aes_big_encrypt(ctx->num_rounds, ctx->skey, cbcmac);
buf += 16;
len -= 16;
}
}
int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
{
word32 blocks = sz / DES_BLOCK_SIZE;
while (blocks--) {
XMEMCPY(des->tmp, in, DES_BLOCK_SIZE);
DesProcessBlock(des, (byte*)des->tmp, out);
xorbuf(out, (byte*)des->reg, DES_BLOCK_SIZE);
XMEMCPY(des->reg, des->tmp, DES_BLOCK_SIZE);
out += DES_BLOCK_SIZE;
in += DES_BLOCK_SIZE;
}
return 0;
}
void CCM_Base::AuthenticateLastHeaderBlock()
{
byte *cbcBuffer = CBC_Buffer();
const BlockCipher &cipher = GetBlockCipher();
if (m_aadLength != m_totalHeaderLength)
throw InvalidArgument(AlgorithmName() + ": header length doesn't match that given in SpecifyDataLengths");
if (m_bufferedDataLength > 0)
{
xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength);
cipher.ProcessBlock(cbcBuffer);
m_bufferedDataLength = 0;
}
}
X917RNG::X917RNG(BlockTransformation *c, const byte *seed, unsigned long deterministicTimeVector)
: cipher(c),
S(cipher->BlockSize()),
dtbuf(S),
randseed(seed, S),
randbuf(S),
randbuf_counter(0),
m_deterministicTimeVector(deterministicTimeVector)
{
if (m_deterministicTimeVector)
{
memset(dtbuf, 0, S);
memcpy(dtbuf, (byte *)&m_deterministicTimeVector, STDMIN((int)sizeof(m_deterministicTimeVector), S));
}
else
{
time_t tstamp1 = time(0);
xorbuf(dtbuf, (byte *)&tstamp1, STDMIN((int)sizeof(tstamp1), S));
cipher->ProcessBlock(dtbuf);
clock_t tstamp2 = clock();
xorbuf(dtbuf, (byte *)&tstamp2, STDMIN((int)sizeof(tstamp2), S));
cipher->ProcessBlock(dtbuf);
}
}
