Line | Count | Source (jump to first uncovered line) |
1 | | // gfpcrypt.h - originally written and placed in the public domain by Wei Dai |
2 | | // RFC6979 deterministic signatures added by Douglas Roark |
3 | | // ECGDSA added by Jeffrey Walton |
4 | | |
5 | | /// \file gfpcrypt.h |
6 | | /// \brief Classes and functions for schemes based on Discrete Logs (DL) over GF(p) |
7 | | |
8 | | #ifndef CRYPTOPP_GFPCRYPT_H |
9 | | #define CRYPTOPP_GFPCRYPT_H |
10 | | |
11 | | #include "config.h" |
12 | | |
13 | | #if CRYPTOPP_MSC_VERSION |
14 | | # pragma warning(push) |
15 | | # pragma warning(disable: 4189 4231 4275) |
16 | | #endif |
17 | | |
18 | | #include "cryptlib.h" |
19 | | #include "pubkey.h" |
20 | | #include "integer.h" |
21 | | #include "modexppc.h" |
22 | | #include "algparam.h" |
23 | | #include "smartptr.h" |
24 | | #include "sha.h" |
25 | | #include "asn.h" |
26 | | #include "hmac.h" |
27 | | #include "misc.h" |
28 | | |
29 | | NAMESPACE_BEGIN(CryptoPP) |
30 | | |
31 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters<Integer>; |
32 | | |
33 | | /// \brief Integer-based GroupParameters specialization |
34 | | class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBased : public ASN1CryptoMaterial<DL_GroupParameters<Integer> > |
35 | | { |
36 | | typedef DL_GroupParameters_IntegerBased ThisClass; |
37 | | |
38 | | public: |
39 | 0 | virtual ~DL_GroupParameters_IntegerBased() {} |
40 | | |
41 | | /// \brief Initialize a group parameters over integers |
42 | | /// \param params the group parameters |
43 | | void Initialize(const DL_GroupParameters_IntegerBased ¶ms) |
44 | 0 | {Initialize(params.GetModulus(), params.GetSubgroupOrder(), params.GetSubgroupGenerator());} |
45 | | |
46 | | /// \brief Create a group parameters over integers |
47 | | /// \param rng a RandomNumberGenerator derived class |
48 | | /// \param pbits the size of p, in bits |
49 | | /// \details This function overload of Initialize() creates a new private key because it |
50 | | /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair, |
51 | | /// then use one of the other Initialize() overloads. |
52 | | void Initialize(RandomNumberGenerator &rng, unsigned int pbits) |
53 | 0 | {GenerateRandom(rng, MakeParameters("ModulusSize", (int)pbits));} |
54 | | |
55 | | /// \brief Initialize a group parameters over integers |
56 | | /// \param p the modulus |
57 | | /// \param g the generator |
58 | | void Initialize(const Integer &p, const Integer &g) |
59 | 0 | {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(ComputeGroupOrder(p)/2);} |
60 | | |
61 | | /// \brief Initialize a group parameters over integers |
62 | | /// \param p the modulus |
63 | | /// \param q the subgroup order |
64 | | /// \param g the generator |
65 | | void Initialize(const Integer &p, const Integer &q, const Integer &g) |
66 | 0 | {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(q);} |
67 | | |
68 | | // ASN1Object interface |
69 | | void BERDecode(BufferedTransformation &bt); |
70 | | void DEREncode(BufferedTransformation &bt) const; |
71 | | |
72 | | /// \brief Generate a random key |
73 | | /// \param rng a RandomNumberGenerator to produce keying material |
74 | | /// \param alg additional initialization parameters |
75 | | /// \details Recognised NameValuePairs are ModulusSize and |
76 | | /// SubgroupOrderSize (optional) |
77 | | /// \throw KeyingErr if a key can't be generated or algorithm parameters |
78 | | /// are invalid |
79 | | void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg); |
80 | | |
81 | | /// \brief Get a named value |
82 | | /// \param name the name of the object or value to retrieve |
83 | | /// \param valueType reference to a variable that receives the value |
84 | | /// \param pValue void pointer to a variable that receives the value |
85 | | /// \return true if the value was retrieved, false otherwise |
86 | | /// \details GetVoidValue() retrieves the value of name if it exists. |
87 | | /// \note GetVoidValue() is an internal function and should be implemented |
88 | | /// by derived classes. Users should use one of the other functions instead. |
89 | | /// \sa GetValue(), GetValueWithDefault(), GetIntValue(), GetIntValueWithDefault(), |
90 | | /// GetRequiredParameter() and GetRequiredIntParameter() |
91 | | bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const; |
92 | | |
93 | | /// \brief Initialize or reinitialize this key |
94 | | /// \param source NameValuePairs to assign |
95 | | void AssignFrom(const NameValuePairs &source); |
96 | | |
97 | | // DL_GroupParameters |
98 | 0 | const Integer & GetSubgroupOrder() const {return m_q;} |
99 | 0 | Integer GetGroupOrder() const {return GetFieldType() == 1 ? GetModulus()-Integer::One() : GetModulus()+Integer::One();} |
100 | | bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const; |
101 | | bool ValidateElement(unsigned int level, const Integer &element, const DL_FixedBasePrecomputation<Integer> *precomp) const; |
102 | | |
103 | | /// \brief Determine if subgroup membership check is fast |
104 | | /// \return true or false |
105 | 0 | bool FastSubgroupCheckAvailable() const {return GetCofactor() == 2;} |
106 | | |
107 | | /// \brief Encodes the element |
108 | | /// \param reversible flag indicating the encoding format |
109 | | /// \param element reference to the element to encode |
110 | | /// \param encoded destination byte array for the encoded element |
111 | | /// \details EncodeElement() must be implemented in a derived class. |
112 | | /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt> |
113 | | /// \sa GetEncodedElementSize(), DecodeElement(), <A |
114 | | /// HREF="http://github.com/weidai11/cryptopp/issues/40">Cygwin |
115 | | /// i386 crash at -O3</A> |
116 | | void EncodeElement(bool reversible, const Element &element, byte *encoded) const; |
117 | | |
118 | | /// \brief Retrieve the encoded element's size |
119 | | /// \param reversible flag indicating the encoding format |
120 | | /// \return encoded element's size, in bytes |
121 | | /// \details The format of the encoded element varies by the underlying |
122 | | /// type of the element and the reversible flag. |
123 | | /// \sa EncodeElement(), DecodeElement() |
124 | | unsigned int GetEncodedElementSize(bool reversible) const; |
125 | | |
126 | | /// \brief Decodes the element |
127 | | /// \param encoded byte array with the encoded element |
128 | | /// \param checkForGroupMembership flag indicating if the element should be validated |
129 | | /// \return Element after decoding |
130 | | /// \details DecodeElement() must be implemented in a derived class. |
131 | | /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt> |
132 | | /// \sa GetEncodedElementSize(), EncodeElement() |
133 | | Integer DecodeElement(const byte *encoded, bool checkForGroupMembership) const; |
134 | | |
135 | | /// \brief Converts an element to an Integer |
136 | | /// \param element the element to convert to an Integer |
137 | | /// \return Element after converting to an Integer |
138 | | /// \details ConvertElementToInteger() must be implemented in a derived class. |
139 | | Integer ConvertElementToInteger(const Element &element) const |
140 | 0 | {return element;} |
141 | | |
142 | | /// \brief Retrieve the maximum exponent for the group |
143 | | /// \return the maximum exponent for the group |
144 | | Integer GetMaxExponent() const; |
145 | | |
146 | | /// \brief Retrieve the OID of the algorithm |
147 | | /// \return OID of the algorithm |
148 | | OID GetAlgorithmID() const; |
149 | | |
150 | | /// \brief Retrieve the modulus for the group |
151 | | /// \return the modulus for the group |
152 | | virtual const Integer & GetModulus() const =0; |
153 | | |
154 | | /// \brief Set group parameters |
155 | | /// \param p the prime modulus |
156 | | /// \param g the group generator |
157 | | virtual void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) =0; |
158 | | |
159 | | /// \brief Set subgroup order |
160 | | /// \param q the subgroup order |
161 | | void SetSubgroupOrder(const Integer &q) |
162 | 0 | {m_q = q; ParametersChanged();} |
163 | | |
164 | 0 | static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";} |
165 | | |
166 | | protected: |
167 | | Integer ComputeGroupOrder(const Integer &modulus) const |
168 | 0 | {return modulus-(GetFieldType() == 1 ? 1 : -1);} |
169 | | |
170 | | // GF(p) = 1, GF(p^2) = 2 |
171 | | virtual int GetFieldType() const =0; |
172 | | virtual unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const; |
173 | | |
174 | | private: |
175 | | Integer m_q; |
176 | | }; |
177 | | |
178 | | /// \brief Integer-based GroupParameters default implementation |
179 | | /// \tparam GROUP_PRECOMP group parameters precomputation specialization |
180 | | /// \tparam BASE_PRECOMP base class precomputation specialization |
181 | | template <class GROUP_PRECOMP, class BASE_PRECOMP = DL_FixedBasePrecomputationImpl<typename GROUP_PRECOMP::Element> > |
182 | | class CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBasedImpl : public DL_GroupParametersImpl<GROUP_PRECOMP, BASE_PRECOMP, DL_GroupParameters_IntegerBased> |
183 | | { |
184 | | typedef DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> ThisClass; |
185 | | |
186 | | public: |
187 | | typedef typename GROUP_PRECOMP::Element Element; |
188 | | |
189 | 0 | virtual ~DL_GroupParameters_IntegerBasedImpl() {} |
190 | | |
191 | | // GeneratibleCryptoMaterial interface |
192 | | bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const |
193 | 0 | {return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();} |
194 | | |
195 | | void AssignFrom(const NameValuePairs &source) |
196 | 0 | {AssignFromHelper<DL_GroupParameters_IntegerBased>(this, source);} |
197 | | |
198 | | // DL_GroupParameters |
199 | 0 | const DL_FixedBasePrecomputation<Element> & GetBasePrecomputation() const {return this->m_gpc;} |
200 | 0 | DL_FixedBasePrecomputation<Element> & AccessBasePrecomputation() {return this->m_gpc;} |
201 | | |
202 | | // IntegerGroupParameters |
203 | | /// \brief Retrieve the modulus for the group |
204 | | /// \return the modulus for the group |
205 | 0 | const Integer & GetModulus() const {return this->m_groupPrecomputation.GetModulus();} |
206 | | |
207 | | /// \brief Retrieves a reference to the group generator |
208 | | /// \return const reference to the group generator |
209 | 0 | const Integer & GetGenerator() const {return this->m_gpc.GetBase(this->GetGroupPrecomputation());} |
210 | | |
211 | | void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) // these have to be set together |
212 | 0 | {this->m_groupPrecomputation.SetModulus(p); this->m_gpc.SetBase(this->GetGroupPrecomputation(), g); this->ParametersChanged();} |
213 | | |
214 | | // non-inherited |
215 | | bool operator==(const DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> &rhs) const |
216 | 0 | {return GetModulus() == rhs.GetModulus() && GetGenerator() == rhs.GetGenerator() && this->GetSubgroupOrder() == rhs.GetSubgroupOrder();} |
217 | | bool operator!=(const DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> &rhs) const |
218 | 0 | {return !operator==(rhs);} |
219 | | }; |
220 | | |
221 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>; |
222 | | |
223 | | /// \brief GF(p) group parameters |
224 | | class CRYPTOPP_DLL DL_GroupParameters_GFP : public DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation> |
225 | | { |
226 | | public: |
227 | 0 | virtual ~DL_GroupParameters_GFP() {} |
228 | | |
229 | | /// \brief Determines if an element is an identity |
230 | | /// \param element element to check |
231 | | /// \return true if the element is an identity, false otherwise |
232 | | /// \details The identity element or or neutral element is a special element |
233 | | /// in a group that leaves other elements unchanged when combined with it. |
234 | | /// \details IsIdentity() must be implemented in a derived class. |
235 | 0 | bool IsIdentity(const Integer &element) const {return element == Integer::One();} |
236 | | |
237 | | /// \brief Exponentiates a base to multiple exponents |
238 | | /// \param results an array of Elements |
239 | | /// \param base the base to raise to the exponents |
240 | | /// \param exponents an array of exponents |
241 | | /// \param exponentsCount the number of exponents in the array |
242 | | /// \details SimultaneousExponentiate() raises the base to each exponent in |
243 | | /// the exponents array and stores the result at the respective position in |
244 | | /// the results array. |
245 | | /// \details SimultaneousExponentiate() must be implemented in a derived class. |
246 | | /// \pre <tt>COUNTOF(results) == exponentsCount</tt> |
247 | | /// \pre <tt>COUNTOF(exponents) == exponentsCount</tt> |
248 | | void SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const; |
249 | | |
250 | | /// \brief Get a named value |
251 | | /// \param name the name of the object or value to retrieve |
252 | | /// \param valueType reference to a variable that receives the value |
253 | | /// \param pValue void pointer to a variable that receives the value |
254 | | /// \return true if the value was retrieved, false otherwise |
255 | | /// \details GetVoidValue() retrieves the value of name if it exists. |
256 | | /// \note GetVoidValue() is an internal function and should be implemented |
257 | | /// by derived classes. Users should use one of the other functions instead. |
258 | | /// \sa GetValue(), GetValueWithDefault(), GetIntValue(), GetIntValueWithDefault(), |
259 | | /// GetRequiredParameter() and GetRequiredIntParameter() |
260 | | bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const |
261 | 0 | { |
262 | 0 | return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable(); |
263 | 0 | } |
264 | | |
265 | | // used by MQV |
266 | | Element MultiplyElements(const Element &a, const Element &b) const; |
267 | | Element CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const; |
268 | | |
269 | | protected: |
270 | 0 | int GetFieldType() const {return 1;} |
271 | | }; |
272 | | |
273 | | /// \brief GF(p) group parameters that default to safe primes |
274 | | class CRYPTOPP_DLL DL_GroupParameters_GFP_DefaultSafePrime : public DL_GroupParameters_GFP |
275 | | { |
276 | | public: |
277 | | typedef NoCofactorMultiplication DefaultCofactorOption; |
278 | | |
279 | 0 | virtual ~DL_GroupParameters_GFP_DefaultSafePrime() {} |
280 | | |
281 | | protected: |
282 | 0 | unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const {return modulusSize-1;} |
283 | | }; |
284 | | |
285 | | /// ElGamal encryption for safe interop |
286 | | /// \sa <A HREF="https://eprint.iacr.org/2021/923.pdf">On the |
287 | | /// (in)security of ElGamal in OpenPGP</A>, |
288 | | /// <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>, |
289 | | /// <A HREF="https://nvd.nist.gov/vuln/detail/CVE-2021-40530">CVE-2021-40530</A> |
290 | | /// \since Crypto++ 8.6 |
291 | | class CRYPTOPP_DLL DL_GroupParameters_ElGamal : public DL_GroupParameters_GFP_DefaultSafePrime |
292 | | { |
293 | | public: |
294 | | typedef NoCofactorMultiplication DefaultCofactorOption; |
295 | | |
296 | 0 | virtual ~DL_GroupParameters_ElGamal() {} |
297 | | |
298 | | Integer GetMaxExponent() const |
299 | 0 | { |
300 | 0 | return GetSubgroupOrder()-1; |
301 | 0 | } |
302 | | }; |
303 | | |
304 | | /// \brief GDSA algorithm |
305 | | /// \tparam T FieldElement type or class |
306 | | /// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N. |
307 | | template <class T> |
308 | | class DL_Algorithm_GDSA : public DL_ElgamalLikeSignatureAlgorithm<T> |
309 | | { |
310 | | public: |
311 | 0 | CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-1363";} Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::Integer>::StaticAlgorithmName() Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::ECPPoint>::StaticAlgorithmName() Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::EC2NPoint>::StaticAlgorithmName() |
312 | | |
313 | 0 | virtual ~DL_Algorithm_GDSA() {} Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::Integer>::~DL_Algorithm_GDSA() Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::ECPPoint>::~DL_Algorithm_GDSA() Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::EC2NPoint>::~DL_Algorithm_GDSA() |
314 | | |
315 | | void Sign(const DL_GroupParameters<T> ¶ms, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const |
316 | 0 | { |
317 | 0 | const Integer &q = params.GetSubgroupOrder(); |
318 | 0 | r %= q; |
319 | 0 | Integer kInv = k.InverseMod(q); |
320 | 0 | s = (kInv * (x*r + e)) % q; |
321 | 0 | CRYPTOPP_ASSERT(!!r && !!s); |
322 | 0 | } Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::Integer>::Sign(CryptoPP::DL_GroupParameters<CryptoPP::Integer> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer&, CryptoPP::Integer&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::ECPPoint>::Sign(CryptoPP::DL_GroupParameters<CryptoPP::ECPPoint> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer&, CryptoPP::Integer&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::EC2NPoint>::Sign(CryptoPP::DL_GroupParameters<CryptoPP::EC2NPoint> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer&, CryptoPP::Integer&) const |
323 | | |
324 | | bool Verify(const DL_GroupParameters<T> ¶ms, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const |
325 | 0 | { |
326 | 0 | const Integer &q = params.GetSubgroupOrder(); |
327 | 0 | if (r>=q || r<1 || s>=q || s<1) |
328 | 0 | return false; |
329 | | |
330 | 0 | Integer w = s.InverseMod(q); |
331 | 0 | Integer u1 = (e * w) % q; |
332 | 0 | Integer u2 = (r * w) % q; |
333 | | // verify r == (g^u1 * y^u2 mod p) mod q |
334 | 0 | return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q; |
335 | 0 | } Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::Integer>::Verify(CryptoPP::DL_GroupParameters<CryptoPP::Integer> const&, CryptoPP::DL_PublicKey<CryptoPP::Integer> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::ECPPoint>::Verify(CryptoPP::DL_GroupParameters<CryptoPP::ECPPoint> const&, CryptoPP::DL_PublicKey<CryptoPP::ECPPoint> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::EC2NPoint>::Verify(CryptoPP::DL_GroupParameters<CryptoPP::EC2NPoint> const&, CryptoPP::DL_PublicKey<CryptoPP::EC2NPoint> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const |
336 | | }; |
337 | | |
338 | | /// \brief DSA signature algorithm based on RFC 6979 |
339 | | /// \tparam T FieldElement type or class |
340 | | /// \tparam H HashTransformation derived class |
341 | | /// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N. |
342 | | /// \sa <a href="http://tools.ietf.org/rfc/rfc6979.txt">RFC 6979, Deterministic Usage of the |
343 | | /// Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</a> |
344 | | /// \since Crypto++ 6.0 |
345 | | template <class T, class H> |
346 | | class DL_Algorithm_DSA_RFC6979 : public DL_Algorithm_GDSA<T>, public DeterministicSignatureAlgorithm |
347 | | { |
348 | | public: |
349 | 0 | CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-RFC6979";} Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::StaticAlgorithmName() Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::StaticAlgorithmName() Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::StaticAlgorithmName() Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::StaticAlgorithmName() Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::StaticAlgorithmName() |
350 | | |
351 | 0 | virtual ~DL_Algorithm_DSA_RFC6979() {} Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::~DL_Algorithm_DSA_RFC6979() Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::~DL_Algorithm_DSA_RFC6979() Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::~DL_Algorithm_DSA_RFC6979() Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::~DL_Algorithm_DSA_RFC6979() Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::~DL_Algorithm_DSA_RFC6979() |
352 | | |
353 | | bool IsProbabilistic() const |
354 | 0 | {return false;} Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::IsProbabilistic() const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::IsProbabilistic() const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::IsProbabilistic() const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::IsProbabilistic() const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::IsProbabilistic() const |
355 | | bool IsDeterministic() const |
356 | 0 | {return true;} Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::IsDeterministic() const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::IsDeterministic() const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::IsDeterministic() const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::IsDeterministic() const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::IsDeterministic() const |
357 | | |
358 | | // Deterministic K |
359 | | Integer GenerateRandom(const Integer &x, const Integer &q, const Integer &e) const |
360 | 0 | { |
361 | 0 | static const byte zero = 0, one = 1; |
362 | 0 | const size_t qlen = q.BitCount(); |
363 | 0 | const size_t rlen = BitsToBytes(qlen); |
364 | | |
365 | | // Step (a) - formatted E(m) |
366 | 0 | SecByteBlock BH(e.MinEncodedSize()); |
367 | 0 | e.Encode(BH, BH.size()); |
368 | 0 | BH = bits2octets(BH, q); |
369 | | |
370 | | // Step (a) - private key to byte array |
371 | 0 | SecByteBlock BX(STDMAX(rlen, x.MinEncodedSize())); |
372 | 0 | x.Encode(BX, BX.size()); |
373 | | |
374 | | // Step (b) |
375 | 0 | SecByteBlock V(H::DIGESTSIZE); |
376 | 0 | std::fill(V.begin(), V.begin()+H::DIGESTSIZE, one); |
377 | | |
378 | | // Step (c) |
379 | 0 | SecByteBlock K(H::DIGESTSIZE); |
380 | 0 | std::fill(K.begin(), K.begin()+H::DIGESTSIZE, zero); |
381 | | |
382 | | // Step (d) |
383 | 0 | m_hmac.SetKey(K, K.size()); |
384 | 0 | m_hmac.Update(V, V.size()); |
385 | 0 | m_hmac.Update(&zero, 1); |
386 | 0 | m_hmac.Update(BX, BX.size()); |
387 | 0 | m_hmac.Update(BH, BH.size()); |
388 | 0 | m_hmac.TruncatedFinal(K, K.size()); |
389 | | |
390 | | // Step (e) |
391 | 0 | m_hmac.SetKey(K, K.size()); |
392 | 0 | m_hmac.Update(V, V.size()); |
393 | 0 | m_hmac.TruncatedFinal(V, V.size()); |
394 | | |
395 | | // Step (f) |
396 | 0 | m_hmac.SetKey(K, K.size()); |
397 | 0 | m_hmac.Update(V, V.size()); |
398 | 0 | m_hmac.Update(&one, 1); |
399 | 0 | m_hmac.Update(BX, BX.size()); |
400 | 0 | m_hmac.Update(BH, BH.size()); |
401 | 0 | m_hmac.TruncatedFinal(K, K.size()); |
402 | | |
403 | | // Step (g) |
404 | 0 | m_hmac.SetKey(K, K.size()); |
405 | 0 | m_hmac.Update(V, V.size()); |
406 | 0 | m_hmac.TruncatedFinal(V, V.size()); |
407 | |
|
408 | 0 | Integer k; |
409 | 0 | SecByteBlock temp(rlen); |
410 | 0 | for (;;) |
411 | 0 | { |
412 | | // We want qlen bits, but we support only hash functions with an output length |
413 | | // multiple of 8; hence, we will gather rlen bits, i.e., rolen octets. |
414 | 0 | size_t toff = 0; |
415 | 0 | while (toff < rlen) |
416 | 0 | { |
417 | 0 | m_hmac.Update(V, V.size()); |
418 | 0 | m_hmac.TruncatedFinal(V, V.size()); |
419 | |
|
420 | 0 | size_t cc = STDMIN(V.size(), temp.size() - toff); |
421 | 0 | memcpy_s(temp+toff, temp.size() - toff, V, cc); |
422 | 0 | toff += cc; |
423 | 0 | } |
424 | |
|
425 | 0 | k = bits2int(temp, qlen); |
426 | 0 | if (k > 0 && k < q) |
427 | 0 | break; |
428 | | |
429 | | // k is not in the proper range; update K and V, and loop. |
430 | 0 | m_hmac.Update(V, V.size()); |
431 | 0 | m_hmac.Update(&zero, 1); |
432 | 0 | m_hmac.TruncatedFinal(K, K.size()); |
433 | |
|
434 | 0 | m_hmac.SetKey(K, K.size()); |
435 | 0 | m_hmac.Update(V, V.size()); |
436 | 0 | m_hmac.TruncatedFinal(V, V.size()); |
437 | 0 | } |
438 | |
|
439 | 0 | return k; |
440 | 0 | } Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const |
441 | | |
442 | | protected: |
443 | | |
444 | | Integer bits2int(const SecByteBlock& bits, size_t qlen) const |
445 | 0 | { |
446 | 0 | Integer ret(bits, bits.size()); |
447 | 0 | size_t blen = bits.size()*8; |
448 | |
|
449 | 0 | if (blen > qlen) |
450 | 0 | ret >>= blen - qlen; |
451 | |
|
452 | 0 | return ret; |
453 | 0 | } Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const |
454 | | |
455 | | // RFC 6979 support function. Takes an integer and converts it into bytes that |
456 | | // are the same length as an elliptic curve's order. |
457 | | SecByteBlock int2octets(const Integer& val, size_t rlen) const |
458 | 0 | { |
459 | 0 | SecByteBlock block(val.MinEncodedSize()); |
460 | 0 | val.Encode(block, val.MinEncodedSize()); |
461 | |
|
462 | 0 | if (block.size() == rlen) |
463 | 0 | return block; |
464 | | |
465 | | // The least significant bytes are the ones we need to preserve. |
466 | 0 | SecByteBlock t(rlen); |
467 | 0 | if (block.size() > rlen) |
468 | 0 | { |
469 | 0 | size_t offset = block.size() - rlen; |
470 | 0 | std::memcpy(t, block + offset, rlen); |
471 | 0 | } |
472 | 0 | else // block.size() < rlen |
473 | 0 | { |
474 | 0 | size_t offset = rlen - block.size(); |
475 | 0 | std::memset(t, '\x00', offset); |
476 | 0 | std::memcpy(t + offset, block, rlen - offset); |
477 | 0 | } |
478 | |
|
479 | 0 | return t; |
480 | 0 | } Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::int2octets(CryptoPP::Integer const&, unsigned long) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::int2octets(CryptoPP::Integer const&, unsigned long) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::int2octets(CryptoPP::Integer const&, unsigned long) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::int2octets(CryptoPP::Integer const&, unsigned long) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::int2octets(CryptoPP::Integer const&, unsigned long) const |
481 | | |
482 | | // Turn a stream of bits into a set of bytes with the same length as an elliptic |
483 | | // curve's order. |
484 | | SecByteBlock bits2octets(const SecByteBlock& in, const Integer& q) const |
485 | 0 | { |
486 | 0 | Integer b2 = bits2int(in, q.BitCount()); |
487 | 0 | Integer b1 = b2 - q; |
488 | 0 | return int2octets(b1.IsNegative() ? b2 : b1, q.ByteCount()); |
489 | 0 | } Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const |
490 | | |
491 | | private: |
492 | | mutable H m_hash; |
493 | | mutable HMAC<H> m_hmac; |
494 | | }; |
495 | | |
496 | | /// \brief German Digital Signature Algorithm |
497 | | /// \tparam T FieldElement type or class |
498 | | /// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N. |
499 | | /// \details The Digital Signature Scheme ECGDSA does not define the algorithm over integers. Rather, the |
500 | | /// signature algorithm is only defined over elliptic curves. However, the library design is such that the |
501 | | /// generic algorithm reside in <tt>gfpcrypt.h</tt>. |
502 | | /// \sa Erwin Hess, Marcus Schafheutle, and Pascale Serf <A HREF="http://www.teletrust.de/fileadmin/files/oid/ecgdsa_final.pdf"> |
503 | | /// The Digital Signature Scheme ECGDSA (October 24, 2006)</A> |
504 | | template <class T> |
505 | | class DL_Algorithm_GDSA_ISO15946 : public DL_ElgamalLikeSignatureAlgorithm<T> |
506 | | { |
507 | | public: |
508 | | CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "GDSA-ISO15946";} |
509 | | |
510 | | virtual ~DL_Algorithm_GDSA_ISO15946() {} |
511 | | |
512 | | void Sign(const DL_GroupParameters<T> ¶ms, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const |
513 | | { |
514 | | const Integer &q = params.GetSubgroupOrder(); |
515 | | // r = x(k * G) mod q |
516 | | r = params.ConvertElementToInteger(params.ExponentiateBase(k)) % q; |
517 | | // s = (k * r - h(m)) * d_A mod q |
518 | | s = (k * r - e) * x % q; |
519 | | CRYPTOPP_ASSERT(!!r && !!s); |
520 | | } |
521 | | |
522 | | bool Verify(const DL_GroupParameters<T> ¶ms, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const |
523 | | { |
524 | | const Integer &q = params.GetSubgroupOrder(); |
525 | | if (r>=q || r<1 || s>=q || s<1) |
526 | | return false; |
527 | | |
528 | | const Integer& rInv = r.InverseMod(q); |
529 | | const Integer u1 = (rInv * e) % q; |
530 | | const Integer u2 = (rInv * s) % q; |
531 | | // verify x(G^u1 + P_A^u2) mod q |
532 | | return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q; |
533 | | } |
534 | | }; |
535 | | |
536 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<Integer>; |
537 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA1>; |
538 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA224>; |
539 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA256>; |
540 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA384>; |
541 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA512>; |
542 | | |
543 | | /// \brief NR algorithm |
544 | | /// \tparam T FieldElement type or class |
545 | | /// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N. |
546 | | template <class T> |
547 | | class DL_Algorithm_NR : public DL_ElgamalLikeSignatureAlgorithm<T> |
548 | | { |
549 | | public: |
550 | | CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "NR";} |
551 | | |
552 | | virtual ~DL_Algorithm_NR() {} |
553 | | |
554 | | void Sign(const DL_GroupParameters<T> ¶ms, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const |
555 | | { |
556 | | const Integer &q = params.GetSubgroupOrder(); |
557 | | r = (r + e) % q; |
558 | | s = (k - x*r) % q; |
559 | | CRYPTOPP_ASSERT(!!r); |
560 | | } |
561 | | |
562 | | bool Verify(const DL_GroupParameters<T> ¶ms, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const |
563 | | { |
564 | | const Integer &q = params.GetSubgroupOrder(); |
565 | | if (r>=q || r<1 || s>=q) |
566 | | return false; |
567 | | |
568 | | // check r == (m_g^s * m_y^r + m) mod m_q |
569 | | return r == (params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(s, r)) + e) % q; |
570 | | } |
571 | | }; |
572 | | |
573 | | /// \brief Discrete Log (DL) public key in GF(p) groups |
574 | | /// \tparam GP GroupParameters derived class |
575 | | /// \details DSA public key format is defined in 7.3.3 of RFC 2459. The private key format is defined in 12.9 of PKCS #11 v2.10. |
576 | | template <class GP> |
577 | | class DL_PublicKey_GFP : public DL_PublicKeyImpl<GP> |
578 | | { |
579 | | public: |
580 | 0 | virtual ~DL_PublicKey_GFP() {} |
581 | | |
582 | | /// \brief Initialize a public key over GF(p) |
583 | | /// \param params the group parameters |
584 | | /// \param y the public element |
585 | | void Initialize(const DL_GroupParameters_IntegerBased ¶ms, const Integer &y) |
586 | 0 | {this->AccessGroupParameters().Initialize(params); this->SetPublicElement(y);} |
587 | | |
588 | | /// \brief Initialize a public key over GF(p) |
589 | | /// \param p the modulus |
590 | | /// \param g the generator |
591 | | /// \param y the public element |
592 | | void Initialize(const Integer &p, const Integer &g, const Integer &y) |
593 | 0 | {this->AccessGroupParameters().Initialize(p, g); this->SetPublicElement(y);} |
594 | | |
595 | | /// \brief Initialize a public key over GF(p) |
596 | | /// \param p the modulus |
597 | | /// \param q the subgroup order |
598 | | /// \param g the generator |
599 | | /// \param y the public element |
600 | | void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y) |
601 | 0 | {this->AccessGroupParameters().Initialize(p, q, g); this->SetPublicElement(y);} |
602 | | |
603 | | // X509PublicKey |
604 | | void BERDecodePublicKey(BufferedTransformation &bt, bool, size_t) |
605 | 0 | {this->SetPublicElement(Integer(bt));} |
606 | | void DEREncodePublicKey(BufferedTransformation &bt) const |
607 | 0 | {this->GetPublicElement().DEREncode(bt);} |
608 | | }; |
609 | | |
610 | | /// \brief Discrete Log (DL) private key in GF(p) groups |
611 | | /// \tparam GP GroupParameters derived class |
612 | | template <class GP> |
613 | | class DL_PrivateKey_GFP : public DL_PrivateKeyImpl<GP> |
614 | | { |
615 | | public: |
616 | | virtual ~DL_PrivateKey_GFP(); |
617 | | |
618 | | /// \brief Create a private key |
619 | | /// \param rng a RandomNumberGenerator derived class |
620 | | /// \param modulusBits the size of the modulus, in bits |
621 | | /// \details This function overload of Initialize() creates a new private key because it |
622 | | /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair, |
623 | | /// then use one of the other Initialize() overloads. |
624 | | void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits) |
625 | 0 | {this->GenerateRandomWithKeySize(rng, modulusBits);} |
626 | | |
627 | | /// \brief Create a private key |
628 | | /// \param rng a RandomNumberGenerator derived class |
629 | | /// \param p the modulus |
630 | | /// \param g the generator |
631 | | /// \details This function overload of Initialize() creates a new private key because it |
632 | | /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair, |
633 | | /// then use one of the other Initialize() overloads. |
634 | | void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g) |
635 | 0 | {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupGenerator", g));} |
636 | | |
637 | | /// \brief Create a private key |
638 | | /// \param rng a RandomNumberGenerator derived class |
639 | | /// \param p the modulus |
640 | | /// \param q the subgroup order |
641 | | /// \param g the generator |
642 | | /// \details This function overload of Initialize() creates a new private key because it |
643 | | /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair, |
644 | | /// then use one of the other Initialize() overloads. |
645 | | void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g) |
646 | 0 | {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupOrder", q)("SubgroupGenerator", g));} |
647 | | |
648 | | /// \brief Initialize a private key over GF(p) |
649 | | /// \param params the group parameters |
650 | | /// \param x the private exponent |
651 | | void Initialize(const DL_GroupParameters_IntegerBased ¶ms, const Integer &x) |
652 | 0 | {this->AccessGroupParameters().Initialize(params); this->SetPrivateExponent(x);} |
653 | | |
654 | | /// \brief Initialize a private key over GF(p) |
655 | | /// \param p the modulus |
656 | | /// \param g the generator |
657 | | /// \param x the private exponent |
658 | | void Initialize(const Integer &p, const Integer &g, const Integer &x) |
659 | 0 | {this->AccessGroupParameters().Initialize(p, g); this->SetPrivateExponent(x);} |
660 | | |
661 | | /// \brief Initialize a private key over GF(p) |
662 | | /// \param p the modulus |
663 | | /// \param q the subgroup order |
664 | | /// \param g the generator |
665 | | /// \param x the private exponent |
666 | | void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x) |
667 | 0 | {this->AccessGroupParameters().Initialize(p, q, g); this->SetPrivateExponent(x);} |
668 | | }; |
669 | | |
670 | | // Out-of-line dtor due to AIX and GCC, http://github.com/weidai11/cryptopp/issues/499 |
671 | | template <class GP> |
672 | 0 | DL_PrivateKey_GFP<GP>::~DL_PrivateKey_GFP() {} |
673 | | |
674 | | /// \brief Discrete Log (DL) signing/verification keys in GF(p) groups |
675 | | struct DL_SignatureKeys_GFP |
676 | | { |
677 | | typedef DL_GroupParameters_GFP GroupParameters; |
678 | | typedef DL_PublicKey_GFP<GroupParameters> PublicKey; |
679 | | typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey; |
680 | | }; |
681 | | |
682 | | /// \brief Discrete Log (DL) encryption/decryption keys in GF(p) groups |
683 | | struct DL_CryptoKeys_GFP |
684 | | { |
685 | | typedef DL_GroupParameters_GFP_DefaultSafePrime GroupParameters; |
686 | | typedef DL_PublicKey_GFP<GroupParameters> PublicKey; |
687 | | typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey; |
688 | | }; |
689 | | |
690 | | /// ElGamal encryption keys for safe interop |
691 | | /// \sa <A HREF="https://eprint.iacr.org/2021/923.pdf">On the |
692 | | /// (in)security of ElGamal in OpenPGP</A>, |
693 | | /// <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>, |
694 | | /// <A HREF="https://nvd.nist.gov/vuln/detail/CVE-2021-40530">CVE-2021-40530</A> |
695 | | /// \since Crypto++ 8.6 |
696 | | struct DL_CryptoKeys_ElGamal |
697 | | { |
698 | | typedef DL_GroupParameters_ElGamal GroupParameters; |
699 | | typedef DL_PublicKey_GFP<GroupParameters> PublicKey; |
700 | | typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey; |
701 | | }; |
702 | | |
703 | | /// \brief DSA signature scheme |
704 | | /// \tparam H HashTransformation derived class |
705 | | /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a> |
706 | | /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2 |
707 | | template <class H> |
708 | | struct GDSA : public DL_SS< |
709 | | DL_SignatureKeys_GFP, |
710 | | DL_Algorithm_GDSA<Integer>, |
711 | | DL_SignatureMessageEncodingMethod_DSA, |
712 | | H> |
713 | | { |
714 | | }; |
715 | | |
716 | | /// \brief NR signature scheme |
717 | | /// \tparam H HashTransformation derived class |
718 | | /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#NR">NR</a> |
719 | | template <class H> |
720 | | struct NR : public DL_SS< |
721 | | DL_SignatureKeys_GFP, |
722 | | DL_Algorithm_NR<Integer>, |
723 | | DL_SignatureMessageEncodingMethod_NR, |
724 | | H> |
725 | | { |
726 | | }; |
727 | | |
728 | | /// \brief DSA group parameters |
729 | | /// \details These are GF(p) group parameters that are allowed by the DSA standard |
730 | | /// \sa DL_Keys_DSA |
731 | | /// \since Crypto++ 1.0 |
732 | | class CRYPTOPP_DLL DL_GroupParameters_DSA : public DL_GroupParameters_GFP |
733 | | { |
734 | | public: |
735 | 0 | virtual ~DL_GroupParameters_DSA() {} |
736 | | |
737 | | /// \brief Check the group for errors |
738 | | /// \param rng RandomNumberGenerator for objects which use randomized testing |
739 | | /// \param level level of thoroughness |
740 | | /// \return true if the tests succeed, false otherwise |
741 | | /// \details ValidateGroup() also checks that the lengths of p and q are allowed |
742 | | /// by the DSA standard. |
743 | | /// \details There are four levels of thoroughness: |
744 | | /// <ul> |
745 | | /// <li>0 - using this object won't cause a crash or exception |
746 | | /// <li>1 - this object will probably function, and encrypt, sign, other operations correctly |
747 | | /// <li>2 - ensure this object will function correctly, and perform reasonable security checks |
748 | | /// <li>3 - perform reasonable security checks, and do checks that may take a long time |
749 | | /// </ul> |
750 | | /// \details Level 0 does not require a RandomNumberGenerator. A NullRNG() can be used for level 0. |
751 | | /// Level 1 may not check for weak keys and such. Levels 2 and 3 are recommended. |
752 | | bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const; |
753 | | |
754 | | /// \brief Generate a random key or crypto parameters |
755 | | /// \param rng a RandomNumberGenerator to produce keying material |
756 | | /// \param alg additional initialization parameters |
757 | | /// \details NameValuePairs can be ModulusSize alone; or Modulus, SubgroupOrder, and |
758 | | /// SubgroupGenerator. ModulusSize must be between <tt>DSA::MIN_PRIME_LENGTH</tt> and |
759 | | /// <tt>DSA::MAX_PRIME_LENGTH</tt>, and divisible by <tt>DSA::PRIME_LENGTH_MULTIPLE</tt>. |
760 | | /// \details An example of changing the modulus size using NameValuePairs is shown below. |
761 | | /// <pre> |
762 | | /// AlgorithmParameters params = MakeParameters |
763 | | /// (Name::ModulusSize(), 2048); |
764 | | /// |
765 | | /// DL_GroupParameters_DSA groupParams; |
766 | | /// groupParams.GenerateRandom(prng, params); |
767 | | /// </pre> |
768 | | /// \throw KeyingErr if a key can't be generated or algorithm parameters are invalid. |
769 | | void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg); |
770 | | |
771 | | /// \brief Check the prime length for errors |
772 | | /// \param pbits number of bits in the prime number |
773 | | /// \return true if the tests succeed, false otherwise |
774 | | static bool CRYPTOPP_API IsValidPrimeLength(unsigned int pbits) |
775 | 0 | {return pbits >= MIN_PRIME_LENGTH && pbits <= MAX_PRIME_LENGTH && pbits % PRIME_LENGTH_MULTIPLE == 0;} |
776 | | |
777 | | /// \brief DSA prime length |
778 | | enum { |
779 | | /// \brief Minimum prime length |
780 | | MIN_PRIME_LENGTH = 1024, |
781 | | /// \brief Maximum prime length |
782 | | MAX_PRIME_LENGTH = 3072, |
783 | | /// \brief Prime length multiple |
784 | | PRIME_LENGTH_MULTIPLE = 1024 |
785 | | }; |
786 | | }; |
787 | | |
788 | | template <class H> |
789 | | class DSA2; |
790 | | |
791 | | /// \brief DSA keys |
792 | | /// \sa DL_GroupParameters_DSA |
793 | | /// \since Crypto++ 1.0 |
794 | | struct DL_Keys_DSA |
795 | | { |
796 | | typedef DL_PublicKey_GFP<DL_GroupParameters_DSA> PublicKey; |
797 | | typedef DL_PrivateKey_WithSignaturePairwiseConsistencyTest<DL_PrivateKey_GFP<DL_GroupParameters_DSA>, DSA2<SHA1> > PrivateKey; |
798 | | }; |
799 | | |
800 | | /// \brief DSA signature scheme |
801 | | /// \tparam H HashTransformation derived class |
802 | | /// \details The class is named DSA2 instead of DSA for backwards compatibility because |
803 | | /// DSA was a non-template class. |
804 | | /// \details DSA default method GenerateRandom uses a 2048-bit modulus and a 224-bit subgoup by default. |
805 | | /// The modulus can be changed using the following code: |
806 | | /// <pre> |
807 | | /// DSA::PrivateKey privateKey; |
808 | | /// privateKey.GenerateRandomWithKeySize(prng, 2048); |
809 | | /// </pre> |
810 | | /// \details The subgroup order can be changed using the following code: |
811 | | /// <pre> |
812 | | /// AlgorithmParameters params = MakeParameters |
813 | | /// (Name::ModulusSize(), 2048) |
814 | | /// (Name::SubgroupOrderSize(), 256); |
815 | | /// |
816 | | /// DSA::PrivateKey privateKey; |
817 | | /// privateKey.GenerateRandom(prng, params); |
818 | | /// </pre> |
819 | | /// \sa <a href="http://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, as specified in FIPS 186-3, |
820 | | /// <a href="https://www.cryptopp.com/wiki/Digital_Signature_Algorithm">Digital Signature Algorithm</a> on the wiki, and |
821 | | /// <a href="https://www.cryptopp.com/wiki/NameValuePairs">NameValuePairs</a> on the wiki. |
822 | | /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2, Crypto++ 6.1 for 2048-bit modulus. |
823 | | template <class H> |
824 | | class DSA2 : public DL_SS< |
825 | | DL_Keys_DSA, |
826 | | DL_Algorithm_GDSA<Integer>, |
827 | | DL_SignatureMessageEncodingMethod_DSA, |
828 | | H, |
829 | | DSA2<H> > |
830 | | { |
831 | | public: |
832 | 0 | static std::string CRYPTOPP_API StaticAlgorithmName() {return "DSA/" + (std::string)H::StaticAlgorithmName();} |
833 | | }; |
834 | | |
835 | | /// \brief DSA deterministic signature scheme |
836 | | /// \tparam H HashTransformation derived class |
837 | | /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a> |
838 | | /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2 |
839 | | template <class H> |
840 | | struct DSA_RFC6979 : public DL_SS< |
841 | | DL_SignatureKeys_GFP, |
842 | | DL_Algorithm_DSA_RFC6979<Integer, H>, |
843 | | DL_SignatureMessageEncodingMethod_DSA, |
844 | | H, |
845 | | DSA_RFC6979<H> > |
846 | | { |
847 | | static std::string CRYPTOPP_API StaticAlgorithmName() {return std::string("DSA-RFC6979/") + H::StaticAlgorithmName();} |
848 | | }; |
849 | | |
850 | | /// DSA with SHA-1, typedef'd for backwards compatibility |
851 | | typedef DSA2<SHA1> DSA; |
852 | | |
853 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_GFP<DL_GroupParameters_DSA>; |
854 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_GFP<DL_GroupParameters_DSA>; |
855 | | CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_WithSignaturePairwiseConsistencyTest<DL_PrivateKey_GFP<DL_GroupParameters_DSA>, DSA2<SHA1> >; |
856 | | |
857 | | /// \brief P1363 based XOR Encryption Method |
858 | | /// \tparam MAC MessageAuthenticationCode derived class used for MAC computation |
859 | | /// \tparam DHAES_MODE flag indicating DHAES mode |
860 | | /// \tparam LABEL_OCTETS flag indicating the label is octet count |
861 | | /// \details DL_EncryptionAlgorithm_Xor is based on an early P1363 draft, which itself appears to be based on an |
862 | | /// early Certicom SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used it in its Integrated |
863 | | /// Ecryption Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>. |
864 | | /// \details If you need this method for Crypto++ 4.2 compatibility, then use the ECIES template class with |
865 | | /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>. |
866 | | /// \details If you need this method for Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES template class with |
867 | | /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>. |
868 | | /// \details Bouncy Castle 1.54 and Botan 1.11 compatibility are the default template parameters. |
869 | | /// \since Crypto++ 4.0 |
870 | | template <class MAC, bool DHAES_MODE, bool LABEL_OCTETS=false> |
871 | | class DL_EncryptionAlgorithm_Xor : public DL_SymmetricEncryptionAlgorithm |
872 | | { |
873 | | public: |
874 | | virtual ~DL_EncryptionAlgorithm_Xor() {} |
875 | | |
876 | | bool ParameterSupported(const char *name) const {return strcmp(name, Name::EncodingParameters()) == 0;} |
877 | | size_t GetSymmetricKeyLength(size_t plaintextLength) const |
878 | | {return plaintextLength + static_cast<size_t>(MAC::DEFAULT_KEYLENGTH);} |
879 | | size_t GetSymmetricCiphertextLength(size_t plaintextLength) const |
880 | | {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);} |
881 | | size_t GetMaxSymmetricPlaintextLength(size_t ciphertextLength) const |
882 | | {return SaturatingSubtract(ciphertextLength, static_cast<size_t>(MAC::DIGESTSIZE));} |
883 | | void SymmetricEncrypt(RandomNumberGenerator &rng, const byte *key, const byte *plaintext, size_t plaintextLength, byte *ciphertext, const NameValuePairs ¶meters) const |
884 | | { |
885 | | CRYPTOPP_UNUSED(rng); |
886 | | const byte *cipherKey = NULLPTR, *macKey = NULLPTR; |
887 | | if (DHAES_MODE) |
888 | | { |
889 | | macKey = key; |
890 | | cipherKey = key + MAC::DEFAULT_KEYLENGTH; |
891 | | } |
892 | | else |
893 | | { |
894 | | cipherKey = key; |
895 | | macKey = key + plaintextLength; |
896 | | } |
897 | | |
898 | | ConstByteArrayParameter encodingParameters; |
899 | | parameters.GetValue(Name::EncodingParameters(), encodingParameters); |
900 | | |
901 | | if (plaintextLength) // Coverity finding |
902 | | xorbuf(ciphertext, plaintext, cipherKey, plaintextLength); |
903 | | |
904 | | MAC mac(macKey); |
905 | | mac.Update(ciphertext, plaintextLength); |
906 | | mac.Update(encodingParameters.begin(), encodingParameters.size()); |
907 | | if (DHAES_MODE) |
908 | | { |
909 | | byte L[8]; |
910 | | PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size()))); |
911 | | mac.Update(L, 8); |
912 | | } |
913 | | mac.Final(ciphertext + plaintextLength); |
914 | | } |
915 | | DecodingResult SymmetricDecrypt(const byte *key, const byte *ciphertext, size_t ciphertextLength, byte *plaintext, const NameValuePairs ¶meters) const |
916 | | { |
917 | | size_t plaintextLength = GetMaxSymmetricPlaintextLength(ciphertextLength); |
918 | | const byte *cipherKey, *macKey; |
919 | | if (DHAES_MODE) |
920 | | { |
921 | | macKey = key; |
922 | | cipherKey = key + MAC::DEFAULT_KEYLENGTH; |
923 | | } |
924 | | else |
925 | | { |
926 | | cipherKey = key; |
927 | | macKey = key + plaintextLength; |
928 | | } |
929 | | |
930 | | ConstByteArrayParameter encodingParameters; |
931 | | parameters.GetValue(Name::EncodingParameters(), encodingParameters); |
932 | | |
933 | | MAC mac(macKey); |
934 | | mac.Update(ciphertext, plaintextLength); |
935 | | mac.Update(encodingParameters.begin(), encodingParameters.size()); |
936 | | if (DHAES_MODE) |
937 | | { |
938 | | byte L[8]; |
939 | | PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size()))); |
940 | | mac.Update(L, 8); |
941 | | } |
942 | | if (!mac.Verify(ciphertext + plaintextLength)) |
943 | | return DecodingResult(); |
944 | | |
945 | | if (plaintextLength) // Coverity finding |
946 | | xorbuf(plaintext, ciphertext, cipherKey, plaintextLength); |
947 | | |
948 | | return DecodingResult(plaintextLength); |
949 | | } |
950 | | }; |
951 | | |
952 | | /// \brief P1363 based Key Derivation Method |
953 | | /// \tparam T FieldElement type or class |
954 | | /// \tparam DHAES_MODE flag indicating DHAES mode |
955 | | /// \tparam KDF key derivation function |
956 | | /// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N. |
957 | | template <class T, bool DHAES_MODE, class KDF> |
958 | | class DL_KeyDerivationAlgorithm_P1363 : public DL_KeyDerivationAlgorithm<T> |
959 | | { |
960 | | public: |
961 | | virtual ~DL_KeyDerivationAlgorithm_P1363() {} |
962 | | |
963 | | bool ParameterSupported(const char *name) const {return strcmp(name, Name::KeyDerivationParameters()) == 0;} |
964 | | void Derive(const DL_GroupParameters<T> ¶ms, byte *derivedKey, size_t derivedLength, const T &agreedElement, const T &ephemeralPublicKey, const NameValuePairs ¶meters) const |
965 | | { |
966 | | SecByteBlock agreedSecret; |
967 | | if (DHAES_MODE) |
968 | | { |
969 | | agreedSecret.New(params.GetEncodedElementSize(true) + params.GetEncodedElementSize(false)); |
970 | | params.EncodeElement(true, ephemeralPublicKey, agreedSecret); |
971 | | params.EncodeElement(false, agreedElement, agreedSecret + params.GetEncodedElementSize(true)); |
972 | | } |
973 | | else |
974 | | { |
975 | | agreedSecret.New(params.GetEncodedElementSize(false)); |
976 | | params.EncodeElement(false, agreedElement, agreedSecret); |
977 | | } |
978 | | |
979 | | ConstByteArrayParameter derivationParameters; |
980 | | parameters.GetValue(Name::KeyDerivationParameters(), derivationParameters); |
981 | | KDF::DeriveKey(derivedKey, derivedLength, agreedSecret, agreedSecret.size(), derivationParameters.begin(), derivationParameters.size()); |
982 | | } |
983 | | }; |
984 | | |
985 | | /// \brief Discrete Log Integrated Encryption Scheme |
986 | | /// \tparam COFACTOR_OPTION cofactor multiplication option |
987 | | /// \tparam HASH HashTransformation derived class used for key drivation and MAC computation |
988 | | /// \tparam DHAES_MODE flag indicating if the MAC includes addition context parameters such as the label |
989 | | /// \tparam LABEL_OCTETS flag indicating if the label size is specified in octets or bits |
990 | | /// \details DLIES is an Integer based Integrated Encryption Scheme (IES). The scheme combines a Key Encapsulation Method (KEM) |
991 | | /// with a Data Encapsulation Method (DEM) and a MAC tag. The scheme is |
992 | | /// <A HREF="http://en.wikipedia.org/wiki/ciphertext_indistinguishability">IND-CCA2</A>, which is a strong notion of security. |
993 | | /// You should prefer an Integrated Encryption Scheme over homegrown schemes. |
994 | | /// \details The library's original implementation is based on an early P1363 draft, which itself appears to be based on an early Certicom |
995 | | /// SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Ecryption |
996 | | /// Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>. |
997 | | /// \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the DLIES template class with |
998 | | /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>. |
999 | | /// \details If you desire an Integrated Encryption Scheme with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the DLIES |
1000 | | /// template class with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>. |
1001 | | /// \details The default template parameters ensure compatibility with Bouncy Castle 1.54 and Botan 1.11. The combination of |
1002 | | /// <tt>IncompatibleCofactorMultiplication</tt> and <tt>DHAES_MODE=true</tt> is recommended for best efficiency and security. |
1003 | | /// SHA1 is used for compatibility reasons, but it can be changed if desired. SHA-256 or another hash will likely improve the |
1004 | | /// security provided by the MAC. The hash is also used in the key derivation function as a PRF. |
1005 | | /// \details Below is an example of constructing a Crypto++ 4.2 compatible DLIES encryptor and decryptor. |
1006 | | /// <pre> |
1007 | | /// AutoSeededRandomPool prng; |
1008 | | /// DL_PrivateKey_GFP<DL_GroupParameters_GFP> key; |
1009 | | /// key.Initialize(prng, 2048); |
1010 | | /// |
1011 | | /// DLIES<SHA1,NoCofactorMultiplication,true,true>::Decryptor decryptor(key); |
1012 | | /// DLIES<SHA1,NoCofactorMultiplication,true,true>::Encryptor encryptor(decryptor); |
1013 | | /// </pre> |
1014 | | /// \sa ECIES, <a href="http://www.weidai.com/scan-mirror/ca.html#DLIES">Discrete Log Integrated Encryption Scheme (DLIES)</a>, |
1015 | | /// Martínez, Encinas, and Ávila's <A HREF="http://digital.csic.es/bitstream/10261/32671/1/V2-I2-P7-13.pdf">A Survey of the Elliptic |
1016 | | /// Curve Integrated Encryption Schemes</A> |
1017 | | /// \since Crypto++ 4.0, Crypto++ 5.7 for Bouncy Castle and Botan compatibility |
1018 | | template <class HASH = SHA1, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true, bool LABEL_OCTETS=false> |
1019 | | struct DLIES |
1020 | | : public DL_ES< |
1021 | | DL_CryptoKeys_GFP, |
1022 | | DL_KeyAgreementAlgorithm_DH<Integer, COFACTOR_OPTION>, |
1023 | | DL_KeyDerivationAlgorithm_P1363<Integer, DHAES_MODE, P1363_KDF2<HASH> >, |
1024 | | DL_EncryptionAlgorithm_Xor<HMAC<HASH>, DHAES_MODE, LABEL_OCTETS>, |
1025 | | DLIES<> > |
1026 | | { |
1027 | | static std::string CRYPTOPP_API StaticAlgorithmName() {return "DLIES";} // TODO: fix this after name is standardized |
1028 | | }; |
1029 | | |
1030 | | NAMESPACE_END |
1031 | | |
1032 | | #if CRYPTOPP_MSC_VERSION |
1033 | | # pragma warning(pop) |
1034 | | #endif |
1035 | | |
1036 | | #endif |